#1 & 2
zimbraPop3SSLServerEnabled TRUE & zimbraPop3CleartextLoginEnabled FALSE
Those can be set on global or server level via CLI or admin console (server overrides global).
su - zimbra
zmprov ms `zmhostname` zimbraPop3SSLServerEnabled TRUE
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
zmmailboxdctl restart
Then configure your thick-client accordingly.
If you want only SSL externally, just block POP port 110 access at your firewall.
Or you can take it a step further and do:
zmprov ms `zmhostname` zimbraPop3ServerEnabled FALSE
#3
This is not Zimbra's problem, these are your local security policies. You could do IMAP though most clients automatically download/keep at least the message headers in a cache (sometimes configurable), but retrieving/storing the full message body for every message offline is optional on pretty much every IMAP client. Again this is a thick-client issue.
#4
Upgrade to 5.0.9+ and you'll get warnings in audit.log
Bug 29680 - POP3 Server Does Not Log IP Addresses of Failed Logins
I just checked on 5.0.10, while it doesn't disconnect the client after x tries, (we could implement that) but it only slows them down a little as they can just reconnect - an RFE to block IP's after x tries would be better.
For now the best option is auth lockout as POP access still respects these COS/user values:
zimbraPasswordLockoutEnabled
zimbraPasswordLockoutDuration
zimbraPasswordLockoutMaxFailures
zimbraPasswordLockoutFailureLifetime
Easily set in admin console gui > COS > advanced tab or:
zmprov mc COSname zimbraAttribute value
#5
ZCS's current UIDL generation will never trigger this. You should plan an upgrade into the 5.0.x series sometime though as we didn't pull up old 4.5.x code to check.
# 6 & 7
We're currently discussing if it should be the server's job to mangle messages to play defense for clients that can get burned by this. (If we create an RFE I'll post the # - or you can go ahead and create one.) What thick-clients are you testing, might be good to discuss in their forums/bug trackers as well.
#8
Just sounds like you're describing the limitation of POP in general.
IP blocking RFE?
If you want to mark something as spam just fowrard the mail as an attachment to spam.#@domain.com or ham.#@domain.com (you can rename these along with zimbraSpamIsSpamAccount/zimbraSpamIsNotSpamAccount values.
If you want to view the junk folder via POP you can tweak the login username: userid{folder:Inbox folder:Junk}
Quote:
openssl s_client -host IP -port 995
+OK server Zimbra POP3 server ready
USER user@domain.com{"in folder:Inbox"}
+OK hello user, please enter your password
PASS password
+OK server ready
|
Or something like
user@domain.com{"tag:name"}
Also note:
Quote:
Originally Posted by mmorse  In ZCS 5.0.1 and earlier, user filters were run before the spam filter check was run. This meant that if the user filtered mail into a folder, spam would not be identified and sent to the Junk folder.
Beginning with 5.0.2, spam check is completed first and messages identified as spam are moved to the Junk folder. With this change, users cannot write a filter to move false positive spam out of the Junk folder.
Two options:
A) If you prefer ZCS 5.0.2+ to use the spam filter function as it works for 5.0.1 and earlier, you can set the zimbraSpamApplyUserFilters option to True.
This can be done by COS:
zmprov mc COSname zimbraSpamApplyUserFilters TRUE
or for individual accounts:
zmprov ma user@domain.com zimbraSpamApplyUserFilters TRUE
B) You can create a spam white list for individual accounts that allows an account to identify email addresses that should not be marked as spam: zmprov ma user@domain.com +amavisWhiteListSender someone@example.com
RFE to bring this into the end-user UI: Bug 6953 - Per user white & black lists in the UI |
Bugzilla
Wiki
Source
Regarding pop3 vernablities 
Linear Mode
