2.2.38 [RFC3501] Section 11.2, Other Security Considerations

V0061:

The specification states: "A server SHOULD have mechanisms in place to limit or delay failed AUTHENTICATE/LOGIN attempts."

Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, Microsoft Exchange Server 2019

Microsoft Exchange Server allows four failed attempts before it drops the session. However, Microsoft Exchange does not have any cross-session limits.