ISA Server 2000 Exchange 2000/2003 Deployment Kit

Exchange Server 2003 POP3/Secure POP3 Publishing

The most common and most popular form of email retrieval is the POP3 protocol. Users connect to their mailbox on the POP3 server and download mail to their email client application. Almost all users have experience with POP3 connections and are comfortable using POP3 email clients.

Your Exchange Server can provide POP3 email services for local and remote users. Important features of a POP3 server include:

·  Users can download all messages to the POP3 client or leave the messages on the server

·  All email applications support the POP3 mail protocols

·  Almost all users have experience with the POP3 protocol

·  You can secure POP3 connections with TLS encryption to protect user credentials and data

·  POP3 is typically less resource intensive because mail is deleted from the server after the client downloads it and the client does not keep a persistent connection with the server

·  If a user downloads mail from the POP3 server and does not configure the client to leave the mail on the server, the entire contents of the user’s mailbox are removed from the Exchange Server.


The following procedures are discussed in this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document:

·  Enable the POP3 service on the Exchange Server

The POP3 service is disabled by default on an Exchange 2003 Server. You must enable it and configure it to start automatically. On Exchange 2000 Servers, the POP3 service is enabled by default.

·  Request and install a Web site certificate for the Exchange Server POP3 virtual server

You must bind a Web site certificate to the POP3 service before it can negotiate a secure TLS connection with the POP3 client. You can make either an online certificate request to an online Microsoft enterprise CA, or you can create a certificate request file and send the request to an offline CA. After the certificate is issued, it is installed on the Exchange Server and bound to the POP3 service.

·  Configure a secure POP3 virtual server

You should install and configure a secure POP3 virtual server. This secure POP3 virtual server forces POP3 clients to negotiate a TLS connection before user credentials are sent to the server. If the client fails to create the secure link, the server terminates the connection attempt. This is a secure configuration because it requires the user to authenticate, the credentials are protected by TLS encryption, and the data is protected by TLS encryption.

·  Create and configure an optional non-encrypted POP3 server

There may be circumstances when you need clients to create a non-secure connection with the Exchange Server using the POP3 mail protocol. In this case, you can create a second virtual POP3 server that allows non-secured connections, but requires that the clients use integrated authentication to connect. This prevents the POP3 client from using basic authentication, which is insecure because the credentials are passed “in the clear”.

·  Install Windows Server 2003 on the firewall computer

Windows Server 2003 is installed on the firewall computer and is used as the base operating system on which ISA Server 2000 is installed.

·  Install ISA Server 2000 on the firewall computer

Install ISA Server 2000 on the firewall computer after Windows Server 2003 has been installed.

·  Create the POP3 and Secure POP3 Server Publishing Rules

You can create the POP3 and secure POP3 Server Publishing Rules on the ISA Server computer after the ISA Server 2000 firewall software is installed.

·  SMTP Server considerations for POP3 and Secure POP3 mail clients

The POP3 protocol only allows the client to download messages, similar to the IMAP4 protocol. Like the IMAP4 protocol, you need to use SMTP to send email. You can create your own SMTP server for external users to send email securely, or you can allow users to connect to a local SMTP server if their ISP provides one.

·  Configure the mail client to support POP3 and Secure POP3 connections

The email client software must be configured to support either POP3 or secure POP3 connections with the POP3 server. If you require secure POP3, then the client must trust the CA that issued the certificate to the POP3 server.


Enable the POP3 service on the Exchange Server

The first step is to enable the POP3 service on the Exchange 2003 server. By default, the POP3 service is disabled and it is not configured to start up automatically on system startup.

Perform the following steps to enable the POP3 service:

1.  Click Start, point to Administrative Tools and click on Services (figure 1).

Figure 1

2.  In the Services console (figure 2), locate the Microsoft Exchange POP3 entry and right click on it. Click the Properties command.

Figure 2

3.  On the Microsoft Exchange POP3 Properties dialog box, click the down arrow on the Startup type drop down list box (figure 3). Select the Automatic option.

Figure 3

4.  After the Automatic option is selected, the Start button will become available. Click the Start button to start the POP3 service (figure 4).

Figure 4

5.  The Service Control dialog box shows a progress bar for starting the POP3 service (figure 5).

Figure 5

6.  Click OK on the Microsoft Exchange POP3 Properties dialog box after the service has started (figure 6).

Figure 6

7.  The Microsoft Exchange POP3 entry in the Services dialog box will show the service as Started and the Startup Type as Automatic (figure 7).

Figure 7


Request and install a Web site certificate for the Exchange Server POP3 virtual server

A Web site certificate must be installed on the POP3 virtual server before the TLS connection can be established. The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Obtain a Web Site Certificate contains details on the Internet Information Services Web Site Certificate Request Wizard. Please refer to that document for more information on how to obtain and install the Web site certificate on the POP3 virtual server.

Perform the following steps to begin the Web site certificate request process for the POP3 server:

1.  Open the Exchange System Manager, expand the organization name and then expand the Servers node. Expand your server name and then expand the Protocols node. Expand the POP3 node and click on the Default POP3 Virtual Server node. Right click on the Default POP3 Virtual Server node and click the Properties command (figure 8).

Figure 8

2.  Click on the Access tab and click the Authentication button in the Access control frame (figure 9).

Figure 9

3.  Read the information on the Welcome to the Web Server Certificate Wizard page and click Next (figure 10). Follow the on screen instructions provided by the Wizard to complete the request. For a detailed account of how to request and install the Web site certificate, please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Obtain a Web Site Certificate.

Figure 10

4.  The Communication button in the Secure communication frame becomes available after the certificate is installed (figure 11). You will use this button later to force TLS security on POP3 connections with this POP3 server.

Figure 11

The POP3 virtual server will be able to create secure connections using TLS security after the certificate is installed.


Configure the Secure POP3 virtual server

You can configure the POP3 virtual server now that it has a certificate installed:

1.  Open the Exchange System Manager, expand your organization name and expand the Servers node. Expand your server name and then expand the Protocols node. Expand the POP3 node and click on the Default POP3 Virtual Server node. Right click on the Default POP3 Virtual Server node and click the Properties command (figure 12).

Figure 12

2.  The General tab is the first to appear in the Default POP3 Virtual Server Properties dialog box (figure 13). Click the down arrow for the IP address drop down list and select an IP address for the secure POP3 site. Make sure this is not the same IP address used by any other POP3 virtual server on the Exchange Server computer. You can use the same IP address used by another Exchange Server service, such as the IMAP4 service, but do not assign the same address to two POP3 virtual servers.

Figure 13

3.  Select the Limit number of connections to option if you want to limit the number of connections to the server (figure 14).

Figure 14

4.  Click on the Access tab. Click the Authentication button in the Access control frame (figure 15).

Figure 15

5.  You can select the forms of authentication you want to support in the Authentication dialog box (figure 16). You have the following options:

Basic authentication (password is sent in clear text)

The basic authentication option ensures the highest level of compatibility with different POP3 clients. However, basic authentication passes user name and password information “in the clear”. You should use basic authentication only when you protect the connection using TLS encryption.

Requires SSL/TLS encryption

This setting forces the POP3 client to establish an SSL/TLS connection before credentials are sent to the POP3 server. If the client does not successfully establish a secure connection with the POP3 server, then the connection is dropped without the exchange of credentials.

Simple Authentication and Security Layer

Use this option to allow the POP3 client to use integrated authentication (NTLM).

We recommend that you enable all options. This allows the greatest level of flexibility and security for your POP3 client/server connections.

Figure 16

6.  Click on the Communication button in the Secure communication frame (figure 17).

Figure 17

7.  Put a checkmark in both the Require secure channel and Require 128-bit encryption checkboxes (figure 18). This option forces the POP3 client to negotiate a secure TLS connection before any credentials or data are transferred between the POP3 client and server. Click OK.

Figure 18

8.  Click on the Calendaring tab (figure 19). The settings on this tab determine the URL POP3 clients receive when they download meeting requests. Note that you should use SSL when connecting to the Outlook Web Access (OWA) server. Select the Use front-end server option and type in the fully qualified domain name (FQDN) of the OWA server. This FQDN must be resolvable to an address that remote POP3 clients can reach. Place a checkmark in the Use SSL connections checkbox to force the POP3 client to use SSL to connect to the OWA site.

Figure 19
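The following audit helper is an added example, not part of the deployment kit. It verifies from the network side what the Require secure channel setting (step 7) and the Requires SSL/TLS encryption option (step 5) are meant to enforce: a client on port 110 is refused USER until it has issued STLS (RFC 2595), and the TLS handshake presents a certificate the client trusts. It assumes the server implements STLS; the username "policy-probe" is constructed, no password is ever transmitted, and ScriptedConn is a constructed stand-in so the check can be exercised offline.

```python
import socket
import ssl

# Added audit helper (not from the deployment kit). It checks the secure
# POP3 policy from the network side: USER must be refused before STLS, and
# STLS must succeed with a certificate the client trusts. Assumes the server
# supports STLS; "policy-probe" is a constructed username, no password sent.

class SocketLines:
    """Line-oriented wrapper over a connected TCP socket."""
    def __init__(self, sock):
        self.sock = sock
        self.reader = sock.makefile("rb")
    def send_line(self, text):
        self.sock.sendall(text.encode("ascii") + b"\r\n")
    def recv_line(self):
        return self.reader.readline().decode("ascii", "replace").rstrip("\r\n")

def check_clear_text_refused(conn):
    """Run one unauthenticated session on conn (recv_line/send_line) and
    return findings; verdict is 'ok' only if USER is rejected before STLS
    and STLS itself is accepted."""
    findings = {"greeting": conn.recv_line()}
    conn.send_line("USER policy-probe")
    findings["user_before_tls"] = conn.recv_line()
    conn.send_line("STLS")
    findings["stls"] = conn.recv_line()
    refused = findings["user_before_tls"].startswith("-ERR")
    stls_ok = findings["stls"].startswith("+OK")
    findings["verdict"] = "ok" if refused and stls_ok else "weak"
    return findings

def audit_pop3_host(host, port=110, cafile=None, timeout=5.0):
    """Live probe. After a successful STLS reply, completes the TLS handshake
    with certificate verification, so a certificate from a CA the client
    does not trust surfaces as ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: your enterprise CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        findings = check_clear_text_refused(SocketLines(raw))
        if findings["stls"].startswith("+OK"):
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                findings["tls_version"] = tls.version()
                tls.sendall(b"QUIT\r\n")
    return findings

class ScriptedConn:
    """Constructed stand-in for a server: replies keyed by command verb."""
    def __init__(self, greeting, replies):
        self.pending, self.replies = [greeting], replies
    def send_line(self, text):
        self.pending.append(self.replies.get(text.split()[0], "-ERR unknown"))
    def recv_line(self):
        return self.pending.pop(0)
```

Run audit_pop3_host("pop3.example.com", cafile="enterprise-ca.pem") against the published address; a "weak" verdict means the virtual server still accepts USER over clear text, and a certificate error means the client-side trust described in the mail client section is not in place.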


Create and Configure an Optional Non-Encrypted POP3 Server

I strongly encourage you to use only secure connections when connecting to the POP3 server. The only way to ensure that all connections with the POP3 server are secure is to force TLS security at the POP3 server. When the secure connection is enforced, POP3 clients that do not, or cannot, establish a TLS link will not be able to connect.

There may be circumstances when you want to allow non-secure connections to the POP3 server. You should create a second virtual POP3 server if you require non-secure POP3 connections. This allows you to force security on the first POP3 virtual server and allow non-secure connections to the second POP3 virtual server.

Note:
You will need a separate IP address bound to the Exchange Server’s network interface card for each virtual POP3 server if you have more than one on the Exchange Server. However, you can use a single IP address on the external interface of the ISA Server firewall if you do not plan to use secure connections to this non-encrypted POP3 virtual server.

Perform the following steps to create a second virtual POP3 server that accepts non-secure connections:

1.  Right click on the POP3 node in the left pane of the Exchange System Manager console, point to New and click on POP3 Virtual Server (figure 20).

Figure 20

2.  Type in a name for the virtual POP3 server in the Name text box on the Welcome to the New POP3 Virtual Server Wizard page (figure 21). Click Next.

Figure 21

3.  Click the down arrow on the Select the IP address for this POP3 virtual server drop down list box on the Select IP Address page (figure 22). Select an IP address that is not being used by any other virtual POP3 server on the Exchange Server machine. Click Finish.

Figure 22

4.  The new virtual POP3 server appears in the Exchange System Manager (figure 23).

Figure 23

5.  Right click on the new virtual POP3 server name in the left pane of the console and click the Properties command. On the General tab of the virtual POP3 server’s Properties dialog box, put a checkmark in the Limit number of connections to checkbox and add a value in the text box if you wish to limit the number of connections to the virtual POP3 server (figure 24). Click Apply.

Figure 24

6.  Click on the Access tab (figure 25). Click the Authentication button in the Access control frame.

Figure 25