Exchange Server 2003 POP3/Secure POP3 Publishing
The most common, and the most popular, form of email retrieval is via the POP3 protocol. Users connect to their mailbox on the POP3 server and download mail to their email client application. Almost all users have experience with POP3 connections and are comfortable using POP3 email clients.
Your Exchange Server can provide POP3 email services for local and remote users. Important features of a POP3 server include:
The following procedures are discussed in this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document:
· Enable the POP3 service on the Exchange Server
The POP3 service is disabled by default on an Exchange 2003 Server. You must enable it and configure it to start automatically. On Exchange 2000 Servers, the POP3 service is enabled by default.
· Request and install a Web site certificate for the Exchange Server POP3 virtual server
You must bind a Web site certificate to the POP3 service before it can negotiate a secure TLS connection with the POP3 client. You can make either an online certificate request to an online Microsoft enterprise CA, or you can create a certificate request file and send the request to an offline CA. The certificate is installed on the Exchange Server and bound to the POP3 service after it is issued.
· Configure a secure POP3 virtual server
You should install and configure a secure POP3 virtual server. This secure POP3 virtual server forces POP3 clients to negotiate a TLS connection before user credentials are sent to the server. If the client fails to create the secure link, the server terminates the connection attempt. This is a secure configuration because it requires the user to authenticate, the credentials are protected by TLS encryption, and the data is protected by TLS encryption.
· Create and configure an optional non-encrypted POP3 server
There may be circumstances when you need clients to create a non-secure connection with the Exchange Server using the POP3 mail protocol. In this case, you can create a second virtual POP3 server that allows non-secured connections, but requires that the clients use integrated authentication to connect. This prevents the POP3 client from using basic authentication, which is insecure because the credentials are passed “in the clear”.
· Install Windows Server 2003 on the firewall computer
Windows Server 2003 is installed on the firewall computer and is used as the base operating system on which ISA Server 2000 is installed.
· Install ISA Server 2000 on the firewall computer
Install ISA Server 2000 on the firewall computer after Windows Server 2003 has been installed.
· Create the POP3 and Secure POP3 Server Publishing Rules
You can create the POP3 and secure POP3 Server Publishing Rules on the ISA Server computer after the ISA Server 2000 firewall software is installed.
· SMTP Server considerations for POP3 and Secure POP3 mail clients
The POP3 protocol only allows the client to download messages, similar to the IMAP4 protocol. Like IMAP4, you need to use SMTP to send email. You can create your own SMTP server for external users to send email securely, or you can allow users to connect to a local SMTP server if their ISP provides one.
· Configure the mail client to support POP3 and Secure POP3 connections
The email client software must be configured to support either POP3 or secure POP3 connections with the POP3 server. If you require secure POP3, then the client must trust the CA that issued the certificate to the POP3 server.
Enable the POP3 service on the Exchange Server
The first step is to enable the POP3 service on the Exchange 2003 server. By default, the POP3 service is disabled and is not configured to start automatically on system startup.
Perform the following steps to enable the POP3 service:
Figures 1 through 7
Request and install a Web site certificate for the Exchange Server POP3 virtual server
A Web site certificate must be installed on the POP3 virtual server before the TLS connection can be established. The ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Obtain a Web Site Certificate contains details on the Internet Information Services Web Site Certificate Request Wizard. Please refer to that ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document for more information on how to obtain and install the Web site certificate on the POP3 virtual server.
Perform the following steps to begin the Web site certificate request process for the POP3 server:
1. Open the Exchange System Manager, expand the organization name and then expand the Servers node. Expand your server name and then expand the Protocols node. Expand the POP3 node and click on the Default POP3 Virtual Server node. Right click on the Default POP3 Virtual Server node and click the Properties command (figure 8).
Figure 8
2. Click on the Access tab and click the Authentication button in the Access control frame (figure 9).
Figure 9
3. Read the information on the Welcome to the Web Server Certificate Wizard page and click Next (figure 10). Follow the on-screen instructions provided by the Wizard to complete the request. For a detailed account of how to request and install the Web site certificate, please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Obtain a Web Site Certificate.
Figure 10
4. The Communication button in the Secure communication frame becomes available after the certificate is installed (figure 11). You will use this button later to force TLS security on POP3 connections with this POP3 server.
Figure 11
The POP3 virtual server will be able to create secure connections using TLS security after the certificate is installed.
Configure the Secure POP3 virtual server
You can configure the secure POP3 virtual server now that the POP3 virtual server has a certificate installed:
1. Open the Exchange System Manager, expand your organization name and expand the Servers node. Expand your server name and then expand the Protocols node. Expand the POP3 node and click on the Default POP3 Virtual Server node. Right click on the Default POP3 Virtual Server node and click the Properties command (figure 12).
Figure 12
2. The General tab is the first to appear in the Default POP3 Virtual Server Properties dialog box (figure 13). Click the down arrow for the IP address drop down list and select an IP address for the secure POP3 site. Make sure this is not the same IP address used by any other POP3 virtual server on the Exchange Server computer. You can use the same IP address used by another Exchange Server service, such as the IMAP4 service, but do not assign the same address to two POP3 virtual servers.
Figure 13
3. Select the Limit number of connections to option if you want to limit the number of connections to the server (figure 14).
Figure 14
4. Click on the Access tab. Click the Authentication button in the Access control frame (figure 15).
Figure 15
5. You can select the forms of authentication you want to support in the Authentication dialog box (figure 16). You have the following options:
Basic authentication (password is sent in clear text)
The basic authentication option ensures the highest level of compatibility with different POP3 clients. However, basic authentication passes user name and password information “in the clear”. You should use basic authentication only when you protect the connection using TLS encryption.
Requires SSL/TLS encryption
This setting forces the POP3 client to establish an SSL/TLS connection before credentials are sent to the POP3 server. If the client does not successfully establish a secure connection with the POP3 server, then the connection is dropped without the exchange of credentials.
Simple Authentication and Security Layer
Use this option to allow the POP3 client to use integrated authentication (NTLM).
We recommend that you enable all options. This allows the greatest level of flexibility and security for your POP3 client/server connections.
Figure 16
6. Click on the Communication button in the Secure communication frame (figure 17).
Figure 17
7. Put a checkmark in both the Require secure channel and Require 128-bit encryption checkboxes (figure 18). This option forces the POP3 client to negotiate a secure TLS connection before any credentials or data are transferred between the POP3 client and server. Click OK.
Figure 18
8. Click on the Calendaring tab (figure 19). The settings on this tab determine the URL POP3 clients receive when they download meeting requests. Note that you should use SSL when connecting to the Outlook Web Access (OWA) server. Select the Use front-end server option and type in the fully qualified domain name (FQDN) of the OWA server. This FQDN must be resolvable to an address that remote POP3 clients can reach. Place a checkmark in the Use SSL connections checkbox to force the POP3 client to use SSL to connect to the OWA site.
Figure 19
Create and Configure an Optional Non-Encrypted POP3 Server
I strongly encourage you to use only secure connections when connecting to the POP3 server. The only way to ensure that all connections with the POP3 server are secure is to force TLS security at the POP3 server. When the secure connection is enforced, POP3 clients that do not, or cannot, establish a TLS link will not be able to connect.
There may be circumstances when you want to allow non-secure connections to the POP3 server. You should create a second virtual POP3 server if you require non-secure POP3 connections. This allows you to force security on the first POP3 virtual server and allow non-secure connections to the second POP3 virtual server.
Note: You will need an additional IP address bound to the Exchange Server’s network interface card if you have more than one virtual POP3 server on the Exchange Server. However, you can use a single IP address on the external interface of the ISA Server firewall if you do not plan to use secure connections to this non-encrypted POP3 virtual server.
Perform the following steps to create a second virtual POP3 server that accepts non-secure connections:
1. Right click on the POP3 node in the left pane of the Exchange System Manager console, point to New and click on POP3 Virtual Server (figure 20).
Figure 20
2. Type in a name for the virtual POP3 server in the Name text box on the Welcome to the New POP3 Virtual Server Wizard page (figure 21). Click Next.
Figure 21
3. Click the down arrow on the Select the IP address for this POP3 virtual server drop down list box on the Select IP Address page (figure 22). Select an IP address that is not being used by any other virtual POP3 server on the Exchange Server machine. Click Finish.
Figure 22
4. The new virtual POP3 server appears in the Exchange System Manager (figure 23).
Figure 23
5. Right click on the new virtual POP3 server name in the left pane of the console and click the Properties command. On the General tab of the virtual POP3 server’s Properties dialog box, put a checkmark in the Limit number of connections to checkbox and add a value in the text box if you wish to limit the number of connections to the virtual POP3 server (figure 24). Click Apply.
Figure 24
6. Click on the Access tab (figure 25). Click the Authentication button in the Access control frame.
Figure 25
7. In the Authentication dialog box (figure 26), remove the checkmark from the Basic authentication (password is sent in clear text) checkbox. You do not want to allow basic authentication against this virtual POP3 server because the user name and password will not be protected by TLS encryption. Place a checkmark in the Simple Authentication and Security Layer checkbox. NTLM authentication is much more secure than basic authentication, although it is less secure when not protected by TLS encryption.
Figure 26
8. Click on the Calendaring tab (figure 27). The settings on this tab determine the URL POP3 clients receive when they download meeting requests. Note that you should use SSL when connecting to the Outlook Web Access (OWA) server. Select the Use front-end server option and type in the fully qualified domain name (FQDN) of the OWA server. This FQDN must be resolvable to an address that remote POP3 clients can reach. Place a checkmark in the Use SSL connections checkbox to force the POP3 client to use SSL to connect to the OWA site.
Figure 27
The virtual POP3 servers are now configured and ready to accept incoming POP3 and secure POP3 connections.
Installing Windows Server 2003 on the Firewall Computer
The computer that will become the ISA Server 2000 firewall relay must meet the following minimum requirements:
The ISA Server firewall and Web caching components work very well on modest hardware. This is true even when the SMTP filter is enabled and protecting the published SMTP servers. However, if you decide to use the SMTP Message Screener on the firewall, if you use SSL to protect a Web published Web site, or if you use the ISA Server firewall as a VPN server, you need to increase the minimum requirements to support encryption services.
Install ISA Server 2000 on the Firewall Computer
Install ISA Server 2000 after installing Windows Server 2003 onto the firewall computer. You must go through some specific procedures outside of the standard ISA Server 2000 installation when installing the firewall software onto a Windows Server 2003 computer. Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Installing ISA Server 2000 on Windows Server 2003.
Create the POP3 and Secure POP3 Server Publishing Rules
Now you can create the POP3 and secure POP3 Server Publishing Rules. Perform the following steps to create the POP3 Server Publishing Rule:
1. Open the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Publishing node and click on the Server Publishing Rules node. Right click on the Server Publishing Rules node, point to New and click on Rule (figure 28).
Figure 28
2. Type in a name for the Server Publishing Rule in the Server publishing rule name text box on the Welcome to the New Server Publishing Rule Wizard page (figure 29). Click Next.
Figure 29
3. On the Address Mapping page (figure 30), type in an IP address for the internal secure virtual POP3 server in the IP address of internal server text box. Click the Browse button next to the External IP address on ISA Server text box. Select the IP address on the external interface of the ISA Server firewall that you want to listen for incoming secure POP3 connection requests in the New Server Publishing Rule Wizard dialog box. Click OK.
Figure 30
4. Click Next on the Address Mapping page (figure 31).
Figure 31
5. Click the down arrow for the Apply the rule to this protocol drop down list box on the Protocol Settings page (figure 32). Select the POP3 Server.
Figure 32
6. On the Client Type page, select the Any request option (figure 33). Click Next.
Figure 33
7. Review your settings on the Complete the New Server Publishing Rule Wizard page and click Finish (figure 34).
Figure 34
8. The new POP3 Server Publishing Rule appears in the right pane of the ISA Management console (figure 35).
Figure 35
Perform the following steps to create the secure POP3 Server Publishing Rule:
1. Type in a name for the Server Publishing Rule in the Server publishing rule name text box on the Welcome to the New Server Publishing Rule Wizard page (figure 36). Click Next.
Figure 36
2. On the Address Mapping page (figure 37), type in an IP address for the internal secure virtual POP3 server in the IP address of internal server text box. Click the Browse button next to the External IP address on ISA Server text box. Select the IP address on the external interface of the ISA Server firewall that you want to listen for incoming secure POP3 connection requests in the New Server Publishing Rule Wizard dialog box. Click OK.
Figure 37
3. Click Next on the Address Mapping page (figure 38).
Figure 38
4. Click the down arrow for the Apply the rule to this protocol drop down list box on the Protocol Settings page (figure 39). Select the POP3S Server.
Figure 39
5. On the Client Type page, select the Any request option (figure 40). Click Next.
Figure 40
6. Review your settings on the Complete the New Server Publishing Rule Wizard page and click Finish (figure 41).
Figure 41
7. The new POP3 Server Publishing Rule appears in the right pane of the ISA Management console (figure 42).
Figure 42
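As an added example, not code from the deployment kit, the following Python script can be run from an Internet client against the public name used in the publishing rules to confirm the two properties these procedures are meant to produce: the published POP3S listener presents a certificate that chains to a CA the client trusts (the requirement noted above for the mail client), and the plaintext POP3 listener, if one is published, answers -ERR to a USER command, so basic authentication cannot be used in the clear. The host name, the root CA file and the probe user name are assumptions supplied by the caller; no password is ever transmitted.

```python
# Added example, not code from the deployment kit: client-side checks of a
# published POP3/POP3S pair. Host name, CA file and probe user are assumptions.
import poplib
import ssl

PROBE_USER = "pop3-probe"   # constructed value, not a real mailbox


def classify_user_reply(reply: bytes) -> str:
    """Reply to a plaintext USER on port 110: 'Require secure channel' (or basic
    auth unchecked) gives -ERR; +OK means a password could follow in the clear."""
    if reply.startswith(b"+OK"):
        return "basic-auth-offered-in-clear"
    if reply.startswith(b"-ERR"):
        return "basic-auth-refused"
    return "unexpected-reply"


def probe_plain_listener(host: str, port: int = 110, timeout: float = 10.0) -> str:
    """Send only USER to the unencrypted virtual server; never a password."""
    try:
        conn = poplib.POP3(host, port, timeout=timeout)
    except OSError:
        return "no-plain-listener"          # nothing published on 110
    try:
        reply = conn.user(PROBE_USER)       # poplib raises error_proto on -ERR
    except poplib.error_proto as exc:
        reply = exc.args[0] if exc.args else b"-ERR"
    conn.close()                            # drop the socket without QUIT
    return classify_user_reply(reply)


def make_client_context(cafile=None) -> ssl.SSLContext:
    """Client TLS settings: chain to the CA that issued the POP3 virtual server's
    certificate (cafile; None means the system store) and check the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def issuer_cn(cert: dict):
    """Extract the issuer CN from the dict SSLSocket.getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_pop3s(host: str, port: int = 995, cafile=None, timeout: float = 10.0) -> dict:
    """Open POP3S on the published external address and report the issuer."""
    try:
        conn = poplib.POP3_SSL(host, port, timeout=timeout,
                               context=make_client_context(cafile))
    except ssl.SSLCertVerificationError as exc:   # client does not trust the CA
        return {"tls": "untrusted", "detail": exc.verify_message}
    except OSError as exc:
        return {"tls": "unreachable", "detail": str(exc)}
    cert = conn.sock.getpeercert()
    conn.quit()
    return {"tls": "trusted", "issuer_cn": issuer_cn(cert), "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    import sys                              # usage: script.py <public-name> [root-ca.pem]
    print("port 110:", probe_plain_listener(sys.argv[1]))
    print("port 995:", probe_pop3s(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Pass the exported root CA certificate as the second argument when the POP3 virtual server's certificate was issued by your own enterprise CA; an "untrusted" result then means the client is missing that root, which is exactly the condition the mail client section says must be fixed on the client.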

SMTP Server considerations for POP3 and Secure POP3 mail clients
The POP3 client downloads messages from the POP3 server and removes them from the server. You can configure most POP3 clients to leave the messages on the server if you do not want them removed. The message stays on the Exchange Server and is available to the user at a later time. For example, the user might use POP3 while on the road and the full MAPI Outlook client while in the office.
POP3 allows for downloading only. You must use SMTP to send responses to the messages or to create and send new mail. The POP3 client has several options:
If the POP3 user logs onto an ISP that provides an SMTP server address, the user can use the local ISP’s SMTP server to send messages. The ISP may even offer secure SMTP access that allows the user to protect credentials and data using SSL/TLS. Note that when the user uses a local ISP’s SMTP server, it becomes the user’s responsibility to force a secure connection with the SMTP server.
If the user does not log on to a local ISP, or uses an ISP that does not provide a secure SMTP server, you can create your own secure SMTP server for your users. The secure SMTP server can be placed on the ISA Server firewall as a secure SMTP relay, or you can publish a secure SMTP virtual server located on the Exchange Server.
Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Configuring a Windows Server 2003-based ISA Server as a Secure Authenticating SMTP Relay for information on how to configure a secure authenticating SMTP server on the ISA Server firewall.
Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document Secure Exchange 2003 SMTP/SMTPS publishing for information on how to publish a secure authenticating SMTP virtual server located on the Exchange Server.
Another option is to allow the user to connect to a secure POP3 server over the Internet, but require that all outbound messages be sent over a VPN link. This configuration is problematic because the POP3 client is configured with a public address to connect to the secure POP3 server, but is also configured to use the Exchange Server’s private address, which it can reach only after the VPN connection is established. The problem is that this configuration will not allow the POP3 component to work while the VPN connection is established, because that would require split tunneling, and split tunneling is an extreme security risk. The most common solution to this problem is to have the user change the IP address used for the POP3 server to the Exchange Server’s internal IP address while connected to the VPN, and then change it back to the public address used in the secure POP3 Server Publishing Rule when the VPN link is disconnected.
We recommend that you create your own secure SMTP server on either the ISA Server firewall computer, or on the Exchange Server itself. This option allows you to easily force the client to use a secure connection when connecting to the SMTP server. If the user removes the secure configuration on the client, no SMTP mail will be sent.
Configuring the SMTP Client to use TLS Encryption for SMTP Messages
The SMTP client must be configured to negotiate a TLS connection with the authenticating SMTP relay. The method used to configure the client to use secure SMTP connections varies with the client. The following ISA Server 2000 Exchange Server 2000/2003 Deployment Kit documents discuss how to configure some popular SMTP clients to connect to the SMTP relay using TLS:
Regardless of the SMTP email client application, all clients will need a copy of the Root CA certificate of the CA that assigned the authenticating SMTP server its Web site certificate. Please refer to ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document How to Import the Root CA Certificate into Email Client Certificate Stores.
Summary
In this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document we discussed the procedures required to create both a secure POP3 and a non-secured POP3 server. You saw how to request a certificate for the POP3 server and how to force a secure connection to the server. You also learned how to create a second virtual POP3 server that allows non-secured POP3 connections for those clients that are unable to create secured connections. SMTP server issues were discussed and several alternatives were presented.