Secure Exchange Server 2003 POP3 Publishing
Thomas W Shinder, M.D.
The most common and most popular form of email retrieval is via the POP3 protocol. Users connect to their mailbox on the POP3 server and download mail to their email client application. Almost all users have experience with POP3 connections and are comfortable with using POP3 email clients such as Outlook Express and Outlook 2000/2002.
Your Exchange Server can provide POP3 email services for local and remote users. Reasons why you might want to use the Exchange POP3 server include:
The default configuration of most email clients and servers is to allow downloading "in the clear". Since you have administrative control over the Exchange 2003 Server and the email clients, you should not allow users to connect to your POP3 server without encryption. The encryption component protects not only the content of the email messages; it also protects the user credentials. Basic authentication passes the credentials entirely in the clear, and even NTLM authentication, while not easily breakable, can be done by motivated individuals.
For these reasons and more, only connections that have successfully negotiated a TLS security session should be allowed to your Exchange 2003 POP3 server.
We will cover the follow procedures in this two part article on publishing the Exchange 2003 POP3 service using ISA Server 2000:
- Enable the POP3 service on the Exchange Server
The POP3 service is disabled by default on an Exchange 2003. You must enable it and configure it to start automatically.
- Request and install a Web site certificate for the Exchange Server POP3 virtual server
You must install a Web site certificate on the POP3 virtual server before the server can create a secure TLS connection with a POP3 client. You can make either an online certificate request to a Microsoft enterprise CA, or you can create a certificate request file and send the request to an offline CA. The offline CA can be one you manage, or it can be a third party certificate provider. The Web site certificate is installed the Exchange Server’s machine certificate store and bound to the POP3 service.
- Configure a secure POP3 virtual server
The secure POP3 virtual server forces the POP3 client to negotiate a TLS connection before user credentials are sent to the server. If the client fails to create a secure link, the server terminates the connection attempt. This is a secure configuration because it requires the user to authenticate and user credentials are protected by TLS encryption. The data is protected by TLS encryption.
- Install Windows Server 2003 on the firewall computer
Windows Server 2003 is installed on the firewall computer and is used as the base operating system on which ISA Server 2000 is installed
- Install ISA Server 2000 on the firewall computer
Install ISA Server 2000 on the firewall computer after Windows Server 2003 has been installed.
- Create the Secure POP3 Server Publishing Rule
Create the secure POP3 Server Publishing Rule on the ISA Server computer after the ISA Server 2000 firewall software is installed.
- SMTP Server considerations for Secure POP3 mail clients
The POP3 protocol only allows the client to download messages, similar to the IMAP4 protocol. Like the IMAP4 protocol, you need to use SMTP to send email. You can create your own SMTP server for external users to send email securely, or you can allow users to connect to a local SMTP server if their ISP provides one.
- Configure the mail client to support Secure POP3 connections
The email client software must be configured to support either POP3 or secure POP3 connections with the POP3 server. If you require secure POP3, then the client must trust the CA that issued the certificate to the POP3 server.
Enable the POP3 service on the Exchange Server
The first step is to enable the POP3 service on the Exchange 2003 server. By default, the POP3 service is disabled and it is not configured to start up automatically on system startup.
Perform the following steps to enable the POP3 service:
- Click Start, point to Administrative Tools and click on Services.
- In the Services console, locate the Microsoft Exchange POP3 entry and right click on it. Click the Properties command.
- On the Microsoft Exchange POP3 Properties dialog box, click the down arrow on the Startup type drop down list box. Select the Automatic option.
- After the Automatic option is selected, the Start button will become available. Click the Start button to start the POP3 service.
- The Service Control dialog box shows a progress bar for starting the POP3 service.
- Click OK on the Microsoft Exchange POP3 Properties dialog box after the service has started.
- The Microsoft Exchange POP3 entry in the Services dialog box will show the service as Started and the Startup Type as Automatic (figure XX).
Request and install a Web site certificate for the Exchange Server POP3 virtual server
A Web site certificate must be installed on the POP3 virtual server before the TLS connection can be established. My article on how to publish Outlook Web Access contains the details on how to obtain a Web site certificate. Check it out here.
Perform the following the following steps to begin the Web site certificate request processes for the POP3 server:
- Open the Exchange System Manager, expand the organization name and then expand the Servers node. Expand your server name and then expand the Protocols node. Expand the POP3 node and click on the Default POP3 Virtual Server node. Right click on the Default POP3 Virtual Server node and click the Properties command.
- Click on the Access tab and click the Authentication button in the Access control frame.
- Read the information on the Welcome to the Web Server Certificate Wizard page and click Next. Follow the on screen instructions provided by the Wizard to complete the request. For a detailed account of how to request and install the Web site certificate, please refer to Publishing Exchange 2003 Outlook Web Access (OWA) with ISA Server 2000 - Part 3: SSL Bridging Drill Down and Requesting a Web Site Certificate
- The Communication button in the Secure communication frame becomes available after the certificate is installed. You will use this button later to force TLS security on POP3 connections with this POP3 server
- The POP3 virtual server will be able to create secure connections using TLS security after the certificate is installed.
Configure the Secure POP3 virtual server
Now that you have a Web site certificate installed on the Exchange 2003 machine and bound to the POP3 service, you can configure the POP3 virtual server to require TLS security for all incoming connections:
- Open the Exchange System Manager, expand your organization name and expand the servers node. Expand your server name and then expand the Protocols node. Expand the POP3 node and click on the Default POP3 Virtual Server node. Right click on the Default POP3 Virtual Server node and click the Properties command.
- The General tab is the first to appear in the Default POP3 Virtual Server Properties dialog box. Click the down arrow for the IP address drop down list and select an IP address for the secure POP3 site. Make sure that this is not the same IP address used by any other POP3 server on the Exchange Server computer. You can use the same IP address used by another Exchange Server service, such as the IMAP4 service, but do not assign the same address to two POP3 virtual servers.
- Click on the Access tab. Click the Authentication button in the Access control frame.
- You can select the authentication methods you want to support in the Authentication dialog box. You have the following options:
Basic authentication (password is send in clear text)
The basic authentication option insures the highest level of compatibility with different POP3 clients. However, basic authentication passes user name and password information "in the clear". You should use basic authentication only when you protect the connection using TLS encryption.
Requires SSL/TLS encryption
This setting forces the POP3 client to establish an SSL/TLS connection before credentials are sent to the POP3 server. If the client does not successfully establish a secure connection with the POP3 server, then the connection is dropped without the exchange of credentials. Never allow basic authentication without protecting the connection with TLS security.
Simple Authentication and Security Layer
Use this option to allow the POP3 client to use integrated authentication (NTLM).
I recommend that you enable all options. This allows the greatest level of flexibility and security for your POP3 client/server connections.
- Click on the Communication button in the Secure communication frame.
- Put a checkmark in the both the Require secure channel and Require 128-bit encryption checkboxes. This option forces the POP3 client to negotiate a secure TLS connection before any credentials or data is transferred between the POP3 client and server. Click OK.
Installing Windows Server 2003 on the Firewall Computer
The computer that will be the ISA Server 2000 firewall must meet the following minimum requirements:
- A personal computer with a 1.5 MHz or higher Intel/AMD-compatible CPU
- For the operating system, Windows 2000 Service Pack 4 or Windows Server 2003
- 256 MB of memory (RAM)
- 20 MB of available hard disk space for program files
- Two network adapters that is compatible with Windows 2000 or Windows Server 2003 , for communication with the internal and external networks
- One local hard disk partition that is formatted with the NTFS file system for log files and Web caching (if you wish to run the ISA Server firewall’s Web caching facilities)
The ISA Server firewall and Web caching components work very well on modest hardware. This is true even when the SMTP filter is enabled and protecting the published SMTP servers. However, if you run decide to use the SMTP Message Screener on the firewall, or if you use SSL to protect Web Published Web site, or if you use the ISA Server firewall as a VPN server, you need to increase the minimum requirements to support processor intensive encryption services.
Install ISA Server 2000 on the Firewall Computer
Install ISA Server 2000 after installing Windows Server 2003 onto the firewall computers. You must go through some specific procedures outside of the standard ISA Server 2000 installation when installing the firewall software onto a Windows Server 2003 computer. Please refer to Installing ISA Server 2000 on Windows Server 2003 for details.
Create the POP3 and Secure POP3 Server Publishing Rules
Now you can create the secure POP3 Server Publishing Rule. Perform the following steps to create the POP3 Server Publishing Rule:
Perform the following steps to create the secure POP3 Server Publishing Rule:
- Type in a name for the Server Publishing Rule in the Server publishing rule name text box on the Welcome to the New Server Publishing Rule Wizard page. Click Next.
- On the Address Mapping page, type in an IP address for the internal secure virtual POP3 server in the IP address of internal server text box. Click the Browse button next to the External IP address on ISA Server text box. Select the IP address on the external interface of the ISA Server firewall that you want to listen for incoming secure POP3 connection requests in the New Server Publishing Rule Wizard dialog box. Click OK and then click Next on the Address Mapping page.
- Click the down arrow for the Apply the rule to this protocol drop down list box on the Protocol Settings page. Select the POP3S Server.
- On the Client Type page, select the Any request option. Click Next.
- Review your settings on the Complete the New Server Publishing Rule Wizard page and click Finish.
- The new POP3 Server Publishing Rule appears in the right pane of the ISA Management console. Note that in this example that I’ve created an unsecured POP3 Server Publishing Rule for testing purposes. You can create an unsecured POP3 Server Publishing Rule to test basic connectivity, but please disable or delete that rule as soon as you confirm connectivity.
SMTP Server considerations for POP3 and Secure POP3 mail clients
The most common configuration has the POP3 client download mail from the POP3 server and remove the messages from the server. You can configure most POP3 clients to leave the messages on the server if you do not want them removed. The message stays on the Exchange 2003 Server and is available to the user at a later time. You might want to set up this type of configuration when the user uses POP3 on the road and the full MAPI Outlook client while in the office.
POP3 allows for downloading only. You must use SMTP to send responses to the messages or to create and send new mail. The POP3 client has several options:
- Use the SMTP server provided by the ISP
If the POP3 user logs onto an ISP that provides an SMTP server address, the user can use the local ISP’s SMTP server to send messages. The ISP may even offer secure SMTP access that allows the use to protect credentials and data using SSL/TLS. Note that when the user uses a local ISP’s SMTP server, it becomes the users’ responsibility to force a secure connection with the SMTP server. Allowing the user to decide on the level of security provided for any connection is poor security policy.
- Create an SMTP server for the POP3 user
If the user does not log on to a local ISP, or if the user uses an ISP that does not provide a secure SMTP server, you can create your own secure SMTP server. The secure SMTP server can be placed on the ISA Server firewall as a secure SMTP relay, or you can publish a secure SMTP virtual server located on the Exchange Server.
I’ll provide details on how to both create a secure authenticating SMTP relay on the firewall itself and how to create a secure authenticating SMTP server on the Exchange 2003 server in future articles.
Another option is to allow the user to connect to a secure POP3 server over the Internet, but require that all outbound messages be sent over a VPN link. This configuration is problematic because the POP3 client is configured to use a public address to connect to the secure POP3 server, but is configured to use the Exchange Server’s private address (that it can connect to after the VPN connection is established) to send SMTP mail.
The problem with this configuration is that it does not allow the POP3 component to work when the VPN connection is established. This would require split tunneling and split tunneling is an extreme security risk. For more information on the dangers of split tunneling, please see VPN Client Security Part 2: Forcing Firewall Policy on VPN Clients and Forcing Firewall Policy on VPN Clients
The most common solution to this problem is to have the user change the IP address used for the POP3 server to the Exchange Server’s internal IP address while connected to the VPN and then change it back to the public address used in the secure POP3 Server Publishing Rule when the VPN link is disconnected. No matter how you cut it, its not a very functional solution.
I recommend that you create your own secure SMTP server on either the ISA Server firewall computer, or on the Exchange Server itself. Another option is to use a machine between the ISA Server firewall and the Exchange Server as a secure authenticating relay. The advantages of this configuration are:
Configuring the SMTP Client to use TLS Encryption for SMTP Messages
The SMTP client must be configured to negotiate a TLS connection with the authenticating SMTP relay. The method used to configure the client to use secure SMTP connections varies with the client. Regardless of the SMTP email client application, all clients will need a copy of the Root CA certificate of the CA that assigned the authenticating SMTP server its Web site certificate. I cover the details on how to configure the Outlook Express SMTP client in a future article.
In this article we discussed the procedures required to create a secure POP3 server. You saw how to request a certificate for the POP3 server and how to force a secure connection to the server. Finally, you saw how to create the secure POP3 Server Publishing Rule that forwards the incoming POP3 requests to the secure POP3 server.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=6;t=001942 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom