This step-by-step article describes how to configure
security settings for incoming Post Office Protocol V3 (POP3) connections to
your Exchange 2000 computers. These security settings help your users
authenticate and receive potentially sensitive material, and try to minimize
the risk that the user name, the password, or the message content could be
intercepted.
You may use POP3 to connect to your Exchange 2000 computers when bandwidth limitations or firewall port restrictions rule out other client protocols.
However, POP3 authentication and message transmission use clear-text commands that are open to interception.
Requirements
The following items describe the recommended hardware, software,
network infrastructure, skills, knowledge, and service packs you must have to
configure the security settings.
- Microsoft Windows 2000 Server with Service Pack 2 (SP2)
- Microsoft Active Directory directory service
- Exchange Server 2000 with Service Pack 1 (SP1)
- A POP3 client such as Microsoft Outlook Express 5.0 or
later
This article assumes that you are familiar with the following
topics:
- Exchange System Manager
- TCP/IP configuration issues
- Security concepts such as Secure Sockets Layer (SSL)
technology and encryption
- Security certificates
- Network Monitor captures
How to Plan for the Level of Security
Before you start to configure the POP3 virtual server, you must
consider the level of security that you want to implement. You can configure
POP3 security settings on three main levels:
- Connection control: You can restrict connections based on Internet Protocol (IP) address or domain name, including reverse Domain Name System (DNS) lookups. This is a basic level of security that you use only if you know the exact IP address of the incoming connection. It does not encrypt passwords or message data; however, you can combine it with the other security settings.
- Access control: You can configure either basic authentication or integrated Windows authentication (NTLM authentication). Because basic authentication sends user names and passwords in clear text, it is recommended that you disable this authentication type. If you disable basic authentication, you must enable Log on using Secure Password Authentication in the POP3 client software. In Microsoft Outlook Express, click the Servers tab in the account properties to enable Secure Password Authentication. Note that Secure Password Authentication protects only the logon session, not the message body.
- Security-enhanced communication: You can encrypt the entire POP3 session, including the logon sequence and the transmission of the message body, by using SSL. It is recommended that you use SSL for all POP3 connections to Exchange 2000 that cross public networks such as the Internet. You must install a certificate on your POP3 virtual server. To obtain one, you can either use an external certification authority or install Certificate Services in your Microsoft Active Directory forest.
Note Encrypting POP3 protects only the sessions in which clients collect mail from the Exchange 2000 POP3 virtual server; Simple Mail Transfer Protocol (SMTP) message delivery is not encrypted. It is recommended that you take additional precautions to encrypt SMTP message delivery.
For more information about how to encrypt SMTP mail delivery, see the following article in the Microsoft Knowledge Base:
319267 How to secure Simple Mail Transfer Protocol client message delivery in Exchange 2000 Server (http://support.microsoft.com/kb/319267/)
How to Access the POP3 Virtual Server Object
- Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
- In the left pane, double-click Servers.
- Click the server that you want to configure, click Protocols, and then click POP3.
- Right-click Default POP3 Virtual Server, and then click Properties.
- Click the Access tab to configure the access control settings.
How to Configure IP Address Restrictions
- Open the Default POP3 Virtual Server properties. To do so, follow the procedure in the preceding section.
- Click the Access tab, and then click Connection.
- Click Only the list below. If you do so, only the IP addresses and domains in the list are allowed to connect to the POP3 virtual server. Use any of the following methods to add items to this list:
- Add a single IP address at a time. To do so, type a host name, and then click DNS lookup to resolve that name automatically to an IP address. Use this method if you have remote users that always connect from fixed, non-contiguous IP addresses.
- Add a range of addresses, such as 131.107.2.0 with a
subnet mask of 255.255.255.0. You can use subnet masks such as 255.255.255.252
to restrict the acceptable hosts to a range of only six IP
addresses.
- Set restrictions on a domain basis. For example, you
can limit connections so that only connections from contoso.com are accepted.
However, if you use this method, you must perform a DNS reverse lookup on each
incoming connection, which can adversely affect the Exchange 2000 computer's
performance. For more information, refer to the "Troubleshooting" section at
the end of this article.
- Click OK to accept the IP address restrictions.
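The following Python script is an added example, not part of the Knowledge Base article, that models how the "Only the list below" decision works for the three kinds of entry described above (single address, subnet given as address plus mask, and domain name). The 131.107.2.0/255.255.255.0 subnet is the one the article uses; the other addresses, the PTR table and the function names are constructed for the example. The domain case is evaluated through a reverse lookup, which is why the Troubleshooting section warns about its cost.

```python
import ipaddress
import socket

# Allow-list entries mirroring the three kinds you can add under "Only the list below":
# a single host, a subnet given as address plus mask, and a domain name.
# 131.107.2.0/255.255.255.0 is the subnet the article uses; the other values are constructed.
ALLOW_LIST = [
    {"kind": "single", "address": "203.0.113.45"},
    {"kind": "subnet", "address": "131.107.2.0", "mask": "255.255.255.0"},
    {"kind": "domain", "name": "contoso.com"},
]

# Constructed PTR records standing in for a real reverse lookup zone so the example
# runs offline. real_reverse_lookup() below is the equivalent against live DNS.
FAKE_PTR = {
    "131.107.3.7": "laptop.contoso.com",
    "198.51.100.9": "host.fabrikam.com",
}


def fake_reverse_lookup(ip):
    """Return the PTR name for ip, or None when the zone has no record (constructed data)."""
    return FAKE_PTR.get(ip)


def real_reverse_lookup(ip):
    """Same contract as fake_reverse_lookup, but against the resolver this host is configured with."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def entry_matches(entry, ip, reverse_lookup):
    """Decide whether one allow-list entry covers the connecting address."""
    addr = ipaddress.ip_address(ip)
    if entry["kind"] == "single":
        return addr == ipaddress.ip_address(entry["address"])
    if entry["kind"] == "subnet":
        # strict=False tolerates an address with host bits set, as the dialog does
        net = ipaddress.ip_network(f"{entry['address']}/{entry['mask']}", strict=False)
        return addr in net
    if entry["kind"] == "domain":
        # Domain entries are the expensive case: one reverse lookup per connection,
        # and a missing PTR record means the connection is declined.
        name = reverse_lookup(ip)
        if name is None:
            return False
        name = name.lower().rstrip(".")
        domain = entry["name"].lower().rstrip(".")
        return name == domain or name.endswith("." + domain)
    raise ValueError(f"unknown allow-list entry kind: {entry['kind']}")


def connection_allowed(ip, allow_list=ALLOW_LIST, reverse_lookup=fake_reverse_lookup):
    """'Only the list below' semantics: accept the connection only if some entry matches.

    Address-based entries are checked before domain entries so that the reverse
    lookup is only performed for clients that no static entry already covers."""
    ordered = sorted(allow_list, key=lambda e: e["kind"] == "domain")
    return any(entry_matches(e, ip, reverse_lookup) for e in ordered)


if __name__ == "__main__":
    for client in ("203.0.113.45", "131.107.2.200", "131.107.3.7", "198.51.100.9", "198.51.100.10"):
        verdict = "accepted" if connection_allowed(client) else "declined"
        print(f"{client:15} {verdict}")
```

Pass `reverse_lookup=real_reverse_lookup` to evaluate against the live reverse lookup zone; with the default constructed table, 131.107.3.7 is accepted only because its PTR record resolves under contoso.com, and 198.51.100.10, which has no PTR record, is declined even though it might belong to a legitimate user.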
How to Configure Access Control
- Open the Default POP3 Virtual Server properties.
- Click the Access tab, and then click Authentication. By default, both the Basic Authentication and Integrated Windows Authentication check boxes are selected. If your environment supports Windows authentication, you can clear the Basic Authentication check box. Click OK to accept the change.
- Start Microsoft Outlook Express, and then configure the POP3 account settings to use Secure Password Authentication. To do so:
  - Click Accounts on the Tools menu.
  - Click the Mail tab, and then double-click the POP3 mail account.
  - Click the Servers tab, and then click to select the Log on using Secure Password Authentication check box.
  - Click OK, and then click Close.
How to Configure Secure Communications (Part One)
- Open the Default POP3 Virtual Server properties.
- Click the Access tab, and then click Certificate.
- After the Internet Information Services (IIS) Certificate wizard starts, click either Create a new certificate or Assign an existing certificate from an external certification authority, and then click Next.
- If you have a certification authority (CA) installed, click Send the request immediately to an online certification authority. If you do not have a CA installed, click Prepare the request now but send it later, and then click Next.
- If you send your request to an online CA, either give the request an appropriate name or accept the default name "Default POP3 Virtual Server," type a bit length, and then click Next.
Note Longer key lengths affect performance.
- Type the organization and organizational unit information for the CA from which you are requesting a certificate in the appropriate boxes, and then click Next.
- Type the common name for your site, and then click Next.
Note If you enable access from the Internet, you must use an externally resolvable fully qualified domain name (FQDN).
- Type the country, the state or province, and the city or locality information for your CA in the appropriate boxes, and then click Next.
- If you chose to send the request immediately to an online CA in step 4, confirm that the CA for your organization is displayed, and then click Next. If you chose to prepare the request now but send it later in step 4, accept the default file name for the certificate request or save it to a different file, and then click Next.
- Review the information on the Certificate Request Submission page, and then click Next.
- Click Finish.
How to Configure Secure Communications (Part Two)
After you install a certificate on your server, follow these
steps to force secure communications:
- Open the Default POP3 Virtual Server properties.
- Click the Access tab, and then click
Communication.
- Click to select the Require secure channel
check box.
- If both the Exchange 2000 computer and the clients support
128-bit encryption, click Require 128-bit
encryption.
- Click OK, and then click
OK.
- Stop and restart the Exchange 2000 POP3 service.
- Start Outlook Express, click Accounts on the Tools menu, and then click the Mail tab.
- Double-click the Exchange Server Mail account, click the Advanced tab, and then click This server requires a secure connection (SSL). The incoming mail (POP3) port number changes from 110 to 995.
- Click OK, and then click Close.
How to Confirm That You Configured POP3 Security Correctly
- To verify that the IP restrictions work as expected, try to connect with a valid user name from an excluded IP address. You receive a message that states that the connection to the server was declined.
- To verify the authentication encryption:
  - Run Network Monitor on your Exchange 2000 computer, and then use the default authentication settings to initiate a POP3 session from the client while you capture the traffic that is coming in to the Exchange 2000 computer.
  - Review the POP3 session and note the packets from the client to the server on port 110 (006Eh). Note that the user's logon name and password are sent in clear text.
  - Remove support for Basic Authentication, configure the client to require Secure Password Authentication, initiate another POP3 session from the client, and then capture the traffic in Network Monitor. The user account and password details are now encrypted.
- To verify full SSL encryption:
  - Add a certificate, configure the settings so that you require a secure channel on the POP3 virtual server, and then configure the client to use SSL.
  - Start a Network Monitor capture and initiate a POP3 mail collection session from the client.
  - Stop the capture, and then examine the packets that were sent. Note that all client-to-server packets with a destination of port 995 (03E3h) are encrypted.
Note If you have not enabled encryption on SMTP mail delivery, you may still see some unencrypted packets from the client that are destined for port 25 (0019h).
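The following Python script is an added example, not part of the Knowledge Base article, that automates the review step of the three captures above: given client-to-server packets on ports 110, 995 and 25, it flags clear-text USER/PASS commands, recognises an AUTH (Secure Password Authentication) logon, points out that a RETR over port 110 still carries the message body unprotected (the caveat in the "Access control" section), confirms that port 995 traffic is TLS-framed, and notes unencrypted SMTP delivery. The packets are constructed to resemble what Network Monitor would show; the `Packet` class, the severity labels and the sample addresses are assumptions of the example.

```python
from dataclasses import dataclass

POP3_PORT = 110   # 006Eh
POP3S_PORT = 995  # 03E3h
SMTP_PORT = 25    # 0019h


@dataclass
class Packet:
    """One client-to-server packet as you would read it off the Network Monitor summary pane."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed stand-in for the three captures the article walks through.
SAMPLE_CAPTURE = [
    # Capture 1: default settings, Basic Authentication -- credentials readable in the payload
    Packet("10.0.0.5", "10.0.0.1", POP3_PORT, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.1", POP3_PORT, b"PASS hunter2\r\n"),
    Packet("10.0.0.5", "10.0.0.1", POP3_PORT, b"STAT\r\n"),
    # Capture 2: Basic Authentication cleared, client set to SPA -- an NTLM exchange instead
    # of PASS, but the message itself still crosses the wire in the clear
    Packet("10.0.0.5", "10.0.0.1", POP3_PORT, b"AUTH NTLM\r\n"),
    Packet("10.0.0.5", "10.0.0.1", POP3_PORT, b"TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\r\n"),
    Packet("10.0.0.5", "10.0.0.1", POP3_PORT, b"RETR 1\r\n"),
    # Capture 3: Require secure channel set, client on 995 -- only TLS records are visible
    Packet("10.0.0.5", "10.0.0.1", POP3S_PORT, b"\x16\x03\x01\x00\x41\x01\x00\x00\x3d\x03\x01"),
    Packet("10.0.0.5", "10.0.0.1", POP3S_PORT, b"\x17\x03\x01\x00\x20\x8f\x12\xa0\x55\xc3"),
    # SMTP submission left as-is, which the article's note says you will still see
    Packet("10.0.0.5", "10.0.0.1", SMTP_PORT, b"MAIL FROM:<alice@contoso.com>\r\n"),
]


def is_tls_record(payload):
    """True when the bytes start like a TLS record header: content type 20-23, major version 3."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def triage_packet(pkt):
    """Return (severity, description) for a packet that tells us something, else None."""
    if pkt.dport == POP3_PORT:
        command = pkt.payload.split(b" ", 1)[0].strip().upper()
        if command in (b"USER", b"PASS"):
            return ("HIGH", f"{command.decode()} command on port 110: credential in clear text")
        if command == b"AUTH":
            mechanism = pkt.payload[5:].strip().decode(errors="replace")
            return ("INFO", f"AUTH {mechanism} on port 110: logon protected, session is not")
        if command in (b"RETR", b"TOP"):
            return ("MEDIUM", f"{command.decode()} on port 110: message body in clear text")
        return None
    if pkt.dport == POP3S_PORT:
        if is_tls_record(pkt.payload):
            return None
        return ("HIGH", "port 995 payload is not TLS-framed: client is not actually using SSL")
    if pkt.dport == SMTP_PORT:
        return ("MEDIUM", "SMTP on port 25: message delivery is not encrypted")
    return None


def triage_capture(packets):
    """Pair each noteworthy packet with its finding."""
    results = []
    for pkt in packets:
        finding = triage_packet(pkt)
        if finding is not None:
            results.append((pkt, finding))
    return results


def summarize(packets):
    """Count findings by severity; a clean POP3-over-SSL capture yields all zeros."""
    counts = {"HIGH": 0, "MEDIUM": 0, "INFO": 0}
    for _, (severity, _) in triage_capture(packets):
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for pkt, (severity, text) in triage_capture(SAMPLE_CAPTURE):
        print(f"[{severity:6}] {pkt.src} -> {pkt.dst}:{pkt.dport}  {text}")
    print(summarize(SAMPLE_CAPTURE))
```

On the constructed capture the first session produces two HIGH findings, the second an INFO for the NTLM logon and a MEDIUM for the unprotected RETR, and the SSL session produces nothing; the only remaining MEDIUM is the port 25 traffic, which is exactly what the closing note predicts until SMTP delivery is secured.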
After you confirm that you configured POP3 security
correctly, it is recommended that you configure secure SMTP delivery for your
POP3 clients.
For more information about how to encrypt SMTP mail delivery, see the following article in the Microsoft Knowledge Base:
319267 How to secure Simple Mail Transfer Protocol client message delivery in Exchange 2000 Server (http://support.microsoft.com/kb/319267/)
Troubleshooting
If you restrict connections by domain name, you can adversely affect the performance of the Exchange 2000 computer, because it performs a reverse DNS lookup on each incoming connection. A functioning DNS reverse lookup zone must be available, and the POP3 client's address must be registered in that zone. If you have large numbers of incoming POP3 connections, consider disabling reverse DNS lookup.
For more information about how to configure reverse lookup zones, see the following article in the Microsoft Knowledge Base:
251509 Cannot restrict access by domain name if DNS is not configured correctly (http://support.microsoft.com/kb/251509/)
If you do not specify the correct values for the server name or the organization when you create the SSL certificate on the default POP3 virtual server, users may receive the following message:
The server you are connecting to is using a security
certificate that does not match its Internet address. Do you want to continue
using this server?
To prevent this message from being displayed,
ensure that the common name for the certificate matches its Internet
address.
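The following Python script is an added example, not part of the Knowledge Base article, that shows the name check behind that message and how to verify it against a live server. `cert_matches_host` compares the name the client connects to against the certificate's subject alternative names, or its common name when there is no SAN, which is the value you typed in the common name step of the certificate wizard. `probe_pop3s` connects to port 995 with Python's default verifying context so that a mismatch or an untrusted issuer fails the handshake. The certificate dictionaries, the "EXCH01" and "mail.contoso.com" names and the function names are constructed for this example.

```python
import poplib
import ssl

# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
# CERT_WRONG_CN models the troubleshooting case: the request was filled in with the
# server's internal name rather than the name clients use.
CERT_WRONG_CN = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Contoso"),),
        (("commonName", "EXCH01"),),
    ),
}
CERT_GOOD = {
    "subject": ((("commonName", "mail.contoso.com"),),),
    "subjectAltName": (("DNS", "mail.contoso.com"),),
}


def cert_names(cert):
    """DNS names the certificate asserts: SAN dNSName entries, or the subject CN when there is no SAN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' wildcard covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def cert_matches_host(cert, hostname):
    """The kind of check a mail client performs before showing the mismatch prompt."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def probe_pop3s(hostname, port=995, cafile=None, timeout=10):
    """Connect to a live POP3-over-SSL endpoint with full verification and return the peer certificate.

    A common-name/SAN mismatch, or an untrusted issuer, raises ssl.SSLCertVerificationError
    from the handshake instead of returning. cafile lets you trust an internal CA."""
    context = ssl.create_default_context(cafile=cafile)
    conn = poplib.POP3_SSL(hostname, port, timeout=timeout, context=context)
    try:
        return conn.sock.getpeercert()
    finally:
        conn.quit()


if __name__ == "__main__":
    for label, cert in (("wrong CN", CERT_WRONG_CN), ("good", CERT_GOOD)):
        print(f"{label}: names={cert_names(cert)} "
              f"matches mail.contoso.com? {cert_matches_host(cert, 'mail.contoso.com')}")
```

If the certificate was issued by Certificate Services in your own forest, pass the exported CA certificate as `cafile`; otherwise the probe fails on trust before it ever reaches the name comparison, which is a different problem from the one the message above describes.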
For more information about how to configure POP3 security,
see Exchange Server 2000 Help and the Exchange 2000 Server Resource
Kit.