Search This Blog

Tuesday, January 8, 2013

Securing POP and SMTP traffic from POP clients in Exchange 2010

I working on an exchange migration from Exchange 2003 to Exchange 2010. The customer is using a mixed environment with Microsoft Windows (Windows XP/Vista and Seven) clients, and Linux Unix clients which use POP and IMAP to retrieve mail from Exchange 2003. The Windows Clients use Outlook 2010, while the Linux clients use and a number of application which use IMAP or POP3 to access there mailboxes.

The customer wants to keep the IMAP/POP functionality in the new Exchange 2010 environment available, but wants to secure it where possible. In answer to that question i replied that we would keep the functionality, but switch to SSL encrypted communication between the clients and the servers. To do so, i also recommended that the clients would use the client submission port (TCP587(RFC5321)) in stead of simple SMTP (TCP25) to send to the server(s). Where we would also impose authentication. This way IMAP/POP and SMTP traffic would be encrypted and would only occur via authenticated users.
Enforcing the clients to use the client submission port enhances security as you would not need to create a relay receive connector for the clients on TCP port 25.

I knew this all is possible from theory but never implemented this before, as this is the first time i come across an environment where they still use IMAP/POP3 in a real live environment. To make sure i knew how to implement the theory i started playing in my test environment during the Christmas holidays.

In my test environment I have a single Exchange 2010 server with the three required roles installed (HUB/CAS/MBX), and downloaded and installed Mozilla Thunderbird as a POP client.

As we are going to use TLS to digitally encrypt the communications channels, we have to make sure that the intended FQDN's are present in the SSL certificate. The Exchange environment already has and SSL certificate assigned to it for SMTP and IIS, and we are going to reuse that SSL certificate to secure the POP3 access.
In the screenshot you will see that the hostname of the server is present in the certificate, and that is the FQDN we intend to use for POP and SMTP communication. Now we need to see, to which service the certificate is assigned.
Note: You can run previous commands in a single line by running "Get-ExchangeCertificate | fl CertifiacteDomains, Services"
In the screenshot you will see that the POP and Imap Service are already assigned in my case, this was because i toke the screenshots after testing and not while testing. To assign the Certificate to the IMAP/POP3 service, you need to run following command:
If you have multiple certificates in use:
List certificates:
 select the required certificate and assign it to the requested services
Get-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | Enable-ExchangeCertificate -Services "POP, IMAP"
The required certificate is now assigned to the IMAP and POP3 service.
Note: If  the MSExchangePOP3 or MSExchangeIMAP where already started before assigning the certificate, you will need to restart these services. Is required each time you change or reassign a certificate to a service.
Configuring the Client Access Server
Open the Exchange Management Console, go to server configuration and Client Access Server Role.
Go to tab Bindings, and configure the IP addresses on which the Service should listen. By default it lists all IPv4 and IPv6 addresses, but I removed the IPv6 addresses as i do not use IPv6 in the test environment.

  Note: I still allow connection over port 110, but you can remove that if you wish to allow only secured communication (which will be done with my customer).     
Then go to the Authentication Tab, modify the authentication if required and verify that the certificate name is the name of the certificate which you selected in previous step.
Note: These are basically the default settings as Exchange 2010 aims to be secure by default.
  We do not need to modify the other tabs.

Now verify that the same settings apply to IMAP, which it should as it is designed to be secure by default.
Note: Modify the bindings if you wish to only allow secure connections.  
Starting the required services
The Imap and POP3 service are set to manual start in which they are not started automatically. If you wish to supply access by these services, you have to change the start-up mode to automatic. In my test environment i merely started the services as they are only required for testing the configuration.
To change the startup mode:
Get-service -name msexchangepop3, msexchangeimap4 | Set-Service -StartupType Automatic
Get-service -name msexchangepop3, msexchangeimap4 | Start-Service

Configure SMTP access (Client Submission Port)
We want user to authenticate and use TLS encryption when sending (relaying) mail through Exchange 2010.
Open the Exchange Management Console, go to server configuration and Hub Transport Server Role.

Select the receive connector for the client submission port which is called "Client" by defaul, but which i renamed to "Client Exch02". Right click and select Properties. Verify that the client network is allowed to use the connector in the Network Tab. Go to the Authentication Tab and select "Transport Layer Security (TLS)", "Basic Authentication" and "Offer Basic Authentication only after Starting TLS".
 Note: I have tried with TLS alone, but then the credentials are not accepted. I could only make with work with basic authentication, but that is no issue as the Authentication is done in a TLS encrypted tunnel in which the communication is encrypted anyways. This is why you need to make sure that "Offer Basic Authentication only after Starting TLS" is also selected.  
In the "Permission Groups" setting you have to make sure that "Exchange Users" and "Exchange Servers" is checked.

Client Configuration
As client i choose to use Mozilla Thunderbird, as it is a widely used client in Windows and operating Systems.
I am not going to completely explain the configuration of the client as it is pretty straight forward, yet i am showing the setting in the client to prove that communication is indeed TLS encrypted and authentication is required to send mail (SMTP).
POP3 Settings:
    SMTP Settings:
Here you see that authentication is required.
To client submission connector allows relaying for Exchange Authenticated users, so you have allowed relaying but on a more secure reliable way. If you have applications which need to send or relay SMTP traffic via your Exchange 2010 environment, you should investigate if the same settings can be used for these applications. 


  1. this post is really nice , you share this that why we learn like this . I am an ordinary Accessory Designer and I am thankful to you for this kind of informative post.
    thanks for sharing

  2. Exchange SSL Certificate (including wildcard and Multi Domain SSL certificates) from Hong Kong.protect your designed,email communication for exchange servers and office communication servers