In the last part of this tutorial series I gave you an overview of the POP3 protocol and showed you how to enable POP3 for Exchange Server 2010. In this tutorial I’ll show you how to configure the Exchange 2010 POP3 service for secure client access.
Understanding the Need for Secure POP3
The Post Office Protocol (POP) can be insecure because it allows user credentials to be sent in plain text. To understand how serious this is, imagine that your end users are on a public wi-fi network and connecting to your corporate Exchange servers over POP3. They’ll be authenticating with their Active Directory username and password.
If POP access is not secured those credentials will be sent “in the clear” and could be sniffed by an attacker who is also on the same wi-fi network. To see an example of this in action, here is a POP3 session login sniffed on an insecure network.
The user’s cleverly chosen password of “Seagull1” is visible to anyone who is able to sniff the network traffic.
As you can see in the example above it is very important that POP traffic is secured if you plan to use it for remote email access in your Exchange 2010 environment.
Configuring Security for the Exchange Server 2010 POP3 Service
To configure the POP3 service on Exchange Server 2010 Client Access servers open the Exchange Management Console and navigate to Server Configuration/Client Access.
Click on the name of the Client Access server you want to configure, and then open the Properties of the POP3 protocol in the lower pane.
On the Authentication tab you can see that Secure logon is the default setting. So why have I been explaining the importance of POP3 security to you when Exchange 2010 is secure by default?
Because I see a lot of customers changing this setting to Plain text logon, simply because that is the easiest way to get POP3 working quickly. Usually they do this because they encounter logon errors for clients who are trying to connect.
A network capture shows the same error occurring.
This happens when the email client is not configured to use SSL for the connection, because Secure logon only accepts credentials over an encrypted session.
When the POP3 connection is made using SSL the client is able to log on and retrieve mail successfully. More importantly, it does so without attackers on insecure networks being able to sniff the credentials from the network traffic.
Configuring Ports for Exchange Server 2010 POP3
You may have noticed in the screenshot above that when the client is configured for SSL it changes the port from 110 to 995. TCP 995 is the port for SSL-secured POP3. The POP3 service is bound to both ports 110 and 995 by default. You can see this in the Bindings tab of the POP3 properties.
Configuring an SSL Certificate for Exchange Server 2010 POP3
The certificate used by the POP3 service must include the name that your remote users will connect to for POP3 access, and it must be trusted by the computer the remote user connects from. If it is not trusted, or there is a name mismatch, users may receive certificate warnings in their POP3 email client.
To avoid these warnings, after installing an SSL certificate configure its name in the Authentication tab of the POP3 properties.
You’ll need to restart the POP3 service to apply this or any other configuration change that you make.
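The same settings can be audited and applied from the Exchange Management Shell instead of the console. The script below is an added example, not part of the original tutorial; the server name "CAS01" and the certificate name "mail.example.com" are assumptions to replace with your own values.

```powershell
# Added example: check the Exchange 2010 POP3 settings covered above
# (logon type, TCP 995 binding, certificate name) and correct the
# two that can be set with Set-PopSettings, then restart the service.
param(
    [string]$Server   = "CAS01",             # assumed Client Access server name
    [string]$CertName = "mail.example.com"   # assumed name on the SSL certificate
)

$pop = Get-PopSettings -Server $Server

# 1. Logon type: SecureLogin refuses USER/PASS until the session is encrypted,
#    so credentials never cross the wire in the clear.
if ($pop.LoginType -ne "SecureLogin") {
    Write-Warning "POP3 LoginType on $Server is $($pop.LoginType); credentials could be sniffed."
    Set-PopSettings -Server $Server -LoginType SecureLogin
}

# 2. Bindings: SSL-secured POP3 clients connect to TCP 995.
$has995 = $pop.SSLBindings | Where-Object { $_.Port -eq 995 }
if (-not $has995) {
    Write-Warning "No POP3 SSL binding on TCP 995 found on $Server; check the Bindings tab."
}

# 3. Certificate name: must match the name remote users connect to,
#    otherwise their client shows a certificate warning.
if ($pop.X509CertificateName -ne $CertName) {
    Set-PopSettings -Server $Server -X509CertificateName $CertName
}

# 4. None of the changes take effect until the POP3 service restarts.
Restart-Service MSExchangePOP3

# Show the resulting configuration for the record.
Get-PopSettings -Server $Server |
    Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings
```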
When all of the settings are configured correctly your remote email users will be able to connect to Exchange Server 2010 over POP3 securely.
In the next part of this tutorial series we’ll take a look at some of the other configuration options for Exchange 2010 POP3.