The customer wants to keep the IMAP/POP functionality available in the new Exchange 2010 environment, but wants to secure it where possible. In answer to that question I replied that we would keep the functionality but switch to SSL-encrypted communication between the clients and the servers. To do so, I also recommended that the clients use the client submission port (TCP 587 (RFC5321)) instead of plain SMTP (TCP 25) to send to the server(s), where we would also impose authentication. This way IMAP/POP and SMTP traffic would be encrypted and would only be accepted from authenticated users.
Requiring the clients to use the client submission port improves security because you no longer need to create a relay receive connector for the clients on TCP port 25.
I knew all of this is possible in theory but had never implemented it before, as this is the first time I have come across an environment that still uses IMAP/POP3 in production. To make sure I knew how to implement the theory, I started playing in my test environment during the Christmas holidays.
In my test environment I have a single Exchange 2010 server with the three required roles installed (HUB/CAS/MBX), and I downloaded and installed Mozilla Thunderbird as a POP client.
As we are going to use TLS to encrypt the communication channels, we have to make sure that the intended FQDNs are present in the SSL certificate. The Exchange environment already has an SSL certificate assigned to it for SMTP and IIS, and we are going to reuse that certificate to secure POP3 access.
Note: You can run the previous commands in a single line by running "Get-ExchangeCertificate | fl CertificateDomains, Services".
In the screenshot you will see that the POP and IMAP services are already assigned in my case; this is because I took the screenshots after testing rather than during testing. To assign the certificate to the IMAP/POP3 services, run the following command:
If you have multiple certificates in use, select the required certificate and assign it to the requested services:
Get-ExchangeCertificate -Thumbprint "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" | Enable-ExchangeCertificate -Services "POP, IMAP"
The required certificate is now assigned to the IMAP and POP3 service.
Note: If the MSExchangePOP3 or MSExchangeIMAP4 services were already started before assigning the certificate, you will need to restart them. This is required each time you change or reassign a certificate to a service.
Configuring the Client Access Server
Open the Exchange Management Console, go to server configuration and Client Access Server Role.
Note: I still allow connections over port 110, but you can remove that binding if you wish to allow only secured communication (which is what will be done at my customer).
Then go to the Authentication tab, modify the authentication if required and verify that the certificate name is the name of the certificate you selected in the previous step.
Note: These are basically the default settings, as Exchange 2010 aims to be secure by default.
We do not need to modify the other tabs.
Now verify that the same settings apply to IMAP, which they should, as it is designed to be secure by default.
Note: Modify the bindings if you wish to allow only secure connections.
Starting the required services
The IMAP4 and POP3 services are set to manual start, which means they are not started automatically. If you wish to offer access through these services, you have to change the start-up mode to automatic. In my test environment I merely started the services, as they are only required for testing the configuration.
To change the startup mode and start the services:
Get-service -name msexchangepop3, msexchangeimap4 | Set-Service -StartupType Automatic
Get-service -name msexchangepop3, msexchangeimap4 | Start-Service
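To check that the certificate, logon type, bindings and service start mode described above are actually in place on a Client Access server, here is an audit script I added for this post (it is not code from the original post or from Microsoft). It runs in the Exchange Management Shell and assumes the local machine is the CAS; the wildcard-certificate case is not handled.

```powershell
# Added example, not from the original post: audit the POP3/IMAP4 hardening
# described above on an Exchange 2010 Client Access server. Run it in the
# Exchange Management Shell; $Server is an assumption (defaults to this host).
$Server   = $env:COMPUTERNAME
$findings = @()

# 1. A certificate must be enabled for both the POP and IMAP services.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'POP' -and "$($_.Services)" -match 'IMAP' } |
        Select-Object -First 1
if (-not $cert) { $findings += 'No certificate is enabled for the POP and IMAP services.' }

foreach ($proto in 'Pop', 'Imap') {
    $s    = & "Get-${proto}Settings" -Server $Server      # Get-PopSettings / Get-ImapSettings
    $name = $s.ProtocolName

    # 2. Secure logon: credentials are only accepted inside TLS/SSL.
    if ($s.LoginType -ne 'SecureLogin') {
        $findings += "${name}: LoginType is $($s.LoginType); expected SecureLogin."
    }
    # 3. The certificate name clients connect to must be in the assigned certificate
    #    (exact match only; a wildcard certificate would need a looser comparison).
    if ($cert) {
        $domains = $cert.CertificateDomains | ForEach-Object { "$_" }
        if ($domains -notcontains "$($s.X509CertificateName)") {
            $findings += "${name}: X509CertificateName '$($s.X509CertificateName)' is not in the certificate."
        }
    }
    # 4. The post keeps port 110/143 open; report them so you can decide.
    if ($s.UnencryptedOrTLSBindings) {
        $findings += "${name}: unencrypted/STARTTLS bindings still open: $($s.UnencryptedOrTLSBindings -join ', ')"
    }
}

# 5. Both services must run and start automatically (Get-Service has no
#    start mode on PowerShell 2.0, so WMI is used).
foreach ($svc in Get-Service -Name MSExchangePOP3, MSExchangeIMAP4) {
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").StartMode
    if ($svc.Status -ne 'Running' -or $mode -ne 'Auto') {
        $findings += "$($svc.Name): status $($svc.Status), start mode $mode."
    }
}

if ($findings) { $findings | ForEach-Object { "WARN: $_" } }
else           { 'OK: POP3/IMAP4 hardening checks passed.' }
```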
Configure SMTP access (Client Submission Port)
We want users to authenticate and use TLS encryption when sending (relaying) mail through Exchange 2010.
Open the Exchange Management Console, go to server configuration and Hub Transport Server Role.
Select the receive connector for the client submission port, which is called "Client" by default but which I renamed to "Client Exch02". Right-click it and select Properties. Verify in the Network tab that the client network is allowed to use the connector. Go to the Authentication tab and select "Transport Layer Security (TLS)", "Basic Authentication" and "Offer Basic Authentication only after Starting TLS".
Note: I have tried with TLS alone, but then the credentials are not accepted. I could only make it work with basic authentication, but that is no issue, as the authentication is done inside the TLS tunnel in which the communication is encrypted anyway. This is why you need to make sure that "Offer Basic Authentication only after Starting TLS" is also selected.
As the client I chose Mozilla Thunderbird, as it is a widely used client on Windows and other operating systems.
I am not going to explain the client configuration in full, as it is pretty straightforward, but I am showing the client settings to prove that the communication is indeed TLS encrypted and that authentication is required to send mail (SMTP).
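The receive connector settings above are chosen in the GUI; the following script, added for this post and not part of it, reads them back from the Exchange Management Shell so you can confirm that the 587 connector requires TLS before basic authentication and see which port-25 connectors still accept anonymous senders. The server name is an assumption (defaults to the local host).

```powershell
# Added example, not from the original post: check the receive connectors on
# a Hub Transport server against the settings chosen above. Run it in the
# Exchange Management Shell; $Server is an assumption (defaults to this host).
$Server   = $env:COMPUTERNAME
$required = 'Tls', 'BasicAuth', 'BasicAuthRequireTLS'   # TLS, Basic, Basic only after TLS

foreach ($rc in Get-ReceiveConnector -Server $Server) {
    $ports = $rc.Bindings | ForEach-Object { $_.Port } | Sort-Object -Unique
    $auth  = "$($rc.AuthMechanism)" -split ',\s*'        # e.g. "Tls, BasicAuth, ..."
    $perms = "$($rc.PermissionGroups)"

    if ($ports -contains 587) {
        $missing = $required | Where-Object { $auth -notcontains $_ }
        if ($missing) {
            "WARN: '$($rc.Name)' (587) lacks: $($missing -join ', ')"
            # Same change the post makes in the GUI, as a shell command:
            "      fix: Set-ReceiveConnector -Identity '$($rc.Identity)' -AuthMechanism Tls,BasicAuth,BasicAuthRequireTLS"
        } else {
            "OK:   '$($rc.Name)' (587) only offers basic authentication inside TLS."
        }
        if ($perms -notmatch 'ExchangeUsers') {
            "WARN: '$($rc.Name)' (587) does not grant ExchangeUsers, so authenticated clients cannot submit."
        }
        if ($perms -match 'AnonymousUsers') {
            "WARN: '$($rc.Name)' (587) accepts anonymous senders; the submission port should require authentication."
        }
    }
    if ($ports -contains 25) {
        # The post's point: with 587 in use, clients need no relay connector on 25.
        # The Default connector legitimately accepts anonymous Internet mail, but a
        # port-25 connector allowing anonymous users from a narrow range is usually a
        # leftover client relay; list them for review.
        if ($perms -match 'AnonymousUsers') {
            $ranges = ($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', '
            "REVIEW: '$($rc.Name)' (25) allows anonymous senders from: $ranges"
        }
    }
}
```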
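Instead of relying on the client's settings dialog alone, you can prove the server behaviour directly: AUTH must not be advertised before STARTTLS and must be advertised after it. The probe below is an added example, not code from the original post; the server FQDN and the EHLO name are assumptions, and the certificate check only passes if the issuing CA is trusted on the machine running the probe.

```powershell
# Added example, not from the original post: probe an Exchange 2010 client
# submission endpoint (TCP 587) to confirm AUTH is only offered after STARTTLS.
# $Server is an assumption; replace it with your CAS/HUB FQDN (must match the cert).
param(
    [string]$Server = "exch02.contoso.local",   # assumed FQDN, replace
    [int]$Port = 587
)

function Read-SmtpReply($reader) {
    # Collect a multi-line reply; the last line has a space after the 3-digit code.
    $lines = @()
    do { $line = $reader.ReadLine(); $lines += $line } while ($line -match '^\d{3}-')
    return $lines
}

$tcp    = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$stream = $tcp.GetStream()
$reader = New-Object System.IO.StreamReader($stream)
$writer = New-Object System.IO.StreamWriter($stream)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true

[void](Read-SmtpReply $reader)               # 220 banner
$writer.WriteLine("EHLO probe.local")        # assumed client name
$plainCaps = Read-SmtpReply $reader
$authBeforeTls = [bool]($plainCaps -match '^250[- ]AUTH')
"AUTH advertised before STARTTLS: $authBeforeTls   (expected: False)"

$writer.WriteLine("STARTTLS")
$reply = Read-SmtpReply $reader
if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply[-1])" }

# Upgrade the socket; AuthenticateAsClient validates the chain and the name in $Server.
$ssl = New-Object System.Net.Security.SslStream($stream, $false)
$ssl.AuthenticateAsClient($Server)
"TLS protocol: $($ssl.SslProtocol), cert subject: $($ssl.RemoteCertificate.Subject)"

$reader = New-Object System.IO.StreamReader($ssl)
$writer = New-Object System.IO.StreamWriter($ssl)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true
$writer.WriteLine("EHLO probe.local")
$tlsCaps = Read-SmtpReply $reader
$authAfterTls = [bool]($tlsCaps -match '^250[- ]AUTH')
"AUTH advertised after STARTTLS:  $authAfterTls   (expected: True)"

$writer.WriteLine("QUIT"); $tcp.Close()
```

With "Offer Basic Authentication only after Starting TLS" set as in the post, the first line reports False and the second True; if the first reports True, the connector is still offering credentials in clear text.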