Using POP and IMAP with SSL


One way to bolster the security of IMAP and POP services is to allow (or require) your users to use them with Secure Sockets Layer/Transport Layer Security (SSL/TLS) protection. There are two ways to accomplish this. One way is for the server to accept connections on the default port number, then start an SSL conversation on the same port when it encounters a compatible client. This, you might recall, is the approach taken by the STARTTLS extension for the Simple Mail Transfer Protocol (SMTP), as described in Chapter 11, “Securing Internet Communications.” Although this opportunistic encryption is supported by many UNIX servers (and a significant number of clients), Exchange doesn’t work this way. Instead, clients that want an SSL-protected IMAP or POP session have to connect to the SSL equivalent of the default service port. Although you can change this port number in the VS properties, doing so requires you to change the port that clients use, too—always a time-consuming and error-prone proposition.

Tip

If you’re using a clustered mailbox server with IMAP or POP, make sure that you enable both the SSL and plain versions of the protocol. The cluster resource monitor queries the default TCP ports of the IMAP, POP, and SMTP services; if SSL is enabled, the cluster service receives an unintelligible response, and it fails the services over—but they fail back at the next checkpoint, and so on.

To request a certificate for use with IMAP or POP and SSL, you need to follow the process outlined in Chapter 11. Interestingly, Outlook Web Access and SMTP automatically share one certificate, but you’ll need to either create new certificates or assign an existing certificate to each POP or IMAP VS that you want to secure. Accordingly, when you start the Web Server Certificate Wizard by clicking Certificate in the Access tab of the VS Properties dialog box, the first interesting page you see is the Server Certificate page, which you use to specify whether you want to request a new certificate or assign an existing certificate. It’s perfectly acceptable to reuse your Outlook Web Access certificate for POP and IMAP VSs, as long as they’re running on the same machine.

Once you’ve installed the certificate, you’ll need to do two things to enable it for use with the selected protocol VS. First, you have to decide whether you want to require SSL or just allow it. If you want to require it, open the VS Properties dialog box and click the Access tab. Notice that the Communication button is now enabled—that’s proof that your certificate is installed and ready for use. Clicking Communications opens the Security dialog box (see Figure 15-2); there you can turn on SSL by selecting the Require Secure Channel check box and force the use of 128-bit SSL by selecting the Require 128-Bit Encryption check box. If you’re going to require SSL, you should require 128-bit SSL because it offers much better security than the default 40-bit version.

Figure 15-2: Turning on SSL is easy, but remember that it might break your wireless clients.
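Because Exchange offers no STARTTLS upgrade on the plaintext IMAP and POP ports, the practical check after enabling Require Secure Channel is whether each VS answers correctly on its SSL port (993 for IMAP, 995 for POP) with a valid certificate, and whether the plaintext port (143 or 110) still accepts sessions that could carry credentials in the clear. The following audit script is an added example, not code from the book or from Microsoft; it uses only the Python standard library, sends no credentials, and the host name `mail.example.com` is a placeholder you replace with your own server.

```python
"""Audit an IMAP or POP virtual server's plaintext and SSL listeners.

Added example (not from the book). Host names and ports come from the
caller; "mail.example.com" below is a placeholder.
"""
import socket
import ssl
import time

# Default TCP ports per protocol: (plaintext, SSL-wrapped).
DEFAULT_PORTS = {"imap": (143, 993), "pop3": (110, 995)}


def parse_imap_capabilities(response: str) -> set:
    """Collect capability tokens from an IMAP CAPABILITY response or from
    a greeting of the form '* OK [CAPABILITY ...] ready'."""
    caps = set()
    for line in response.splitlines():
        upper = line.strip().upper()
        if upper.startswith("* CAPABILITY "):
            caps.update(upper.split()[2:])
        elif "[CAPABILITY " in upper:
            start = upper.index("[CAPABILITY ") + len("[CAPABILITY ")
            end = upper.find("]", start)
            if end != -1:
                caps.update(upper[start:end].split())
    return caps


def parse_pop3_capabilities(response: str) -> set:
    """Collect capability names from a POP3 CAPA reply (RFC 2449).
    A '-ERR' reply means the server does not implement CAPA at all."""
    lines = response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return set()
    caps = set()
    for line in lines[1:]:
        line = line.strip()
        if line == ".":
            break
        if line:
            caps.add(line.split()[0].upper())
    return caps


def days_until_expiry(not_after: str, now=None) -> int:
    """Days until the certificate's notAfter time (ssl module string format)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def assess(proto: str, plain_caps, tls_info: dict) -> dict:
    """Reduce the two probes to one verdict per listener. A plaintext
    listener that neither offers STARTTLS/STLS nor advertises
    LOGINDISABLED is where a misconfigured client leaks credentials."""
    upgrade = "STARTTLS" if proto == "imap" else "STLS"
    if plain_caps is None:
        plain = "closed"
    elif upgrade in plain_caps or "LOGINDISABLED" in plain_caps:
        plain = "protected"
    else:
        plain = "exposed"
    if "error" in tls_info:
        tls = "failed"
    elif tls_info["days_left"] < 30:
        tls = "expiring"
    else:
        tls = "ok"
    return {"plaintext": plain, "ssl": tls}


def _read_lines(sock, stop, limit=65536) -> list:
    """Read CRLF-terminated lines until stop(line) is true or the peer closes."""
    buf, lines = b"", []
    while len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line.decode("ascii", "replace"))
            if stop(lines[-1]):
                return lines
    return lines


def probe_plaintext(host, proto, port=None, timeout=5.0):
    """Capabilities advertised on the plaintext port, or None if it refuses
    connections. Only CAPABILITY/CAPA and a polite logout are sent."""
    port = port or DEFAULT_PORTS[proto][0]
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        greeting = _read_lines(sock, lambda l: True)
        if proto == "imap":
            sock.sendall(b"a1 CAPABILITY\r\n")
            lines = greeting + _read_lines(sock, lambda l: l.startswith("a1 "))
            caps = parse_imap_capabilities("\r\n".join(lines))
            sock.sendall(b"a2 LOGOUT\r\n")
        else:
            sock.sendall(b"CAPA\r\n")
            lines = _read_lines(sock, lambda l: l == "." or l.startswith("-ERR"))
            caps = parse_pop3_capabilities("\r\n".join(lines))
            sock.sendall(b"QUIT\r\n")
    return caps


def probe_ssl(host, proto, port=None, timeout=5.0):
    """Handshake on the SSL port with chain and hostname verification on;
    return the negotiated parameters or the reason the handshake failed."""
    port = port or DEFAULT_PORTS[proto][1]
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"version": tls.version(), "cipher": tls.cipher()[0],
                        "days_left": days_until_expiry(cert["notAfter"])}
    except (OSError, ssl.SSLError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    for proto in ("imap", "pop3"):
        tls_info = probe_ssl(host, proto)
        print(proto, assess(proto, probe_plaintext(host, proto), tls_info), tls_info)
```

Run it as `python audit.py mail.example.com` against each mailbox server. A `plaintext: exposed` verdict next to `ssl: ok` is the expected state of an Exchange VS that merely allows SSL; if you have chosen to require it, that plaintext listener is the one to watch, and the `ssl: failed` case usually means the certificate on the VS does not match the host name clients are given. The hostname and chain checks are deliberately left at the `ssl` module's defaults so the script fails the same way a strict client would.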

The other thing you have to do is to configure your clients to use SSL with the selected protocol. The exact procedure for doing this varies by client. For Microsoft Outlook 2002, you’ll need to do the following:

  1. Log on to Outlook with the profile that contains your IMAP account.

  2. Use the Tools | E-Mail Accounts command to open the E-Mail Accounts dialog box. In that dialog box, choose View Or Change Existing E-Mail Accounts and then click Next.

  3. In the E-Mail Accounts page, select your IMAP account and click Change.

  4. In the Internet E-Mail Settings page, click More Settings to display the Internet E-Mail Settings dialog box, which has four tabs: General, Outgoing Server, Connection, and Advanced.

  5. Click the Advanced tab (see Figure 15-3). There are two check boxes for enabling SSL: one in the Incoming Server (IMAP) control group and one in the Outgoing Server (SMTP) group. If you want to use SSL for IMAP, select the former; if you want to use it for SMTP, select the latter.

    Figure 15-3: Configure Outlook to use SSL for IMAP, SMTP, or both.

start sidebar
SSL and Wireless Devices

There’s one major drawback to requiring SSL for POP and IMAP: it will probably disable the ability of your wireless clients to retrieve mail. For example, Eudora is the only one of the mail clients for the Palm OS that supports SSL for POP; there aren’t any that support SSL with IMAP. In the Pocket PC realm, there’s at least one way to set up SSL+IMAP with Pocket Outlook (see http://www.e2ksecurity.com for details), but it’s pretty involved.

In general, any device or program that interposes its own service or redirector between you and your mailbox server is unlikely to work properly with SSL-enabled IMAP or POP servers. In those cases, you have to decide whether you want to allow unsecured IMAP or POP (risking the exposure of your users’ credentials) or block users of those devices from your servers. There’s an additional alternative: some services, like Corsoft’s Aileron (http://www.corsoft.net) and the Research in Motion BlackBerry line (http://www.blackberry.net), implement their own encryption between the user’s device and the service.

end sidebar


Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
Year: 2003
Pages: 169