Using POP and IMAP with SSL


One way to bolster the security of IMAP and POP services is to allow (or require) your users to use them with SSL/TLS protection. There are two ways to accomplish this. One way is for the server to accept connections on the default port number, then start an SSL conversation on the same port when it encounters a compatible client. This, you might recall, is the approach taken by the STARTTLS extension for the Simple Mail Transfer Protocol (SMTP), as described in Chapter 11, Securing Internet Communications. Although this opportunistic encryption is supported by many UNIX servers (and a significant number of clients on various platforms), Exchange Server 2003 doesn't work this way. Instead, clients that want an SSL-protected IMAP or POP session have to connect to the SSL equivalent of the default service port. Although you can change this port number in the VS properties, doing so requires you to change the port that clients use, too, which is always a time-consuming and error-prone proposition.

Tip  

In Exchange 2000 Server, if you use a clustered mailbox server with IMAP or POP, you have to make sure that you enable both the SSL and plain versions of the protocol. The Exchange 2000 Server cluster resource monitor queries the default TCP ports of the IMAP, POP, and SMTP services; if SSL is enabled, the cluster service receives an unintelligible response and fails the services over, but they fail back at the next checkpoint, and so on. Thankfully, Exchange Server 2003 fixes this behavior so that enabling SSL-only sessions works fine and fails over properly.

To request a certificate for use with IMAP or POP and SSL, you need to follow the process outlined in Chapter 11. Interestingly, Outlook Web Access and SMTP automatically share one certificate, but you'll need to either create new certificates or assign an existing certificate to each POP or IMAP virtual server that you want to secure. Accordingly, when you start the Web Server Certificate Wizard by clicking Certificate on the Access tab of the VS Properties dialog box, the first interesting page you see is the Server Certificate page, which you use to specify whether you want to request a new certificate or assign an existing certificate. It's perfectly acceptable to reuse your Outlook Web Access certificate for POP and IMAP virtual servers, as long as they're running on the same machine and using the same fully qualified domain name (FQDN).

Once you've installed the certificate, you'll need to do two things to enable it for use with the selected protocol virtual server. First, you have to decide whether you want to require SSL or just allow it. If you want to require it, open the VS Properties dialog box and click Access. Notice that the Communication button is now enabled; that's proof that your certificate is installed and ready for use. Clicking Communication opens the Security dialog box (see Figure 15-3); there you can turn on SSL by selecting the Require Secure Channel check box and force the use of 128-bit SSL by selecting the Require 128-Bit Encryption check box. If you're going to require SSL, you should require 128-bit SSL because it offers much better security than the 40-bit default version that originally shipped with Microsoft Windows NT 4.0.

Figure 15-3: Turning on SSL is easy, but remember that it might break your wireless clients.
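Because Exchange Server 2003 offers no STARTTLS for IMAP or POP, the only way to confirm that the virtual server is really protected is to connect to the implicit-SSL ports (993 for IMAP, 995 for POP3) and look at what comes back. The following script is an added example, not code from the book or from Exchange; it verifies from the client side that the server answers on those ports, that the certificate it presents covers the FQDN your clients are configured to use (the same condition the text gives for reusing the Outlook Web Access certificate), and that the negotiated cipher provides at least 128-bit keys. The host name `mail.example.com` and the `CONSTRUCTED_CERT` dictionary are placeholders made up for this example; the machine running the script must trust the CA that issued the server certificate, which is exactly what your mail clients need anyway.

```python
"""Check an Exchange 2003 IMAP/POP SSL endpoint the way a client would."""
import socket
import ssl

# Implicit-SSL ports for the two protocols. Exchange 2003 has no STARTTLS
# for IMAP/POP, so these are the ports SSL clients must be pointed at.
SSL_PORTS = {"imap": 993, "pop3": 995}

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# not a real certificate, used only to exercise the matching logic offline.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "owa.example.com")),
}


def cert_names(cert):
    """Return the lower-cased DNS names a getpeercert() dict is valid for.

    Subject Alternative Names win; the CN is consulted only when no SAN exists.
    """
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value.lower())
    return names


def name_matches(pattern, hostname):
    """Match one certificate name against a host; '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_valid_for(cert, fqdn):
    """True when the certificate names cover the FQDN clients connect to."""
    return any(name_matches(name, fqdn) for name in cert_names(cert))


def strong_enough(cipher, minimum_bits=128):
    """cipher is the (name, protocol, secret_bits) tuple from SSLSocket.cipher()."""
    return cipher is not None and cipher[2] >= minimum_bits


def check_endpoint(fqdn, protocol, timeout=5.0):
    """Connect to the implicit-SSL port for `protocol` and report findings.

    Does real network I/O; point it at your own mailbox server.
    """
    port = SSL_PORTS[protocol]
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    result = {"fqdn": fqdn, "protocol": protocol, "port": port}
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                cipher = tls.cipher()
                # IMAP/POP servers speak first, so the greeting confirms the
                # protocol is really behind the SSL port.
                greeting = tls.recv(256).decode("ascii", "replace").strip()
                result.update(
                    reachable=True,
                    cert_matches_fqdn=cert_valid_for(cert, fqdn),
                    cipher=cipher,
                    strong_cipher=strong_enough(cipher),
                    greeting=greeting,
                )
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result.update(reachable=False, error=str(exc))
    return result


if __name__ == "__main__":
    import json
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    for proto in SSL_PORTS:
        print(json.dumps(check_endpoint(host, proto), default=str, indent=2))
```

Run it as `python check_mail_ssl.py mail.example.com` after enabling Require Secure Channel; a `reachable: false` result on 993 or 995, or `cert_matches_fqdn: false`, means clients configured as described below will fail, and `strong_cipher: false` means the server is still negotiating weaker than the 128-bit setting the text recommends.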

The other thing you have to do is to configure your clients to use SSL with the selected protocol. The exact procedure for doing this varies by client. For Microsoft Outlook 2002 and Outlook 2003, you'll need to do the following:

  1. Log on to Outlook with the profile that contains your IMAP account.

  2. Use the Tools E-Mail Accounts command to open the E-Mail Accounts dialog box. In that dialog box, choose View Or Change Existing E-Mail Accounts and then click Next.

  3. On the E-Mail Accounts page, select your IMAP account and click Change.

  4. On the Internet E-Mail Settings page, click More Settings to display the Internet E-Mail Settings dialog box, which has four tabs: General, Outgoing Server, Connection, and Advanced.

  5. Click the Advanced tab (see Figure 15-4). There are two check boxes for enabling SSL: one in the Incoming Server (IMAP) control group and one in the Outgoing Server (SMTP) group. If you want to use SSL for IMAP, select the former; if you want to use it for SMTP, select the latter.

    Figure 15-4: Configure Outlook to use SSL for IMAP, SMTP, or both.

Sidebar: SSL and Wireless Devices

There's one major drawback to requiring SSL for POP and IMAP: it might disable the ability of your wireless clients to retrieve mail, because many wireless clients don't support the use of SSL. On the Palm OS, Eudora and SnapperMail both support SSL with POP, and PapiMail supports SSL with IMAP. In the Pocket PC realm, there's at least one way to set up SSL+IMAP with Pocket Outlook (see http://www.e2ksecurity.com for details), but it's pretty involved.

In general, any device or program that interposes its own service or redirector between you and your mailbox server is unlikely to work properly with SSL-enabled IMAP or POP servers. In those cases, you have to decide whether you want to allow unsecured IMAP or POP (risking the exposure of your users' credentials) or block users of those devices from your servers. There's an additional alternative: some services, like Corsoft's Aileron (http://www.corsoft.net) and the Research in Motion BlackBerry line (http://www.blackberry.com), implement their own encryption between the user's device and the service.

Secure Messaging with Microsoft Exchange Server 2003
ISBN: 0735619905
Year: 2004
Pages: 189