The ancillary mail services of the Post Office Protocol version 3 (POP3) and Internet Message Access Protocol version 4 (IMAP4) can be secured through an ISA Server. This is particularly important for organizations that require support of these legacy protocols, because they are less secure than the newer forms of mail access available.

Creating and Configuring a POP Mail Publishing Rule

POP3 servers are secured in ISA through the creation of a special rule that enables ISA to examine all traffic sent to the POP3 server and perform intrusion detection heuristics on it with an advanced POP intrusion detection filter. The POP server does not necessarily need to be a Microsoft server, such as Exchange, but can be run on any POP3-compliant messaging system.

CAUTION

Enable POP support in a messaging environment only if there is no other viable option. POP3 support is less secure than other access methods, and can cause mail delivery and security issues. For example, many POP clients are configured to pull all the mail off the POP server, making it difficult to do disaster recovery of mail data.

Enabling POP3 Access on an Exchange Server

If no existing POP3 server is available, but support for the protocol needs to be enabled, the service can be enabled on an internal Exchange Server 2003 system via the following procedure:

1. On the Exchange server, open the Services MMC Console (Start, All Programs, Administrative Tools, Services).
2. Right-click the Microsoft Exchange POP3 service and choose Properties.
3. Change the Startup Type to Automatic, as shown in Figure 13.21.

Figure 13.21. Enabling POP Support on the Exchange server.

4. Click Start to start the service and click OK.
Enabling SSL Support on the POP Virtual Server

Realistically, all POP traffic across an untrusted network such as the Internet should be encrypted as well, using Secure Sockets Layer (SSL). This involves installing a certificate onto the POP virtual server.

NOTE

An existing certificate can be used for POP-SSL traffic as well as HTTPS traffic. ISA is intelligent enough to decipher whether the traffic hitting its interface is HTTPS or POP-SSL traffic, and it forwards the requests to the appropriate rule. That said, some organizations do decide to create an additional name (such as pop.companyabc.com) for POP traffic to create a logical separation. Although this is convenient, it is not necessary with ISA.

To configure the POP virtual server for SSL by using an existing certificate (for example, mail.companyabc.com), do the following:

1. On the Exchange Server (or front-end Exchange Server), open Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager).
2. Navigate to ORGANIZATIONNAME, Administrative Groups, ADMINGROUPNAME, Servers, SERVERNAME, Protocols, POP3.
3. Right-click the POP virtual server and select Properties.
4. Select the Access tab.
5. Under Secure Communication, click the Certificate tab.
6. Click Next at the welcome dialog box.
7. Select Assign an Existing Certificate and click Next.
8. Select the desired certificate (for example, mail.companyabc.com) from the list and click Next to continue.
9. Click Next at the summary page.
10. Click Finish.
The final step is to force SSL on the POP virtual server. To do this in the same dialog box, perform the following steps:

1. Click the Communication button.
2. Check Require Secure Channel and Require 128 Bit Encryption, and click OK.
3. Click the Authentication button.
4. Clear the check box for Simple Authentication and leave Basic Authentication checked. Check the box for Requires SSL/TLS Encryption, as shown in Figure 13.22.

Figure 13.22. Forcing SSL on the POP virtual server.

5. Click OK.
Configuring an ISA POP Filtering Rule

After a POP server has been enabled or established on the internal network, it can be secured via modification of an existing rule or creation of a new rule to secure POP traffic as follows:

1. From the ISA Console, select the Firewall Policy node from the console tree.
2. In the Tasks pane, click the link for Publish a Mail Server.
3. Enter a descriptive name for the rule (for example, POP-SSL Access) and click Next.
4. Select Client Access: RPC, IMAP, POP3, SMTP from the radio button list and click Next.
5. In the Select Services dialog box, select Secure Ports for POP3 and click Next.
6. Enter the internal IP address of the POP server and click Next.
7. Select the networks on which the ISA server will listen by checking the boxes next to them, and click Next.
8. Click Finish, Apply, and OK.
Creating and Configuring an IMAP Mail Publishing Rule

The Internet Message Access Protocol (IMAP) is often used as a mail access method for Unix systems and even for clients such as Outlook Express. It also can be secured through an ISA Server, using the same rule as a POP rule, or through the configuration of a unique IMAP publishing rule.

Enabling IMAP4 Access on an Exchange Server

If IMAP protocol support is required, but an internal IMAP server is not currently available, Exchange Server 2003 can be configured to provide IMAP functionality through the following procedure:

1. On the Exchange server, open the Services MMC Console (Start, All Programs, Administrative Tools, Services).
2. Right-click the Microsoft Exchange IMAP4 service and choose Properties.
3. Change the Startup Type to Automatic.
4. Click Start to start the service and click OK.
Configuring SSL on the IMAP Virtual Server

As with POP traffic, it is preferable to force SSL encryption for IMAP traffic. The procedure to configure this is very similar to the POP SSL configuration and can be done with the following steps:

1. On the Exchange Server (or front-end Exchange Server), open Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager).
2. Navigate to ORGANIZATIONNAME, Administrative Groups, ADMINGROUPNAME, Servers, SERVERNAME, Protocols, IMAP4.
3. Right-click the IMAP virtual server and select Properties.
4. Select the Access tab.
5. Under Secure Communication, click the Certificate tab.
6. Click Next at the welcome dialog box.
7. Select Assign an Existing Certificate and click Next.
8. Select the desired certificate (for example, mail.companyabc.com) from the list and click Next to continue.
9. Click Next at the summary page.
10. Click Finish.
The final step is to force SSL on the IMAP virtual server. To do this, perform the following steps in the same dialog box:

1. Click the Communication button.
2. Check Require Secure Channel and Require 128 Bit Encryption, and click OK.
3. Click the Authentication button.
4. Clear the check box for Simple Authentication and leave Basic Authentication checked. Check the box for Requires SSL/TLS Encryption and click OK.
5. Click OK.
Configuring an ISA IMAP Filtering Rule

After the internal IMAP presence has been established, an ISA rule can be created to allow IMAP traffic to the IMAP server. The following procedure outlines this process:

1. From the ISA Console, select the Firewall Policy node from the console tree.
2. In the Tasks pane, click the link for Publish a Mail Server.
3. Enter a descriptive name for the rule (for example, IMAP-SSL Access) and click Next.
4. Select Client Access: RPC, IMAP, POP3, SMTP from the radio button list, as shown in Figure 13.23, and click Next.

Figure 13.23. Setting up an ISA IMAP Publishing Rule.

5. In the Select Services dialog box, select Secure Ports for IMAP4 and click Next.
6. Enter the internal IP address of the IMAP server and click Next.
7. Select the networks on which the ISA server will listen by checking the boxes next to them, and click Next.
8. Click Finish.
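As an added post-configuration check for both the POP-SSL and IMAP-SSL publishing rules above (example code written for this page, not from the book or from Microsoft), the script below connects to the published secure ports the way a mail client would, verifies the certificate against the published name, checks the negotiated cipher meets the 128-bit requirement set on the virtual server, and confirms the plaintext ports 110/143 are not reachable through ISA. It assumes mail.companyabc.com is the published name on the certificate; the port numbers are the standard POP3S/IMAPS and POP3/IMAP ports.

```python
import socket
import ssl

# Ports the ISA "Secure Ports" option publishes, and the plaintext ports
# that should stay unpublished when only SSL access is intended.
SECURE_PORTS = {"pop3s": 995, "imaps": 993}
PLAINTEXT_PORTS = {"pop3s": 110, "imaps": 143}

def greeting_ok(service, greeting):
    """True if the banner is a POP3 (+OK) or IMAP (* OK) greeting."""
    return greeting.startswith("+OK" if service == "pop3s" else "* OK")

def probe_secure(host, service, timeout=5.0):
    """TLS-connect to the secure port, validate chain and hostname as a
    mail client would, and read the banner. Returns a dict, never raises."""
    port = SECURE_PORTS[service]
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                banner = tls.recv(512).decode(errors="replace").strip()
                return {"port": port, "tls": True, "cipher_bits": tls.cipher()[2],
                        "greeting_ok": greeting_ok(service, banner)}
    except OSError as exc:  # covers refused, timeout and ssl.SSLError
        return {"port": port, "tls": False, "error": str(exc)}

def probe_plaintext(host, service, timeout=3.0):
    """Refused or timed out is the expected result; reachable means the
    rule published more than the secure ports."""
    port = PLAINTEXT_PORTS[service]
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"port": port, "reachable": True}
    except OSError:
        return {"port": port, "reachable": False}

def evaluate(secure, plaintext, min_bits=128):
    """Reduce both probe results to a list of findings; empty means compliant."""
    findings = []
    if not secure["tls"]:
        findings.append("TLS to port %d failed: %s" % (secure["port"], secure["error"]))
    else:
        if not secure["greeting_ok"]:
            findings.append("no mail greeting on port %d" % secure["port"])
        if secure["cipher_bits"] < min_bits:
            findings.append("cipher on port %d below %d bits" % (secure["port"], min_bits))
    if plaintext["reachable"]:
        findings.append("plaintext port %d reachable; publish secure ports only" % plaintext["port"])
    return findings
```

Run evaluate(probe_secure(host, svc), probe_plaintext(host, svc)) for svc in "pop3s" and "imaps" against the published name; an empty list for both means the rule exposes only the SSL listeners with a valid certificate.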