Controlling User Access to IMAP and POP


As with Outlook Web Access, there are three primary methods of choosing who can use your IMAP and POP servers: controlling which Internet Protocol (IP) addresses are allowed to connect, specifying which authentication methods the server supports, and identifying which users are allowed to use the specified protocols.

Choosing an Authentication Method

Exchange’s IMAP and POP servers support two authentication methods: basic authentication and integrated Windows authentication. (See Chapter 14, “Securing Outlook Web Access,” for a refresher on the relative strengths and weaknesses of these authentication methods.) You can set these methods in the Access tab of the virtual server (VS) properties dialog box. Simply click Authentication and you’ll open the dialog box shown in Figure 15-1. Choose the authentication method you want to use; if you specify a default domain, remember that Exchange IMAP doesn’t support using the fully qualified domain name (FQDN) of the server for a logon request—your users have to specify either their username alone (in which case the default domain you specify is used) or the username and the NetBIOS name of their domain.

Figure 15-1: You can enable basic and integrated authentication separately for each POP or IMAP virtual server.

Controlling Access by IP Address

You can control the connection behavior of the virtual servers in a couple of different ways. First, you can use the controls in the General tab of the VS properties dialog box to control what IP address and port it listens on. For example, you could configure the POP and IMAP services on a front end server so that they don’t accept requests from clients on the internal local area network (LAN).

Second, you can use the Connection button in the Access tab of the VS Properties dialog box to restrict connections by specifying individual IP addresses, IP ranges, or Domain Name System (DNS) domain names. You can apply restrictions that allow only the listed computers to connect or that allow any machine other than those listed to connect. Either way, the VS refuses connection requests according to the list you provide.

Regulating Who Can Use the Protocol Server

You might want to control or restrict which users can use POP or IMAP on your servers. There are four ways you can do this, all of which are fairly straightforward. Each method provides a different degree of selectivity. From the most specific to the least specific, your options are as follows:

  • Enable or disable IMAP or POP access for an individual user. You can use Active Directory Users and Computers to modify individual users’ protocol settings. In Chapter 14, we examined how to do this for Hypertext Transfer Protocol (HTTP) access. The process is the same for IMAP and POP: open the user’s Properties dialog box, click the Exchange Advanced tab, and click Protocol Settings. In the resulting Protocols dialog box, select the protocol of interest and click Settings. You can then use the Enable For Mailbox check box to control whether the protocol is active for that mailbox or not.

  • Enable or disable IMAP or POP for a group of users. To do this, you’ll need to stamp a value into the protocolSettings attribute of each affected user’s account properties in Active Directory. Microsoft Knowledge Base article 252459 contains some sample code that explains (sort of) the format of this attribute; it’s a string value in which the name of the protocol (HTTP, IMAP4, POP3, and NNTP are legal values) is followed by the § character and then either 0 (meaning the protocol is disabled) or 1 (meaning that it is enabled). You can optionally append more § characters and more options, including message format specifiers that control the default character set and message format.

  • Turn off IMAP or POP on a particular server. You can do this by stopping the default virtual servers: launch Exchange System Manager, open the target server’s Protocols container, find the VS you want to stop, right-click it, and select Stop from the shortcut menu. This stops the services until the next reboot; if you want them turned off permanently, use the Services control panel icon to disable the Microsoft Exchange IMAP4 and Microsoft Exchange POP3 services. Actually, the IMAP4 and POP3 services are implemented as dynamic link libraries (DLLs) that run within IIS, but for ease of management they show up as though they were standalone services.

  • Block the selected protocols at the network boundary. IMAP uses TCP port 143 for normal traffic and port 995 for Secure Sockets Layer (SSL) + IMAP; POP uses ports 110 and 993. If you block these ports, you’ll shut off inbound traffic, denying your clients the ability to use the selected protocols from the outside world; this is what Microsoft does on their network. Of course, you can always create an additional POP or IMAP VS and assign it a nonstandard port number. This provides a small degree of security through obscurity, but it’s a hassle for your clients and likely isn’t worth the effort.

    Tip

    The easiest way to generate the value of the protocolSettings attribute is to use the process just described to modify one user’s protocol settings to match your requirements. Once you’ve done that, you can use the ADSIEdit snap-in to inspect the value of protocolSettings to make sure that you get the value right in your script.
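As an added example (not from the book or from KB 252459), the following PowerShell script stamps the enable flag for one protocol onto every member of a group, the way the second option above and the Tip describe. The group DN, the `Set-ProtocolFlag` helper and the dry-run switch are this example's own assumptions; the attribute layout (protocol name, § separator, 0/1 flag, optional trailing fields) is as described above, and existing entries for other protocols are left untouched.

```powershell
# Added example: stamp the enable flag of one protocol into protocolSettings
# for every member of a group. Group DN and helper names are assumptions.
param(
    [string]$GroupDn = "CN=No-POP3-Users,OU=Groups,DC=example,DC=com",  # assumed group
    [ValidateSet("POP3", "IMAP4", "HTTP", "NNTP")][string]$Protocol = "POP3",
    [ValidateSet("0", "1")][string]$Enabled = "0",   # 0 = disabled, 1 = enabled
    [switch]$DryRun                                  # print changes without writing
)

$sep = [char]0x00A7   # the section sign (§) that separates fields in protocolSettings

function Set-ProtocolFlag {
    param([string[]]$Values, [string]$Protocol, [string]$Enabled)
    # Return a new value list with the flag of $Protocol set; other protocols'
    # entries and any trailing option fields (charset, format) are preserved.
    $found = $false
    $result = @(foreach ($v in $Values) {
        $fields = $v.Split($sep)
        if ($fields[0] -ieq $Protocol) {
            $found = $true
            if ($fields.Count -lt 2) { $fields += "" }   # entry had no flag field
            $fields[1] = $Enabled
            $fields -join $sep
        } else {
            $v
        }
    })
    if (-not $found) { $result += "$Protocol$sep$Enabled" }   # no entry yet: add one
    return $result
}

$group = [ADSI]"LDAP://$GroupDn"
foreach ($dn in $group.Properties["member"]) {
    $user    = [ADSI]"LDAP://$dn"
    $current = @($user.Properties["protocolSettings"])
    $new     = Set-ProtocolFlag -Values $current -Protocol $Protocol -Enabled $Enabled
    Write-Host "$dn`n  before: $($current -join ' | ')`n  after:  $($new -join ' | ')"
    if (-not $DryRun) {
        # Rewrite the multi-valued attribute as a whole so nothing is duplicated.
        $user.Properties["protocolSettings"].Clear()
        foreach ($v in $new) { [void]$user.Properties["protocolSettings"].Add($v) }
        $user.CommitChanges()
    }
}
```

Run it once with `-DryRun` and compare the printed "after" values with what ADSIEdit shows for the user you configured by hand, as the Tip suggests, before letting it write.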




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
EAN: N/A
Year: 2003
Pages: 169
