In the last part of this tutorial series I gave you an overview of the POP3 protocol and showed you how to enable POP3 for Exchange Server 2010. In this tutorial I’ll show you how to configure the Exchange 2010 POP3 service for secure client access.
Understanding the Need for Secure POP3
The Post Office Protocol (POP) is insecure by default because it sends user credentials in plain text. To understand how serious this is, imagine that your end users are on a public Wi-Fi network and connecting to your corporate Exchange servers over POP3. They’ll be authenticating with their Active Directory username and password.
If POP access is not secured, those credentials are sent “in the clear” and can be sniffed by an attacker who is on the same Wi-Fi network. To see an example of this in action, here is a POP3 session login sniffed on an insecure network.
The user’s cleverly chosen password of “Seagull1” is visible to anyone who is able to sniff the network traffic.
As you can see in the example above, it is very important that POP traffic is secured if you plan to use it for remote email access in your Exchange 2010 environment.
Configuring Security for the Exchange Server 2010 POP3 Service
To configure the POP3 service on Exchange Server 2010 Client Access servers open the Exchange Management Console and navigate to Server Configuration/Client Access.
Click on the name of the Client Access server you want to configure, and then open the Properties of the POP3 protocol in the lower pane.
On the Authentication tab you can see that Secure logon is the default setting. So why have I been explaining the importance of POP3 security to you when Exchange 2010 is secure by default?
Because I see a lot of customers changing this setting to Plain text logon, simply because that is the easiest way to get POP3 working quickly. Usually they do this because they encounter logon errors for clients who are trying to connect.
A network capture shows the same error occurring.
This will happen if the email client is not configured to use SSL for the connection.
When the POP3 connection is made using SSL the client is able to log on and retrieve mail successfully. More importantly, it does so without attackers on insecure networks being able to sniff the credentials from the network traffic.
Configuring Ports for Exchange Server 2010 POP3
You may have noticed in the screenshot above that when the client is configured for SSL it changes the port from 110 to 995. TCP 995 is the port for SSL-secured POP3. The POP3 service is bound to both ports 110 and 995 by default. You can see this in the Bindings tab of the POP3 properties.
Configuring an SSL Certificate for Exchange Server 2010 POP3
Because SSL is being used to secure the POP3 connections you will need to configure an SSL certificate for your Client Access server.
This certificate must include the name that you want your remote users to connect to for POP3 access, and it must be trusted by the computer the remote user is connecting from. If it is not trusted, or there is a name mismatch, they may receive certificate warnings in their POP3 email client.
To fix this, after installing an SSL certificate, configure the certificate name in the Authentication tab of the POP3 properties.
You’ll need to restart the POP3 service to apply this or any other configuration change that you make.
When all of the settings are configured correctly your remote email users will be able to connect to Exchange Server 2010 over POP3 securely.
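The same configuration can be applied and verified from the Exchange Management Shell instead of the console. The following is an added example, not code from the original article: it audits every Client Access server for the plain text logon setting described above, enforces Secure logon, keeps the default 110/995 bindings, binds a certificate by name, and restarts the service. The server name CAS01 and the certificate name mail.example.com are placeholders; replace them with your own values.

```powershell
# Added example: hardening the Exchange 2010 POP3 service from the Exchange Management Shell.
# $cas and $certName are placeholders, not values from the article.
$cas      = "CAS01"             # placeholder: Client Access server to configure
$certName = "mail.example.com"  # placeholder: FQDN remote POP3 clients will connect to

# 1. Audit every Client Access server in the organization for the LoginType that
#    the tutorial warns about (PlainTextLogin), plus bindings and certificate name.
Get-ClientAccessServer | ForEach-Object { Get-PopSettings -Server $_.Name } |
    Select-Object Server, LoginType, SSLBindings, UnencryptedOrTLSBindings, X509CertificateName |
    Format-Table -AutoSize

# 2. Enforce Secure logon (the Exchange 2010 default). On TCP 110 the client must
#    negotiate TLS (STLS) before USER/PASS is accepted; TCP 995 is SSL from the start.
Set-PopSettings -Server $cas -LoginType SecureLogin

# 3. Keep the default bindings: 995 for SSL-secured POP3, 110 for unencrypted/STARTTLS.
Set-PopSettings -Server $cas `
    -SSLBindings "0.0.0.0:995", "[::]:995" `
    -UnencryptedOrTLSBindings "0.0.0.0:110", "[::]:110"

# 4. Pick the newest installed certificate that covers the client-facing name,
#    enable it for the POP service, and tell the POP3 service which name to present.
$cert = Get-ExchangeCertificate -Server $cas |
    Where-Object { $_.CertificateDomains -contains $certName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate on $cas contains the name $certName" }
Enable-ExchangeCertificate -Server $cas -Thumbprint $cert.Thumbprint -Services POP
Set-PopSettings -Server $cas -X509CertificateName $certName

# 5. POP3 settings only take effect after the service restarts.
Invoke-Command -ComputerName $cas -ScriptBlock { Restart-Service MSExchangePOP3 }

# 6. Confirm an SSL logon works end to end (LightMode tests logon only, not mail flow).
Test-PopConnectivity -ClientAccessServer $cas -ConnectionType Ssl -LightMode `
    -MailboxCredential (Get-Credential -Message "Test mailbox credentials")
```

Step 1 is the check worth running periodically: any server reporting LoginType PlainTextLogin is accepting credentials in the clear on port 110, which is exactly the shortcut the article describes customers taking. Step 5 assumes PowerShell remoting to the Client Access server; run Restart-Service locally on the server if remoting is not enabled.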
In the next part of this tutorial series we’ll take a look at some of the other configuration options for Exchange 2010 POP3.
Hi Paul,
Sorry for not making the scenario clear.
2-CAS/HUB in site A (LB)
2-MBX in Site A (DAG)
2-CAS/HUB in site B (LB)
2-MBX in Site B (DAG)
Enabled pop3 on one CAS ServerA in Site A
Client is in Site B connecting via POP3, but the logs show the connection going to CAS ServerB
We just want to enable POP3 on one of the CAS Servers (CAS ServerA) within Site A, so any other future POP3 connections regardless of the site will connect to that CAS Server within Site A
Is this possible?
Thanks Eric
Paul,
If we have multiple CAS servers within the Org can we enable pop3 on just one of them and have the person(s) connect to that one specifically or we would have to do this on all of them in the Org?
Regards,
Eric
The Real Person!
Author Paul Cunningham acts as a real person and passed all tests against spambots. Anti-Spam by CleanTalk.
For Exchange 2010? You can enable it on a single CAS if you want to.
Hi Paul,
I have several CAS Servers in the environment (2010). Enabling POP3 on a specific CAS server does not work; after enabling POP3 logging I see in the log that it is redirecting the traffic to another CAS Server. Enabling the CAS server in the log, then the POP3 client starts to function. Am I not seeing something properly here?
Are you using a load balancer?
There is a load balancer in place, with two CAS Servers within the CAS array. I have enabled POP3 on only one of the CAS Servers within the ARRAY itself, and I point the pop client directly to that POP3 Server. Doing it like this the Client is unable to connect, only when I enable POP3 on the other CAS Server within the ARRAY it works.
Ultimately I am trying to bypass the LB and the Array and go directly to one of the two CAS Servers.
Ignore the CAS Array, it’s not relevant to POP connections.
I’m trying to understand your scenario. Are they dedicated CAS, or multi-role? Are they all in the same site?
Why not just enable POP on all CAS and load balance the traffic anyway?
Tried all your steps. Still can’t add an email account on my iPhone.
Are you trying to connect from your iPhone to Exchange using POP? Why not just use ActiveSync?
Paul,
Thank you for sharing such a valuable article. I would also like to know if there is something similar for Exchange 2013, as I am not able to use SSL for POP3. All the certificates are set and enabled for the required services. I keep getting: 0x800CCC1A “Your server does not support the connection encryption type you have specified”
Sounds like your client hasn’t been configured correctly.