Microsoft KB Archive/319278

= HOW TO: Secure Internet Message Access Protocol Client Access in Exchange 2000 =

Article ID: 319278

Article Last Modified on 10/28/2006

-

APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition

-



This article was previously published under Q319278



IN THIS TASK
SUMMARY
 * Requirements
 * How to Plan for the Level of Security
 * How to Access the IMAP4 Virtual Server Object
 * How to Configure IP Address Restrictions
 * How to Configure Access Control
 * How to Configure Secure Communications (Part One)
 * How to Configure Secure Communications (Part Two)
 * How to Confirm That You Configured IMAP4 Security Correctly
 * Troubleshooting

REFERENCES



SUMMARY
This step-by-step article describes how to configure security for incoming Internet Message Access Protocol (IMAP4) connections to your Exchange 2000 computers so that your users can authenticate and receive potentially sensitive material without the risk of either the user name, the password, or message content being intercepted.

You may have users who need to use IMAP4 to connect to your Exchange 2000 computers. Typically, you use IMAP4 connections if there are either bandwidth limitations or firewall port restrictions but you require more flexibility than Post Office Protocol v.3 (POP3) connections provide. However, like POP3, IMAP4 authentication and message transmission use clear-text commands that are open to interception.


Requirements
The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:
 * Microsoft Windows 2000 Server with Service Pack 2 (SP2)
 * Active Directory
 * Exchange Server 2000 with Service Pack 1 (SP1) installed on a Windows 2000-based member server in the domain.
 * An IMAP4 client such as Outlook Express v5.0 or later

This article assumes that you are familiar with the following topics:
 * Exchange System Manager
 * TCP/IP configuration issues
 * Security concepts such as Secure Sockets Layer (SSL) and encryption
 * Security certificates
 * Network Monitor captures


How to Plan for the Level of Security
Before you start to configure the IMAP4 virtual server, you must consider the level of security that you want to implement. You can configure IMAP4 security on three main levels:
 * Connection control:

Connection control restricts connections based on Internet Protocol (IP) address or domain name, including reverse DNS lookups. This level of security is a basic level that you use only if you can guarantee the IP address of the incoming connection. This level of security does not encrypt passwords or message data; however, you can use this level with the other security settings.
 * Access control:

Access control lets you configure either Basic Authentication or Integrated Windows Authentication (NTLM authentication). Because Basic Authentication sends user names and passwords in clear text, it is recommended that you disable this authentication type. If you disable Basic Authentication, you need to enable logon using Secure Password Authentication on the IMAP4 client software. Click the Servers tab in the Accounts properties to enable Secure Password Authentication in Microsoft Outlook Express. Note that Secure Password Authentication protects only the logon session, not the message body.

NOTE: Integrated Windows Authentication works only in scenarios where the client computer can contact a domain controller to validate its credentials. In most firewall configurations, this scenario is not possible and not desirable. However, internal implementations of IMAP4 access (where the logon session does not traverse the Internet) can use NTLM authentication.
 * Secure communication:

Secure communication encrypts the entire IMAP4 session, including the logon sequence and the transmission of the message body, by using SSL encryption. It is recommended that you use SSL for all IMAP4 connections to Exchange 2000 that cross public networks such as the Internet. You must install a certificate on your IMAP4 virtual server. To obtain a certificate, you can either use an external certification authority or install Certificate Services into your Active Directory forest.

NOTE: If you encrypt the IMAP4 protocol, sessions are protected only when you are collecting mail from the Exchange 2000 IMAP4 virtual server; however, Simple Mail Transfer Protocol (SMTP) message delivery is not encrypted. It is recommended that you take additional precautions to encrypt SMTP message delivery. For additional information about how to encrypt SMTP mail delivery, click the article number below to view the article in the Microsoft Knowledge Base:

319267 HOW TO: Secure Simple Mail Transfer Protocol Client Message Delivery


How to Access the IMAP4 Virtual Server Object

 * 1) Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
 * 2) In the left pane, click Servers.
 * 3) Click the server that you want to configure, click Protocols, and then click IMAP4.
 * 4) Right-click Default IMAP4 Virtual Server, and then click Properties.
 * 5) Click the Access tab to configure the access control settings.


How to Configure IP Address Restrictions

 * 1) Open the Default IMAP4 Virtual Server properties. To do so, follow the procedure in the preceding section.
 * 2) Click the Access tab, and then click Connection.
 * 3) Click Only the list below.

If you do so, only the IP addresses and domains in the list are allowed to connect to the IMAP4 virtual server. Use any of the following methods to add items to this list:
   * Add a single IP address at a time. To do so, type a host name, and then click DNS lookup to resolve that name automatically to an IP address. Use this method if you have remote users that always connect from fixed IP addresses where those IP addresses are not contiguous.
   * Add a range of addresses, such as 131.107.2.0 with a subnet mask of 255.255.255.0. You can use subnet masks such as 255.255.255.252 to restrict the acceptable hosts to a range of only six IP addresses.
   * Set restrictions on a domain basis. For example, you can limit connections so that only connections from contoso.com are accepted. However, if you use this method, you must perform a DNS reverse lookup on each incoming connection, which can adversely affect the Exchange 2000 computer's performance. For more information, refer to the "Troubleshooting" section at the end of this article.
 * 4) Click OK to accept the IP address restrictions.
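The three kinds of list entry above, modelled in Python as an added example (this is not Exchange code and not Microsoft's matching logic): the allow list, the client addresses and the stub reverse-DNS resolver are constructed, and the matching rules (single address, network plus subnet mask, reverse-lookup name ending in the listed domain) are this example's reading of the Connection dialog, not a published specification. The `only_list_below` switch models both the "Only the list below" and "All except the list below" options.

```python
"""Added example: a model of the IMAP4 virtual server's connection-control list.

The allow-list entries, the sample client addresses and the stub reverse-DNS
resolver are constructed for illustration; none of this is Exchange code.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed allow list, one entry per form the Connection dialog accepts:
# a single computer, a group of computers (network plus subnet mask), a domain.
ALLOW_LIST: List[Dict[str, str]] = [
    {"kind": "single", "value": "131.107.2.200"},
    {"kind": "group", "value": "131.107.2.0", "mask": "255.255.255.0"},
    {"kind": "domain", "value": "contoso.com"},
]

# Constructed PTR records standing in for the reverse lookup zone the server queries.
PTR_RECORDS: Dict[str, str] = {
    "192.168.50.10": "mail1.contoso.com.",
    "192.168.50.11": "host.fabrikam.com.",
}


def stub_reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for the reverse DNS lookup performed for domain entries (None = no PTR)."""
    return PTR_RECORDS.get(ip)


def entry_matches(entry: Dict[str, str], ip: str,
                  reverse_lookup: Callable[[str], Optional[str]]) -> bool:
    """Return True when the connecting address matches one list entry."""
    addr = ipaddress.ip_address(ip)
    kind = entry["kind"]
    if kind == "single":
        return addr == ipaddress.ip_address(entry["value"])
    if kind == "group":
        # strict=False tolerates a network field with host bits set, as the dialog does
        net = ipaddress.ip_network(f"{entry['value']}/{entry['mask']}", strict=False)
        return addr in net
    if kind == "domain":
        name = reverse_lookup(ip)
        if not name:
            return False  # no PTR record: membership cannot be shown, so no match
        name = name.lower().rstrip(".")
        domain = entry["value"].lower().rstrip(".")
        return name == domain or name.endswith("." + domain)
    raise ValueError(f"unknown entry kind: {kind!r}")


def connection_allowed(ip: str,
                       allow_list: List[Dict[str, str]] = ALLOW_LIST,
                       only_list_below: bool = True,
                       reverse_lookup: Callable[[str], Optional[str]] = stub_reverse_lookup
                       ) -> Tuple[bool, str]:
    """Decide whether a client may connect, with the reason for the decision.

    only_list_below=True models 'Only the list below' (entries are the allowed set);
    False models 'All except the list below' (entries are the denied set).
    """
    for entry in allow_list:
        if entry_matches(entry, ip, reverse_lookup):
            return only_list_below, f"matched {entry['kind']} entry {entry['value']}"
    return (not only_list_below), "no list entry matched"


if __name__ == "__main__":
    for client in ("131.107.2.200", "131.107.2.57", "131.107.3.1",
                   "192.168.50.10", "192.168.50.11"):
        allowed, why = connection_allowed(client)
        print(f"{client:15} {'allow' if allowed else 'deny':5} ({why})")
```

Note that every domain entry costs one reverse lookup per connection, which is the performance concern the Troubleshooting section raises; an address without a PTR record never matches a domain entry, so with "Only the list below" it is refused.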


How to Configure Access Control
 * 1) Open the Default IMAP4 Virtual Server properties.
 * 2) Click the Access tab, and then click Authentication.
 * 3) By default, both the Basic Authentication and Integrated Windows Authentication methods are selected. If your environment supports Windows Authentication, clear the Basic Authentication check box.
 * 4) Click OK to accept the change.
 * 5) Start Outlook Express, and then configure the IMAP4 account settings to use Secure Password Authentication. To do so:
   * Click Accounts on the Tools menu.
   * Click the Mail tab, and then double-click the IMAP4 mail account.
   * Click the Servers tab, and then click to select the Log on using Secure Password Authentication check box.
   * Click OK, and then click Close.


How to Configure Secure Communications (Part One)

 * 1) Open the Default IMAP4 Virtual Server properties.
 * 2) Click the Access tab, and then click Certificate.
 * 3) After the IIS Certificate wizard starts, click either Create a new certificate or Assign an existing certificate from an external certification authority, and then click Next.
 * 4) If you have a certification authority (CA) installed, click Send the request immediately to an online certification authority. If you do not have a CA installed, click Prepare the request now but send it later. Click Next.
 * 5) If you send your request to an online CA, either give the request an appropriate name or accept the default name "Default IMAP4 Virtual Server," type a bit length, and then click Next.

NOTE: Longer key lengths affect performance.
 * 6) Type the organization and organization unit information for the CA from which you are requesting a certificate in the appropriate boxes, and then click Next.
 * 7) Type the common name for your site, and then click Next.

NOTE: If you enable access from the Internet, you must use an externally resolvable fully qualified domain name (FQDN).
 * 8) Type the country, the state or province, and the city or locality information for your CA in the appropriate boxes, and then click Next.
 * 9) If you chose to send the request immediately to an online CA in step 4, confirm that the CA for your organization is displayed, and then click Next. If you chose to prepare the request now but send it later in step 4, accept the default file name for the certificate request or save it to a different file, and then click Next.
 * 10) Review the information on the Certificate Request Submission page, and then click Next.
 * 11) Click Finish.


How to Configure Secure Communications (Part Two)
After you install a certificate on your server, force secure communications:
 * 1) Open the Default IMAP4 Virtual Server properties.
 * 2) Click the Access tab, and then click Communication.
 * 3) Click to select the Require secure channel check box.
 * 4) If both the Exchange 2000 computer and the clients support 128-bit encryption, click Require 128-bit encryption.
 * 5) Click OK, and then click OK.
 * 6) Stop and restart the Exchange 2000 IMAP4 service.
 * 7) Start Outlook Express, click Accounts on the Tools menu, and then click the Mail tab.
 * 8) Double-click the Exchange Server Mail account, click the Advanced tab, and then click This server requires a secure connection (SSL). The incoming mail (IMAP4) port number changes from 143 to 993.
 * 9) Click OK, and then click Close.


How to Confirm That You Configured IMAP4 Security Correctly

 * To verify that the IP restrictions work as expected, try to connect with a valid user name from an excluded IP address. You receive a message that states that the connection to the server was declined.
 * To verify the authentication encryption:
   * Run Network Monitor on your Exchange 2000 computer, and then use the default authentication settings to initiate an IMAP4 session from the client while you capture the traffic that is coming in to the Exchange 2000 computer.
   * Review the IMAP4 session and note the packets from the client to the server on port 143 (008Fh). Note that the user's logon name and password are being sent in clear text.
   * Remove support for Basic Authentication, configure the client to require Secure Password Authentication, initiate another IMAP4 session from the client, and then capture the traffic in Network Monitor. The user account and password details are now encrypted.
 * To verify full SSL encryption:
   * Add a certificate, configure the settings so that you require a secure channel on the IMAP4 virtual server, and then configure the client to use SSL.
   * Start a Network Monitor capture and initiate an IMAP4 mail collection session from the client.
   * Stop the capture, and then examine the packets that were sent. Note that all client-to-server packets with a destination of port 993 (03E1h) are encrypted.

NOTE: If you have not enabled encryption on SMTP mail delivery, you may still see some unencrypted packets from the client that are destined for port 25 (0019h).
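The capture review described above, as an added example written in Python rather than read off a Network Monitor screen (this is not code from the article): audit_packets() walks a constructed list of client-to-server packets, flags a LOGIN command on port 143 as cleartext credentials, treats AUTHENTICATE as a protected logon whose session body is still readable, records cleartext SMTP submission on port 25, and skips port 993 traffic, which is an opaque TLS record. The packet payloads are invented, the IMAP quoted-string parsing is approximated with shlex, and the password is never copied into a finding.

```python
"""Added example: audit a list of captured client->server packets for the three
conditions the verification steps look for. All packet payloads are constructed."""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAP_PORT, IMAPS_PORT, SMTP_PORT = 143, 993, 25

# Constructed packets modelled on the three sessions in the article: Basic
# Authentication, Secure Password Authentication (NTLM), then SSL on port 993,
# plus one SMTP submission packet. Payloads are invented.
SAMPLE_PACKETS = [
    {"dst_port": 143, "data": b'a001 LOGIN alice "Pa55word!"\r\n'},
    {"dst_port": 143, "data": b"a002 SELECT INBOX\r\n"},
    {"dst_port": 143, "data": b"a003 FETCH 1 BODY[]\r\n"},
    {"dst_port": 143, "data": b"b001 AUTHENTICATE NTLM\r\n"},
    {"dst_port": 143, "data": b"TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=\r\n"},
    {"dst_port": 993, "data": b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01"},
    {"dst_port": 25, "data": b"MAIL FROM:<alice@contoso.com>\r\n"},
]


@dataclass
class Finding:
    port: int
    severity: str  # "high", "medium" or "info"
    detail: str


def parse_imap_command(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split 'tag COMMAND args...' into its parts.

    IMAP quoted strings are approximated with shlex (double quotes, backslash
    escapes); a line with fewer than two tokens is continuation data, not a command.
    """
    try:
        parts = shlex.split(line)
    except ValueError:
        parts = line.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1].upper(), parts[2:]


def audit_packets(packets) -> List[Finding]:
    """Return one finding per packet that exposes credentials or message content."""
    findings: List[Finding] = []
    for pkt in packets:
        port, data = pkt["dst_port"], pkt["data"]
        if port == IMAPS_PORT:
            continue  # TLS record: nothing readable, which is the desired state
        try:
            text = data.decode("ascii").strip()
        except UnicodeDecodeError:
            continue
        if port == SMTP_PORT:
            verb = text.split(" ", 1)[0]
            findings.append(Finding(port, "info", f"cleartext SMTP submission ({verb})"))
            continue
        if port != IMAP_PORT:
            continue
        parsed = parse_imap_command(text)
        if parsed is None:
            continue  # e.g. the base64 NTLM token line that follows AUTHENTICATE
        _tag, command, args = parsed
        if command == "LOGIN":
            user = args[0] if args else "?"
            # the password is deliberately not included in the finding
            findings.append(Finding(port, "high",
                                    f"cleartext LOGIN for user {user!r}; password redacted"))
        elif command == "AUTHENTICATE":
            mech = args[0].upper() if args else "?"
            findings.append(Finding(port, "medium",
                                    f"AUTHENTICATE {mech}: logon protected, session body still cleartext"))
        elif command in ("FETCH", "UID", "APPEND"):
            findings.append(Finding(port, "medium",
                                    f"cleartext {command}: message content readable on the wire"))
    return findings


def credentials_exposed(findings: List[Finding]) -> bool:
    """True when any finding shows a user name and password sent in clear text."""
    return any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    for f in audit_packets(SAMPLE_PACKETS):
        print(f"port {f.port:3} [{f.severity}] {f.detail}")
```

After the server is configured as in Part Two and the client is on port 993, every client-to-server packet takes the `IMAPS_PORT` branch and the audit returns nothing for IMAP4; the remaining "info" finding on port 25 is the SMTP case the note above refers to.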

After you confirm that you configured IMAP4 security correctly, it is recommended that you configure secure SMTP delivery for your IMAP4 clients. For additional information about how to encrypt SMTP mail delivery, click the article number below to view the article in the Microsoft Knowledge Base:

319267 HOW TO: Secure Simple Mail Transfer Protocol Client Message Delivery in Exchange 2000


Troubleshooting
If you restrict IP addresses based on DNS lookup, you can adversely affect the performance of the Exchange 2000 computer. Because the Exchange 2000 computer performs a reverse DNS lookup on each incoming connection, a functioning DNS reverse lookup zone must be available and the IMAP4 client must be registered with that zone. If you have large numbers of incoming IMAP4 connections, you should consider disabling reverse DNS lookup. For additional information about how to configure reverse lookup zones, click the article number below to view the article in the Microsoft Knowledge Base:

251509 XFOR: Cannot Restrict Access by Domain Name if DNS Is Not Configured Correctly

If you do not specify the correct values for the server name or the organization when you create the SSL certificate on the default IMAP4 virtual server, users may receive the following message:

The server you are connecting to is using a security certificate that does not match its Internet address. Do you want to continue using this server?

To prevent this message from being displayed, ensure that the common name for the certificate matches its Internet address.
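A way to check the condition behind this message before users see it, as an added example (not Microsoft's code): certificate_matches_host() compares the name the client connects to with the names in a certificate dictionary shaped like the output of Python's ssl.getpeercert(), preferring subjectAltName DNS entries over the common name and allowing a wildcard to match one label only. fetch_server_certificate() is an assumed helper that pulls the certificate from port 993 for a live check and is not exercised offline; the three certificate dictionaries are constructed.

```python
"""Added example: check that a server certificate's name matches the address the
IMAP4 client connects to. The certificate dictionaries are constructed in the
shape ssl.SSLSocket.getpeercert() returns; this is not Microsoft code."""
import socket
import ssl
from typing import List, Tuple

# Constructed certificates: issued for the right FQDN, for an internal name that
# does not match what clients type, and a wildcard carried in subjectAltName.
CERT_CORRECT = {"subject": ((("commonName", "mail.contoso.com"),),)}
CERT_WRONG_NAME = {"subject": ((("commonName", "exch01.corp.contoso.local"),),)}
CERT_WILDCARD = {"subject": ((("commonName", "imap.contoso.com"),),),
                 "subjectAltName": (("DNS", "*.contoso.com"),)}


def certificate_names(cert) -> List[str]:
    """DNS names the certificate is valid for: SAN dNSNames if present, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; a leading '*.' matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".contoso.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[:-len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def certificate_matches_host(cert, hostname: str) -> Tuple[bool, str]:
    """Return (ok, explanation) for the name the client connects to."""
    names = certificate_names(cert)
    if not names:
        return False, "certificate carries no DNS name"
    for name in names:
        if name_matches(name, hostname):
            return True, f"{hostname} matches certificate name {name}"
    return False, (f"{hostname} matches none of {names}; clients will warn that the "
                   "certificate does not match its Internet address")


def fetch_server_certificate(hostname: str, port: int = 993, timeout: float = 5.0):
    """Live helper (assumed, not run offline): connect to the IMAP4 SSL port and
    return the peer certificate dictionary for certificate_matches_host()."""
    context = ssl.create_default_context()
    # Name checking is left to certificate_matches_host so a mismatch is reported
    # with an explanation instead of raised; chain validation is still required.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (CERT_CORRECT, CERT_WRONG_NAME, CERT_WILDCARD):
        print(certificate_matches_host(cert, "mail.contoso.com"))
```

When the certificate was issued by Certificate Services in your own forest rather than an external CA, the default trust store will not know the issuer; call `context.load_verify_locations()` with the CA's certificate file before connecting, or the live helper fails chain validation before the name check runs.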


<div class="references_section">