Microsoft KB Archive/821603

From BetaArchive Wiki

Article ID: 821603

Article Last Modified on 12/3/2007
APPLIES TO

  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
SUMMARY

You may have users who use Internet Message Access Protocol, Version 4rev1 (IMAP4) to connect to your Exchange 2003 server. Typically, IMAP4 connections are used in environments where there are either bandwidth limitations or firewall port restrictions. Like Post Office Protocol version 3 (POP3), IMAP4 authentication and message transmission use unencrypted (clear text) commands that are open to interception.
This step-by-step article discusses how to configure the security settings for incoming IMAP4 connections to your Exchange 2003 server so that users can authenticate and receive potentially sensitive material while reducing the risk that the user name, the password, or the message content is intercepted.
This article assumes that you are familiar with the following topics:

  • Exchange System Manager
  • TCP/IP configuration
  • Security concepts such as Secure Sockets Layer (SSL) and encryption
  • Security certificates
  • Network Monitor captures


Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that are required:

  • Microsoft Windows 2000 Server with at least Service Pack 2 (SP2)
  • The Microsoft Active Directory directory service
  • Exchange Server 2003 installed on a Windows 2000-based member server in the domain
  • An IMAP4 client such as Outlook Express v5.0 or later

How to Plan for the Level of Security

Before you start to configure the IMAP4 virtual server, you must consider the level of security that you want to implement. You can configure IMAP4 security in three areas: connection control, access control, and secure communication.

Connection Control

With connection control you can restrict connections based on the IP address, the subnet address or the domain name. You can also use reverse Domain Name System (DNS) lookups. This level of security is effective only if you are sure of the IP address of the incoming connection to Exchange 2003. This level of security does not encrypt passwords or message data. This level of security can be combined with other security levels as part of your security strategy.

Access Control

Access control supports both Basic Authentication and Integrated Windows authentication, sometimes known as NTLM authentication. Basic Authentication allows clear text user names and passwords. Therefore, you may want to disable Basic Authentication and to use Integrated Windows authentication exclusively. When Basic Authentication is disabled, client logons are completed by using Secure Password Authentication on IMAP4 clients. To configure Secure Password Authentication on IMAP4 clients, see the client software documentation.

Integrated Windows authentication is supported only in environments where the client can communicate with a domain controller to validate its account credentials.

Note Secure Password Authentication encrypts only the logon session, not the message body.

Secure Communication

Secure communication encrypts the whole IMAP4 session, including the logon sequence and the transmission of the message body, by using Secure Sockets Layer (SSL) encryption. Because both the logon sequence and the message are encrypted, Microsoft recommends that you use SSL for all IMAP4-to-Exchange connections that travel over public networks such as the Internet. SSL requires that a server certificate be installed on your IMAP4 virtual server. An external certification authority can grant the certificate, or you can use Certificate Services.

Important If your front-end servers are accessible from the Internet, consider configuring SSL to reduce the risk of critical information being intercepted.

Note If you encrypt the IMAP4 protocol, sessions are protected only when you are collecting mail from the Exchange 2003 IMAP4 virtual server; however, Simple Mail Transfer Protocol (SMTP) message delivery is not encrypted. Microsoft recommends that you take additional precautions to encrypt SMTP message delivery. For additional information about how to encrypt SMTP mail delivery, click the following article number to view the article in the Microsoft Knowledge Base:

319267 How To Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000

How to Access the IMAP4 Virtual Server Properties

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane, click Administrative Groups.
  3. Double-click your Administrative Group.
  4. In the left pane, click Servers.
  5. Click the server that you want to configure, and then double-click Protocols.
  6. Double-click IMAP4.
  7. Right-click Default IMAP4 Virtual Server, and then click Properties.
  8. Click Access to open the access control settings.

How to Configure IP Address Restrictions

  1. Open the Default IMAP4 Virtual Server properties by using the steps provided in the How to Access the IMAP4 Virtual Server Properties section of this article.
  2. On the Access tab, click Connection.
  3. Click Only the list below.

     When you click Only the list below, only the single computers, groups of computers or domains that are listed can connect to the IMAP4 virtual server. Configure the list of computers by using one of the following methods:

     • Add a single IP address at a time. To do so, specify the IP address you want to add. Optionally, you can type a host name, and then click DNS lookup to resolve that name automatically to an IP address. Use this method if you have remote users who always connect from fixed IP addresses where those IP addresses are not contiguous.
     • Add a group of computers by using a range of IP addresses, such as 131.107.2.0 with a subnet mask of 255.255.255.0. You can use subnet masks such as 255.255.255.252 to restrict the acceptable hosts to a range of only six IP addresses.
     • Add restrictions on a domain basis. For example, you can limit connections so that only connections from example.com are accepted. However, if you use this method, a reverse DNS lookup is performed on every incoming connection. This behavior can adversely affect the performance of your Exchange 2003 computer. For additional information, see the Troubleshoot section at the end of this article.
  4. Click OK to accept the IP address restrictions.
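As an added example that is not part of the original article, the following Python code models how the Only the list below setting evaluates an incoming connection against the three entry kinds above, using the ipaddress module for the subnet-mask match and performing a reverse DNS lookup only when a domain entry is present. The allow list is constructed sample data, and matching a host name to a domain entry by suffix is an assumption of this example, not something the article states.

```python
import ipaddress
import socket

# Constructed allow list covering the three entry kinds the Connection
# dialog offers: a single computer, a group of computers (network address
# plus subnet mask) and a domain. These are sample values, not a real site.
ALLOW_LIST = [
    {"type": "single", "address": "131.107.5.20"},
    {"type": "group", "address": "131.107.2.0", "mask": "255.255.255.0"},
    {"type": "domain", "name": "example.com"},
]


def dns_reverse_lookup(client_ip):
    """Reverse DNS (PTR) lookup; returns None when no record exists."""
    try:
        return socket.gethostbyaddr(client_ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def connection_allowed(client_ip, allow_list, reverse_lookup=dns_reverse_lookup):
    """Evaluate "Only the list below" for one incoming connection.

    Returns (allowed, matching_entry). Address entries are matched first;
    the reverse lookup runs only when a domain entry exists, because that
    per-connection lookup is the performance cost the article warns about.
    Matching a host to a domain by name suffix is an assumption of this example.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in allow_list:
        if entry["type"] == "single" and ip == ipaddress.ip_address(entry["address"]):
            return True, entry
        if entry["type"] == "group":
            # ipaddress accepts a dotted mask in place of a prefix length
            net = ipaddress.ip_network(f"{entry['address']}/{entry['mask']}", strict=False)
            if ip in net:
                return True, entry
    domains = [e for e in allow_list if e["type"] == "domain"]
    if domains:
        name = (reverse_lookup(client_ip) or "").lower().rstrip(".")
        for entry in domains:
            dom = entry["name"].lower()
            if name and (name == dom or name.endswith("." + dom)):
                return True, entry
    return False, None
```

Pass a stub such as `reverse_lookup=lambda ip: None` to evaluate address entries without touching DNS.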

How to Configure Access Control

  1. Open the Default IMAP4 Virtual Server properties.
  2. Click Access, and then click Authentication.

     Note By default, both Basic Authentication and Integrated Windows authentication are enabled. If your environment supports Windows Authentication, you can click to clear the Basic Authentication check box, and then click OK to accept the change.

     Note To enable Integrated Windows authentication, click to select the Simple Authentication and Security Layer check box.
  3. Configure the IMAP4 account settings of the e-mail client software to use Secure Password Authentication. For more information, see the documentation for your e-mail client software.
  4. Click OK, and then click Close.

How to Configure SSL - Request and Install a Certificate

  1. In Exchange System Manager, access the Default IMAP4 Virtual Server Properties dialog box by using the procedure that is described in the How to Access the IMAP4 Virtual Server Properties section of this article.
  2. Click Access, and then click Certificate.
  3. To request a new certificate, follow the instructions on the screen to complete the Web Server Certificate Wizard.

     Note If you do not have a server that is running Certificate Services in your domain, you must submit the certificate request to a certificate granting authority. For additional information about how to install Certificate Services, click the following article number to view the article in the Microsoft Knowledge Base:

     231881 How To Install/Uninstall a Public Key Certificate Authority for Windows 2000

  4. Click Apply to save your settings.
  5. To install the certificate, click Certificate again.
  6. Follow the instructions on the screen to complete the Web Server Certificate Wizard again.

How to Configure SSL - Configure Encryption

After you install a certificate on your server, follow these steps to configure a secure channel:

  1. Open the Default IMAP4 Virtual Server properties.
  2. Click Access, and then click Communication.
  3. Click to select the Require secure channel check box.
  4. If both the Exchange 2003 computer and the clients support 128-bit encryption, click Require 128-bit encryption.
  5. Click OK, and then click OK.
  6. Stop and then restart the Exchange 2003 IMAP4 service.
  7. To configure the client, see the e-mail client documentation on how to configure SSL connections.

How to Confirm That You Have Configured IMAP4 Security Correctly

To verify your IMAP4 security settings, complete the following tests:

  • To verify that IP restrictions are working as expected, try to connect by using IMAP4 with a valid user name from an excluded IP address.

    If the IP restrictions are configured correctly, you receive a message that states that the connection to the server was declined.
  • To verify that authentication is being encrypted, use Network Monitor to capture the authentication traffic. For additional information about Network Monitor, click the following article number to view the article in the Microsoft Knowledge Base:

    243270 How To Install Network Monitor in Windows 2000


    To use Network Monitor to view authentication traffic:

    1. Run Network Monitor on your Exchange 2003 computer, and then use the default authentication settings to initiate an IMAP4 session from the client while you capture the traffic that is coming in to the Exchange 2003 computer.
    2. Review the IMAP4 session and note the packets that were sent from the client to the server on port 143 (008Fh).

      Note The user's logon name and password are sent in clear text.
    3. Remove support for Basic Authentication, configure the client to require Secure Password Authentication, initiate another IMAP4 session from the client, and then capture the traffic in Network Monitor.

      The user account and password details are now encrypted.
  • To verify SSL encryption:
    1. Configure the access settings so that the IMAP4 virtual server requires a secure channel, and then configure the client to use SSL.
    2. Start a Network Monitor capture and have the client check their mail by using IMAP4.
    3. In Network Monitor, stop the capture, and then examine the packets that were sent.

      Note that all client-to-server packets with a destination of port 993 (03E1h) are encrypted.

Note If you have not enabled encryption on SMTP mail delivery, you may still see some unencrypted packets from the client that are destined for port 25 (0019h).
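The authentication check above can also be made from a script. As an added example that is not part of the original article, the following Python code classifies a CAPABILITY line from a plain port-143 session, treating a missing LOGINDISABLED capability (RFC 3501) as meaning the clear-text LOGIN command is accepted, and includes a live probe that also opens port 993 with a verifying TLS context. The sample capability strings are constructed and the host name passed to probe_imap4 is an assumption; the article does not state how Exchange 2003 advertises its mechanisms.

```python
import imaplib
import ssl

# Mechanisms that carry the password itself and are therefore as exposed as a
# plain LOGIN command when no TLS layer is present.
CLEAR_TEXT_MECHS = {"PLAIN", "LOGIN"}


def assess_capabilities(capability_line):
    """Classify one CAPABILITY line from an unencrypted port-143 session.

    credentials_exposed is True when a capture of the logon exchange would
    reveal the user name and password.
    """
    caps = {c.upper() for c in capability_line.split()}
    auth_mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    basic_login_allowed = "LOGINDISABLED" not in caps  # plain LOGIN accepted
    clear_text_sasl = auth_mechs & CLEAR_TEXT_MECHS
    return {
        "basic_login_allowed": basic_login_allowed,
        "clear_text_sasl": sorted(clear_text_sasl),
        # Challenge-response mechanisms such as NTLM (the wire form of Secure
        # Password Authentication) never send the password itself.
        "challenge_response": sorted(auth_mechs - CLEAR_TEXT_MECHS),
        "starttls": "STARTTLS" in caps,
        "credentials_exposed": basic_login_allowed or bool(clear_text_sasl),
    }


def probe_imap4(host, timeout=10):
    """Live check of a real server (host is an assumed name; needs a network).

    Port 993 is opened with a verifying TLS context, so a certificate whose
    common name does not match the host name raises
    ssl.SSLCertVerificationError, the mismatch the Troubleshoot section covers.
    """
    with imaplib.IMAP4(host, 143, timeout=timeout) as plain:
        report = assess_capabilities(" ".join(plain.capabilities))
    with imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context(),
                           timeout=timeout) as secure:
        report["tls_greeting_ok"] = secure.welcome.startswith(b"* OK")
    return report


# Constructed sample lines, not captured from a real server: the first stands
# in for the default of Basic plus Integrated Windows authentication, the
# second for the state after the Basic Authentication check box is cleared.
DEFAULT_SAMPLE = "IMAP4rev1 AUTH=NTLM"
HARDENED_SAMPLE = "IMAP4rev1 LOGINDISABLED AUTH=NTLM"
```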

After you confirm that you configured IMAP4 security correctly, Microsoft recommends that you configure secure SMTP delivery for your IMAP4 clients. For additional information about how to encrypt SMTP mail delivery, click the article number below to view the article in the Microsoft Knowledge Base:

319267 How To Secure Simple Message Transfer Protocol Client Message Delivery in Exchange 2000

Troubleshoot

If you restrict IP addresses based on DNS names, you can adversely affect the performance of the Exchange 2003 server. Performance may be affected because the Exchange 2003 server must perform a reverse DNS lookup on each incoming connection. Additionally, a functioning reverse DNS lookup zone must be available, and the IMAP4 client must be registered with that zone. If you have large numbers of incoming IMAP4 connections, you may want to disable reverse DNS lookup.

If you do not specify the correct values for the server name or the organization when you create the SSL certificate on the default IMAP4 virtual server, users may receive the following message:

The server you are connecting to is using a security certificate that does not match its Internet address. Do you want to continue using this server?

To prevent this message from being displayed, make sure the common name for the certificate matches its Internet address.

REFERENCES

For additional information about how to configure IMAP4 security, see Exchange 2003 Help.

Keywords: kbhowto KB821603