How to secure Simple Mail Transfer Protocol client message delivery in Exchange 2000 Server (319267)



The information in this article applies to:

  • Microsoft Exchange 2000 Server

This article was previously published under Q319267

SUMMARY

This step-by-step article describes how to configure security for incoming client Simple Mail Transfer Protocol (SMTP) connections to your Exchange 2000 computers so that your users can authenticate and receive potentially sensitive material without the risk of the user name, the password, or the message content being intercepted.

You may have users who need to use either Post Office Protocol v.3 (POP3) or Internet Message Access Protocol (IMAP4) to connect to your Exchange 2000 computer. Both of these protocols rely on SMTP for message delivery. Like POP3 or IMAP4, SMTP authentication and message transmission use clear-text commands that may be intercepted. Additionally, SMTP uses Anonymous Authentication by default.


Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:
  • Microsoft Windows 2000 Server with Service Pack 2 (SP2)
  • Active Directory
  • Exchange Server 2000 with Service Pack 1 (SP1) installed on a Windows 2000-based member server in the domain.
  • An IMAP4 client such as Outlook Express v5.0 or later
This article assumes that you are familiar with the following topics:
  • Exchange System Manager
  • TCP/IP configuration issues
  • Security concepts such as Secure Sockets Layer (SSL) and encryption
  • Security certificates
  • Network Monitor captures
  • How to create an SMTP virtual server

Plan For the Level of Security

Before you start to configure the IMAP4 virtual server, you must consider the level of security that you want to implement. You must consider the following five factors:
  • Creating a new SMTP virtual server
  • Connection control
  • Access control
  • Secure communication
  • Relaying control
When you configure SMTP security, note that the default SMTP virtual server is normally used to create an instance of the Internet Mail connector. The Internet Mail connector makes connections to remote Internet domains to deliver and receive messages to and from external organizations. Because most of the SMTP servers on the Internet only support Anonymous Authentication, if you configure authentication or encryption settings for your POP3 or IMAP4 clients, inbound sessions from external SMTP servers will be affected. To secure SMTP client access, you must first create a new SMTP virtual server to use with inbound client connections.

Connection control restricts connections based on Internet Protocol (IP) address or domain name, including reverse DNS lookups. This level of security is a basic level that you use only if you can guarantee the IP address of the incoming connection. This level of security does not encrypt passwords or message data; however, you can use this level with the other security settings.

Access control lets you configure either Basic Authentication, Anonymous Authentication or Integrated Windows Authentication (NTLM authentication). Because Basic Authentication allows clear text user names and passwords, it is recommended that you disable this authentication type. If you disable Basic Authentication, you need to enable logon using Secure Password Authentication on the SMTP client software. Click the Outgoing Mail Server authentication settings button on the Servers tab in the Accounts properties to enable Secure Password Authentication in Microsoft Outlook Express. Note that Secure Password Authentication encrypts only the logon session, not the message body.

NOTES:
  • Integrated Windows Authentication works only in scenarios where the client computer can contact a domain controller to validate their credentials. In most firewall configurations, this scenario is not possible and not desirable. However, internal implementations of SMTP access (where the logon session does not traverse the Internet) can use NTLM authentication.
  • When you use Basic Authentication, you can use Transport Layer Security (TLS). Like Secure Sockets Layer (SSL), TLS encrypts the logon sequence and the message traffic.
Secure communication encodes the entire SMTP session, including the logon sequence and the transmission of the message body, by using SSL encryption. It is recommended that you use SSL for all SMTP connections to Exchange 2000 that cross public networks such as the Internet. You must install a certificate on your SMTP virtual server. You can either use an external certification authority or you can install Certificate Services into your Active Directory forest to install a certificate.


NOTE: When you encrypt the SMTP protocol, sessions are protected only when you are delivering mail to the Exchange 2000 computer. However, POP3 or IMAP4 mail collection is not encrypted. It is recommended that you take additional precautions to encrypt mail collection. For additional information about how to encrypt mail collection, click the following article numbers to view the articles in the Microsoft Knowledge Base:

319273 HOW TO: Secure Post Office Protocol Client Access in Exchange 2000

319278 HOW TO: Secure Internet Message Access Protocol Client Access in Exchange 2000

Finally, you also need to be able to control how mail is relayed through your SMTP virtual server. If your POP3 or IMAP4 clients do not have permission to relay, users cannot send SMTP mail to external domains by using your Exchange 2000 computer. However, if you make it too easy to relay messages, a user may be used to propagate unsolicited commercial e-mail messages. If you use the default settings for relaying, only authenticated clients can relay messages by using your Exchange 2000 computer.


Access the SMTP Protocol Object

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. In the left pane, double-click Servers.
  3. Click the server that you want to configure, and then click Protocols.

    The SMTP protocol object is displayed.

How to Create a New SMTP Virtual Server

  1. Right-click the SMTP protocol object, point to New, and then click SMTP Virtual Server.
  2. Type a name for the SMTP virtual server, and then click Next.

    It is recommended that you use a name that describes the function of this virtual server, such as "Client Access Virtual Server."
  3. Click the IP address to which this SMTP virtual server will bind, and then click Finish.
  4. After you create the SMTP virtual server, confirm that the new virtual server is using the correct fully qualified domain name (FQDN):
    1. Right-click the SMTP virtual server that you created in step 3 and click Properties.
    2. Click the Delivery tab and then click Advanced.
    3. Confirm that the domain name in the Fully qualified domain name box matches the name that your users type when they configure their client software to connect to deliver SMTP mail.

      To confirm that the domain name resolves correctly, click Check DNS.
    4. Click OK, and then click OK.
NOTE: If you are configuring an SMTP virtual server for clients that access this SMTP virtual server across the Internet, you may need to configure external DNS servers because the SMTP virtual server FQDN needs to resolve to an external Internet address. To do so, click Configure in the Advanced Delivery dialog box, click Add, and then type the IP address of the external DNS servers.


How to Configure IP Address Restrictions

  1. Start Exchange System Manager, right-click the newly created SMTP virtual server, click the Access tab, and then click Connection.
  2. Click Only the list below.

    If you do so, only the IP addresses and domains in the list are allowed to connect to the SMTP virtual server. Use any of the following methods to add items to this list:
    • Add a single IP address at a time. To do so, type a host name, and then click DNS lookup to resolve that name automatically to an IP address. Use this method if you have remote users that always connect from fixed IP addresses where those IP addresses are not contiguous.
    • Add a range of addresses, such as 131.107.2.0 with a subnet mask of 255.255.255.0. You can use subnet masks such as 255.255.255.252 to restrict the acceptable hosts to a range of only six IP addresses.
    • Set restrictions on a domain basis. For example, you can limit connections so that only connections from contoso.com are accepted. However, if you use this method, you must perform a DNS reverse lookup on each incoming connection, which can adversely affect the Exchange 2000 computer's performance. For more information, refer to the "Troubleshooting" section at the end of this article.
  3. Click OK to accept the IP address restrictions.

How to Configure Access Control

  1. Start Exchange System Manager, right-click the newly created SMTP virtual server, and then click Properties.
  2. Click the Access tab, and then click Authentication.

    By default, Anonymous Authentication, Basic Authentication and Integrated Windows Authentication methods are selected. If your environment supports Windows Authentication, you can clear both the Anonymous Authentication check box and the Basic Authentication check box. Click OK to accept the change.
  3. Start Outlook Express, and then configure the SMTP account settings to use Secure Password Authentication. To do so:
    1. Click Accounts on the Tools menu.
    2. Click the Mail tab, click the appropriate mail account, and then click Properties.
    3. Click the Servers tab, and then confirm that the Log on using Secure Password Authentication check box is selected.

      NOTE: Secure Password Authentication only encrypts the logon session, not the message body.
  4. Click OK, and then click Close.

How to Configure Secure Communications (Part One)

  1. Right-click the new SMTP virtual server and click Properties.
  2. Click the Access tab, and then click Certificate.
  3. After the IIS Certificate wizard starts, click either Create a new certificate or Assign an existing certificate from an external certification authority, and then click Next.
  4. If you have a certification authority (CA) installed, click Send the request immediately to an online certification authority.

    If you do not have a CA installed, click Prepare the request now but send it later, and then click Next.
  5. If you send your request to an online CA, give the request an appropriate name, type a bit length, and then click Next.

    NOTE: Longer key lengths affect performance.
  6. Type the organization and organization unit information for the CA from which you are requesting a certificate in the appropriate boxes, and then click Next.
  7. Type the common name for your site, and then click Next.

    NOTE: Make sure that the common name matches the DNS FQDN that you used when you configured the new SMTP virtual server. If you enable access from the Internet, you must use an externally resolvable fully qualified domain name (FQDN).
  8. Type the country, the state or province, and the city or locality information for your CA in the appropriate boxes, and then click Next.
  9. If you chose to send the request immediately to an online CA in step 4, confirm that the CA for your organization is displayed, and then click Next.

    However, if you chose to prepare the request now but send it later in step 4, accept the default file name for the certificate request or save it to a different file, and then click Next.
  10. Review the information on the Certificate Request Submission, and then click Next.
  11. Click Finish.

How to Configure Secure Communications (Part Two)

After you install a certificate on your server, force secure communications:
  1. Right-click your new SMTP virtual server and click Properties.
  2. Click the Access tab, and then click Communication.
  3. Click to select the Require secure channel check box.
  4. If both the Exchange 2000 computer and the clients support 128-bit encryption, click Require 128-bit encryption.
  5. Click OK, and then click OK.
  6. Stop and restart the SMTP virtual server.
  7. Start Outlook Express, click Accounts on the Tools menu, and then click the Mail tab.
  8. Double-click the Exchange Server Mail account, click the Advanced tab, and then click This server requires a secure connection (SSL) in the Outgoing Mail (SMTP) server section.

    The outgoing mail (SMTP) port does not change from port 25.
  9. Click OK, and then click Close.

How to Configure Relay Restrictions

  1. Right-click the new SMTP virtual server and click Properties.
  2. Click the Access tab, and then click Relay.

    The default settings allow authenticated clients to relay messages. Typically, these settings are adequate; only clients that present connection credentials can relay messages through the SMTP virtual server. You can restrict relay permissions to single IP addresses, IP address ranges, or DNS suffixes. To do so, use the same procedure to configure incoming address restrictions that is described in the "How to Configure IP Address Restrictions" section of this article.
NOTE: If you remove all relay restrictions, you increase the possibility that your Exchange 2000 computer will be used for unsolicited commercial e-mail messages. It is strongly recommended that you do not remove relay restrictions if you allow anonymous authentication.

For additional information about how to secure Exchange 2000 Server computers against unsolicited commercial e-mail messages, click the following article number to view the article in the Microsoft Knowledge Base:

319356 How to prevent unsolicited commercial e-mail in Exchange 2000 Server


How to Confirm That You Configured SMTP Security Correctly

  • To verify that the IP restrictions work as expected, try to connect with a valid user name from an excluded IP address.

    You receive a message that states that the connection to the server was declined.
  • To verify the authentication encryption:
    1. Run Network Monitor on your Exchange 2000 computer, and then use the default authentication settings to initiate an SMTP session from the client while you capture the traffic that is coming in to the Exchange 2000 computer.
    2. Review the SMTP session and note the packets from the client to the server on port 25 (0019h).

      Note that the user's logon name and password are being sent in clear text.
    3. Remove support for Basic Authentication, configure the client to require Secure Password Authentication, initiate another SMTP session from the client, and then capture the traffic in Network Monitor.

      The user account and password details are now encrypted.
  • To verify full SSL encryption:
    1. Add a certificate, configure the settings so that you require a secure channel on the SMTP virtual server, and then configure the client to use SSL.
    2. Start a Network Monitor capture and initiate an SMTP mail collection session from the client.
    3. Stop the capture, and then examine the packets that were sent.

      Note that all client to server packets with a destination of port 25 (0019h) are encrypted.

      NOTE: If you have not enabled encryption on the POP3 or IMAP4 mail collection, you may still see some unencrypted packets from the client destined for port 110 (006Eh) or port 143 (008Fh).
  • To confirm that the relay restrictions work, send mail from an excluded IP address to an external domain. You receive an error message that states that the server was unable to relay for the recipient's address.
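
The Network Monitor checks above can be repeated consistently once the client-to-server lines of a capture are exported as text. The following Python code is an added example, not part of the original article; the function name, finding labels and sample sessions are constructed. It assumes that Basic Authentication appears on the wire as AUTH LOGIN or AUTH PLAIN, that Secure Password Authentication appears as AUTH NTLM, and that SSL on port 25 is negotiated with STARTTLS.

```python
# Added example: audit the readable client-to-server lines of one SMTP session.
# Assumptions (not from the article): Basic Authentication shows up as
# AUTH LOGIN / AUTH PLAIN, Secure Password Authentication as AUTH NTLM,
# and SSL on port 25 is negotiated with STARTTLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}  # base64-encoded only, readable on the wire


def audit_session(client_lines):
    """Return sorted findings for the lines a capture shows in clear text."""
    findings = set()
    starttls_seen = False
    in_data = False
    for raw in client_lines:
        line = raw.strip()
        if in_data:                      # skip message body until the lone "."
            in_data = line != "."
            continue
        parts = line.split()
        if not parts:
            continue
        verb = parts[0].upper()
        if starttls_seen:
            # After STARTTLS nothing should be readable; if it is, the
            # handshake did not happen and the session fell back to clear text.
            findings.add("readable-after-starttls")
        if verb == "STARTTLS":
            starttls_seen = True
        elif verb == "AUTH" and len(parts) > 1 and parts[1].upper() in CLEARTEXT_MECHS:
            findings.add("cleartext-credentials")
        elif verb == "DATA":
            findings.add("cleartext-message-body")
            in_data = True
    return sorted(findings)


# Constructed sample sessions (placeholders, not real captures).
BASIC = ["EHLO client.example", "AUTH LOGIN", "dXNlcg==", "cGFzc3dvcmQ=",
         "MAIL FROM:<user@example.com>", "RCPT TO:<peer@example.net>",
         "DATA", "Subject: test", "", "hello", ".", "QUIT"]
SPA = ["EHLO client.example", "AUTH NTLM", "<ntlm-negotiate>", "<ntlm-response>",
       "MAIL FROM:<user@example.com>", "RCPT TO:<peer@example.net>",
       "DATA", "Subject: test", "", "hello", ".", "QUIT"]
SSL = ["EHLO client.example", "STARTTLS"]
FALLBACK = SSL + ["EHLO client.example", "AUTH LOGIN", "dXNlcg==", "cGFzc3dvcmQ=", "QUIT"]

if __name__ == "__main__":
    for name, session in [("basic", BASIC), ("spa", SPA), ("ssl", SSL), ("fallback", FALLBACK)]:
        print(name, audit_session(session) or "nothing readable beyond EHLO/STARTTLS")
```

An empty result corresponds to the fully encrypted case; a session that still reports cleartext-message-body after Basic Authentication is disabled matches the article's note that Secure Password Authentication protects only the logon.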

Troubleshooting

If you restrict IP addresses based on DNS lookup, you can adversely affect the performance of the Exchange 2000 computer. Because the Exchange 2000 computer performs a reverse DNS lookup on each incoming connection, a functioning DNS reverse lookup zone must be available and the SMTP client must be registered with that zone. If you have large numbers of incoming SMTP connections, you should consider disabling reverse DNS lookup. For additional information about how to configure reverse lookup zones, click the following article number to view the article in the Microsoft Knowledge Base:

251509 XFOR: Cannot Restrict Access by Domain Name if DNS Is Not Configured Correctly

If you do not specify the correct values for the server name or the organization when you create the SSL certificate on the default SMTP virtual server, users may receive the following message:

The server you are connecting to is using a security certificate that does not match its Internet address. Do you want to continue using this server?

To prevent this message from being displayed, ensure that the common name for the certificate matches its Internet address.


REFERENCES

For more information about how to configure SMTP security, refer to Exchange 2000 Help and the Exchange 2000 Server Resource Kit.


Modification Type: Minor
Last Reviewed: 4/25/2005