How to help secure SMTP client message delivery in Exchange 2003 (823019)

The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

SUMMARY

This article describes how to configure security settings for incoming client Simple Mail Transfer Protocol (SMTP) connections to your Exchange 2003 computers. These settings permit your users to authenticate and to receive potentially sensitive material, and they help prevent the user name, the password, or the message content from being intercepted. You may have users who have to use either Post Office Protocol 3 (POP3) or Internet Message Access Protocol 4 (IMAP4) to connect to your Exchange 2003 computer. Both of these protocols rely on SMTP for message delivery.

Note In a default installation of Exchange 2003, you do not have to configure additional options for POP3 or IMAP4 clients that connect to the server. This article discusses some default security settings, and contains information about additional options that are available in Exchange 2003.

Considerations

Note the following considerations that apply:

Creating an additional SMTP virtual server

Create a new SMTP virtual server to use for incoming client connections.

Connection control

Connection control restricts connections that are based on IP address or domain name, including reverse Domain Name System (DNS) lookups. Connection control options do not encrypt passwords or message data.

Access control

You can configure either basic authentication, anonymous authentication, or integrated Windows authentication (formerly named NTLM or Windows NT Challenge/Response authentication). Because basic authentication sends user names and passwords in clear text, it is not secure. To enable the encryption of user names and passwords, use either basic authentication with Transport Layer Security (TLS), or use integrated Windows authentication. Like Secure Sockets Layer (SSL), TLS encrypts user names, passwords, and message data. Note that integrated Windows authentication works only in scenarios where the client computer can contact a Windows-based domain controller to validate its credentials. In most firewall configurations, this contact cannot occur. However, internal implementations of SMTP access (where the logon session does not traverse the Internet) can use integrated Windows authentication.

Encryption

Secure communication encrypts the whole SMTP session, including the user name, the password, and the message data, by using SSL. We recommend that you use SSL for all SMTP connections to Exchange 2003 that cross public networks such as the Internet. To use SSL, you must install a certificate on your SMTP virtual server. You can obtain the certificate from an external certification authority, or you can install Certificate Services in your Microsoft Active Directory directory service forest and issue the certificate yourself.

Relaying control

By default, when you create an SMTP virtual server in Exchange 2003, it is configured to prevent the relaying of e-mail messages. Note that if your POP3 or IMAP4 clients do not have permission to relay, users cannot send SMTP mail to external domains through the SMTP virtual server. However, if you permit relaying without authentication, your server may be used to propagate unsolicited commercial e-mail messages (junk e-mail messages). When you use the default relay settings, only clients that are authenticated can relay messages through the SMTP virtual server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

319278 How to secure Internet Message Access Protocol client access in Exchange 2000

To Create a New SMTP Virtual Server

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Right-click SMTP, point to New, and then click SMTP Virtual Server.
  4. In the Name box, type the name of the virtual server, and then click Next.
  5. Click the IP address that you want to use, and then click Finish.
  6. After you create the SMTP virtual server, confirm that the new virtual server is using the correct fully qualified domain name (FQDN). To do so:
    1. Right-click the SMTP virtual server that you created, and then click Properties.
    2. Click the Delivery tab, and then click Advanced.
    3. Confirm that the domain name in the Fully-qualified domain name box matches the name that your users type when they configure their client software to deliver SMTP mail. To confirm that the domain name resolves correctly, click Check DNS.
    4. Click OK, and then click OK.
Note If you are configuring an SMTP virtual server for clients that access this SMTP virtual server across the Internet, you may have to configure external DNS servers because the FQDN of the SMTP virtual server must resolve to an external Internet address. To do so, click Configure in the Advanced Delivery dialog box, click Add, and then type the IP address of the external DNS server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

326992 Outgoing SMTP mail messages are not sent


To Configure IP Address Restrictions

To configure IP address restrictions:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click Default SMTP Virtual Server, and then click Properties.
  4. Click the Access tab, and then click Connection.
  5. In the Connection dialog box, click Only the list below.

    This indicates that only the IP addresses and the domains that are in the list are permitted to connect to the SMTP virtual server.
  6. Click Add, and then do one of the following to add a single computer, a group of computers, or a domain, as appropriate to your situation:
    • To add a single computer, click Single Computer, type the IP address of the e-mail messaging server of your Internet service provider (ISP) in the IP address box, and then click OK.

      Alternatively, click DNS Lookup, type a host name, and then click OK.
    • To add a group of computers, click Group of computers, type the subnet address and the subnet mask of the group in the corresponding boxes, and then click OK.

      Microsoft recommends this option if your ISP has a tendency to change the IP address of their e-mail messaging server without warning.
    • To add a domain, click Domain, type the domain name that you want in the Name box, and then click OK.

      Note that this option requires a DNS reverse lookup on each incoming connection. This requirement may adversely affect the performance of the Exchange server. For more information, see the Troubleshoot section later in this article.

To Configure Access Control

To configure access control:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
  4. Click the Access tab, and then click Authentication.

    By default, anonymous access is disabled, and basic authentication and integrated Windows authentication are enabled. Configure the SMTP virtual server to use basic authentication with TLS encryption or integrated Windows authentication, and then click OK.
Note You must also enable logon by using Secure Password Authentication in the SMTP client software. To do so in Microsoft Outlook Express:
  1. Start Outlook Express.
  2. On the Tools menu, click Accounts.
  3. Click the Mail tab, and then click Properties.
  4. Click the Servers tab, click to select the Log on using Secure Password Authentication check box, click OK, and then click Close.
    Note that the user name and the password are encrypted. Message data is not encrypted.

To Configure Encryption

To configure encryption:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
  4. Click the Access tab, and then click Certificate. Web Server Certificate Wizard starts.
  5. Click Next.
  6. Follow the instructions on the remaining pages of the wizard to create a new certificate or to assign an existing certificate.
After the certificate is installed on the server, configure the communications method. To do so:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
  4. Click the Access tab, and then click Communication.
  5. Click to select the Require secure channel check box.
  6. If both the Exchange 2003 computer and the clients support 128-bit encryption, click Require 128-bit encryption.
  7. Click OK, and then click OK.
  8. Stop and then restart the SMTP virtual server.
If your clients are using Outlook Express, configure Outlook Express to use SSL. To do so:
  1. Start Outlook Express.
  2. On the Tools menu, click Accounts.
  3. Click the Mail tab.
  4. Double-click the Exchange Server mail account, and then click the Advanced tab.
  5. Under Outgoing Mail (SMTP), click to select the This server requires a secure connection (SSL) check box.
  6. Click OK, and then click Close.

To Configure Relaying

To configure relaying:
  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand Administrative Groups (if appropriate), expand AdministrativeGroup (if appropriate), expand Servers, expand ServerName, and then expand Protocols.
  3. Expand SMTP, right-click the SMTP virtual server, and then click Properties.
  4. Click the Access tab, and then click Relay.

    The default settings permit authenticated clients to relay messages. Typically, these settings are sufficient so that only clients with the correct credentials can relay messages through the SMTP virtual server. You can also restrict relay permissions to single IP addresses, IP address ranges, or DNS suffixes.
  5. Click OK.

To Test Whether the SMTP Virtual Server Settings That You Configured Work Correctly

To test whether the SMTP virtual server settings that you configured work correctly:
  • To confirm that the IP restrictions work correctly, use a POP3 and an IMAP4 client to try to connect to the server from an excluded IP address. If the IP restrictions are configured correctly, you receive a message that notifies you that a connection to the server is declined.
  • To verify authentication encryption:
    1. Run Network Monitor on your Exchange 2003 computer, and use the default authentication settings to initiate an SMTP session from the client while you capture the traffic that is coming to the Exchange 2003 computer.
    2. Review the SMTP session and note the packets from the client to the server on port 25 (0019h).

      Note that the user's logon name and password are sent in clear text.
    3. Remove support for basic authentication, configure the client to require Secure Password Authentication, initiate another SMTP session from the client, and then capture the traffic in Network Monitor.

      The user account and password are now encrypted.
  • To test SSL encryption:
    1. Add a certificate, configure the SMTP virtual server to require a secure channel, and then configure the client to use SSL.
    2. Start a Network Monitor capture, and then initiate an SMTP mail collection session from the client.
    3. Stop the capture, and then examine the packets that were sent.

      Note that all client to server packets with a destination of port 25 (0019h) are encrypted.
    Note If you have not enabled encryption on the POP3 or IMAP4 mail collection, you may still see some unencrypted packets from the client that are destined for port 110 (006Eh) or for port 143 (008Fh).
  • To test whether relay restrictions work correctly, send mail from an excluded IP address to an external domain. You receive an error message that states that the server was unable to relay for the recipient's address.
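The checks above, together with the Considerations on access control and relaying, as an added Python example that is not part of the KB article: it parses an EHLO reply as captured in Network Monitor and reports whether basic authentication would send the user name and password in clear text (no STARTTLS) or whether integrated Windows authentication (NTLM/GSSAPI) is offered, and it interprets the reply to an unauthenticated relay attempt. The EHLO sample is constructed, the host and recipient in probe() are placeholders, and reading a 530 reply as a secure-channel requirement is an assumption.

```python
import re
import smtplib

RELAY_VERDICT = {250: "open-relay", 550: "relay-refused", 530: "auth-or-tls-required"}

def parse_ehlo(reply: str) -> dict:
    """Parse a raw EHLO reply (greeting line first, as seen in a Network Monitor
    trace) into a feature dict shaped like smtplib's esmtp_features."""
    features = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[ -](?P<name>[A-Za-z0-9][\w-]*)[ =]?(?P<params>.*)", line.strip())
        if m:
            name = m.group("name").lower()
            features[name] = (features.get(name, "") + " " + m.group("params")).strip()
    return features

def assess(features: dict) -> dict:
    """Classify what the virtual server offers on the plain (pre-TLS) connection."""
    mechs = set(features.get("auth", "").upper().split())
    starttls = "starttls" in features
    return {
        "starttls": starttls,
        "mechanisms": sorted(mechs),
        # LOGIN/PLAIN without STARTTLS: basic authentication, credentials readable in the capture
        "cleartext_basic_auth": bool(mechs & {"LOGIN", "PLAIN"}) and not starttls,
        # NTLM/GSSAPI: integrated Windows authentication (SPA on the client); credentials
        # are protected but message data is not unless SSL/TLS is also required
        "integrated_windows_auth": bool(mechs & {"NTLM", "GSSAPI"}),
    }

def classify_relay(code: int) -> str:
    """250 = anonymous relay accepted (misconfigured); 550 = "Unable to relay for ...",
    the result the article expects; 530 (assumed) = STARTTLS/AUTH demanded before MAIL FROM."""
    return RELAY_VERDICT.get(code, "other")

def probe(host: str, port: int = 25, external_rcpt: str = "user@example.net") -> dict:
    """Live version of the article's tests against your own virtual server (host is a placeholder)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        report = assess(smtp.esmtp_features)
        code, _ = smtp.mail("postmaster@" + host)   # deliberately unauthenticated
        if code == 250:
            code, _ = smtp.rcpt(external_rcpt)
        report["relay"] = classify_relay(code)
    return report

# Constructed EHLO reply in the shape of a default Exchange 2003 virtual server (no certificate yet).
DEFAULT_EHLO = ("250-mail.example.com Hello [10.0.0.5]\r\n250-AUTH GSSAPI NTLM LOGIN\r\n"
                "250-AUTH=LOGIN\r\n250-SIZE 2097152\r\n250 OK")
```

Run probe() only against a server you administer and from the client address whose restrictions you are verifying; it reproduces the article's manual tests, not a new one.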

Troubleshoot

Any restrictions that are based on DNS lookup can adversely affect the performance of the Exchange 2003 computer. Because the server performs a reverse DNS lookup on each inbound connection, a DNS reverse lookup zone must be available and the sending host must be registered with that zone.

REFERENCES

For more information about Exchange Server 2003, visit the following Microsoft Web site:

Modification Type: Minor
Last Reviewed: 9/13/2006
Keywords: kbhowto KB823019 kbAudITPRO