Secure POP3 Client Connections to Exchange 2013 CU15

    Question

  • What is the process to enforce secure POP3 client connections to Exchange 2013? I need to ensure the username and password sent by a client connecting to mailboxes on Exchange 2013 are sent over a secure connection and that the mail being downloaded to the client is encrypted. POP3 uses port 110 by default and I don't believe this traffic is encrypted. Can someone clarify the process of securing client POP3 connections to Exchange 2013? CU = 15.

    Thanks

    Monday, August 21, 2017 4:13 PM

All replies

  • Block port 110 in the Windows Firewall.

    You can also enter this:

    Set-POPSettings -UnencryptedOrTlsBindings $Null

    Then restart the POP3 services.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, August 21, 2017 9:48 PM
    Moderator
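    The steps in this reply (clear the port 110 bindings, restart the POP3 services, block 110 at the firewall) as one script, written here as an added example rather than code from the reply. It assumes the Exchange Management Shell on the Client Access server, a placeholder server name "EX2013-CAS01", and Windows Server 2012 or later for the NetSecurity firewall cmdlets.

```powershell
# Added example (not the reply author's code): remove the plaintext/STARTTLS
# POP3 bindings so clients can only connect over SSL on TCP 995, restart the
# POP3 services so the change takes effect, and block 110 at the host firewall
# as a second layer. Placeholder server name: EX2013-CAS01.
$server = "EX2013-CAS01"

# Record the current state so the change can be reviewed or reverted.
$before = Get-PopSettings -Server $server
"Before: Unencrypted/TLS bindings = $($before.UnencryptedOrTlsBindings -join ', ')"
"Before: SSL bindings             = $($before.SSLBindings -join ', ')"

# Clear the port 110 bindings; the 995 SSL bindings are left untouched.
Set-PopSettings -Server $server -UnencryptedOrTlsBindings $null

# Bindings are read at service start, so restart both POP3 services
# (front end and back end on Exchange 2013).
Restart-Service MSExchangePOP3, MSExchangePOP3BE

# Second layer: drop inbound TCP 110 at the Windows Firewall as well
# (assumes the NetSecurity module, Windows Server 2012 or later).
$ruleName = "Block POP3 plaintext (110)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 110 -Action Block -Profile Any
}

# Verify: the unencrypted binding list should now be empty.
$after = Get-PopSettings -Server $server
if ($after.UnencryptedOrTlsBindings.Count -eq 0) {
    "OK: no plaintext/STARTTLS POP3 listener; clients must use SSL on 995."
} else {
    "WARNING: plaintext bindings still present: $($after.UnencryptedOrTlsBindings -join ', ')"
}
```

    Removing the bindings takes away STARTTLS on 110 as well, so any client still configured for port 110 will fail to connect until it is switched to 995/SSL; the before/after output makes that change visible in a change record.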
  • Currently these are the -UnencryptedOrTlsBindings settings in my environment.

    InternalConnectionSettings    : {servername.internaldomain.com:995:SSL, servernam.internaldomain.com:110:TLS}

    ExternalConnectionSettings     :{}

    X509CertificateName          :CommonName of my Public Certificate assigned to Exchange IIS,SMTP,POP,IMAP Services

    LoginType     : PlainTextLogin

    ________________________________________________________________________________

    Questions:

    1. Because the LoginType is PlainText, the username and password are being sent in clear text, right? What are the requirements if I want to switch to "SecureLogin"?

    2. Because the Exchange 2013 server names are not present on my Public Exchange Certificate and this particular cert is assigned POP services, I suspect if I disable port 110, I will break all connections to Exchange 2013 over POP3.

    3. What does the TLS mean after servernam.internaldomain.com:110:TLS under InternalConnectionSettings? This leads me to believe that mail is downloaded to the client over TLS. Is this not the case?

    4. Because my UC Certificate on Exchange 2013 has all of my Exchange Server FQDNs on the cert, I'm thinking I could assign this certificate to POP3 and then I could run the command you suggested, Set-POPSettings -UnencryptedOrTlsBindings $Null, and that would force all mail to be transferred over a secure connection for POP connections.

    Tuesday, August 22, 2017 7:07 PM
  • I don't see that setting in what you posted, just other settings.

    Seriously, if you're worried about security, don't use POP at all or restrict its use to closely guarded and connected systems where it will be difficult to sniff the wire.

    1.  Just assume that this is the case.

    2.  You can use a name that's in the certificate if it points to the Exchange server.  If the names point to a load balancer, you can route POP3 through the load balancer.  Make sure to set persistence to source IP address.

    3.  If the client supports TLS, but that doesn't make it required.

    4.  You can use the following command to designate your certificate as accepted for IMAP.

    Set-ImapSettings -CertPrincipalName msstd:owa.company.com

    where owa.company.com is the CN of the certificate.

    I'd recommend that you just require SSL if it's at all possible.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Tuesday, August 22, 2017 8:01 PM
    Moderator
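    Points 1, 2 and 4 of this reply (use a name that is on the certificate, designate that certificate for the service, and require TLS/SSL) applied to the POP3 service, as an added example that is not the reply author's code. It assumes a placeholder server "EX2013-CAS01" and a placeholder name "mail.contoso.com" that is present on the certificate and resolves to the server or its load balancer; the cmdlets and parameters used (Get-ExchangeCertificate, Enable-ExchangeCertificate, Set-PopSettings with -X509CertificateName, -LoginType and the connection-settings parameters) are standard Exchange 2013 cmdlets.

```powershell
# Added example (not the reply author's code): bind a certificate whose subject
# name clients actually connect to, require TLS or SSL before the client may
# authenticate, and advertise only the SSL endpoint.
# Placeholders: EX2013-CAS01 (server), mail.contoso.com (name on the certificate).
$server   = "EX2013-CAS01"
$certName = "mail.contoso.com"

# Pick the newest valid certificate whose subject CN matches the client-facing
# name, and enable POP/IMAP on it if they are not already in its service list.
$cert = Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Subject -like "CN=$certName*" -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid certificate with CN=$certName on $server" }
if ("$($cert.Services)" -notlike "*POP*") {
    Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services POP,IMAP
}

# Tell the POP3 service which certificate to present, refuse USER/PASS until the
# session is protected by TLS or SSL (SecureLogin), and advertise the 995/SSL
# endpoint under the certificate name so the advertised name matches the cert.
Set-PopSettings -Server $server `
    -X509CertificateName $certName `
    -LoginType SecureLogin `
    -InternalConnectionSettings "${certName}:995:SSL" `
    -ExternalConnectionSettings "${certName}:995:SSL"

# Settings are applied at service start.
Restart-Service MSExchangePOP3, MSExchangePOP3BE

# Show the result: LoginType should read SecureLogin, and X509CertificateName
# should be the name users type into their mail client's POP3 server field.
Get-PopSettings -Server $server |
    Format-List X509CertificateName, LoginType, InternalConnectionSettings, ExternalConnectionSettings, SSLBindings
```

    With LoginType set to SecureLogin, a client that still connects on port 110 must issue STLS before logging on, and a client that presents credentials in the clear is rejected; combining this with the earlier removal of the 110 bindings leaves 995/SSL as the only path. The certificate name check matters because a client configured with a server name that is not on the certificate will either warn the user or silently fail, which is the breakage the questioner anticipated in point 2.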
  • The screenshot didn't come through. Here are my settings:

    UnencryptedOrTLSBindings          : {[::]:110, 0.0.0.0:110}

    SSLBindings                       : {[::]:995, 0.0.0.0:995}

    Tuesday, August 22, 2017 8:04 PM
  • The command I gave you originally will secure your POP3 by keeping clients from connecting over TCP port 110, requiring them to use TCP port 999 SSL.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Tuesday, August 22, 2017 8:06 PM
    Moderator