Exchange Server 2010 POP3: Securing POP3 Client Remote Access

In this tutorial I’ll show you how to configure the Exchange 2010 POP3 service for secure client access.

Understanding the Need for Secure POP3

The Post Office Protocol (POP) can be insecure because it allows user credentials to be passed in plain text. To understand how serious this is, imagine that your end users are on a public Wi-Fi network and connecting to your corporate Exchange servers over POP3. They'll be authenticating with their Active Directory username and password.

If POP access is not secured, those credentials will be sent "in the clear" and could be sniffed by an attacker on the same Wi-Fi network. To see an example of this in action, here is a POP3 session login sniffed on an insecure network.

Insecure POP3 login traffic

The user’s cleverly chosen password of “Seagull1” is visible to anyone who is able to sniff the network traffic.

As you can see in the example above, it is very important that POP traffic is secured if you plan to use it for remote email access in your Exchange 2010 environment.

Configuring Security for the Exchange Server 2010 POP3 Service

To configure the POP3 service on Exchange Server 2010 Client Access servers, open the Exchange Management Console and navigate to Server Configuration/Client Access.

Click on the name of the Client Access server you want to configure, and then open the Properties of the POP3 protocol in the lower pane.

Configuring the POP3 protocol for Exchange 2010 Client Access servers

On the Authentication tab you can see that Secure logon is the default setting.  So why have I been explaining the importance of POP3 security to you when Exchange 2010 is secure by default?

Exchange 2010 POP3 default Authentication settings

Because I see a lot of customers changing this setting to Plain text logon, simply because that is the easiest way to get POP3 working quickly.  Usually they do this because they encounter logon errors for clients who are trying to connect.

POP3 logon errors for Exchange Server 2010 remote user

A network capture shows the same error occurring.

Exchange 2010 POP3 client logon error network traffic

This will happen if the email client is not configured to use SSL for the connection.

Configuring SSL connection for POP3 client

When the POP3 connection is made using SSL, the client is able to log on and retrieve mail successfully. More importantly, it does so without attackers on insecure networks being able to sniff the credentials from the network traffic.

Network capture of SSL-secured POP3 traffic

Configuring Ports for Exchange Server 2010 POP3

You may have noticed in the screenshot above that when the client is configured for SSL it changes the port from 110 to 995.  TCP 995 is the port for SSL-secured POP3.  The POP3 service is bound to both ports 110 and 995 by default.  You can see this in the Bindings tab of the POP3 properties.

Exchange 2010 POP3 default port bindings

Configuring an SSL Certificate for Exchange Server 2010 POP3

Because SSL is being used to secure the POP3 connections, you will need to configure an SSL certificate for your Client Access server.

This certificate must include the name that you want your remote users to connect to for POP3 access, and it must be trusted by the computer the remote user is connecting from. If it is not trusted, or there is a name mismatch, then they may receive certificate warnings in their POP3 email client.

Certificate warnings for Exchange 2010 POP3 users

To fix this, after installing an SSL certificate, configure the certificate name in the Authentication tab of the POP3 properties.

Configuring SSL certificate name for Exchange 2010 POP3

You’ll need to restart the POP3 service to apply this or any other configuration change that you make.
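The settings covered in this tutorial can also be checked and applied from the Exchange Management Shell. The script below is an added example, not part of the original tutorial; the host name `mail.example.com` is a placeholder assumption for the name your remote users connect to.

```powershell
# Run in the Exchange Management Shell (Exchange Server 2010).
$PopFqdn = 'mail.example.com'   # placeholder: the name remote POP3 clients connect to

foreach ($cas in Get-ClientAccessServer) {
    $server = $cas.Name
    $pop    = Get-PopSettings -Server $server

    # Current state: logon type, certificate name, and the port 110 / 995 bindings.
    "{0}: LoginType={1} X509CertificateName={2}" -f $server, $pop.LoginType, $pop.X509CertificateName
    "  Unencrypted/TLS bindings: {0}" -f ($pop.UnencryptedOrTLSBindings -join ', ')
    "  SSL bindings:             {0}" -f ($pop.SSLBindings -join ', ')

    # An installed, unexpired certificate must carry the POP3 name and be enabled
    # for the POP service, otherwise clients see certificate warnings.
    $cert = Get-ExchangeCertificate -Server $server | Where-Object {
        (@($_.CertificateDomains | ForEach-Object { "$_" }) -contains $PopFqdn) -and
        ("$($_.Services)" -match 'POP') -and
        ($_.NotAfter -gt (Get-Date))
    }
    if (-not $cert) {
        Write-Warning "$server has no valid certificate for $PopFqdn enabled for POP; skipping."
        continue
    }

    # Put back the secure default if it was relaxed, and set the certificate name.
    $needsChange = ("$($pop.LoginType)" -ne 'SecureLogin') -or
                   ("$($pop.X509CertificateName)" -ne $PopFqdn)
    if ($needsChange) {
        Set-PopSettings -Server $server -LoginType SecureLogin -X509CertificateName $PopFqdn
        # Changes apply only after the POP3 service restarts.
        Get-Service -ComputerName $server -Name MSExchangePOP3 | Restart-Service
    }
}
```

Servers that report `PlainTextLogin` or `PlainTextAuthentication` in the first output line are the ones where the secure default was changed.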

When all of the settings are configured correctly, your remote email users will be able to connect to Exchange Server 2010 over POP3 securely.