In the last part of this tutorial series I gave you an overview of the POP3 protocol and showed you how to enable POP3 for Exchange Server 2010.  In this tutorial I’ll show you how to configure the Exchange 2010 POP3 service for secure client access.

Understanding the Need for Secure POP3

The Post Office Protocol (POP) can be insecure because, unless the connection is encrypted, it passes user credentials in plain text.  To understand how serious this is, imagine that your end users are on a public Wi-Fi network and connecting to your corporate Exchange servers over POP3.  They'll be authenticating with their Active Directory username and password.

If POP access is not secured those credentials will be sent "in the clear" and could be sniffed by an attacker who is on the same Wi-Fi network.  To see an example of this in action, here is a POP3 login sniffed on an insecure network.

Figure: Insecure POP3 login traffic

The user’s cleverly chosen password of “Seagull1” is visible to anyone who is able to sniff the network traffic.

As you can see in the example above, it is very important that POP traffic is secured if you plan to use it for remote email access in your Exchange 2010 environment.

Configuring Security for the Exchange Server 2010 POP3 Service

To configure the POP3 service on Exchange Server 2010 Client Access servers open the Exchange Management Console and navigate to Server Configuration/Client Access.

Click on the name of the Client Access server you want to configure, and then open the Properties of the POP3 protocol in the lower pane.

Figure: Configuring the POP3 protocol for Exchange 2010 Client Access servers

On the Authentication tab you can see that Secure logon is the default setting.  So why have I been explaining the importance of POP3 security to you when Exchange 2010 is secure by default?

Figure: Exchange 2010 POP3 default Authentication settings

Because I see a lot of customers changing this setting to Plain text logon, simply because that is the easiest way to get POP3 working quickly.  Usually they do this because they encounter logon errors for clients who are trying to connect.

Figure: POP3 logon errors for Exchange Server 2010 remote user

A network capture shows the same error occurring.

Figure: Exchange 2010 POP3 client logon error network traffic

This will happen if the email client is not configured to use SSL for the connection: with Secure logon in effect, the server refuses the username and password until the session has been encrypted, so a client that sends them over an unencrypted connection gets a logon error.

Figure: Configuring SSL connection for POP3 client

When the POP3 connection is made using SSL the client is able to log on and retrieve mail successfully.  More importantly, it does so without attackers on insecure networks being able to sniff the credentials from the network traffic.

Figure: Network capture of SSL-secured POP3 traffic

Configuring Ports for Exchange Server 2010 POP3

You may have noticed in the screenshot above that when the client is configured for SSL it changes the port from 110 to 995.  TCP 995 is the port for SSL-secured POP3.  The POP3 service is bound to both ports 110 and 995 by default.  You can see this in the Bindings tab of the POP3 properties.

Figure: Exchange 2010 POP3 default port bindings

Configuring an SSL Certificate for Exchange Server 2010 POP3

Because SSL is being used to secure the POP3 connections you will need to configure an SSL certificate for your Client Access server.

This certificate must include the name that your remote users will connect to for POP3 access, and it must be trusted by the computer the remote user connects from.  If it is not trusted, or there is a name mismatch, they may receive certificate warnings in their POP3 email client.

Figure: Certificate warnings for Exchange 2010 POP3 users
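The logon errors and certificate warnings described above can be checked from the client side before users report them. The following PowerShell script is an added example, not code from the original article or from Microsoft: it opens TCP 110 to confirm that the server advertises STLS and refuses a plain-text USER command (the "logon error" a non-SSL client sees when Secure logon is in effect), then opens TCP 995, completes the SSL handshake and reports the certificate's subject, expiry and any trust or name-mismatch error. The host name `mail.example.com` and the probe user name are assumed placeholders; no password is ever sent.

```powershell
# Added example (not from the original article): client-side check that an Exchange 2010
# Client Access server only accepts POP3 logons over SSL/TLS and presents a trusted,
# correctly named certificate on TCP 995. $PopHost is an assumed placeholder.
param(
    [string]$PopHost = "mail.example.com"   # assumed placeholder: the name users connect to
)

function Test-PopPlainLogonRefused {
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 110)
    try {
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        $banner = $reader.ReadLine()                 # +OK greeting
        $writer.WriteLine("CAPA")                    # ask for capabilities; a multi-line reply ending in "."
        $caps = @()
        do { $line = $reader.ReadLine(); $caps += $line } while ($line -ne ".")

        # Send USER with a dummy name over the unencrypted session. With Secure logon the
        # server answers -ERR, which is the logon error shown in the article's screenshots.
        $writer.WriteLine("USER tls-audit-probe")    # assumed placeholder user name, no password sent
        $userResp = $reader.ReadLine()
        $writer.WriteLine("QUIT")

        [pscustomobject]@{
            Banner           = $banner
            AdvertisesStls   = [bool]($caps -match '^STLS')
            PlainUserRefused = $userResp.StartsWith("-ERR")
            UserResponse     = $userResp
        }
    } finally { $client.Close() }
}

function Test-PopSslCertificate {
    param([string]$HostName)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, 995)
    # Hashtable is a reference type, so the callback can record the validation result in it
    $result = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $sslPolicyErrors)
        $result.Errors = $sslPolicyErrors
        return $true   # accept here only so the certificate can be read and reported below
    }
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)          # implicit SSL: handshake precedes the POP3 banner
        $reader = New-Object System.IO.StreamReader($ssl, [System.Text.Encoding]::ASCII)
        $banner = $reader.ReadLine()
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Banner           = $banner
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Protocol         = $ssl.SslProtocol
            ValidationErrors = $result.Errors          # None = trusted chain and name matches
        }
    } finally { $client.Close() }
}

Test-PopPlainLogonRefused -HostName $PopHost | Format-List
Test-PopSslCertificate    -HostName $PopHost | Format-List
```

A healthy result shows `PlainUserRefused` as True on port 110 and `ValidationErrors` as None on port 995. `RemoteCertificateNameMismatch` means the certificate does not contain the name users type into their client; `RemoteCertificateChainErrors` means the client machine does not trust the issuing CA, which is the warning the article's screenshot shows.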

To fix this, after installing an SSL certificate, configure the certificate name in the Authentication tab of the POP3 properties.

Figure: Configuring SSL certificate name for Exchange 2010 POP3

You’ll need to restart the POP3 service to apply this or any other configuration change that you make.
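The Exchange Management Console steps above (Secure logon, port bindings, certificate name and service restart) can also be done from the Exchange Management Shell, which is easier to repeat across several Client Access servers. The script below is an added example, not code from the original article; it uses the Exchange 2010 cmdlets Get-PopSettings, Set-PopSettings, Get-ExchangeCertificate and Test-PopConnectivity, and the server name `CAS01` and POP3 name `mail.example.com` are assumed placeholders.

```powershell
# Added example (not from the original article): Exchange Management Shell equivalent of
# the EMC settings described above, run on or against an Exchange 2010 Client Access server.
$Server  = "CAS01"              # assumed placeholder: the Client Access server to configure
$PopName = "mail.example.com"   # assumed placeholder: the name users enter in their POP3 client

# 1. Show the current state. LoginType should read SecureLogin, the default.
Get-PopSettings -Server $Server |
    Format-List LoginType, X509CertificateName, SSLBindings, UnencryptedOrTLSBindings

# 2. Enforce Secure logon. PlainTextLogin is the setting the article warns against,
#    because it lets clients send credentials before the session is encrypted.
Set-PopSettings -Server $Server -LoginType SecureLogin

# 3. Keep the default bindings: 995 for SSL, 110 for clients that upgrade with STLS.
Set-PopSettings -Server $Server -SSLBindings "0.0.0.0:995" -UnencryptedOrTLSBindings "0.0.0.0:110"

# 4. Point the POP3 service at the certificate whose subject/SAN contains the name users
#    connect to. It must already be installed and enabled for the POP service.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.CertificateDomains -contains $PopName -and "$($_.Services)" -match "POP" }
if (-not $cert) {
    throw "No Exchange certificate containing $PopName is enabled for POP on $Server"
}
Set-PopSettings -Server $Server -X509CertificateName $PopName

# 5. Restart the POP3 service so the changes take effect.
Restart-Service MSExchangePOP3

# 6. Confirm the settings and run the built-in SSL connectivity test, without trusting
#    untrusted certificates, so a name mismatch or missing CA shows up here rather than
#    as a warning on a user's client.
Get-PopSettings -Server $Server | Format-List LoginType, X509CertificateName, SSLBindings
Test-PopConnectivity -ClientAccessServer $Server -ConnectionType Ssl -TrustAnySSLCertificate:$false
```

Test-PopConnectivity uses the test mailbox created by the New-TestCasConnectivityUser.ps1 script in the Exchange Scripts folder; supply -MailboxCredential instead if you prefer to test with a specific account.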

When all of the settings are configured correctly your remote email users will be able to connect to Exchange Server 2010 over POP3 securely.

In the next part of this tutorial series we’ll take a look at some of the other configuration options for Exchange 2010 POP3.

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Eric

    Hi Paul,

    Sorry for not making the scenario clear.

    2-CAS/HUB in site A (LB)
    2-MBX in Site A (DAG)
    2-CAS/HUB in site B (LB)
    2-MBX in Site B (DAG)

    Enabled pop3 on one CAS ServerA in Site A

    Client is in Site B connecting via POP3, but the logs show the connection going to CAS ServerB

    We just want to enable POP3 on one of the CAS Servers (CAS ServerA) within Site A, so any other future POP3 connections regardless of the site will connect to that CAS Server within Site A

    Is this possible?

    Thanks Eric

  2. Eric

    Paul,

    If we have multiple CAS servers within the Org can we enable pop3 on just one of them and have the person(s) connect to that one specifically or we would have to do this on all of them in the Org?

    Regards,
    Eric

      1. Eric

        Hi Paul,

        I have several CAS Servers in the environment (2010). Enabling POP3 on a specific CAS server does not work; after enabling POP3 logging I see in the log that it is redirecting the traffic to another CAS Server? Enabling the CAS server in the log, then the pop3 client starts to function. Am I not seeing something properly here?

          1. Eric

            There is a load balancer in place, with two CAS Servers within the CAS array. I have enabled POP3 on only one of the CAS Servers within the ARRAY itself, and I point the pop client directly to that POP3 Server. Doing it like this the Client is unable to connect, only when I enable POP3 on the other CAS Server within the ARRAY it works.

            Ultimately I am trying to bypass the LB and the Array and go directly to one of the two CAS Servers.

          2. Reply

            Ignore the CAS Array, it’s not relevant to POP connections.

            I’m trying to understand your scenario. Are they dedicated CAS, or multi-role? Are they all in the same site?

            Why not just enable POP on all CAS and load balance the traffic anyway?

  3. tim tutcho

    Tried all your steps. Still can't add an email account on my iPhone.

  4. Binu Kumar

    Paul,

    Thank you for sharing such a valuable article. I would also like to know if there is something similar for Exchange 2013? As I am not able to use SSL for POP3. All the certificates are set and enabled for the required services. I keep getting: 0x800CCC1A "Your server does not support the connection encryption type you have specified"
