Set up a user that can only access POP3 email. Security reasons

I have a client that, because of outside constraints, needs to forward all his Exchange box email to an outside account via POP3. I don't like the security of POP3 because of the clear text passwords, and this particular user has some heavy access rights. What I did was to set up another user with an email account and forward the real user's email to this account. The outside program then connects to our server and retrieves the forwarded email from a mailbox with as little rights as possible. This works great, but I would like to lock down the account that I use to forward mail for the POP3 mail transfer. Right now the user is a domain user. I could probably do better with some more testing but don't have the time. I am looking for some guidance on how to lock down the POP3 account. SSL is not an option here since I don't have control over the software that retrieves the POP3 mail. I look forward to your answers.

Glenn Thibeault

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Why do you need to have it forward via POP3??? Why not just forward the email directly from Exchange?  All you would need to do is create a CONTACT in Active Directory with the external address you want to forward messages to set as an SMTP email address.  Then on the Properties dialogue of the user click the Exchange General TAB > Delivery Options...  and then enter the Forwarding information.

I would never run the POP3 service for retrieving messages from an SBS.... it's too insecure and takes up too many resources.

OnsiteIT (Author) commented:
That was my first thought and we have done this, but because (I have been working on this problem for a long time) of some problems on the other side of the email setup (that even MS says is the other group's fault) we get multiple email messages (such as five to one sometimes), so we have to do it this way. Like I said, I don't control the other side of the equation so I can only work with what I have. And the other people swear that it's our fault. Typical stuff, but I still have to find a way to make it work.

Having used that forwarding solution on numerous occasions, I would definitely say it is the other side that is causing the problem. Can you not set the user up with a different POP3 account, a free one, Hotmail or something, and forward all mail to that as Jeff says?

The problem you have is: how do you lock down something when most of your constraints are going to be at the other end? Your security weakness lies in the very method you are using rather than in your configuration of that method, so I would revisit the other end. Normally if a solution is not presented to people then they can't suggest you use it, therefore you don't put yourself in a position where you are using a weak solution to cater for others' incompetence.

I would get back onto the other side of this equation and discuss your options, or just use a Hotmail or something; then you don't need to worry about any POP3 business, just get Exchange to forward (this works like a charm).



Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Exactly... do what I suggested with the CONTACT, and forward the mail to a GMail account which will give you FREE POP3 access.  Then, the user can pull mail from the GMail account.

OnsiteIT (Author) commented:
I thought about doing that also; it seems against my grain to have to go through so many hoops to do this. I am sure that there is a way to control the user rights on an account to really lock this whole thing down. But is it worth the time and effort?

Glenn T
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Yes, there is, but I don't think it's worth the time and effort.  And it's not any additional hoops... Essentially you are still forwarding to a separate email account for POP3 retrieval.  It's just a GMail account instead of an internal one.  The added benefit of doing it this way is that you won't have the POP3 service running on your machine.
