Set up a user that can only access POP3 email. Security reasons

OnsiteIT asked
Last Modified: 2006-11-18
I have a client that, because of outside constraints, needs to forward all his Exchange mailbox email to an outside account via POP3. I don't like the security of POP3 because of the clear text passwords, and this particular user has some heavy access rights. What I did was to set up another user with an email account and forward the real user's email to this account. The outside program then connects to our server and retrieves the forwarded email from a mailbox with as little rights as possible. This works great, but I would like to lock down the account that I use to forward mail for the POP3 mail transfer. Right now the user is a domain user. I could probably do better with some more testing but don't have the time. I am looking for some guidance on how to lock down the POP3 account. SSL is not an option here since I don't have control over the software that retrieves the POP3 mail. I look forward to your answers.


Glenn Thibeault
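
A way to check which sessions of the external retrieval program actually expose the mailbox password, added here as an example and not part of the original question: it classifies POP3 client commands taken from a server protocol log and redacts the secrets. The log shape, session names, account name and credentials are constructed assumptions.

```python
# Constructed POP3 client commands, as a server protocol log would record them
# (sample data for illustration; account name and secrets are made up).
SAMPLE_SESSIONS = {
    "plain-110":  ["CAPA", "USER fwdbox", "PASS s3cret-example", "STAT", "QUIT"],
    "stls-110":   ["CAPA", "STLS", "USER fwdbox", "PASS s3cret-example", "QUIT"],
    "apop-110":   ["APOP fwdbox c4c9334bac560ecc979e58001b3e22fb", "LIST", "QUIT"],
    "auth-plain": ["AUTH PLAIN AGZ3ZGJveABzM2NyZXQ=", "QUIT"],
}


def classify_session(commands):
    """Return (verdict, redacted_commands) for one session's client commands."""
    tls = False
    verdict = "no-auth"
    redacted = []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            # Assumes the server accepted STLS; later commands then travel inside TLS.
            tls = True
        elif verb == "PASS":
            verdict = "protected-by-tls" if tls else "cleartext-password"
            line = "PASS <redacted>"
        elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
            # SASL PLAIN is only base64-encoded, so without TLS it is cleartext too.
            verdict = "protected-by-tls" if tls else "cleartext-password"
            line = "AUTH PLAIN <redacted>"
        elif verb == "APOP":
            # APOP sends an MD5 digest of a server challenge plus the shared secret,
            # so the password itself never crosses the wire.
            verdict = "protected-by-tls" if tls else "apop-digest"
            line = "APOP " + arg.split(" ")[0] + " <redacted>"
        redacted.append(line)
    return verdict, redacted


def flag_cleartext(sessions):
    """Return the sorted ids of sessions that exposed a reusable password."""
    return sorted(sid for sid, cmds in sessions.items()
                  if classify_session(cmds)[0] == "cleartext-password")


if __name__ == "__main__":
    for sid, cmds in SAMPLE_SESSIONS.items():
        verdict, safe = classify_session(cmds)
        print(f"{sid:11} {verdict:19} {' | '.join(safe)}")
```
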

Jeffrey Kane - TechSoEasy, Principal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
Why do you need to have it forward via POP3??? Why not just forward the email directly from Exchange?  All you would need to do is create a CONTACT in Active Directory with the external address you want to forward messages to set as an SMTP email address.  Then on the Properties dialogue of the user click the Exchange General TAB > Delivery Options...  and then enter the Forwarding information.

I would never run the POP3 service for retrieving messages from an SBS.... it's too insecure and takes up too many resources.

Jeff
TechSoEasy

Author

Commented:
TechSoEasy,
That was my first thought and we have done this, but because (I have been working on this problem for a long time) of some problems on the other side of the email setup (that even MS says is the other group's fault) we get multiple email messages (such as five to one sometimes), so we have to do it this way. Like I said, I don't control the other side of the equation so I can only work with what I have. And the other people swear that it's our fault. Typical stuff, but I still have to find a way to make it work.



GlennT
Having used that forwarding solution on numerous occasions, I would definitely say it is the other side that is causing the problem. Can you not set the user up with a different POP3 account, a free one, Hotmail or something, and forward all mail to that as Jeff says?

The problem you have is: how do you lock down something when most of your constraints are going to be at the other end? Your security weakness lies in the very method you are using rather than in your configuration of that method, so I would revisit the other end. Normally if a solution is not presented to people then they can't suggest you use it, therefore you don't put yourself in a position where you are using a weak solution to cater for others' incompetence.

I would get back onto the other side of this equation and discuss your options, or just use a Hotmail or something; then you don't need to worry about any POP3 business, just get Exchange to forward (this works like a charm).

Michael

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Exactly... do what I suggested with the CONTACT, and forward the mail to a GMail account which will give you FREE POP3 access.  Then, the user can pull mail from the GMail account.

Jeff
TechSoEasy

Author

Commented:
I thought about doing that also; it seems against my grain to have to go through so many hoops to do this. I am sure that there is a way to control the user rights on an account to really lock this whole thing down. But is it worth the time and effort?


Glenn T
Jeffrey Kane - TechSoEasy, Principal Consultant
Commented:
Yes, there is, but I don't think it's worth the time and effort.  And it's not any additional hoops... Essentially you are still forwarding to a separate email account for POP3 retrieval.  It's just a GMail account instead of an internal one.  The added benefit of doing it this way is that you won't have the POP3 service running on your machine.

Jeff
TechSoEasy