wiggymoe

asked on

settings for POP using SSL on Exchange 2003 (SBS2003)

I am setting up POP using SSL on Exchange 2003 (SBS2003 actually).  I want to make VERY sure no passwords or traffic are being sent in the clear!

I have installed the SSL cert under POP3 Virtual Server > Access and have checked Require Secure Channel and Require 128-bit Encryption under Access > Communication.  However, it will only take my username and password (using Outlook 2003 on XP) if I check Basic Authentication (Password Is Sent In Clear Text) and DON'T check Requires SSL/TLS Encryption under Access > Authentication.

Is the above setting sending my passwords in cleartext?  I've read that Require Secure Channel forces a secure connection before sending credentials, but I've also read that unless Requires SSL/TLS Encryption is checked the password is being sent in cleartext!  I haven't read anything that addresses how the two interact.

Thanks.
Michael Worsham

There is a section in the link/article provided (below) that explains the Basic Authentication and Requires SSL/TLS Encryption.

Secure Exchange Server 2003 POP3 Publishing
http://www.msexchange.org/tutorials/securepop3pub.html

wiggymoe

ASKER

Thank you for the quick response.  I guess my question, specifically in terms of the link you provided, is that the article mentions two things:

# Put a checkmark in both the Require secure channel and Require 128-bit encryption checkboxes. This option forces the POP3 client to negotiate a secure TLS connection before any credentials or data is transferred between the POP3 client and server. Click OK.

AND

Requires SSL/TLS encryption: This setting forces the POP3 client to establish an SSL/TLS connection before credentials are sent to the POP3 server. If the client does not successfully establish a secure connection with the POP3 server, then the connection is dropped without the exchange of credentials. Never allow basic authentication without protecting the connection with TLS security.


The former seems to imply that the latter is moot?  I need to know because checking the latter makes Exchange refuse my username and password.
What are you using for an SSL certificate?
Is it a home grown certificate? Is it trusted by the client?

This sounds like the SSL communication isn't being established.

Simon.
Homegrown but trusted by the client.  I double-checked certificates in MMC on the client.  Also, it is the same certificate installed in IIS for OWA, and OWA works fine on the client without complaining about the cert.

My question is partly based on the EE question at http://209.85.173.104/search?q=cache:i36XGeaGe_kJ:www.experts-exchange.com/Networking/Protocols/Application_Protocols/Email/POP3/Q_22649266.html+site:experts-exchange.com+pop+ssl&hl=en&ct=clnk&cd=2&gl=us
Specifically, SAIonline's comments in the Accepted Solution.
Is the name that you are putting in to the POP3 setup the same name that is on the certificate?

If the certificate is issued to server or server.domain.local and you are putting in server.domain.com then it will fail.

Not a fan of home grown certificates myself, I would certainly be recommending a switch to a commercial certificate.

Simon.
Thank you for your response.  The name in the POP3 setup does indeed match the certificate, but I didn't mean to sound like I'm asking about a connection problem (not yet).

I'm sorry if I'm not really good at this communicating-with-humans stuff :).  I guess what I'm trying to say is:

1) My question is NOT "why does checking Access > Authentication > Require SSL cause my username and password to fail", but rather

2) My question IS "would someone with more experience please give a yea or nay to my understanding that checking Access > Communication > Require Secure Channel causes credentials going to that virtual server to be secure whether Access > Authentication > Require SSL is checked or not"

My understanding is that checking Access > Communication > Require Secure Channel encrypts the traffic but I can't find a clear answer on whether it starts encrypting before or after the username and password are sent.  Question #1 is moot if question #2 is "yea".

This understanding is based on:
a) SAIonline's accepted answer at https://www.experts-exchange.com/questions/22649266/POP3-SSL-TLS-connection-problems.html
b) The fact that "passwords being transmitted over the network without data encryption" "does not apply to [SSL] connections" with analogous settings for RPC over HTTPS (as in this tutorial http://www.msexchange.org/tutorials/Outlook_2003_Connect_Exchange_2003.html), which seems like it would apply to POP as well
c) other similar articles and discussions I no longer have links to

Again, thank you very much for everyone's help so far.
The whole point of using SSL is to protect the username and password. Therefore the process is to establish the secure channel first, before the username and password are passed across the connection. Unless you do that the process is pointless.

RequireSSL doesn't enable or disable SSL. All it does is require the use of it. You can still use SSL with that option disabled - the client just needs to be enabled to use SSL.

Simon.
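The point Simon makes above is one you can verify rather than take on trust: connect to the POP3 virtual server on the plain port, offer USER/PASS before any TLS, and see whether the server answers +OK. The following is an added example written for this thread, not code from Exchange, Outlook or any participant. It contains a small probe that drives a POP3 login over any "send command, get reply" channel, a real-socket channel for port 110 (plain) or 995 (implicit TLS), and a constructed fake server so the whole thing runs offline; the fake only models the "Require secure channel" behaviour discussed here, and its reply wordings, the host name, and the user/password pairs are assumptions, not captured Exchange output.

```python
"""Check whether a POP3 server will take USER/PASS over an unencrypted channel.

Added example for this thread, not code from Exchange or the original post.
Reply wordings in the fake server are assumptions, not captured Exchange output.
"""
import socket
import ssl


class ClearTextLoginProbe:
    """Drives USER/PASS over a given channel and records whether they were accepted."""

    def __init__(self, exchange):
        self.exchange = exchange  # callable: command str -> one-line reply str
        self.transcript = []

    def send(self, command):
        reply = self.exchange(command)
        # keep the password out of anything we might print or log
        shown = "PASS ********" if command.upper().startswith("PASS ") else command
        self.transcript.append((shown, reply))
        return reply

    def credentials_accepted(self, user, password):
        """True only if the server answers +OK to PASS on this channel."""
        if not self.send("USER " + user).upper().startswith("+OK"):
            self.send("QUIT")
            return False
        accepted = self.send("PASS " + password).upper().startswith("+OK")
        self.send("QUIT")
        return accepted


def socket_exchange(host, port, implicit_tls=False, timeout=10):
    """Return (greeting, exchange_fn) over plain TCP (port 110) or TLS (port 995).

    With implicit_tls the certificate must be trusted by this client, just as
    Outlook requires; a home-grown cert needs its CA in the local trust store."""
    sock = socket.create_connection((host, port), timeout)
    if implicit_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    stream = sock.makefile("rwb")
    greeting = stream.readline().decode("latin-1").rstrip("\r\n")

    def exchange(command):
        stream.write((command + "\r\n").encode("latin-1"))
        stream.flush()
        line = stream.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        return line.decode("latin-1").rstrip("\r\n")

    return greeting, exchange


class FakePop3Server:
    """Constructed stand-in for a POP3 virtual server; it models only the
    'Require secure channel' behaviour this thread is about."""

    def __init__(self, require_secure_channel, users):
        self.require_secure_channel = require_secure_channel
        self.users = users  # {username: password}, constructed test data
        self.tls = False
        self.user = None

    def handle(self, command):
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "STLS":
            self.tls = True  # the TLS handshake itself is not modelled here
            return "+OK Begin TLS negotiation"
        if verb in ("USER", "PASS") and self.require_secure_channel and not self.tls:
            # credentials refused before TLS is up; exact wording is an assumption
            return "-ERR Command is not valid in this state"
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb == "PASS":
            if self.user is not None and self.users.get(self.user) == arg:
                return "+OK User successfully logged on"
            return "-ERR Logon failure: unknown user name or bad password"
        if verb == "QUIT":
            return "+OK POP3 server signing off"
        return "-ERR Command not understood"


def clear_text_login_possible(require_secure_channel):
    """Offline demonstration: does a server with this setting accept a clear login?"""
    server = FakePop3Server(require_secure_channel, {"wiggymoe": "s3cret"})
    return ClearTextLoginProbe(server.handle).credentials_accepted("wiggymoe", "s3cret")


if __name__ == "__main__":
    print("Require secure channel OFF, clear login accepted:", clear_text_login_possible(False))
    print("Require secure channel ON,  clear login accepted:", clear_text_login_possible(True))
    # Against a real server (hypothetical host, not run here):
    #   greeting, ex = socket_exchange("mail.example.com", 110)
    #   ClearTextLoginProbe(ex).credentials_accepted("someuser", "somepass")
```

To check a live server, run the probe against port 110 with a throwaway account; if it returns True, the server accepted a password in the clear regardless of what the Authentication tab says. Run the same probe over `socket_exchange(host, 995, implicit_tls=True)` to confirm the login that Outlook's "SSL" setting uses succeeds only inside TLS, and note that the probe deliberately masks the password in its transcript so the check itself does not leave a copy in a log.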
So if Outlook is set to use SSL, the username and password are safe?
ASKER CERTIFIED SOLUTION
Sembee
Thanks!