How to secure Exchange 2003 SMTP server for POP Clients

We are running Exchange 2003 and would like to enforce secure access by POP clients from the outside.  For POP, it was simple, just select require SSL/TLS under Access Control and Require Secure Channel under Secure communication.

If we do the same for the SMTP server, including turning off anonymous access, all incoming emails are disabled.  How do you force/require email clients to authenticate and use TLS, but still allow other SMTP servers on the internet to connect and deliver incoming mail normally (i.e. no authentication or SSL)?
arms145 Asked:

Satya Pathak, Lead Technical Consultant, Commented:
Go through this as per your requirement; it may help you.
http://www.msexchange.org/tutorials/securepop3pub.html
0
arms145, Author, Commented:
Thank you but the article only addresses securing the POP3 server, which we've done and works, need guidance on securing the SMTP server for POP clients while still allowing normal connections from SMTP servers so that incoming mail for internal users is delivered.
0
Cris Hanna, Sr IT Support Engineer, Commented:
Why not use Outlook Anywhere instead of POP3 and you wouldn't have this issue and users could still have offline email if needed?
0
arms145, Author, Commented:
Some users need POP3 (mobile phones, preferred email clients at home, etc.)
0
Cris Hanna, Sr IT Support Engineer, Commented:
How to help secure SMTP client message delivery in Exchange 2003
http://support.microsoft.com/kb/823019 
0
arms145, Author, Commented:
I've read that but it is not clear how to deal with my problem.  I think it says to create a new SMTP server, doesn't mention the port or what changes are needed on the existing SMTP server to prevent POP clients from connecting to it without security.
0
arms145, Author, Commented:
No one knows how to implement this?  This is a very common need, there must be a relatively straightforward way.  I simply need to set up a secure SMTP server to require POP clients to authenticate and use TLS for sending emails through the SMTP server.
0
Cris Hanna, Sr IT Support Engineer, Commented:
Well, to be honest, I simply wouldn't do this for my clients.   With SBS 2003/Exchange 2003 you get licenses for Outlook 2003 for all users, so they would either use Outlook Anywhere configuration, OR OWA (Outlook Web Access).  With rare exception, every phone out there today has Exchange ActiveSync.   Even BlackBerries can sync via OWA or other technologies.
Another option is to use a 3rd party providing secured SMTP services regardless of the client:  http://www.dyndns.com/services/mailhop/outbound.html
 
0
arms145, Author, Commented:
There must be a way to set this up in Exchange 2003 without paying for a 3rd party tool.  Simply not doing it is not a viable option.
0
Cris Hanna, Sr IT Support Engineer, Commented:
You are certainly welcome to ask the moderators to try to get more responses or to ask for a refund since the question is not answered to your satisfaction.
Making additional configurations to Exchange to support POP3 is just not something I would do, when there are alternatives just using native SMTP.
0
arms145, Author, Commented:
Anyone else on how to set up secure authenticated SMTP on Exchange server 2003?  I'm just trying to set up what virtually all email providers have, is no one using Exchange to provide secure SMTP for POP and IMAP clients?
0
Cris Hanna, Sr IT Support Engineer, Commented:
Well I'm the only one that seems to be listening...a month has gone by and no other responses.
In a previous reply you said "Some users need POP3 (mobile phones, preferred email clients at home, etc.)"
Don't know about you, but I would never, and I mean never (I'd drop the customer) allow them to configure a POP3 client on a home PC to download email from the server and store on their home PC.  They can either install Outlook which you have licenses for because of SBS and run Outlook Anywhere or they can use Outlook Web Access to handle mail.
And if they need email access on their phone, they should have a smart phone (Windows Mobile, Android, iPhone, or worst case BlackBerry) that is capable of communicating via Exchange ActiveSync.
Being so insistent on using POP3, I almost get the impression that you're trying to use SBS/Exchange to be an ISP and provide email services not associated with a business network.
 
 
0
arms145, Author, Commented:
The process started with POP3 client access but the question/issue isn't about POP3.  It is simply about how to secure the SMTP server so that authentication is required when any type of client wants to use it to send (relay) mail.  When we do that (require auth/SSL, disable anonymous access), incoming mail from the outside for the local domain is not delivered.  Is there a way to differentiate between a client trying to connect to use it as an SMTP server to send mail to the internet vs another SMTP server trying to connect to deliver mail to our domain?
0
Cris Hanna, Sr IT Support Engineer, Commented:
I completely understand where you are coming from.   The solution is simple.  Return your configuration to the default and either use OWA or Outlook Anywhere when outside the domain LAN.   Mobile phones use Exchange ActiveSync over HTTPS.   Using POP3 clients inherently risks opening your Exchange Server to becoming an Open Relay because passwords are sent in Clear Text.   I understand that your clients may want to use POP3 clients outside the LAN.  Sometimes it's our job to protect the customer from themselves.
I understand you're not happy with the answer.  You can ask a moderator to delete the question or send it for further responses.
0
arms145, Author, Commented:
I guess the answer is to create a separate SMTP server on port 587 and secure that.  Still unclear how to reject unsecure client connections to default SMTP server on port 25.
0
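The split between a port 25 listener and a port 587 listener that the thread ends on, modelled as an added example (not part of the original thread and not Exchange configuration). The domain `corp.example`, the names `Session`, `rcpt_reply` and `audit_ehlo`, and the rule that port 25 never relays are assumptions made for illustration.

```python
from dataclasses import dataclass

LOCAL_DOMAINS = {"corp.example"}  # constructed: domains this server accepts mail for

@dataclass
class Session:
    port: int                    # 25 = other mail servers, 587 = client submission
    tls: bool = False            # STARTTLS completed on this connection
    authenticated: bool = False  # AUTH succeeded on this connection

def rcpt_reply(s: Session, rcpt: str) -> str:
    """Reply to RCPT TO under the split-listener policy (hypothetical model)."""
    domain = rcpt.strip("<> ").rpartition("@")[2].lower()
    if s.port == 587:
        # Submission listener: nothing is accepted until TLS and AUTH are done.
        if not s.tls:
            return "530 5.7.0 Must issue a STARTTLS command first"
        if not s.authenticated:
            return "530 5.7.0 Authentication required"
        return "250 2.1.5 OK"
    # Port 25 stays anonymous for inbound mail but never relays.
    if domain in LOCAL_DOMAINS:
        return "250 2.1.5 OK"
    return "550 5.7.1 Unable to relay"

def audit_ehlo(port: int, tls: bool, ehlo_lines: list[str]) -> list[str]:
    """Flag capabilities in an EHLO reply that contradict the policy."""
    caps = {l[4:].replace("=", " ").split()[0].upper()
            for l in ehlo_lines[1:] if l[4:].strip()}
    findings = []
    if port == 587 and not tls:
        if "STARTTLS" not in caps:
            findings.append("587: STARTTLS not offered")
        if "AUTH" in caps:
            findings.append("587: AUTH offered before TLS, credentials would cross in clear")
    return findings

# Constructed EHLO reply from a misconfigured submission listener.
SAMPLE_587 = ["250-mail.corp.example Hello", "250-SIZE 10240000",
              "250-AUTH LOGIN", "250 OK"]

if __name__ == "__main__":
    print(rcpt_reply(Session(25), "<user@corp.example>"))
    print(rcpt_reply(Session(25), "<friend@remote.example>"))
    print(rcpt_reply(Session(587, tls=True, authenticated=True), "<friend@remote.example>"))
    print(audit_ehlo(587, False, SAMPLE_587))
```

The recipient domain is what separates the two cases: mail for a local domain is delivery, anything else is relay, and only the authenticated TLS listener relays.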