How to secure Exchange 2003 SMTP server for POP Clients

We are running Exchange 2003 and would like to enforce secure access by POP clients from the outside. For POP it was simple: just select "Require SSL/TLS" under Access Control and "Require Secure Channel" under Secure Communication.

If we do the same for the SMTP server, including turning off anonymous access, all incoming emails are disabled.  How do you force/require email clients to authenticate and use TLS, but still allow other SMTP servers on the internet to connect and deliver incoming mail normally (i.e. no authentication or SSL)?
arms145 Asked:

Cris Hanna Commented:
How to help secure SMTP client message delivery in Exchange 2003
http://support.microsoft.com/kb/823019 

Satya Pathak (Lead Technical Consultant) Commented:
Go through this as per your requirement; it may help you.
http://www.msexchange.org/tutorials/securepop3pub.html

arms145 (Author) Commented:
Thank you, but the article only addresses securing the POP3 server, which we've done and which works. We need guidance on securing the SMTP server for POP clients while still allowing normal connections from SMTP servers, so that incoming mail for internal users is delivered.

Cris Hanna Commented:
Why not use Outlook Anywhere instead of POP3 and you wouldn't have this issue and users could still have offline email if needed?

arms145 (Author) Commented:
Some users need POP3 (mobile phones, preferred email clients at home, etc.)

arms145 (Author) Commented:
I've read that, but it is not clear how to deal with my problem. I think it says to create a new SMTP server, but it doesn't mention the port or what changes are needed on the existing SMTP server to prevent POP clients from connecting to it without security.

arms145 (Author) Commented:
No one knows how to implement this? This is a very common need; there must be a relatively straightforward way. I simply need to set up a secure SMTP server that requires POP clients to authenticate and use TLS for sending emails through the SMTP server.

Cris Hanna Commented:
Well, to be honest, I simply wouldn't do this for my clients. With SBS 2003/Exchange 2003 you get licenses for Outlook 2003 for all users, so they would either use an Outlook Anywhere configuration or OWA (Outlook Web Access). With rare exceptions, every phone out there today has Exchange ActiveSync. Even BlackBerries can sync via OWA or other technologies.
Another option is to use a third party providing secured SMTP services regardless of the client: http://www.dyndns.com/services/mailhop/outbound.html

arms145 (Author) Commented:
There must be a way to set this up in Exchange 2003 without paying for a third-party tool. Simply not doing it is not a viable option.

Cris Hanna Commented:
You are certainly welcome to ask the moderators to try to get more responses, or to ask for a refund since the question is not answered to your satisfaction.
Making additional configurations to Exchange to support POP3 is just not something I would do, when there are alternatives just using native SMTP.

arms145 (Author) Commented:
Anyone else on how to set up secure authenticated SMTP on Exchange Server 2003? I'm just trying to set up what virtually all email providers have; is no one using Exchange to provide secure SMTP for POP and IMAP clients?

Cris Hanna Commented:
Well, I'm the only one that seems to be listening... a month has gone by and no other responses.
In a previous reply you said "Some users need POP3 (mobile phones, preferred email clients at home, etc.)"
Don't know about you, but I would never, and I mean never (I'd drop the customer), allow them to configure a POP3 client on a home PC to download email from the server and store it on their home PC. They can either install Outlook, which you have licenses for because of SBS, and run Outlook Anywhere, or they can use Outlook Web Access to handle mail.
And if they need email access on their phone, they should have a smart phone (Windows Mobile, Android, iPhone, or worst case BlackBerry) that is capable of communicating via Exchange ActiveSync.
Being so insistent on using POP3, I almost get the impression that you're trying to use SBS/Exchange to be an ISP and provide email services not associated with a business network.

arms145 (Author) Commented:
The process started with POP3 client access, but the question/issue isn't about POP3. It is simply about how to secure the SMTP server so that authentication is required when any type of client wants to use it to send (relay) mail. When we do that (require auth/SSL, disable anonymous access), incoming mail from the outside for the local domain is not delivered. Is there a way to differentiate between a client trying to connect to use it as an SMTP server to send mail to the internet vs. another SMTP server trying to connect to deliver mail to our domain?

Cris Hanna Commented:
I completely understand where you are coming from. The solution is simple: return your configuration to the default and either use OWA or Outlook Anywhere when outside the domain LAN. Mobile phones use Exchange ActiveSync over HTTPS. Using POP3 clients inherently risks opening your Exchange Server to becoming an open relay because passwords are sent in clear text. I understand that your clients may want to use POP3 clients outside the LAN. Sometimes it's our job to protect the customer from themselves.
I understand you're not happy with the answer. You can ask a moderator to delete the question or send it for further responses.

arms145 (Author) Commented:
I guess the answer is to create a separate SMTP server on port 587 and secure that. It is still unclear how to reject insecure client connections to the default SMTP server on port 25.
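As an added check (my own example, not code from this thread, from Microsoft, or from the linked articles), the script below verifies the split setup the last comment arrives at from the outside, the way a POP client or a remote MTA would see it: a submission endpoint on 587 that offers STARTTLS and advertises AUTH only after TLS is up, and the port-25 endpoint that still accepts mail for the local domain but advertises no clear-text AUTH and refuses to relay unauthenticated mail elsewhere. The hostname, ports and recipient addresses are placeholders you supply for your own server; the `.invalid` addresses are constructed.

```python
"""Check the client-submission posture of an SMTP endpoint.

Added example; not Exchange code. The parsing and verdict functions run
offline against EHLO text; probe() performs the live check against a
server you operate (hostname, ports and addresses are placeholders).
"""
import smtplib
import ssl


def parse_ehlo_features(ehlo_msg):
    """Turn the EHLO response body (bytes, one extension per line, as
    returned by smtplib.SMTP.ehlo()) into {KEYWORD: parameter string}.
    The first line is the server greeting, not an extension."""
    features = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        keyword, _, params = line.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def assess_submission_port(features_plain, features_after_tls):
    """Findings for the client-submission endpoint (port 587 in the thread):
    STARTTLS must be offered, AUTH must not be offered in the clear, and
    AUTH must appear once TLS is negotiated. Empty list means it is right."""
    problems = []
    if "STARTTLS" not in features_plain:
        problems.append("STARTTLS not advertised before TLS")
    if "AUTH" in features_plain:
        problems.append("AUTH advertised before TLS (clear-text logins possible): "
                        + features_plain["AUTH"])
    if features_after_tls is not None and "AUTH" not in features_after_tls:
        problems.append("AUTH not advertised after STARTTLS (clients cannot authenticate)")
    return problems


def assess_mx_port(features_plain):
    """Findings for the inbound endpoint (port 25): it must not advertise
    AUTH in the clear, so POP clients cannot submit through it without TLS."""
    problems = []
    if "AUTH" in features_plain:
        problems.append("AUTH advertised in the clear on port 25: " + features_plain["AUTH"])
    return problems


def relay_verdict(local_rcpt_code, external_rcpt_code):
    """Interpret RCPT TO replies from an unauthenticated session: a local
    recipient should be accepted (2xx), a foreign domain refused (5xx)."""
    problems = []
    if not 200 <= local_rcpt_code < 300:
        problems.append("inbound mail for the local domain refused (%d)" % local_rcpt_code)
    if 200 <= external_rcpt_code < 300:
        problems.append("unauthenticated relay to a foreign domain accepted (%d): open relay"
                        % external_rcpt_code)
    return problems


def probe(host, port, local_rcpt, external_rcpt,
          sender="postmaster@example.invalid", tls_context=None):
    """Live check of one endpoint on your own server. Returns a report dict
    whose 'problems' list is empty when the posture matches the split setup."""
    report = {"problems": []}
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        _, msg = smtp.ehlo()
        plain = parse_ehlo_features(msg)
        after_tls = None
        if "STARTTLS" in plain:
            smtp.starttls(context=tls_context or ssl.create_default_context())
            _, msg = smtp.ehlo()  # extensions may change once TLS is up
            after_tls = parse_ehlo_features(msg)
        report["features_plain"] = plain
        report["features_after_tls"] = after_tls
        if port == 25:
            report["problems"] += assess_mx_port(plain)
        else:
            report["problems"] += assess_submission_port(plain, after_tls)
        # Unauthenticated envelope test: local recipient accepted, foreign refused.
        mail_code, _ = smtp.mail(sender)
        report["mail_from_code"] = mail_code
        if 200 <= mail_code < 300:
            local_code, _ = smtp.rcpt(local_rcpt)
            external_code, _ = smtp.rcpt(external_rcpt)
            report["problems"] += relay_verdict(local_code, external_code)
            smtp.rset()  # abandon the envelope; nothing is ever sent
    return report


if __name__ == "__main__":
    # Placeholder host and addresses; replace with your own server's values.
    for port in (25, 587):
        print(port, probe("mail.example.invalid", port,
                          "user@example.invalid", "someone@elsewhere.invalid"))
```

Run it twice, once per port. On 587 a rejected MAIL FROM (typically 530) before AUTH is the expected outcome and is recorded in `mail_from_code`; on 25 the only acceptable outcome is a 2xx for the local recipient and a 5xx for the foreign one. If the server presents a self-signed certificate, pass a `tls_context` with the verification settings you have decided to accept rather than editing the default.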
Question has a verified solution.