Re: Enabling STARTTLS in Exchange 2003 IMAP service?

From: Ben Winzenz [Exchange MVP] (ben_winzenz_at_NOSPAMdotmessageonedotcom)
Date: 01/12/05


Date: Wed, 12 Jan 2005 08:56:30 -0600

But also, as I indicated earlier, if you enable and require TLS for logins,
if you try to connect with a client, it will return a response indicating
that the server requires TLS. You must then set up the client for Secure
Password Authentication (Outlook Express and Outlook). Once you do this,
the login credentials should be encrypted. My guess is that most IMAP
clients will have some way to support that, though there are obviously some
that won't.

Also, per my question earlier, what type of response do you get when you
issue commands via telnet to port 143? You may not receive a response
indicating it supports the STARTTLS verb from a manual telnet connection,
but if you have configured the client and server as indicated, the login
information should be encrypted. If you are using the clients mentioned
above, this is not an issue. It is only a problem when you use a 3rd party
IMAP client that specifically requires the STARTTLS verb to be advertised,
which apparently Exchange does not. But don't take that to mean that
Exchange will not support encrypted logins. It does, it just doesn't
apparently advertise the STARTTLS verb. You might take a look on MSDN, or
post in the outlook or outlook express forums to see if someone can indicate
exactly how those clients are able to take advantage of TLS for logins,
because they certainly can.

-- 
Ben Winzenz
Exchange MVP
"Andrew Biggs" <dreamcoder@yahoo.com> wrote in message 
news:41E48399.9020008@yahoo.com...
> Perfect - this is *exactly* what I needed.  Thanks!!!
>
> neo [mvp outlook] wrote:
>> To answer your question quite simply, Exchange 2003 does not support what 
>> you are trying to do out of the box.  However, this was sent to me a few 
>> weeks back by a fellow MVP that runs the www.slipstick.com website.  I 
>> think this is what you are after even though the RFC #'s are throwing me 
>> a curve at the moment.
>>
>> IMAP Proxy was written to increase the security of the Microsoft Exchange 
>> IMAP implementation. Specifically, SYMBIAN based client devices require 
>> the implementation of RFC2595 in order to allow a secure connection for 
>> IMAP between the device and Exchange. Microsoft does not implement 
>> RFC2595 (STARTTLS) in their IMAP implementation. By Steven Sporen and 
>> Darryl Beckett.
>> http://www.slipstick.com/files/imapproxysvc.zip
>>
>>
>>
>>
>> "Andrew Biggs" <dreamcoder@yahoo.com> wrote in message 
>> news:41E450D8.8090509@yahoo.com...
>>
>>>Thanks again for your response Ben.  Let me see if I can clarify the 
>>>problem a bit.  The goal is simply to administer Exchange 2003 in such a 
>>>way as to allow secure IMAP connections using TLS.  My understanding 
>>>(which changes by the minute) is that there are two ways in which this 
>>>can be done...
>>>
>>>One, which appears to be common though non-standard, is for a message 
>>>store to listen on port 993 for IMAP-over-TLS connections.  In this case, 
>>>I believe the client and server negotiate the secure TLS channel 
>>>immediately after connection is established.  Following that, ordinary 
>>>IMAP traffic is transported across the secure channel.  It's common for 
>>>IMAP clients to then be configured to connect to port 993 rather than 
>>>143, with the expectation that they will begin the connection with a TLS 
>>>negotiation, and talk IMAP only after the TLS channel is established.
>>>
>>>The other approach, which is described in the IMAP spec, involves a 
>>>client connecting to the server via the standard IMAP port 143, and 
>>>subsequently "upgrading" the connection to be secure using the STARTTLS 
>>>command.  A client can only issue the STARTTLS command, though, if the 
>>>server advertises support for it via an appropriate response to the 
>>>CAPABILITY command.  The problem, quite simply, is that Exchange 2003 
>>>will not advertise support for STARTTLS on IMAP connections to port 143, 
>>>even when I have configured a certificate and indicated that it should 
>>>only allow SSL/TLS connections on that VS.
>>>
>>>So now you're wondering, "why don't you just connect to port 993 and be 
>>>done with it?".  That would be a fair suggestion and I'd have no problem 
>>>with doing exactly that, except that the application I am developing 
>>>actually needs to play nicely with other IMAP servers as well.  I am 
>>>therefore highly motivated to follow the standards wherever possible.
>>>
>>>So, in a nutshell, I am really just trying to figure out what kind of 
>>>administrative voodoo is needed to get Exchange to support the STARTTLS 
>>>command described in the IMAP spec.  Or, alternatively, get an 
>>>authoritative opinion from an Exchange Guru that it, "can't be done".
>>>
>>>At this point, I'll take either one :-/.
>>>
>>>
>>>
>>>Ben Winzenz [Exchange MVP] wrote:
>>>
>>>>I guess I'm not exactly clear on what your goal is.  Do you just want 
>>>>the login information to be encrypted, or do you want the entire 
>>>>conversation to be encrypted?  They are totally separate.
>>>>
>>>>For the first, if you simply want to enable encrypted logins, then once 
>>>>you have made the change to the IMAP VS (as it appears you have), you must 
>>>>then configure the client.  For example, in Outlook Express, you must 
>>>>tell it to "Log on using Secure Password Authentication".  Outlook has a 
>>>>similar option.  What is the current result when you initiate a manual 
>>>>telnet on port 143?  I guess I don't understand the need to have that 
>>>>command listed. If you are requiring TLS/SSL for logins, and you attempt 
>>>>to login from a client such as OE, you will be informed that the server 
>>>>requires TLS/SSL for logins.  That is perhaps a better test.
>>>>
>>
>> 
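The check the thread keeps circling around, written here as an added example rather than code from any poster: read the server's CAPABILITY reply on port 143, upgrade with STARTTLS (RFC 2595) only if it is advertised, and otherwise close without ever sending LOGIN in the clear. It uses Python's standard imaplib; the two sample CAPABILITY lines are constructed, and any host given to check_server is a placeholder.

```python
import imaplib
import ssl

# Constructed sample replies (not captured from a real server): the first is what
# an RFC 2595 server sends on port 143, the second mirrors the Exchange 2003
# behaviour the thread describes, where STARTTLS is never advertised.
CAPS_WITH_STARTTLS = b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"
CAPS_WITHOUT_STARTTLS = b"* CAPABILITY IMAP4rev1 IDLE NAMESPACE AUTH=NTLM"


def parse_capabilities(line):
    """Return the upper-cased capability tokens from an untagged CAPABILITY reply."""
    parts = line.decode("ascii", "replace").split()
    if len(parts) < 2 or parts[0] != "*" or parts[1].upper() != "CAPABILITY":
        raise ValueError("not an untagged CAPABILITY reply: %r" % line)
    return {p.upper() for p in parts[2:]}


def plan_login(caps):
    """Decide what a client may do on a plain port-143 connection."""
    if "STARTTLS" in caps:
        return "starttls"                  # RFC 2595: upgrade first, LOGIN inside TLS
    if "LOGINDISABLED" in caps:
        return "server-refuses-cleartext"  # the server itself will reject LOGIN
    return "refuse-cleartext"              # nothing advertised: do not send credentials


def check_server(host, port=143):
    """Live check (host is a placeholder; this part is not exercised offline).

    imaplib reads the greeting and CAPABILITY for us and stores the tokens in
    conn.capabilities. If STARTTLS is advertised we upgrade with certificate
    verification; otherwise we close without ever sending LOGIN in the clear.
    """
    conn = imaplib.IMAP4(host, port)
    try:
        decision = plan_login(set(conn.capabilities))
        if decision == "starttls":
            conn.starttls(ssl.create_default_context())  # verifies the server cert
        # imaplib re-reads CAPABILITY after a STARTTLS upgrade, so this reflects
        # the post-upgrade state (LOGINDISABLED should have disappeared)
        return decision, set(conn.capabilities)
    finally:
        try:
            conn.logout()
        except imaplib.IMAP4.error:
            pass
```

Run check_server("your-exchange-host") from a shell to see which branch a given server lands in; a "refuse-cleartext" result is exactly the symptom described above, and the right response is port 993 or a proxy that implements RFC 2595, not a cleartext LOGIN.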

