RE: Security Question: External POP3 Clients Using Outlook Express

From: Tony Su (TonySu_at_discussions.microsoft.com)
Date: 01/28/05 

Date: Thu, 27 Jan 2005 22:05:02 -0800

Steve,
Let's start off by saying that POP3 is fundamentally an unsecure protocol.
You're passing credentials in clear text and in the case of Exchange accounts
these credentials are User Account credentials.

Better is IMAP, but better yet is if you secure using an encrypted
protocol... such as S-POP, IMAPS or RPC/HTTP (which is actually HTTPS). Yes,
those options require configuring certificate(s) on the Server, modifying the
FW ports to permit (they're different than unencrypted protocols) and
configuring the clients appropriately.

As for your current POP3 configuration, if you go into the mail account's
advanced properties you will find a setting where the receiving credentials
will also be used for sending.

HTH,
Tony

"Steve" wrote:

> I was able to configure our sbs2003 std exchange/sp1 server to provide pop3
> access. The Outlook Express client can send and receive emails.
>
> I have all of the authentication options set to 'default' on the server,
> including Anonymous access in the POP3 Virtual Server settings.
>
> In the SMTP Virtual Server settings, The only ip addresses allowed to relay
> are the server and the 127.0.0.1(by default). and also checked is 'Allow all
> computers which successfully authenticate to relay, regardless of the list
> above'.
>
> If I try to change any settings, I lose email functionality.
>
> The Outlook Express clients are not configured to use user names and
> passwords to send emails.
>
> How do I know if my server is safe, or not? Right now everything works, but
> does it now work for the hackers too?
>
> I see options for SSL, certificates and such but have no idea how to
> implement them, or if they would be of any use?
>
>
>
>

Relevant Pages

  • Re: GSS-API routine for renewing credentials
    ... GSS-API routine for renewing credentials ... you have to establish a new security context. ... is it a standard protocol? ...
    (comp.protocols.kerberos)
  • Re: Exchange cant send mail due to the ISP server authentication requirement
    ... Anyone person's authentication should work for the entire firm. ... I am using POP3 side connector to collect the mail and that works just fine, but my users can not reply or send e-mail since ISP server complains that they are not authenticated. ... Basic, using one of the Users' credentials, that user can mail out but ...
    (microsoft.public.windows.server.sbs)
  • Re: POP3 risk over the internet
    ... This risk is not exclusive to POP3, although POP sends the credentials ... which exchange clear-text credentials). ... > be able to glean the username and password of users. ...
    (comp.security.firewalls)
  • Re: SBS 2003 POP3 - Admin account collects fine, user accounts fail
    ... collecting via POP3. ... If a user attempts to connect using Outlook ... How are you entering the credentials in your POP client? ... OWA - even IMAP is better than POP. ...
    (microsoft.public.windows.server.sbs)
  • MS RAS (pptp + MSCHAPv1)
    ... numbers with pptp protocol handled by Microsoft RAS ... Trying to take advantage of this vulnerability: ... can't try man in the middle attacks (decrypting ... credentials or implement a fake server to steal ...
    (Pen-Test)