The Internet is a fascinating mix of old and new technologies. For every new application or protocol such as Asynchronous JavaScript and XML (AJAX), an old technology is quietly soldiering on in the background. SMTP is a great example. I doubt SMTP's designers ever envisioned how prevalent and important it would become when they invented it more than 30 years ago, but it's still a crucial part of every major messaging system, and Exchange 2007 provides excellent support for it. Likewise, POP and IMAP are still widely used to provide message access to a variety of clients, including Microsoft Office Outlook, Outlook Express, Windows Live Mail, Microsoft Entourage, Apple Mail, and smartphones running Microsoft Windows Mobile software, Palm OS, and Symbian OS (to say nothing of dozens of lesser-known clients for various OSs.)
Exchange has supported IMAP and POP since Exchange 5.5. The way that support is implemented has changed greatly over time, and the way you manage and configure the protocols has changed too. The RTM version of the Exchange 2007 Management Console doesn't include support for managing POP and IMAP implementations. In Exchange 2007, you can still support IMAP and POP, but to do so you'll have to master the Exchange Management Shell.
POP and IMAP Explained
If you're used to supporting rich Messaging API (MAPI), WWW Distributed Authoring
and Versioning (WebDAV), or Exchange ActiveSync clients, you might not be familiar
with IMAP and POP. Both are fairly simple protocols, and they share some similarities.
However, they have some significant differences from each other and from other
protocols you might be used to working with.
POP is by far the simpler of the two protocols; it supports reading, downloading, and deleting messages in a single inbox folder, along with setting a few properties (e.g., the read and unread status of a message). POP doesn't support multiple folders, moving messages, search, rules, or most other semi-modern mail-client features. For that reason, almost all POP clients create a local cache of messages and perform operations against it. This leads to a common problem in which a user reports that messages are disappearing; the problem happens when you leave a POP client running and set it to download messages then delete them. When new messages come in, they end up in the POP client's local mailbox instead of on the mail server, so they seem to have disappeared. This problem is exacerbated if you use POP on multiple machines because messages can become scattered across the machines.
POP is typically carried over TCP port 110, whereas IMAP uses TCP port 143. Both protocols can (and should) be secured with SSL, in which case POP uses port 995 and IMAP uses port 993. The Exchange implementation of both protocols supports several authentication methods, including plain credentials and GSSAPI, which can be used for Kerberos-based logons.
Get Started
As in earlier Exchange versions, IMAP and POP services in Exchange 2007 are
provided by two Windows services. The Microsoft Exchange IMAP4 service (whose
short name is MSExchangeIMAP4) and Microsoft Exchange POP3 service (MSExchangePOP3)
are installed by default, but they're turned off, and their service state is
set to manual. Before you can provide POP or IMAP access to your users, you
have to start the service you need and set its service startup state to automatic.
You can easily do this through the Services console in Windows, but it's just
as easy to do it with the Exchange Management Shell, and I recommend that you
give it a try. The commands are simple: Start-service MSExchangeIMAP4 will
start the service, and Set-Service MSExchangeIMAP4 –startupType automatic
will set the startup type.
Why do I recommend using Exchange Management Shell? Because you'll need to use it to manage all of the other settings for the services, and starting and stopping services is a safe way to practice. There's no provision in the release version of the Exchange Management Console for managing the settings on these services, so if you're going to use them you'll have to get familiar with the Get-IMAPSettings and Set-IMAPSettings Exchange Management Shell commands (and their POP equivalents). You'll need to use these tasks to make any sort of change to the IMAP and POP settings. Microsoft has announced that the Exchange Management Console will support a graphical interface for managing POP and IMAP settings when Exchange 2007 SP1 releases, but that won't be until sometime in late 2007.
However, you might find that you don't need to do much. When you install Exchange 2007, it generates a self-signed certificate that you can use to secure your network traffic with Secure Sockets Layer (SSL). By default, this certificate will be assigned to the IMAP and POP services, and those services will automatically use it, which means you'll have to use IMAP and POP clients that are compatible with self-signed certificates. The most common customization for Exchange 2007 IMAP and POP servers is replacing these default certificates with certificates issued by third-party Certificate Authorities (CAs).
Replace the Default Certificates
To modify the certificates assigned for use with Exchange services, you have
to use the Enable-ExchangeCertificate task in Exchange Management Shell. Once
you've obtained the certificate you want to use, you must install it on the
Exchange 2007 client access server where you'll be using it. The installation
steps will vary somewhat according to the CA you're using to issue the certificates.
However, once you install the certificate, you'll need to view the certificate
properties to get its thumbprint. The thumbprint uniquely identifies each certificate
on the system; you can think of it like a GUID. Here's what to do:
- Log on to the Exchange 2007 client access server through an account that has administrative privileges.
- Launch Microsoft Management Console (mmc .exe).
- Select File, Add/Remove Snap-in; in the Add/ Remove Snap-in dialog box, click Add.
- Select the Certificates snap-in and click Add.
- Select Computer account, then click Next.
- Select Local computer (the computer this console is running on), and click Finish.
- Expand the Certificates (Local Computer) node, then the Personal node, then the Certificates node.
- Select the certificate you want to use from the right-hand pane, right-click it, and choose the Properties command.
- Click the Details tab.
- Scroll down to the bottom of the properties list, where you'll see the thumbprint listed.
- Select Thumbprint from the list, then select and copy the thumbprint when it appears in the text box.
- Click OK.
Once you have the thumbprint, you can use it as input to the Enable-ExchangeCertificate task. You'll need to specify the thumbprint and the services you want to use. For example,
Enable-ExchangeCertificate –thumbprint A922380 5480A3A89943A6D834E5EB391A50CFD7A –services "IMAP,POP"
will make the certificate with the specified thumbprint available for use with IMAP and POP without changing the certificate bindings for unified messaging, IIS, or SMTP. You can change certificate bindings at any time.
Control User Access
You can control which users have access to IMAP and POP by using the Set-CASMailbox
task in Exchange Management Shell. The RTM version of Exchange 2007 doesn't
have a way to enable or disable access to these protocols from within Exchange
Management Console, which is a downgrade from Exchange 2003. However, Set-CASMailbox
has a major benefit: It's easy to change settings on groups of users by using
the Get-DistributionGroupMembership task, which works only with mail-enabled
distribution or universal security groups. By using that task and piping its
output to Set-CASMailbox, you can quickly grant or deny POP or IMAP access to
groups of users. For example,
Get-DistributionGroupMembership "Field Engineers" | Set-CASMailbox –IMAPEnabled $true –POPEnabled $false
will enable IMAP and disable POP for all your field engineers. You can also use Set-CASMailbox on individual mailboxes. Thus,
Set-CASMailbox "Robichaux\paulr" – IMAPEnabled $true
will turn on IMAP for only my mailbox. Interestingly, the built-in administrator account is explicitly blocked from using IMAP and POP.
Set Options on IMAP and POP Servers
IMAP and POP servers have options that you can configure to control how users
interact with the servers and what features are available. These features are
described in the Exchange 2007 documentation for the GetIMAPServer and Get-POPServer
Exchange Management Console tasks. Many of these settings have counterparts
in Exchange 2003, but some either aren't adjustable in earlier versions or require
editing the metabase or registry instead of making a straightforward configuration
change.
For example, you can set the banner that the service displays when a client connects by using the Banner switch, like this:
Get-IMAPSettings | Set-IMAPSettings –banner "Welcome to my IMAP server"
Notice that this example used Get-IMAPSettings to get the IMAP instance for a single server, then piped the results to Set-IMAPSettings to apply the same settings plus a single change on that instance. You can also modify settings on individual servers by specifying the server name (assuming you know it, or can find it).
You might consider changing three other options under some conditions:
- The LoginType switch controls the authentication methods users can use to log on to the server. By default, the switch is set to use secure logon with NTLM or Kerberos first. You can set this switch to 1 (for plain-text only logons, which pass the credentials in plain text) or 2 (for plain-text authentication, using obfuscation to hide the credentials). It's a good idea to leave this setting at its default and change your clients to require secure authentication if possible.
- The MaxConnections switch controls how many connections the server will accept at once. The default, 2000, is generous. You might want to consider reducing the number if you don't have many POP or IMAP users.
- The MaxConnectionsFromSingleIP setting controls how many simultaneous connections are allowed from a single client IP. The default of 20 is adequate for most situations, although you might need to allow more connections if you have clients who are behind a firewall that uses Network Address Translation (NAT) and thus appear to Exchange to have only 1 IP address between them.
Specify Port Numbers
Another common configuration change that administrators make to IMAP and POP
servers is to the default set of ports the protocols use. Some administrators
view this as a security measure (although it's more of an obscurity measure),
whereas others want to change the standard port numbers to provide interoperability
or consistency with past deployments. You do this by using two switches:
- UnencryptedOrTLSBindings sets the port number for unencrypted connections or connections that use the Transport Layer Security (TLS) protocol.
- SSLBindings controls the port number for SSL-protected connections.
You can set these switches independently of each other and independently on each service. However, if you do change the switches, remember that your mail clients will have to be configured to use the correct port numbers.
Proxy Access
In Exchange 2003 and 2000, a front-end server would automatically proxy IMAP
and POP traffic. In Exchange 2007, the proxy mechanism is slightly different;
the client access server still proxies IMAP and POP access, but you can control
whether the client access server is allowed to send proxy requests to Exchange
2003 mailbox servers. Doing so lets you use the CAS to hit both Exchange 2007
and Exchange 2003 mailboxes through POP or IMAP, which is useful if you want
to restrict users with Exchange 2003 mailboxes to accessing those mailboxes
through an existing Exchange 2003 server. You'll also need to understand the
proxy mechanism if your Exchange 2003 servers are using non-standard ports for
IMAP or POP.
In either case, you use the ProxyTargetPort switch with Set-IMAPSettings or Set-POPSettings. Specify a proxy target port of 0 to turn off proxy requests altogether, or specify the port number you want to use for proxy requests. In other words, if you want to block IMAP or POP users from connecting to an Exchange 2003 mailbox through an Exchange 2007 CAS, set the ProxyTargetPort value on the CAS to 0. Bear in mind that Exchange 2007 won't use SSL to proxy IMAP or POP traffic to an Exchange 2003 server; you need to use IPsec if you want to encrypt that traffic to protect against eavesdropping and tampering.
Provide Message Transport
Remember that POP and IMAP are both client protocols. They let clients
retrieve and manage messages, but clients can't use them to send messages back
to the outside world. For that, you still need SMTP. In previous versions of
Exchange, you generally have to set up a separate SMTP virtual server or connector
that allows relaying for authenticated users.
Many administrators pick their own random, non-standard port number for these services. However, the Internet Engineering Task Force (IETF) has established port 587 as the preferred port for secure SMTP connections for IMAP and POP clients, and Exchange 2007 provides a receive connector for these clients by default. You can still choose to let clients directly connect to your Edge Transport or Hub Transport servers by using SMTP port 25 (preferably with authentication), but using port 587 instead gives you better security because those connections are automatically protected with SSL and with authentication required.
Conclusion
Many early reviews of Exchange 2007 have complained about the fact that IMAP
and POP settings can be managed only through the Exchange Management Shell.
It's true that this is a regression in functionality from Exchange 2003, but
it shouldn't be a major problem for two reasons. First, Exchange Management
Shell commands that manage IMAP and POP are dead simple to use. Anyone who can
use the standard Windows command line to run ipconfig should be able to manage
Exchange Management Shell commands. Second, POP and IMAP servers typically require
little configuration because Microsoft has specified a reasonably secure and
useful set of defaults. (For more information about Exchange 2007 management,
see "Introducing Windows PowerShell," August 2006, InstantDoc ID 50565 and "Coming
Out of Your Shell," a Windows IT Pro Web-exclusive, InstantDoc ID 95715.)
| SOLUTIONS
SNAPSHOT |
|
SOLUTIONS
SNAPSHOT solution steps: 1.Start the IMAP or POP service you want. 2.Replace default self-signed certificates. 3.Configure appropriate user access. 4.Set options for user interaction and features. 5.Specify port numbers. 6.Set proxy access. |
