
Configuring IMAP over SSL with SBS 2003 Standard
By Eriq Neale :: 2 Comments :: Remote Access, Exchange Server 2003, SBS 2003, Public articles, SBS 2003 R2, Securing your SBS 2003 network
TERMS
This document and what comes with it are provided as-is with a blunt warning: Use at your own risk, buyer beware. You break your system; you own the resolution as well. We have no liability for what you do, or can't do, or fail to do with this information. Your entire protection is to start over again with a protected backup, or from a protected system. If you don't want to accept this idea, please don't use this document.
Because of the release of the iPhone, there has been an increase in interest in configuring IMAP and POP3 services on SBS servers. In this author's opinion, providing access to e-mail via IMAP is better than POP3. IMAP more closely emulates how Exchange provides e-mail services: messages are maintained on the server, and the IMAP client only pulls down what is needed. There are still security issues with IMAP, however. The default protocol still transmits the username and password across the internet in clear text, and even though fewer sniffers are trained on IMAP ports to try to discover account credentials, the risk is still there.
 
To help protect account credentials, as well as e-mail contents, IMAP can be set up over SSL, which encrypts the entire transaction process, not just username and password. The iPhone and other devices can be easily set up to use IMAP over SSL, but you have to first set up the Exchange server on SBS to provide the secure mail transport. This document covers this implementation with SBS 2003 Standard and no ISA. You will need to configure your firewall to forward the appropriate ports to the SBS server, which is beyond the scope of this document.
 
Co-author: Tim Barrett
 
Follow these steps to enable and configure IMAP using SSL.
  1. Enable the IMAP service on SBS 2003
    1. Open the Services control panel (Start -> Run -> services.msc or Start -> All Programs -> Administrative Tools -> Services)
    2. Scroll down to find Microsoft Exchange IMAP4 (see Figure 1).


      Figure 1

    3. Double-click on the service to open the properties.
    4. In the General tab, change the Startup Type to Automatic (see Figure 2).

       
      Figure 2

    5. Click Start to start the IMAP service.
    6. Click OK to close the Properties window.
    7. Confirm that the IMAP service is started and set to Automatic in the services list (see Figure 3).


      Figure 3

  2. Configure IMAP services in Exchange
    1. Open Exchange System Manager (Start -> All Programs -> Microsoft Exchange -> Exchange System Manager).
    2. Expand Servers, your server name, Protocols, and IMAP4.
    3. Select the Default IMAP4 Virtual Server (see Figure 4), right click and select Properties.


      Figure 4

    4. Select the Access tab, then click on the Certificate button under "Secure communication" (see Figure 5).

       
      Figure 5

    5. Go through the Web Server Certificate Wizard. Click Next to start (see Figure 6).


      Figure 6

    6. Select "Assign an existing certificate" and click Next (see Figure 7).


      Figure 7

    7. Select the public certificate name and click Next (see Figure 8).


      Figure 8

    8. Verify the proper certificate has been selected and click Next (see Figure 9).


      Figure 9

    9. Complete the wizard by clicking Finish (see Figure 10).


      Figure 10

    10. Select the "General" tab and click the "Advanced" button (see Figure 11).


      Figure 11

    11. Confirm the ports for IMAP are 143 and 993 (for SSL) and the IP address is "All Unassigned" (see Figure 12).


      Figure 12

    12. Click OK to close the Advanced dialog box, then click OK to close the properties of the IMAP4 Default Virtual Server.
  3. Enable SSL connections for the SMTP service
    1. Open Exchange System Manager.
    2. Expand Servers, your server name, Protocols, SMTP, and select the Default SMTP Virtual Server (see Figure 13).


      Figure 13

    3. Right-click on the Default SMTP Virtual Server and select Properties.
    4. Select the Delivery tab, then click Advanced (see Figure 14).


      Figure 14

    5. In the "Fully-qualified domain name" field, enter the full public DNS name of the server (see Figure 15) and click OK.


      Figure 15

    6. Select the Access tab and click the Certificate button under "Secure communication" (see Figure 16).


      Figure 16

    7. Select "Assign an existing certificate" and click Next (see Figure 17).


      Figure 17

    8. Select the public certificate name, and click Next (see Figure 18).


      Figure 18

    9. Confirm the correct certificate selection and click Next (see Figure 19).


      Figure 19

    10. Click Finish to complete the wizard (see Figure 20).


      Figure 20

    11. In the Access tab, click Communication under "Secure Communication."
    12. In the Security dialog box, ensure that the "Require secure channel" checkbox is turned off (see Figure 21).


      Figure 21

    13. Click OK to close the Security dialog, then click OK to close the Default SMTP Virtual Server properties.

At this point, you can make SSL connections to both the IMAP4 service and the SMTP service.
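A post-configuration check, added here as an example and not part of the original article: it classifies what the server still offers before TLS (port 143 stays open in step 2, and "Require secure channel" is off in step 3) and, when run with a host name, validates the certificate on 993 and tests STARTTLS on SMTP. The function names, the sample responses and the use of SMTP port 25 are assumptions of this example.

```python
import imaplib
import smtplib
import ssl
import sys

# Constructed sample responses, not captured from a real server.
SAMPLE_IMAP_CAPS = ("IMAP4", "IMAP4REV1", "IDLE", "AUTH=NTLM")
SAMPLE_EHLO = {"size": "10240000", "starttls": "", "auth": "NTLM LOGIN"}

def imap_cleartext_login_allowed(capabilities):
    """RFC 3501: a server refusing clear-text LOGIN advertises LOGINDISABLED."""
    return "LOGINDISABLED" not in {c.upper() for c in capabilities}

def smtp_findings(ehlo_features):
    """Classify the extensions an SMTP server offers before TLS is negotiated."""
    feats = {k.lower(): v for k, v in ehlo_features.items()}
    mechs = feats.get("auth", "").upper().split()
    return {
        "starttls": "starttls" in feats,
        # LOGIN and PLAIN only base64-encode the password; they do not encrypt it.
        "cleartext_auth_before_tls": [m for m in mechs if m in ("LOGIN", "PLAIN")],
    }

def check_server(host):
    """Live check; host must be the public DNS name the certificate was issued to."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    report = {}
    try:
        imaplib.IMAP4_SSL(host, 993, ssl_context=ctx).logout()
        report["imaps_993_cert_trusted"] = True
    except ssl.SSLCertVerificationError as exc:  # self-signed or name mismatch
        report["imaps_993_cert_trusted"] = False
        report["imaps_993_cert_error"] = exc.verify_message
    plain = imaplib.IMAP4(host, 143)
    report["imap_143_cleartext_login"] = imap_cleartext_login_allowed(plain.capabilities)
    plain.logout()
    with smtplib.SMTP(host, 25, timeout=10) as smtp:  # port 25 is an assumption
        smtp.ehlo()
        report["smtp_25"] = smtp_findings(smtp.esmtp_features)
        if report["smtp_25"]["starttls"]:
            smtp.starttls(context=ctx)  # raises if the SMTP certificate fails validation
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))  # pass the server's public DNS name
    else:
        print(imap_cleartext_login_allowed(SAMPLE_IMAP_CAPS), smtp_findings(SAMPLE_EHLO))
```

A `True` for `imap_143_cleartext_login` or a non-empty `cleartext_auth_before_tls` list means a misconfigured client can still send credentials unencrypted, so client profiles should be pinned to port 993 and to SMTP with TLS.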


Comments
By Fred DeVault @ Friday, December 21, 2007 2:09 AM
I successfully did this today on a new SBS 2003 R2 Sp2 box I'm building out. I gave 4/5 stars because the article didn't say anything about (the somewhat tricky) procedure for installing a 3rd party cert (just a pointer to another article covering that would be fine), nor anything about the discrepancy between the procedures outlined and the ones mentioned by MS in KB823024. MS mentions creating a second virtual SMTP server, but this is not necessary -- the procedure in the article gets the job done while maintaining compatibility. The only concern would be that a client could configure themselves to use unsecured SMTP. If that is not an issue, then using a single virtual SMTP server which allows encryption, but does not require it, as outlined here, is fine.

By Joel Asaro @ Tuesday, April 29, 2008 8:28 AM
I blogged about my experience following these instructions here: http://ittechnotes.wordpress.com/2008/04/27/iphone-via-imap-to-sbsexchange/

I found that the iPhone works fine with the self-signed certificate on an SBS 2003 box. I also have a suggestion about creating a new SMTP virtual server on a different port and enforcing SSL encryption.
