This document and what comes with it are
provided as-is with a blunt warning: Use at your own risk,
buyer beware. You break your system; you own the resolution
as well. We have no liability for what you do, or can't
do, or fail to do with this information. Your entire protection
is to start over again with a protected backup, or from
a protected system. If you don't want to accept this idea,
please don't use this document.
Because of the release of the iPhone, there has been an increase in interest in configuring IMAP and POP3 services on SBS servers. In this author's opinion, providing access to e-mail via IMAP is better than POP3. The IMAP approach more closely emulates how Exchange provides e-mail services, in that messages are maintained on the server and the IMAP client only pulls down what is needed. There are still security issues with IMAP, however: the default protocol transmits the username and password across the internet in clear text, and even though fewer sniffers are trained on IMAP ports to try to discover account credentials, the risk is still there.
To help protect account credentials, as well as e-mail contents, IMAP can be set up over SSL, which encrypts the entire transaction process, not just username and password. The iPhone and other devices can be easily set up to use IMAP over SSL, but you have to first set up the Exchange server on SBS to provide the secure mail transport. This document covers this implementation with SBS 2003 and ISA 2004. A separate document has been created for the process to follow with SBS 2003 Standard.
Co-author: Tim Barrett
Follow these steps to enable and configure IMAP using SSL.
- Enable the IMAP service on SBS 2003
  - Open the Services control panel (Start -> Run -> services.msc or Start -> All Programs -> Administrative Tools -> Services).
  - Scroll down to find Microsoft Exchange IMAP4 (see Figure 1).
    Figure 1
  - Double-click on the service to open the properties.
  - In the General tab, change the Startup Type to Automatic (see Figure 2).
    Figure 2
  - Click Start to start the IMAP service.
  - Click OK to close the Properties window.
  - Confirm that the IMAP service is started and set to Automatic in the services list (see Figure 3).
    Figure 3
- Configure IMAP services in Exchange
  - Open Exchange System Manager (Start -> All Programs -> Microsoft Exchange -> Exchange System Manager).
  - Expand Servers, your server name, Protocols, and IMAP4.
  - Select the Default IMAP4 Virtual Server (see Figure 4), right-click and select Properties.
    Figure 4
  - Select the Access tab, then click on the Certificate button under "Secure communication" (see Figure 5).
    Figure 5
  - Go through the Web Server Certificate Wizard. Click Next to start (see Figure 6).
    Figure 6
  - Select "Assign an existing certificate" and click Next (see Figure 7).
    Figure 7
  - Select the public certificate name and click Next (see Figure 8).
    Figure 8
  - Verify the proper certificate has been selected and click Next (see Figure 9).
    Figure 9
  - Complete the wizard by clicking Finish (see Figure 10).
    Figure 10
  - Select the "General" tab and click the "Advanced" button (see Figure 11).
    Figure 11
  - Confirm the ports for IMAP are 143 and 993 (for SSL) and the IP address is "All Unassigned" (see Figure 12).
    Figure 12
  - Click OK to close the Advanced dialog box, then click OK to close the properties of the IMAP4 Default Virtual Server.
- Enable SSL connections for the SMTP service
  - Open Exchange System Manager.
  - Expand Servers, your server name, Protocols, SMTP, and select the Default SMTP Virtual Server (see Figure 13).
    Figure 13
  - Right-click on the Default SMTP Virtual Server and select Properties.
  - Select the Delivery tab, then click Advanced (see Figure 14).
    Figure 14
  - In the "Fully-qualified domain name" field, enter the full public DNS name of the server (see Figure 15) and click OK.
    Figure 15
  - Select the Access tab and click the Certificate button under "Secure communication" (see Figure 16).
    Figure 16
  - Select "Assign an existing certificate" and click Next (see Figure 17).
    Figure 17
  - Select the public certificate name, and click Next (see Figure 18).
    Figure 18
  - Confirm the correct certificate selection and click Next (see Figure 19).
    Figure 19
  - Click Finish to complete the wizard (see Figure 20).
    Figure 20
  - In the Access tab, click Communication under "Secure Communication."
  - In the Security dialog box, ensure that the "Require secure channel" checkbox is turned off (see Figure 21). With this box cleared, SSL on the SMTP virtual server is optional rather than enforced, so each mail client must itself be set to use SSL for outgoing mail.
    Figure 21
  - Click OK to close the Security dialog, then click OK to close the Default SMTP Virtual Server properties.
- Configure ISA 2004 to accept connections for IMAP SSL
  - Open the ISA 2004 Management Console.
  - Select Firewall Policy in the left pane, then select the Tasks tab in the right pane (see Figure 22).
    Figure 22
  - Click the Create New Server Publishing Rule task to start the wizard.
  - Name the new rule and click Next (see Figure 23).
    Figure 23
  - Enter the internal IP address of the SBS server as the Server IP Address and click Next (see Figure 24).
    Figure 24
  - In the Select Protocol page, select IMAPS Server from the drop-down list and click Next (see Figure 25).
    Figure 25
  - In the IP Addresses page, select the External checkbox and click Next (see Figure 26).
    Figure 26
  - Review the settings (see Figure 27) and click Finish to complete the wizard.
    Figure 27
  - Click Apply to accept the updates (see Figure 28), then close the ISA 2004 Management Console.
    Figure 28
At this point, you are able to make SSL connections to both the IMAP4 service and the SMTP service.
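To check what the finished configuration still allows in clear text, the following added example (not part of the original article) audits a captured IMAP CAPABILITY line from port 143 and a raw SMTP EHLO reply, such as those seen in a telnet session to each port. The transcripts, host name and finding strings are constructed for illustration.

```python
"""Audit captured IMAP/SMTP transcripts for logins that can still go out in cleartext."""

CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}   # SMTP AUTH mechanisms that expose the password

# Constructed transcripts for illustration (not captured from a real server).
SAMPLE_IMAP = "* CAPABILITY IMAP4 IMAP4rev1 IDLE NAMESPACE AUTH=NTLM"
SAMPLE_EHLO = """250-mail.example.com Hello [192.0.2.10]
250-SIZE 10485760
250-STARTTLS
250-AUTH NTLM LOGIN
250 OK"""


def imap_capabilities(line):
    """Tokens of an IMAP '* CAPABILITY ...' response, upper-cased."""
    tokens = line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def smtp_extensions(ehlo_reply):
    """Map each EHLO keyword to its parameters, from raw '250-'/'250 ' lines."""
    exts = {}
    for line in ehlo_reply.splitlines()[1:]:      # line 0 is the greeting
        words = line[4:].replace("=", " ").upper().split()
        if line.startswith("250") and words:
            exts.setdefault(words[0], set()).update(words[1:])
    return exts


def audit(imap_capability_line, smtp_ehlo_reply):
    """Return findings for credentials that may still cross the wire unencrypted."""
    findings = []
    if "LOGINDISABLED" not in imap_capabilities(imap_capability_line):
        findings.append("imap-143: LOGIN not disabled on the cleartext port")
    exts = smtp_extensions(smtp_ehlo_reply)
    if "STARTTLS" not in exts:
        findings.append("smtp: STARTTLS not offered")
    weak = CLEARTEXT_MECHS & exts.get("AUTH", set())
    if weak:
        findings.append("smtp: AUTH %s offered before TLS" % "/".join(sorted(weak)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IMAP, SAMPLE_EHLO):
        print(finding)
```

A finding for port 143 matters only where that port is reachable; the ISA rule above publishes IMAPS alone, so run the IMAP check from both inside and outside the firewall.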