Administering SMTP, IMAP4, and POP3

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated: September 4, 2001

from Chapter 13, Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek.

Microsoft Exchange 2000 Server supports Simple Mail Transfer Protocol (SMTP), Internet Message Access Protocol 4 (IMAP4), and Post Office Protocol 3 (POP3). These protocols play an important role in determining how mail is delivered and transferred both within and outside the Exchange organization.

  • SMTP is the native mail protocol for mail submission and mail transport. This means that clients use SMTP to send messages and Exchange servers use SMTP to deliver messages and message data.

  • IMAP4 is a protocol for reading mail and accessing public folders on remote servers. Clients can log on to an Exchange server and use IMAP4 to download message headers and then read messages individually while online.

  • POP3 is a protocol for retrieving mail on remote servers. Clients can log on to an Exchange server and then use POP3 to download their mail for offline use.

Each of these protocols has an associated virtual server. You use virtual servers to specify configuration information and to control access. You can create additional virtual servers as well.

The following sections examine the key tasks you'll use to manage SMTP, IMAP4, and POP3.

Working with SMTP, IMAP4, and POP3 Virtual Servers

SMTP, IMAP4, and POP3 services are hosted on separate virtual servers. A virtual server is a server process that has its own configuration information, which includes an IP address, a port number, and authentication settings. If you installed SMTP, IMAP4, and POP3 using the default options:

  • The default SMTP virtual server is configured to use any available IP address on the server and respond on port 25. SMTP virtual servers replace and extend the Internet Mail Connector (IMC) and Internet Mail Service (IMS) that were used in previous versions of Exchange Server. To control outbound connections and message delivery, you configure the default SMTP virtual server for the organization.

  • The default IMAP4 virtual server is configured to use any available IP address on the server and respond on ports 143 and 993. Port 143 is used for standard communications, and port 993 is used for Secure Sockets Layer (SSL) communications. IMAP4 virtual servers allow Internet clients to download message headers and then read messages individually while online.

  • The default POP3 virtual server is configured to use any available IP address on the server and respond on ports 110 and 995. Port 110 is used for standard communications, and port 995 is used for SSL communications. POP3 virtual servers allow Internet clients to download mail for offline use.

You can change the IP address and port assignment at any time. In most cases you'll want the messaging protocol to respond on a specific IP address. For SMTP, this is the IP address or addresses you've designated in the Domain Name System (DNS) mail exchanger records for the domains you're supporting through Exchange Server. For IMAP4 and POP3, this is the IP address or IP addresses associated with the fully qualified domain name of the Exchange servers providing these services.

While a single Exchange server could provide SMTP, IMAP4, and POP3 services, you can install these services on separate Exchange servers. Here are some typical scenarios:

  • In a moderately sized enterprise, you may want one Exchange server to handle SMTP and another to handle IMAP4 and POP3. You install Server A as the SMTP server and then update the domain's mail exchanger (MX) record so that it points to Server A. Next, you install Server B as the POP3 and IMAP4 server. Afterward, you configure Internet mail clients so that they use Server B for POP3/IMAP4 (incoming mail) and Server A for SMTP (outgoing mail).

  • In a large enterprise, you may want a different Exchange server for each protocol. You install Server A as the SMTP server and then update the domain's MX record so that it points to Server A. Next, you install Server B as the POP3 server and Server C as the IMAP4 server. Afterward, you configure POP3 clients so that they use Server B for POP3 (incoming mail) and Server A for SMTP (outgoing mail). Then you configure IMAP4 clients so that they use Server C for IMAP4 (incoming mail) and Server A for SMTP (outgoing mail).

  • When mail exchange is critical to the enterprise, you may want to build fault tolerance into the Exchange organization. Typically, you do this by installing multiple Exchange servers that support each protocol. For example, to ensure fault tolerance for SMTP, you could install Server A, Server B, and Server C as SMTP servers. Then, when you create the domain's MX records, you set a priority of 10 for Server A, a priority of 20 for Server B, and a priority of 30 for Server C. In this way, any one of the servers can be offline without affecting mail submission and delivery in the organization.

A single virtual server can provide messaging services for multiple domains. You can also install multiple virtual servers of the same type. You can use additional virtual servers to help provide fault tolerance in a large enterprise or to handle messaging services for multiple domains. When you create multiple SMTP virtual servers, you must also create additional MX records for the servers.
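The MX-priority scheme from the fault-tolerance scenario above, as an added example that is not from the book: a sending MTA tries MX hosts in ascending preference order and moves on when one is unreachable, so any single SMTP server can be offline without stopping delivery. It also checks the last point, that every SMTP virtual server needs its own MX record or outside mail never reaches it. Host names and preference values are constructed for the example.

```python
"""Added example (not from the book): MX preference order and fallback for
SMTP fault tolerance. Host names and preferences are constructed."""

from typing import Callable, Iterable, List, Optional, Tuple

# Constructed MX record set for one domain, mirroring the priorities
# 10 / 20 / 30 described in the chapter (lower value = tried first).
MX_RECORDS = [
    ("servera.example.com", 10),
    ("serverb.example.com", 20),
    ("serverc.example.com", 30),
]


def delivery_order(records: Iterable[Tuple[str, int]]) -> List[str]:
    """Hosts in the order a sending MTA tries them: ascending preference.
    Equal preferences are tried in random order by real MTAs; the sort here
    is stable, so input order is kept for determinism."""
    return [host for host, _pref in sorted(records, key=lambda r: r[1])]


def deliver(records: Iterable[Tuple[str, int]],
            is_reachable: Callable[[str], bool]) -> Optional[str]:
    """Return the first MX host that accepts the connection, or None when all
    are down (the sender keeps the message queued and retries later).
    is_reachable is injected so the example runs offline."""
    for host in delivery_order(records):
        if is_reachable(host):
            return host
    return None


def missing_mx(smtp_servers: Iterable[str],
               records: Iterable[Tuple[str, int]]) -> set:
    """SMTP virtual servers with no MX record: mail from outside is never
    routed to them, so they add no fault tolerance."""
    return set(smtp_servers) - {host for host, _pref in records}


if __name__ == "__main__":
    print(delivery_order(MX_RECORDS))
    # Simulate Server A being offline: delivery falls through to Server B.
    print(deliver(MX_RECORDS, lambda host: host != "servera.example.com"))
    print(missing_mx(["servera.example.com", "serverd.example.com"], MX_RECORDS))
```

With Server A offline the message is delivered to Server B; only when every listed host is unreachable does delivery return None and the message stays queued at the sender.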

Mastering Core SMTP, IMAP4, and POP3 Administration

Regardless of whether you're working with SMTP, IMAP4, or POP3, you'll perform a common set of administrative tasks. These tasks are examined in this section.

Starting, Stopping, and Pausing Virtual Servers

Virtual servers run under a server process, which you can start, stop, and pause much like other server processes. For example, if you're changing the configuration of a virtual server or performing other maintenance tasks, you may need to stop the virtual server, make the changes, and then restart it. When you stop a virtual server, it doesn't accept connections from users, and you can't use it to deliver or retrieve mail.

An alternative to stopping a virtual server is to pause it. Pausing a virtual server prevents new client connections, but it doesn't disconnect current connections. When you pause a POP3 or IMAP4 virtual server, active clients can continue to retrieve mail. When you pause an SMTP virtual server, active clients can continue to submit messages and the virtual server can deliver existing messages that are queued for delivery. No new connections are accepted, however.

The master process for all virtual servers is the Microsoft Windows 2000 service under which the virtual server process runs—either SMTP, Microsoft Exchange IMAP4, or Microsoft Exchange POP3. Stopping the master process stops all virtual servers using the process and halts all message delivery for the service. Starting the master process restarts all virtual servers that were running when the master process was stopped.

You can start, stop, or pause a virtual server by completing the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3, and then right-click the virtual server you want to manage. You can now

    • Select Start to start the virtual server.

    • Select Stop to stop the virtual server.

    • Select Pause to pause the virtual server.

    Note: The metabase update service is responsible for processing and replicating configuration changes. This service reads data from Active Directory directory service and enters it into the virtual server's local metabase. Exchange Server uses the service to make configuration changes to virtual servers on remote systems without needing a permanent connection. When the service updates a remote server, it may need several minutes to read and apply the changes.

You can start, stop, or pause the master process for virtual servers by completing the following steps:

  1. From the Administrative Tools program group, start Computer Management.

  2. In the console tree, right-click the Computer Management entry, and from the shortcut menu, choose Connect To Another Computer. You can now choose the Exchange server whose services you want to manage.

  3. Expand the Services And Applications node by clicking the plus sign (+) next to it, and then choose Services. The SMTP, Microsoft Exchange IMAP4, and Microsoft Exchange POP3 services control SMTP, IMAP4, and POP3, respectively.

  4. Right-click the service you want to manipulate, and then select Start, Stop, or Pause as appropriate. You can also choose Restart to have Windows stop and then start the service after a brief pause. Also, if you pause a service, you can use the Resume option to resume normal operation.

Configuring Ports and IP Addresses Used by Virtual Servers

Each virtual server has an IP address and a TCP port configuration setting. The default IP address setting is to use any available IP address. On a multihomed server, however, you'll usually want messaging protocols to respond on a specific IP address and to do this, you need to change the default setting.

What the default port setting is depends on the messaging protocol being used and whether SSL is enabled or disabled. Table 13-1 shows the default port settings for key protocols used by Exchange 2000 Server.

Table 13-1. Standard and Secure Port Settings for Messaging Protocols

  Protocol                               Default Port   Default Secure Port
  SMTP                                   25
  HTTP                                   80             443
  IMAP4                                  143            993
  POP3                                   110            995
  NNTP (Network News Transfer Protocol)  119            563

To change the IP address or port number for a virtual server, complete the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3. Right-click the virtual server you want to manage, and then select Properties.

  4. In the General tab, use the IP Address selection list to select an available IP address. Select (All Unassigned) to allow the protocol to respond on all unassigned IP addresses that are configured on the server.

    Tip If the IP address you want to use isn't listed and you want the server to respond on that IP address, you'll need to update the server's TCP/IP network configuration. For details, see "Assigning a Static IP Address" in Chapter 15 of Microsoft Windows 2000 Administrator's Pocket Consultant (Microsoft Press, 2000).

  5. In the General tab, click Advanced. As Figure 13-1 shows, the Advanced dialog box shows the current TCP port settings for the protocol. You can assign ports for individual IP addresses and for all unassigned IP addresses.

    Figure 13-1. Use the Advanced dialog box to configure TCP ports on an individual IP address basis or for all unassigned IP addresses.

  6. Use the following options in the Advanced dialog box to modify port settings:

    • Add Adds a TCP port on a per IP address basis or all unassigned IP address basis. Click Add, and then select the IP address you want to use.

    • Edit Allows you to edit the TCP port settings for the currently selected entry in the Address list box.

    • Remove Allows you to remove the TCP port settings for the currently selected entry in the Address list box.

    Note: The IP address/TCP port combination must be unique on every virtual server. Multiple virtual servers can use the same port as long as the servers are configured to use different IP addresses.

  7. Click OK twice.

Controlling Incoming Connections to Virtual Servers

You can control incoming connections to virtual servers in several ways. You can

  • Grant or deny access using IP addresses or Internet domain names.

  • Require secure incoming connections.

  • Require authentication for incoming connections.

  • Restrict concurrent connections and set connection time-out values.

Each of these tasks is discussed in the sections that follow.

Note: With SMTP, you can configure both incoming and outbound connections. To learn how to configure outbound connections for SMTP, see the section of this chapter entitled "Configuring Outgoing Connections."

Securing Access by IP Address, Subnet, or Domain

By default, virtual servers are accessible to all IP addresses, which presents a security risk that may allow your messaging system to be misused. To control use of a virtual server, you may want to grant or deny access by IP address, subnet, or domain.

  • Granting access allows a computer to access the virtual server but doesn't necessarily allow users to submit or retrieve messages. If you require authentication, users still need to authenticate themselves.

  • Denying access prevents a computer from accessing the virtual server. As a result, users of the computer can't submit or retrieve messages from the virtual server—even if they could have authenticated themselves with a user name and password.

As stated earlier, POP3 and IMAP4 virtual servers control message retrieval by remote clients and SMTP virtual servers control message delivery. Thus, if you want to block users outside the organization from sending mail, you deny access to the SMTP virtual server. If you want to block users from retrieving mail, you deny access to POP3, IMAP4, or both.

Note: You can also restrict access by e-mail address. To do this, you must set a filter and then enable the filter on the SMTP virtual server. For details, see the section of Chapter 11 entitled "Setting Message Filters."

To grant or deny access to a virtual server by IP address, subnet, or domain, follow these steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3. Right-click the virtual server you want to manage, and then select Properties.

  4. Click Connection in the Access tab. As shown in Figure 13-2, the Computers list shows the computers that currently have connection controls.

    Figure 13-2. Use the Connection dialog box to control connections by IP address, subnet, or domain.

  5. To grant access to specific computers and deny access to all others, click Only The List Below.

  6. To deny access to specific computers and grant access to all others, click All Except The List Below.

  7. Create the grant or deny list. Click Add, and then in the Computer dialog box specify Single Computer, Group Of Computers, or Domain.

    • For a single computer, type the IP address for the computer, such as 192.168.5.50.

    • For groups of computers, type the subnet address, such as 192.168.5, and the subnet mask, such as 255.255.0.0.

    • For a domain name, type the fully qualified domain name, such as eng.domain.com.

    Caution: When you grant or deny by domain, Exchange Server must perform a reverse DNS lookup on each connection to determine whether the connection comes from the domain. These reverse lookups can severely affect Exchange Server's performance, and this performance impact increases as the number of concurrent users and connections increases.

  8. If you want to remove an entry from the grant or deny list, select the related entry in the Computers list, and then click Remove.

  9. Click OK.
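The grant/deny logic of the Connection dialog, as an added example that is not the product's code: "Only The List Below" grants the listed computers and denies everyone else, "All Except The List Below" does the reverse, and an entry can be a single IP address, a group (network address plus subnet mask) or a domain name. Domain entries are matched against a reverse DNS lookup of the client address, which the caution above notes is costly per connection; the lookup function is injected so the example runs offline and so the lookups can be counted. The mode names, the entry tuple layout and all addresses and host names are constructed; the group entries use full dotted-quad network addresses.

```python
"""Added example (not the product's code): a model of the Connection
dialog's grant/deny evaluation. Mode names, entry format, addresses and
host names are constructed for illustration."""

import ipaddress
from typing import Callable, Iterable, Optional, Tuple

ONLY_LIST = "only_the_list_below"        # grant listed computers, deny others
ALL_EXCEPT = "all_except_the_list_below"  # deny listed computers, grant others

# Entry shapes (constructed):
#   ("single", "192.168.5.50")
#   ("group", ("192.168.5.0", "255.255.255.0"))   network address + subnet mask
#   ("domain", "eng.domain.com")                   fully qualified domain name
ReverseLookup = Callable[[str], Optional[str]]


def _matches(entry: Tuple[str, object], ip: ipaddress.IPv4Address,
             reverse_lookup: ReverseLookup) -> bool:
    kind, value = entry
    if kind == "single":
        return ip == ipaddress.ip_address(value)
    if kind == "group":
        addr, mask = value
        # ipaddress accepts a dotted-quad mask after the slash.
        return ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if kind == "domain":
        # One PTR query per connection: this is the cost the caution warns about.
        name = reverse_lookup(str(ip))
        return name is not None and (name == value or name.endswith("." + value))
    raise ValueError(f"unknown entry kind {kind!r}")


def connection_allowed(mode: str, entries: Iterable[Tuple[str, object]],
                       client_ip: str,
                       reverse_lookup: ReverseLookup = lambda ip: None) -> bool:
    """True when the client may open a connection to the virtual server.
    Granting access only admits the computer; authentication still applies."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(_matches(e, ip, reverse_lookup) for e in entries)
    return listed if mode == ONLY_LIST else not listed


# Constructed list and a constructed PTR table standing in for reverse DNS.
ENTRIES = [
    ("single", "192.168.5.50"),
    ("group", ("10.1.0.0", "255.255.0.0")),
    ("domain", "eng.domain.com"),
]
PTR_TABLE = {"172.16.0.9": "build1.eng.domain.com"}

if __name__ == "__main__":
    for ip in ("192.168.5.50", "10.1.200.3", "172.16.0.9", "172.16.0.10"):
        print(ip, connection_allowed(ONLY_LIST, ENTRIES, ip, PTR_TABLE.get))
```

Note the asymmetry for clients without a PTR record: a domain entry can never match them, so "Only The List Below" denies them and "All Except The List Below" admits them. Only domain entries trigger the reverse lookup; IP and subnet entries are evaluated locally.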

Controlling Secure Communications for Incoming Connections

By default, mail clients pass connection information and message data through an insecure connection. If corporate security is a high priority, however, your information security team may require mail clients to connect over secure communication channels. You have several options for configuring secure communications including smart cards, SSL, and PGP. In an environment where you need to support multiple transfer protocols, such as HTTP and SMTP, SSL offers a good solution.

You configure secure SSL communications by completing the following steps:

  1. Create a certificate request for the Exchange server on which you want to use secure communications. Each server (but not necessarily each virtual server) must have its own certificate.

  2. Submit the certificate request to a certificate authority (CA). The certificate authority will then issue you a certificate (usually for a fee).

  3. Install the certificate on the Exchange server. Repeat Steps 1-3 for each Exchange server that needs to communicate over a secure channel.

  4. Configure the server to require secure communications on a per virtual server basis.

Following this procedure, you could create, install, and enable a certificate for use on a virtual server by completing the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3. Right-click the virtual server on which you want to use secure communications, and then select Properties.

  4. In the Access tab, click Certificate. This starts the Web Certificate Wizard. Use the wizard to create a new certificate. For additional virtual servers on the same Exchange server, you'll want to assign an existing certificate.

  5. Send the certificate request to your certificate authority. When you receive the certificate back from the CA, access the Web Certificate Wizard from the virtual server's Properties dialog box again. Now you'll be able to process the pending request and install the certificate.

  6. When you're finished installing the certificate, don't close the Properties dialog box. Instead, on the Access tab, click Communication.

  7. In the Security dialog box, click Require Secure Channel. If you've also configured 128-bit security, select Require 128-bit Encryption.

  8. Click OK twice.

    Note: For worldwide installations, you'll want to use 40-bit encryption. The 128-bit encryption level is available only in the United States and Canada.

Controlling Authentication for Incoming Connections

Exchange 2000 Server supports two authentication methods:

  • Basic Authentication With basic authentication, users are prompted for logon information. When it's entered, this information is transmitted unencrypted across the network. If you've configured secure communications on the server as described in the section of this chapter entitled "Controlling Secure Communications for Incoming Connections," you can require clients to use SSL. When you use SSL with basic authentication, the logon information is encrypted before transmission.

  • Integrated Windows Authentication With integrated Windows authentication, Exchange Server uses standard Windows security to validate the user's identity. Instead of prompting for a user name and password, clients relay the logon credentials that users supply when they log on to Windows. These credentials are fully encrypted without the need for SSL, and they include the user name and password needed to log on to the network.

Both authentication methods are enabled by default for SMTP, IMAP4, and POP3. Because of this, the default logon process looks like this:

  1. Exchange Server attempts to obtain the user's Windows credentials. If the credentials can be validated and the user has the appropriate access permissions, the user is allowed to log on to the virtual server.

  2. If validation of the credentials fails or no credentials are available, the server uses basic authentication and tells the client to display a logon prompt. When the logon information is submitted, the server validates the logon. If the credentials can be validated and the user has the appropriate access permissions, the user is allowed to log on to the virtual server.

  3. If validation fails or the user doesn't have appropriate access permissions, the user is denied access to the virtual server.

As necessary, you can enable or disable support for these authentication methods. You can do that by completing the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3. Right-click the virtual server that you want to work with, and then select Properties.

  4. In the Access tab, click Authentication. This displays the Authentication dialog box shown in Figure 13-3.

    Figure 13-3. You can use the Authentication dialog box to enable or disable authentication methods to meet the needs of your organization. With basic authentication, it's often helpful to set a default domain as well.

  5. Select or clear Basic Authentication to enable or disable this authentication method. If you disable basic authentication, keep in mind that this may prevent some clients from accessing mail remotely. Clients can log on only when you enable an authentication method that they support.

  6. A default domain isn't set automatically. If you enable basic authentication, you can choose to set a default domain that should be used when no domain information is supplied during the logon process. Setting the default domain is useful when you want to ensure that clients authenticate properly.

  7. Select or clear Integrated Windows Authentication to enable or disable this authentication method.

  8. Click OK twice.
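The combinations that matter in the two preceding procedures (secure channel and authentication), as an added example that is not from the book: a small audit function that takes a virtual server's access settings and reports basic authentication offered without a required secure channel (logon information crosses the network unencrypted), basic authentication with no default domain set, a secure channel required on a server with no certificate installed, and a server with both methods disabled. The dictionary keys and the two settings sets are constructed; the out-of-the-box defaults follow the text (both methods enabled, no default domain, no secure channel).

```python
"""Added example (not from the book): audit of a virtual server's
authentication and secure-channel settings. Keys and values are constructed
stand-ins for the dialog options described in the chapter."""

from typing import Dict, List

# Constructed: what a fresh virtual server looks like according to the chapter.
DEFAULT_SETTINGS = {
    "basic_authentication": True,
    "integrated_windows_authentication": True,
    "require_secure_channel": False,
    "certificate_installed": False,
    "default_domain": None,
}

# Constructed: the same server after the secure-channel and default-domain steps.
HARDENED_SETTINGS = {
    "basic_authentication": True,
    "integrated_windows_authentication": True,
    "require_secure_channel": True,
    "certificate_installed": True,
    "default_domain": "CORP",
}


def audit_access_settings(vs: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    basic = bool(vs.get("basic_authentication", True))
    integrated = bool(vs.get("integrated_windows_authentication", True))
    require_ssl = bool(vs.get("require_secure_channel", False))
    cert = bool(vs.get("certificate_installed", False))
    default_domain = vs.get("default_domain")

    if not basic and not integrated:
        findings.append("no authentication method enabled: no client can log on")
    if basic and not require_ssl:
        # Basic authentication sends the user name and password in the clear
        # unless the client is forced onto SSL.
        findings.append("basic authentication without Require Secure Channel: "
                        "logon information is transmitted unencrypted")
    if basic and not default_domain:
        findings.append("basic authentication without a default domain: "
                        "clients that omit the domain may fail to authenticate")
    if require_ssl and not cert:
        # The chapter installs the certificate before requiring the channel;
        # a required channel with no certificate leaves SSL clients unable to connect.
        findings.append("Require Secure Channel set but no certificate installed")
    return findings


if __name__ == "__main__":
    for name, settings in (("default", DEFAULT_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_access_settings(settings) or ["ok"])
```

The default settings produce two findings (clear-text basic authentication and no default domain); the hardened set produces none. Disabling basic authentication instead of requiring SSL also clears the first finding, at the cost described in step 5 of locking out clients that support only basic authentication.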

Restricting Incoming Connections and Setting Time-Out Values

You can control incoming connections to a virtual server in two ways. You can set a limit on the number of simultaneous connections and you can set a connection time-out value.

Virtual servers normally accept an unlimited number of connections, and in most environments this is an acceptable setting. However, when you're trying to prevent a virtual server from becoming overloaded, you may want to limit the number of simultaneous connections. Once the limit is reached, no other clients are permitted to access the server. The clients must wait until the connection load on the server decreases.

The connection time-out value determines when idle connections are disconnected. Normally, connections time out after they've been idle for 30 minutes. In most situations a 30-minute time-out is sufficient. Still, there are times when you'll want to increase the time-out value, and this primarily relates to clients who get disconnected when downloading large files. If you discover that clients get disconnected during large downloads, the time-out value is one area to examine. You'll also want to look at the Message Transfer Agent settings as discussed in Chapter 12.

You can modify connection limits and time-outs by completing the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3. Right-click the virtual server that you want to work with, and select Properties. This displays the Properties dialog box as shown in Figure 13-4.

  4. To remove connection limits, clear Limit Number Of Connections To. To set a connection limit, select Limit Number Of Connections To, and then type the limit value.

  5. The Connection Time-Out field controls the connection time-out. Type the new time-out value in minutes. In most cases, you'll want to use a time-out value between 30 and 90 minutes.

  6. Click OK.

    Figure 13-4. Use the Properties dialog box to configure connection limits and time-outs. Enabling these options can help reduce server load and be used to help troubleshoot connection problems.

Viewing and Ending User Sessions

A user session is started each time a user connects to a virtual server. The session lasts for the duration of the user's connection. Each virtual server tracks user sessions separately. By viewing the current sessions, you can monitor server load and determine which users are logged on to a server as well as how long users have been connected. If an unauthorized user is accessing a virtual server, you can terminate the user's session, which immediately disconnects the user. You also have the option of disconnecting all users who are accessing a particular virtual server.

To view or end user sessions, complete the following steps:

  1. Start System Manager. If administrative groups are enabled, expand the administrative group in which the server you want to use is located.

  2. In the console tree, navigate to the Protocols container. Expand Servers, expand the server you want to work with, and then expand Protocols.

  3. In the console tree, expand SMTP, IMAP4, or POP3, and then double-click the virtual server that you want to work with.

  4. You should now see a node called Current Sessions. Select this node in the console tree. The details pane displays current sessions.

  5. To disconnect a single user, right-click a user entry in the details pane, and then select Terminate.

  6. To disconnect all users, right-click any user entry in the details pane, and then select Terminate All.
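The three session controls described in the last two sections (the simultaneous-connection limit and idle time-out from "Restricting Incoming Connections and Setting Time-Out Values", and the Current Sessions view with Terminate and Terminate All from this section), as one added example that is not the product's code. It is a model of a virtual server's session table: a connection is refused once the limit is reached, sessions idle longer than the time-out (30 minutes by default) are dropped, and an administrator can list, terminate or terminate all sessions. Time is passed in as minutes so the example runs offline; user names and addresses are constructed.

```python
"""Added example (not the product's code): a model of per-virtual-server
session tracking with a connection limit, idle time-out and terminate
operations. Times are minutes since an arbitrary epoch; data is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    client_ip: str
    connected_at: float
    last_activity: float


class VirtualServerSessions:
    def __init__(self, connection_limit: Optional[int] = None,
                 timeout_minutes: float = 30):
        self.connection_limit = connection_limit   # None = unlimited (the default)
        self.timeout_minutes = timeout_minutes     # default 30, per the chapter
        self._sessions: Dict[int, Session] = {}
        self._next_id = 1

    def connect(self, user: str, client_ip: str, now: float) -> Optional[int]:
        """Open a session and return its id, or None when the connection limit
        is reached (the client must wait until the load decreases)."""
        self.reap_idle(now)
        if self.connection_limit is not None and len(self._sessions) >= self.connection_limit:
            return None
        sid = self._next_id
        self._next_id += 1
        self._sessions[sid] = Session(user, client_ip, now, now)
        return sid

    def activity(self, sid: int, now: float) -> None:
        """Record traffic on a session so the idle clock restarts."""
        self._sessions[sid].last_activity = now

    def reap_idle(self, now: float) -> List[int]:
        """Disconnect sessions idle for at least timeout_minutes; return their ids."""
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_activity >= self.timeout_minutes]
        for sid in expired:
            del self._sessions[sid]
        return expired

    def current_sessions(self, now: float) -> List[dict]:
        """What the Current Sessions node shows: who is connected and for how long."""
        return [{"id": sid, "user": s.user, "from": s.client_ip,
                 "connected_minutes": now - s.connected_at}
                for sid, s in self._sessions.items()]

    def terminate(self, sid: int) -> bool:
        """Terminate one session; False if it no longer exists."""
        return self._sessions.pop(sid, None) is not None

    def terminate_all(self) -> int:
        """Terminate All: drop every session and return how many were dropped."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


if __name__ == "__main__":
    table = VirtualServerSessions(connection_limit=2, timeout_minutes=30)
    a = table.connect("alice", "10.0.0.5", 0)
    b = table.connect("bob", "10.0.0.6", 1)
    print("third connection:", table.connect("carol", "10.0.0.7", 2))  # refused
    table.activity(a, 20)
    print("dropped as idle at t=35:", table.reap_idle(35))              # bob
    print(table.current_sessions(35))
```

A long download keeps the idle clock running only if the client sends nothing for the whole time-out period, which is why the text suggests raising the value before looking elsewhere when large downloads are cut off.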

from Microsoft Exchange 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.
