Re: Exchange 5.5 and remote access using IMAP4

  • From: Danny <nocmonkey@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 1 Mar 2005 15:36:19 -0500

On Tue, 1 Mar 2005 09:07:38 -0800, Jason Davis <JDavis@xxxxxxxxxx> wrote:
> Hello all,
> Recently, I set up remote access to our Exchange Server for IMAP4 by opening
> port 143 on our Cisco box.

Protocol (IMAP4) or just port (143) based on your "Cisco box"?

> Although this is tremendously convenient for our users to access their
> office email from home, I'm concerned about the security risks.

Any port you open allowing unrestricted access to your LAN should
cause concern and will increase vulnerability to attack.

In an ideal world, if you were set on IMAP4, you would implement the following:

-Protocol-based port forwarding, rather than just forwarding a port number
-Placing the server - responding to the NAT'd traffic - in the DMZ
-Source IP restrictions -- home users' IP addresses
-Anti-malware scanning at the firewall level
-An encrypted tunnel between the client and server, such as IPSec VPN,
SSH, SSL, etc.
-Home user anti-malware and host-based firewall software compliance

These are just a few things, but they would all help to substantially
decrease the risk associated with forwarding the traffic, but, of
course would not eliminate the risks associated with plugging into a

> Most of our users are using Outlook Express from home to access their mail
> from the Exchange Server.  I noticed that there is an option for "My Server
> Requires Authentication" for Outgoing Mail.  Is there anything I need to
> set up on Exchange Server 5.5 to increase the security and require that the
> users authenticate for Outgoing Mail?

IMAP4 is a mail retrieval protocol; you cannot send.  Therefore, the
Outgoing Mail settings in Outlook Express do not apply; your users
will probably need to use the SMTP server of the ISP they are
connected to.

> Any other words of wisdom, in terms of securing Exchange Server 5.5 for
> remote email access?

1) Encrypt traffic where possible; lots of options out there, even free ones
2) Scan for malware when possible; the more layers and different AV
vendors the better
3) Restrict access to your information assets; opening port 143 to the
world is not essential
4) Block unessential and potentially malicious email attachments
before they reach your Exchange server; there are free tools available
for this
5) Educate your users; best practices
