Secure the Protocols
After you've enabled the necessary protocols (e.g., IMAP) on your servers and have decided on which servers you need to install the server certificates, the next step in securing the protocols is to generate certificate requests. The procedure varies slightly depending on whether your servers run Exchange 2000 or Exchange 5.5.
Exchange 2000. For Exchange 2000 installations, open the ESM console. (Each protocol uses the same method to activate SSL; I'll use IMAP as an example.) Expand the Protocols container of the server you're configuring, then expand the IMAP4 container to display the IMAP4 virtual server.
Right-click the IMAP4 virtual server, choose Properties from the context menu, and go to the Access tab in the virtual server's Properties dialog box. Click Certificate in the tab's Secure communication section to launch the IIS Certificate Wizard. This wizard guides you through actions such as requesting, installing, and renewing certificates. On the wizard's Server Certificate screen, which Figure 3 shows, select Create a new certificate. The wizard prompts you to provide information such as your organization's legal name, country, and region. The wizard also prompts you to specify the certificate request's bit length, which determines the public-key encryption and signing strength. (I suggest you use 1024 bits because known vulnerabilities exist with 512-bit keys.) Finally, you specify a common name (CN) for the server; the CA will encode this CN into the server certificate. The CN must be the same name configured on your server, or users will receive warnings about a mismatch between the name encoded in the certificate and the host name their email clients used to locate the server. When the wizard is completed, it saves the certificate request as a text file.
Next, you need to send the text file, as well as official identification, to the CA. (Most CAs maintain a Web page through which you can upload this information. See "Related Reading," for more information about this process.) The required credentials depend on the CA, but most US CAs accept a business license, a Congressional Act establishing a government organization, or a Dun & Bradstreet D-U-N-S Number. On average, the CA takes 2 to 3 days to process your request and generate a certificate file.
When you have the certificate file, follow the steps I presented earlier to open the IIS Certificate Wizard. This time, the wizard recognizes the existence of a pending certificate request and presents a new set of options. Select the option to Process the pending request and install the certificate. To install the certificate on the server, simply specify the path to the certificate file and click Finish.
Now you need to enforce the use of SSL for the protocols. Again, open the ESM console, open the IMAP4 virtual server's Properties dialog box, and go to the Access tab. Click Communication in the Secure communication section to display the Security dialog box. Select the Require secure channel check box, and click OK. Users who access their mailboxes through IMAP must now use SSL.
Exchange 5.5. For an Exchange 5.5 server, you use the IIS Key Manager to request and install the certificate. To access Key Manager open the Internet Services Manager (ISM). Next, open the Properties dialog box for the Default Web Site, go to the Directory Security tab, and click Key Manager. You can also run Key Manager from a command line. Open a command prompt and type
C:\winnt\system32\inetsrv\keyring.exe
As in Exchange 2000, the procedure for requesting and installing certificates is the same for all protocols, so I'll use IMAP4 as an example again. In Key Manager, which Figure 4 shows, right-click the IMAP4 object and select Create New Key from the context menu to open the Key Request Wizard. This wizard prompts you to provide the same information I described for the IIS 5.0 Certificate Wizard, as well as a name for the key request and a password (you'll need to use this password later, so don't lose it). When the wizard finishes, it creates a key request text file and a pending key request object (which Figure 4 displays as the object IMAPkey) below the IMAP4 object. As I described earlier, submit the key request file and your identifying information to the CA. When you receive the certificate file from the CA, use Key Manager to install the certificate on your Exchange 5.5 server. Open Key Manager, right-click the pending key request object, and select Install Certificate. To process a Key Manager—generated request, supply the path to the certificate file and the password you used when you generated the request. When you click Finish on the wizard's final page, the certificate will be installed and ready to use in SSL sessions.
To enforce SSL for POP, IMAP, and HTTP, use the Microsoft Exchange Administrator program to access the protocol container. Open the protocol's Properties dialog box and select the Authentication tab. Select the Basic (Clear Text) using SSL check box and clear the other five check boxes on the tab. Click OK; users of the protocol must now use SSL. To configure SMTP to require encryption, open the IMS's Properties dialog box and go to the Connections tab. In the Accept Connections section, which Figure 5 shows, select Only from hosts using and choose Encryption from the drop-down list. To enforce this setting, you need to stop and restart the IMS.
Remember that requiring SSL on your default SMTP virtual server (for Exchange 2000) or your default SMTP server (for Exchange 5.5) forces any server that attempts to connect and deliver mail to use SSL—preventing you from receiving mail from some servers.
Rest Secure
Configuring your servers to require SSL for Internet protocol—based communications with your email clients definitely helps protect your sensitive information as it moves between clients and servers. Be sure to carefully consider the relevant factors before you begin the configuration process, and monitor your network afterward to confirm that communications are running smoothly.