
Secure EMail and Exchange 2003

I’m not a fan of Outlook. I think it is bloated, slow, and prone to any number of issues. That’s me. I like a nice, compact, fast email client that lets me get through all my email quickly. I’ve always liked Outlook Express and wondered why more people don’t pay any attention to it.

I work in Linux a lot as well these days. After years of Microsoft I'm finding that I really like Linux. It is my base OS, and I run VMware or RDP sessions to manage my Microsoft shop.

I’ve been wanting to use a simple POP or IMAP client to check my mail when I’m traveling, have poor connectivity, etc. My company has many people overseas on very slow and highly contended VSAT connections. I don’t like passing my credentials in plain text.

I applied an SSL/TLS certificate to the POP3, IMAP, and SMTP virtual servers on our Exchange 2003 front ends. I opened the appropriate firewall ports (993 for IMAP over SSL and 995 for POP3 over SSL), and voilà, we had secure IMAP and POP3. SMTP was a little weird.

Exchange 2003 does not use a separate port for secure SMTP. It offers STARTTLS on port 25, and the client upgrades the connection to TLS after the EHLO exchange, so the same port carries both plain and encrypted sessions. This works out fine. When you configure your client, choose TLS (STARTTLS), not SSL, and make sure the port is 25. You can confirm your email was sent encrypted by sending yourself a test message and looking at the headers: the Received line written by your SMTP server will say the message was received in an encrypted session.

One last gotcha: secure SMTP worked inside the firewall and not outside. Using telnet to the mail server on port 25 from the inside, an EHLO returned the full list of extensions, including STARTTLS. From outside the firewall, those lines came back as strings of X's. Cisco firewalls with ESMTP inspection (an ip inspect name ... esmtp statement on IOS) rewrite the EHLO reply, masking the extensions they do not permit, and STARTTLS is one of them. The client then fails with an error stating that STARTTLS is not offered by the server. Remove the ip inspect esmtp statement and all will be well. (On an ASA, the esmtp inspection policy-map has an allow-tls parameter that lets STARTTLS through without dropping inspection entirely; classic IOS inspection has no such knob, so removing the statement is the fix there.)
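The two checks above, confirming that STARTTLS is advertised and spotting the masked lines an inspecting firewall leaves behind, can be scripted. The following is an added example, not code from the original post; the two EHLO replies are constructed sample data modelled on an Exchange 2003 front end, and the host name mail.example.com and the probe() helper are assumptions for illustration. The offline parser is what the assertions exercise; probe() is the same logic run against a live server.

```python
"""Parse an SMTP EHLO reply, report whether STARTTLS is offered, and detect
the masking a Cisco ESMTP inspection performs (extension lines replaced by X's).

Added example for this post; not part of the original article.
"""
import re
import smtplib
import ssl

# Constructed sample: EHLO reply from an Exchange 2003 front end seen from
# inside the firewall (no inspection in the path).  Sample data, not a capture.
EHLO_INSIDE = b"""250-mail.example.com Hello [10.0.0.5]
250-TURN
250-SIZE 10485760
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-AUTH GSSAPI NTLM LOGIN
250-STARTTLS
250 OK
"""

# Constructed sample: the same server seen through a Cisco firewall whose
# ESMTP inspection masks extensions it does not permit, STARTTLS among them.
EHLO_OUTSIDE = b"""250-mail.example.com Hello [203.0.113.7]
250-XXXX
250-SIZE 10485760
250-XXXX
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-XXXXXXXXXX
250-XXXXXXXX
250-AUTH GSSAPI NTLM LOGIN
250-XXXXXXXX
250 OK
"""

# A reply line is either "250-<text>" / "250 <text>" (raw telnet) or bare
# "<text>" (smtplib strips the code), so the prefix is optional.
_LINE = re.compile(r"^(?:250[- ])?(.*)$")


def parse_ehlo(reply):
    """Return {'extensions': [keywords], 'masked': count} for an EHLO reply.

    The first line is the server greeting and carries no extension.  A line
    whose text is nothing but X's is counted as masked by an inspecting
    firewall rather than as an extension.
    """
    text = reply.decode("ascii", errors="replace") if isinstance(reply, bytes) else reply
    extensions, masked = [], 0
    for line in text.splitlines()[1:]:
        m = _LINE.match(line.strip())
        if not m or not m.group(1).strip():
            continue
        body = m.group(1).strip()
        if re.fullmatch(r"X+", body):
            masked += 1
            continue
        keyword = body.split()[0].upper()
        if keyword != "OK":          # trailing "250 OK" is the terminator, not an extension
            extensions.append(keyword)
    return {"extensions": extensions, "masked": masked}


def starttls_offered(reply):
    """True if the EHLO reply advertises STARTTLS."""
    return "STARTTLS" in parse_ehlo(reply)["extensions"]


def inspection_suspected(reply):
    """True if any extension line was replaced by X's (Cisco ESMTP inspection signature)."""
    return parse_ehlo(reply)["masked"] > 0


def probe(host, port=25, timeout=10):
    """Live check (assumed helper): EHLO the server, then upgrade with STARTTLS if offered.

    Returns a dict with the parsed EHLO result and, after a successful
    upgrade, the negotiated TLS cipher.  Requires network access.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        result = parse_ehlo(s.ehlo_resp)
        result["starttls"] = s.has_extn("starttls")
        if result["starttls"]:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()                       # extensions must be re-read after the upgrade
            result["cipher"] = s.sock.cipher()
        return result
```

Run parse_ehlo() over the reply you paste from a telnet session on each side of the firewall: the inside reply should list STARTTLS with zero masked lines, and the outside reply with masked lines and no STARTTLS points straight at the inspect statement. For a manual check, openssl s_client -starttls smtp -connect mail.example.com:25 performs the same upgrade and prints the certificate and cipher.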

Outlook and Outlook Express only have an SSL checkbox; on port 25 that checkbox negotiates STARTTLS, so configure them for SMTP port 25 with SSL ticked. In any other client, keep port 25 and choose TLS (STARTTLS).

Clients tested: Thunderbird, Evolution, Outlook Express

Note: if you are using Outlook or Evolution, you might consider the RPC over HTTPS support built into these two clients instead.