Microsoft IIS 6.0 Administrator's Consultant

POP3 Service is installed when you add the E-Mail Services Windows component to a system. Click Add Or Remove Programs in Control Panel and then click Add/Remove Windows Components. This starts the Windows Component Wizard. Select E-Mail Services, click Next, and then, when prompted, click Finish. The POP3 e-mail service is installed, as well as any additional components that are required, including SMTP and IIS.

Unlike SMTP, which you manage through the IIS snap-in, you manage POP3 Service through a separate console snap-in. You can access this snap-in, called POP3 Service, from the Administrative Tools menu, or you can add it to any updateable MMC.

When you install E-Mail Services, POP3 Service is installed but no e-mail domains are configured for e-mail receipt and storage. After you’ve planned the necessary modifications to DNS and coordinated with your ISP, you can specify the e-mail domains you want to service. You do this by creating the domains on the server. However, before you do this, you should configure the server properties.

Configuring POP3 E-Mail Client and Server Authentication

When you install the POP3 Service, no default domains are created. You can create and manage e-mail domains as discussed in the section of this chapter entitled “Working with POP3 Domains.” However, before you do this, you should configure the e-mail server authentication method.

You can’t modify the authentication method once you define the e-mail domains that the server will handle. The only way to change the authentication method is by following these steps:

  1. Delete all existing e-mail domains for the POP3 Service.

  2. Change to the desired authentication method.

  3. Recreate the e-mail domains for the POP3 Service and the mailboxes you want to use.

Three authentication methods are available. The best one for you depends on your network’s configuration and how you plan to use e-mail services. The authentication methods are summarized in Table 10-1.

Table 10-1: Authentication Methods for POP3 Servers

Authentication Method: Local Windows Accounts

Description: Integrates the POP3 Service with the local system’s Security Accounts Manager (SAM). This has several benefits: when you’re creating mailboxes for users, you can automatically create their user account as well; users can utilize the same account name and password to be authenticated on the system and for POP3; and you can more easily manage accounts. A limitation of this method is that you can’t use the same user name across domains. For example, if dev.microsoft.com and tech.microsoft.com are configured, you can’t have a user account for wrstanek@dev.microsoft.com and a user account for wrstanek@tech.microsoft.com.

When to Use: If you’re not using Active Directory but want to associate user accounts with mailboxes that you create, use this authentication technique. You’ll then be able to manage accounts associated with mailboxes through the Local Users And Groups node in Computer Management. (This option is available only when the system isn’t part of Active Directory.)

Authentication Method: Active Directory Integrated

Description: Integrates the POP3 Service with an Active Directory domain. This mode has the same benefits as the Local Windows Accounts authentication method. Here, you integrate the POP3 Service into your existing Active Directory domain to gain the benefits mentioned previously. As long as the domains are available through Active Directory and are in the same forest, you can use the same user name across domains. For example, if the system services dev.microsoft.com and tech.microsoft.com, you can have a user account for wrstanek@dev.microsoft.com and a user account for wrstanek@tech.microsoft.com.

When to Use: If the server is a member of an Active Directory domain or a domain controller, use this authentication technique. You’ll then be able to manage accounts associated with mailboxes through Active Directory Users And Computers. (This option is available only when the system is part of Active Directory.)

Authentication Method: Encrypted Password File

Description: Instead of managing mailboxes through user accounts, you use encrypted password files to set passwords for mailboxes. This file is stored in the user’s mailbox directory and read during the authentication process. In some cases this might allow you to support a larger number of mailboxes while reducing management overhead, since there are no user accounts. However, the only way to change mailbox passwords is to use the Winpop utility, located in %SystemRoot%\System32.

When to Use: If you’re not using Active Directory and don’t want to associate user accounts with mailboxes, use this authentication technique. You’ll then use the Winpop utility to reset mailbox passwords.

By default, POP3 is configured to pass the user name and password information as clear text when users attempt to connect to the server. With Local Windows Account authentication and Active Directory Integrated authentication, you can also require Secure Password Authentication (SPA) for all client connections. You can’t require SPA for the Encrypted Password File method, but secure authentication is supported.

To set the server authentication method, follow these steps:

  1. In the POP3 Service snap-in, right-click the icon for the computer you want to work with and then select Properties. This displays the Server Properties dialog box shown in Figure 10-9.

    Figure 10-9: Use the Properties dialog box to configure properties for all POP3 domains on a server.

  2. Use the Authentication Method drop-down list to set the authentication method for the server and all e-mail domains it services. Remember, you can’t modify the method once you define e-mail domains.

  3. If you chose Local Windows Account or Active Directory Integrated authentication, you can also require Secure Password Authentication for all client connections. Select Require Secure Password Authentication (SPA) For All Client Connections. Click OK.

  4. If prompted, click Yes to restart the POP3 Service. Otherwise, right-click the icon for the computer you’re working with, select All Tasks from the shortcut menu, and then click Restart. You should restart the POP3 service in order for these changes to take effect.

Configuring POP3 Port Settings

By default, POP3 responds on TCP port 110. If you want the server to use a different port for all e-mail domains serviced, you can configure this through the server properties dialog box. Follow these steps:

  1. In the POP3 Service snap-in, right-click the icon for the computer you want to work with and then select Properties.

  2. Type the new port number in the Server Port field.

  3. Click OK. Next, right-click the icon for the computer you’re working with, select All Tasks from the shortcut menu, and then click Restart. You should restart the POP3 service in order for this change to take effect.

Configuring the POP3 Root Mail Directory

The Root Mail Directory field sets the physical location used to store mailboxes. Each e-mail domain configured has a separate folder, and within this folder are subfolders for any mailboxes you’ve created for the domain. Individual e-mail messages are stored as flat files within the mailbox folders.

By default, the Root Mail directory is set to Inetpub\mailroot\Mailbox. You can change this to any local or remote folder if desired. To do this, follow these steps:

  1. In the POP3 Service snap-in, right-click the icon for the computer you want to work with and then select Properties.

  2. In the Root Mail Directory field, type the directory path to the folder in which you want to store mail. If you don’t know the full path for the folder, click Browse and then use the Browse For Folder dialog box to find the folder you want to use. It’s recommended that you use a directory on an NTFS partition.

  3. Click OK to set the new Root Mail directory. If the folder is available and can be used, you’ll see a message stating that the new mail root is set but any existing domains won’t have mail stored properly.

With NTFS, the permissions on the folder are reset so that only local administrators and services accounts have access to the Root Mail directory. If you examine the permissions, you’ll see that Administrators, System, and Network Service are all given full control and any previously assigned access for individual users or groups is removed.

Note

If the folder can’t be found, you’ll see a warning telling you this. To resolve the problem, you’ll need to ensure that the folder is created or shared as necessary, and then repeat this procedure.

  4. Using Windows Explorer, copy any existing domain directories (and all their subdirectories) to the new Root Mail directory. This ensures that mail for any previously defined domains or user mailboxes can be stored properly.

  5. Click OK. If prompted, click Yes to restart the POP3 Service. Otherwise, right-click the icon for the computer you’re working with, select All Tasks from the shortcut menu, and then click Restart. You should restart the POP3 service in order for these changes to take effect.
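The permission reset described in this procedure also applies to the domain folders and mailbox folders the POP3 Service creates under the Root Mail directory (the book notes for each that Administrators, System, and Network Service get full control and nothing else). Because a later copy, share, or manual ACL edit can leave extra entries behind, it is worth verifying after the move. The following PowerShell script is an added example, not code from the book or from Microsoft. It walks all three levels of the mail store and reports any access control entry whose identity is not one of those three, comparing by well-known SID so that localized group names are still recognized, and warns if the mail root is not on a local NTFS volume. The default path is the book's default Root Mail directory and is an assumption for your server; it requires PowerShell 3.0 or later.

```powershell
# Added example (not from the book): audit NTFS permissions on the POP3 mail store.
# Expected layout (from the book): <MailRoot>\<domain>\P3_<mailbox>.mbx
# Expected ACL (from the book): Full Control for Administrators, SYSTEM and
# NETWORK SERVICE only. Any other identity on any of the three levels is reported.
# Requires PowerShell 3.0 or later (for the -Directory switch).
param(
    [string]$MailRoot = 'C:\Inetpub\mailroot\Mailbox'   # assumed default location
)

# Well-known SIDs, compared by SID rather than display name so that a
# localized "Administrators" group name does not produce a false alarm.
$expectedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-20'        # NT AUTHORITY\NETWORK SERVICE
)

function Test-NtfsVolume {
    param([string]$Path)
    try {
        $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
        $drive = New-Object System.IO.DriveInfo -ArgumentList $root
        return ($drive.DriveFormat -eq 'NTFS')
    } catch {
        return $false   # UNC paths and unreachable volumes cannot be checked this way
    }
}

function Get-UnexpectedAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # orphaned or unresolvable identity
        }
        # Report anything that is not an Allow entry for one of the three expected identities.
        # The rights column is included so a reviewer can see what was granted.
        if (($expectedSids -notcontains $sid) -or ($ace.AccessControlType -ne 'Allow')) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (-not (Test-NtfsVolume -Path $MailRoot)) {
    Write-Warning "$MailRoot is not on a local NTFS volume; the permission reset performed by the POP3 Service relies on NTFS."
}

# Collect the mail root, every domain folder, and every mailbox folder beneath it.
$folders = @($MailRoot)
foreach ($domain in Get-ChildItem -LiteralPath $MailRoot -Directory) {
    $folders += $domain.FullName
    foreach ($mbx in Get-ChildItem -LiteralPath $domain.FullName -Directory -Filter 'P3_*.mbx') {
        $folders += $mbx.FullName
    }
}

$findings = foreach ($folder in $folders) { Get-UnexpectedAce -Path $folder }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No unexpected ACEs on $($folders.Count) folder(s) under $MailRoot."
}
```

Run it from an elevated PowerShell prompt on the POP3 server after changing the Root Mail directory and after copying domain directories into it; an entry for an individual user or a group other than Administrators indicates that the copy brought its own permissions along and the folder should be re-examined before the service is restarted.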

Working with POP3 Domains

After you configure basic server properties, including the authentication method, you can create and manage e-mail domains. The tasks for creating and managing e-mail domains are examined in the sections that follow.

Viewing Domain Information

Anytime you want to view the currently configured domains, simply select the computer node in the POP3 Service snap-in. If e-mail domains are configured on the server, as shown in Figure 10-10 on the following page, you’ll see the following statistics for each domain:

Creating Domains

The POP3 Service handles top-level domains, such as adatum.com, and second-level domains, such as dev.adatum.com or tech.adatum.com. DNS determines how mail is routed on the Internet and you’ll need to contact your ISP if you want mail for specific domains to be routed to your POP3 server.

Once DNS is configured properly, you’ll need to ensure that the TCP ports for POP3 and SMTP are open to the server. This ensures that the e-mail system will function properly. By default, SMTP is on TCP port 25 and POP3 is on TCP port 110. If your network has a firewall or proxy server, you’ll need to configure these ports so that inbound and outbound connections can be made.

Once you’ve done the necessary planning and configuration, creating the e-mail domain is easy. Follow these steps:

  1. In the POP3 Service snap-in, right-click the icon for the computer you want to work with, choose New, and then select Domain. This displays the Add Domain dialog box.

  2. In the Domain Name field, type the name of the e-mail domain you want the server to handle. Be sure to use the DNS domain name format, such as adatum.com, rather than adatum.

  3. Click OK to create the domain. A folder is created in the Mailroot directory for the domain. If you examine the permissions for this directory, you’ll see that they’re the same as those assigned to the mail root itself. Administrators, System, and Network Service are all given full control.

Locking and Unlocking Domains

You can restrict access to an e-mail domain temporarily by locking the domain. When the domain is locked, POP3 clients can’t connect to the server to access e-mail in the domain. However, e-mail can still be delivered and routed. You can lock and unlock domains as follows:

Deleting Domains

When you no longer want to support an e-mail domain on a server, you can delete the e-mail domain from the POP3 server. Deleting an e-mail domain permanently removes the domain directory and the complete contents of the associated mail store. As a result, all user mailboxes are deleted, as well as any messages they might contain.

To delete a domain, follow these steps:

  1. In the POP3 Service snap-in, select the icon for the computer you want to work with.

  2. Right-click the domain you want to remove and then select Delete.

  3. When prompted, click Yes to confirm the action. If you’re unsure that this is the desired action, click No.

Deleting an e-mail domain doesn’t stop mail from being routed to the server, nor does it delete the user accounts that might have been created with the mailboxes. To stop mail from being routed to the server, you’ll need to contact your ISP. They’ll need to modify the DNS mail exchange (MX) record to point to a new server or delete the record. To close access to the server, you’ll need to lock or remove user accounts as necessary.

Real World

DNS changes can take several days or weeks to take effect, depending on the DNS configuration. Because of this, you should contact your ISP several weeks before you plan to make DNS changes. Your ISP can then modify the DNS configuration so that upcoming changes can be more rapidly disseminated.

Working with Mailboxes

Mailboxes are used to store incoming e-mail for users. Each mailbox is created as a separate folder in the mail store. The name of this folder is P3_accountName.mbx, where accountName is the actual name of the mailbox, the user account, or both, associated with the mailbox. When users connect to the server using a POP3 client, such as Microsoft Outlook Express, the mailbox name is the name they must provide to retrieve their e-mail.

With Active Directory Integrated or Local Windows Account authentication, a user account can be associated with the mailbox. This user account has the same name as the mailbox. You can’t create two mailboxes with the same name in a domain. But with Active Directory Integrated and Encrypted Password File authentication, you can use the same user name across domains in the same forest. For example, if dev.microsoft.com and tech.microsoft.com are configured, you could have a mailbox for wrstanek in both domains. The complete e-mail address of these mailboxes would be wrstanek@dev.microsoft.com and wrstanek@tech.microsoft.com, respectively.

In the mailbox directory, individual mail messages are stored as separate files. Mail files are named in the form P3messageNumber.eml, where messageNumber is a unique identifier for the message.
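Because the mail store is a plain directory tree with one folder per domain, one P3_accountName.mbx folder per mailbox, and one P3messageNumber.eml file per message, mailbox size and message counts can be checked from the file system as well as from the snap-in. The following PowerShell script is an added example, not code from the book or from Microsoft. It walks the layout just described and reports, for every mailbox, its e-mail address, message count, total size, and the timestamp of the oldest message file, then summarizes per domain and warns about mailboxes above a reporting threshold. The default path is the book's default Root Mail directory and the threshold value is an assumption; lock state is not derived here, since the book exposes it through the snap-in. Requires PowerShell 3.0 or later.

```powershell
# Added example (not from the book): inventory the POP3 mail store from its
# on-disk layout, which the book describes as
#   <MailRoot>\<domain>\P3_<mailbox>.mbx\P3<messageNumber>.eml
# Requires PowerShell 3.0 or later (for the -Directory and -File switches).
param(
    [string]$MailRoot = 'C:\Inetpub\mailroot\Mailbox',   # assumed default location
    [int]$LargeMailboxKB = 10240                          # reporting threshold only (assumed value)
)

function Get-Pop3MailboxInventory {
    param([string]$Root)
    foreach ($domainDir in Get-ChildItem -LiteralPath $Root -Directory) {
        foreach ($mbx in Get-ChildItem -LiteralPath $domainDir.FullName -Directory -Filter 'P3_*.mbx') {
            # Recover the mailbox name from the folder name P3_<name>.mbx
            $name     = $mbx.Name -replace '^P3_', '' -replace '\.mbx$', ''
            $messages = @(Get-ChildItem -LiteralPath $mbx.FullName -File -Filter 'P3*.eml')
            # [int64]$null is 0, so an empty mailbox reports 0 bytes
            $bytes    = [int64]($messages | Measure-Object -Property Length -Sum).Sum
            $oldest   = $messages | Sort-Object LastWriteTime | Select-Object -First 1
            $oldestTime = $null
            if ($oldest) { $oldestTime = $oldest.LastWriteTime }
            [pscustomobject]@{
                Domain   = $domainDir.Name
                Mailbox  = $name
                Address  = "$name@$($domainDir.Name)"
                Messages = $messages.Count
                SizeKB   = [math]::Round($bytes / 1KB, 1)
                Oldest   = $oldestTime
            }
        }
    }
}

$inventory = @(Get-Pop3MailboxInventory -Root $MailRoot)

# Largest mailboxes first
$inventory | Sort-Object SizeKB -Descending | Format-Table -AutoSize

# Per-domain totals
$inventory | Group-Object Domain | ForEach-Object {
    $total = ($_.Group | Measure-Object -Property SizeKB -Sum).Sum
    "{0}: {1} mailbox(es), {2:N1} KB" -f $_.Name, $_.Count, $total
}

# Mailboxes above the reporting threshold
$inventory | Where-Object { $_.SizeKB -gt $LargeMailboxKB } | ForEach-Object {
    Write-Warning "$($_.Address) holds $($_.SizeKB) KB in $($_.Messages) message(s)"
}
```

The script only reads the store, so it is safe to schedule; the Oldest column is useful for spotting mailboxes whose owner has stopped collecting mail, which is often the first sign of an account that should be locked or removed.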

Checking Mailbox Size, Messages, and State

Any time you want to check the size, number of messages, or state of mailboxes in a domain, simply select the domain in the POP3 Service snap-in. You’ll then see the following statistics for each mailbox:

Creating Mailboxes

When you use Active Directory Integrated or Local Windows Account authentication, you should always create an associated user account with new mailboxes. In this way you can manage the user account to control access and privileges on the server. You can also use the standard techniques for locking accounts and changing passwords to control access to the mailbox. To help ensure that user accounts are created when these authentication methods are used, follow these steps:

  1. In the POP3 Service snap-in, right-click the icon for the computer you want to work with and then select Properties.

  2. In the server properties dialog box, select Always Create An Associated User For New Mailboxes.

  3. Click OK. Now user accounts will be created with mailboxes by default.

Another thing to consider before creating mailboxes is the naming scheme you want to use. When you’re using Local Windows Accounts authentication, mailbox names can be up to 20 characters. Mailbox names can be up to 64 characters when you’re using Encrypted Password File or Active Directory Integrated authentication. The minimum length for a mailbox name is one character. You should follow the same naming conventions as those for domain accounts—even if you don’t plan on creating user accounts for mailboxes. Having a defined naming structure for mailboxes makes it easier to manage the POP3 server.
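The length limits above, together with the uniqueness rules the book gives for mailboxes (unique within a domain, and with Local Windows Accounts authentication unique across every domain on the server), are easy to check before you open the Add Mailbox dialog box. The following PowerShell function is an added example, not code from the book or from Microsoft. The rules it enforces are the book's; the hashtable of existing mailboxes keyed by domain is an assumed input, constructed here from the book's own example names, and the folder-name character check is an assumption drawn from the fact that each mailbox becomes a folder named P3_accountName.mbx. Requires PowerShell 3.0 or later.

```powershell
# Added example (not from the book): validate a proposed POP3 mailbox name
# against the naming rules the book gives before creating the mailbox.
# Rules from the book: 1 character minimum; 20 characters maximum with Local
# Windows Accounts, 64 with Active Directory Integrated or Encrypted Password
# File; unique within the domain; and, with Local Windows Accounts only,
# unique across every domain on the server.
function Test-Pop3MailboxName {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Name,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)]
        [ValidateSet('LocalWindowsAccounts', 'ActiveDirectoryIntegrated', 'EncryptedPasswordFile')]
        [string]$AuthMethod,
        # Existing mailboxes keyed by domain name (assumed input; on a real
        # server build it from the mail store folders or the snap-in).
        [hashtable]$Existing = @{}
    )
    $problems  = @()
    $maxLength = if ($AuthMethod -eq 'LocalWindowsAccounts') { 20 } else { 64 }

    if ($Name.Length -lt 1) {
        $problems += 'Name must be at least one character.'
    } elseif ($Name.Length -gt $maxLength) {
        $problems += "Name is $($Name.Length) characters; the limit with $AuthMethod is $maxLength."
    }

    # Assumption: the name must be usable as the folder name P3_<name>.mbx
    if ($Name.IndexOfAny([System.IO.Path]::GetInvalidFileNameChars()) -ge 0) {
        $problems += "Name contains characters that are not valid in a folder name (P3_$Name.mbx)."
    }

    # Uniqueness within the domain (-contains is case-insensitive, like account names)
    if ($Existing[$Domain] -contains $Name) {
        $problems += "A mailbox named '$Name' already exists in $Domain."
    }

    # With Local Windows Accounts the name must be unique across all domains
    if ($AuthMethod -eq 'LocalWindowsAccounts') {
        foreach ($other in ($Existing.Keys | Where-Object { $_ -ne $Domain })) {
            if ($Existing[$other] -contains $Name) {
                $problems += "'$Name' is already used in $other; Local Windows Accounts requires a server-wide unique name."
            }
        }
    }

    [pscustomobject]@{
        Address  = "$Name@$Domain"
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample using the two domains from the book's examples
$existing = @{
    'dev.microsoft.com'  = @('wrstanek', 'tomg')
    'tech.microsoft.com' = @('tomg')
}
Test-Pop3MailboxName -Name 'wrstanek' -Domain 'tech.microsoft.com' -AuthMethod LocalWindowsAccounts -Existing $existing
Test-Pop3MailboxName -Name 'wrstanek' -Domain 'tech.microsoft.com' -AuthMethod ActiveDirectoryIntegrated -Existing $existing
```

With the sample data, the first call reports that wrstanek is already used in dev.microsoft.com and is therefore rejected under Local Windows Accounts, while the second call accepts the same name under Active Directory Integrated authentication, which matches the behaviour the book describes for the two methods.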

The naming schemes I recommend for mailboxes are the same as the ones I recommend for user accounts. Guidelines for naming schemes you might want to use include:

When you’re ready to create mailboxes, follow these steps:

  1. In the POP3 Service snap-in, select the e-mail domain you want to work with. A complete list of mailboxes in this domain is displayed.

  2. If the mailbox you want to create doesn’t already exist in the domain, click Add Mailbox. This displays the Add Mailbox dialog box shown in Figure 10-11.

    Figure 10-11: Use the Add Mailbox dialog box to create mailboxes for the e-mail domain. Mailboxes should follow the same naming and strict password requirements as any other type of account.

  3. In the Mailbox Name field, type a name for the mailbox. When you’re using Local Windows Accounts authentication, mailbox names can be up to 20 characters. Mailbox names can be up to 64 characters when you’re using Encrypted Password File or Active Directory Integrated authentication. The minimum length for a mailbox name is one character, and it can’t be the same as any other mailbox already created in the domain.

    Note

    With Local Windows Account authentication, the mailbox name must be unique across all domains. For example, if dev.microsoft.com and tech.microsoft.com are configured, you can’t have a mailbox for wrstanek in both domains.

    Tip

    The e-mail address for the mailbox is the mailbox name + @ + the e-mail domain name. For example, if the mailbox name is tomg and the e-mail domain name is adatum.com, the e-mail address for sending messages to this mailbox is tomg@adatum.com.

  4. With Active Directory Integrated or Local Windows Account authentication, you’ll want to create a user account with the mailbox, so Create Associated User For This Mailbox should be selected.

  5. Type and confirm the password for the mailbox. With Active Directory Integrated or Local Windows Account authentication, the password is set for the user account, which means that authentication of the password is against the user account. With Encrypted Password File authentication, the password is set in an encrypted file and the only way to change or reset this password is to use the Winpop utility.

  6. Click OK to create the mailbox. A folder is created in the e-mail domain directory for the mailbox. If you examine the permissions for this directory, you’ll see that they’re the same as those assigned to the mail root itself. Administrators, System, and Network Service are all given full control. Any user account associated with this directory doesn’t need direct access. The POP3 Service itself manages the files in this directory.

Locking and Unlocking Mailboxes

You can temporarily restrict access to a mailbox by locking it. When the mailbox is locked, POP3 clients can’t connect to the mailbox. However, e-mail messages can still be delivered to the mailbox. You can lock and unlock mailboxes as follows:

Resetting or Changing Mailbox Passwords

With Active Directory Integrated or Local Windows Account authentication, user accounts should have been associated with the mailbox. The user account password is the mailbox password, and in this case you can use Active Directory Users And Computers snap-in or the Local Users And Groups node on the Computer Management console, respectively, to manage mailbox passwords.

If you’re using Encrypted Password File authentication, you use the Winpop utility to change the mailbox password. Follow these steps:

  1. Click Start and then select Run. In the Run dialog box, type cmd and then click OK. This starts a command prompt.

  2. Type cd %SystemRoot%\system32\pop3server and then type winpop changepwd mailboxName@domainName newPassword, where mailboxName@domainName specifies the e-mail address for the mailbox and newPassword is the password you want to use.

Deleting Mailboxes

When a mailbox is no longer needed, you can delete it from the POP3 server. Deleting a mailbox permanently removes the mailbox and all the messages it contains.

To delete a mailbox, follow these steps:

  1. In the POP3 Service snap-in, select the domain you want to work with.

  2. Right-click the mailbox you want to remove and then select Delete.

  3. A prompt is displayed asking you to confirm the action. If a user account was associated with the mailbox, you also have the opportunity to delete that account. If desired, select Also Delete The User Account Associated With This Mailbox.

  4. Click Yes.
