Tom Decaluwé -> PoP3 security (18.Sep.2003 10:55:00 AM)
Hi, I have a question on security regarding Active Directory / Exchange and POP3.
Situation is simple, I have a Win2k domain with an Exchange2k. At the office we use MAPI or whatever the standard Outlook <=> Exchange protocol is called. This securely authenticates my users to the Exchange system if I'm not mistaken.
Now from their homes I set up the system so they can use POP3 to the server, as most of them are using Outlook Express or other simple mail clients on a mix of Win/Mac/Linux clients. I made mini manuals so they know how to apply leave messages on server so no big issue there. All is fine with this system except that I'm having security thoughts.
When using POP3 they are actually authenticating using their AD username and password, which is sent in clear text and thus can easily be sniffed.
What are your thoughts about this? One password for office and home is nice but then again I don't like the idea of sending my domain passwords over the internet. Especially now that we are thinking of publishing a Terminal Server on the web. Sniffing out a POP3 would give anyone access to our TS server.
Question is:
1) Can you split the passwords on Exchange => so for internal use they have their domain passwords,... but give POP a different password, or is the AD password always also going to be the POP3 password?
2) What would you propose to do towards this issue? Stop using POP3 and switch to OWA over SSL? Or should I stop POP3 and move to IMAP/MAPI for secure login?
Sorry for the long post but I was wondering what you experts think about this issue?
Kind regards,
Tom