I. Overview
As you know, a mail server system consists of three components: the POP3 service, the Simple Mail Transfer Protocol (SMTP) service, and the e-mail client. The POP3 service works together with the SMTP service: POP3 lets users download their mail from the server, while SMTP is used to send messages and to relay them between servers. E-mail clients are the programs used to read, compose, and manage e-mail messages.
The POP3 service component that is new in Windows Server 2003 lets you build a mail server without any third-party software. Installing the POP3 component on a server configures it as a mail server, and an administrator then uses the POP3 service to store and manage the e-mail accounts on that server. The rest of this article covers the configuration and management of such a mail server.
II. Configuring the POP3 mail server
The POP3 service component is not installed by default in Windows Server 2003. Before you can configure the POP3 service you must first add the component; only then can you work with settings such as the authentication method, the mail store location, domains, and mailboxes.
The POP3 service offers three authentication methods for users that connect to the mail server. You must select an authentication method before you create any e-mail domain on the server, and you can change it only while no e-mail domain exists, so choose it carefully up front.
1. Local Windows account authentication
If the mail server is not a member of an Active Directory domain and you want the user accounts to live on the computer where the mail service is installed, use local Windows account authentication. It integrates the mail service with the local computer's Security Accounts Manager (SAM): a user who has an account on the local computer authenticates to the POP3 service with the same user name and password that the local computer itself accepts.
Local Windows account authentication supports multiple domains on one server, but user names must be unique across those domains, because every mailbox maps to the single local SAM. For example, webmaster@ghq.net and webmaster@jscei.com cannot both exist on the same server at the same time.
When you create a mailbox together with a new user account, that account is added to the POP3 Users local group. Members of the POP3 Users group are not allowed to log on locally to the server, even though they have accounts on it. You can tighten this further through the computer's local security policy by restricting the right to log on locally so that only authorized users hold it, which improves the security of the server; a user who cannot log on locally can still use the POP3 service without any restriction.
Local Windows account authentication supports both plaintext and Secure Password Authentication (SPA) for e-mail clients. Plaintext authentication is not recommended, because it transmits the user name and password unencrypted over the network, where anyone on the path can read them. SPA requires the e-mail client to authenticate in a way that does not send the password in the clear, so SPA is the recommended choice instead of plaintext authentication.
2. Active Directory-integrated authentication
If the server on which the POP3 service is installed is a member of an Active Directory domain, or is itself a domain controller, you can use Active Directory-integrated authentication, which integrates the POP3 service into the existing Active Directory domain. When you create a mailbox that corresponds to an existing Active Directory user account, that user sends and receives e-mail with the existing domain user name and password.
Active Directory-integrated authentication supports multiple POP3 domains and allows the same user name in different domains. For example, webmaster@ghq.net and webmaster@jscei.com can both exist on the same server.
When you use Active Directory-integrated authentication with several POP3 e-mail domains, check before you create a mailbox whether a mailbox with the same name already exists in another POP3 e-mail domain, because each mailbox corresponds to exactly one Active Directory user account.
Active Directory-integrated authentication, like local Windows account authentication, supports both plaintext and Secure Password Authentication (SPA) for e-mail clients.
If you upgrade a mail server that is using local Windows account authentication to a domain controller, you must follow these steps in order:
(1) Delete all existing e-mail accounts and domains in the POP3 service.
(2) Promote the server to a domain controller (install Active Directory).
(3) Change the authentication method from local Windows account authentication to Active Directory-integrated authentication.
(4) Recreate the domains and the corresponding mailboxes.
If you do not follow this sequence, the POP3 service may stop working properly. Also note that with Active Directory-integrated authentication you must manage the POP3 service while logged on with an Active Directory domain account, not a local computer account.
With either of the two account-based methods (local Windows account authentication or Active Directory-integrated authentication), you can force every client connection to use SPA. In the POP3 Service console, right-click the computer name, select Properties, and in the computer Properties dialog box select the "Require Secure Password Authentication (SPA) for all client connections" check box. SPA is available only with Active Directory-integrated and local Windows account authentication, not with encrypted password file authentication. Once SPA is required, each user's e-mail client must also be configured to use SPA, or it will be refused. This setting affects only the POP3 service; it does not affect the Simple Mail Transfer Protocol (SMTP) service.
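The following is an added example, not code from the article or from the Windows POP3 service, illustrating the difference between plaintext client authentication and the "Require SPA for all client connections" policy described above. SPA on Windows is NTLM; here the challenge-response leg is modelled with CRAM-MD5 as a generic stand-in, which is an assumption of this example and not how the Windows service works on the wire. The server is a toy POP3 authentication state machine, the mailbox table and the webmaster@ghq.net credential are constructed, and the transcript shows what each side sends so you can see where the password does or does not appear.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential store (assumption for this example). A
# challenge-response scheme needs a password-equivalent secret on the server.
MAILBOXES = {"webmaster@ghq.net": "S3cret!pass"}


class Pop3AuthServer:
    """Toy POP3 authentication state machine: USER/PASS plus AUTH CRAM-MD5."""

    def __init__(self, require_spa: bool):
        self.require_spa = require_spa   # models the console's "Require SPA" check box
        self.user = None
        self.challenge = None
        self.authenticated = False
        self.transcript = [("S", "+OK POP3 server ready")]

    def _reply(self, text: str) -> str:
        self.transcript.append(("S", text))
        return text

    def handle(self, line: str) -> str:
        self.transcript.append(("C", line))
        if self.challenge is not None:       # second leg of AUTH CRAM-MD5
            return self._finish_cram_md5(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            if self.require_spa:             # plaintext login refused when SPA is required
                return self._reply("-ERR Secure Password Authentication required")
            self.user = arg
            return self._reply("+OK send PASS")
        if verb == "PASS":
            if self.require_spa or self.user is None:
                return self._reply("-ERR USER first")
            expected = MAILBOXES.get(self.user, "")
            if expected and hmac.compare_digest(expected.encode(), arg.encode()):
                self.authenticated = True
                return self._reply("+OK mailbox locked and ready")
            return self._reply("-ERR invalid user name or password")
        if verb == "AUTH" and arg.upper() == "CRAM-MD5":
            self.challenge = f"<{secrets.token_hex(8)}@ghq.net>".encode()
            return self._reply("+ " + base64.b64encode(self.challenge).decode())
        return self._reply("-ERR unsupported command")

    def _finish_cram_md5(self, line: str) -> str:
        challenge, self.challenge = self.challenge, None
        try:
            user, digest = base64.b64decode(line).decode().split(" ", 1)
        except ValueError:                   # bad base64, bad UTF-8 or missing space
            return self._reply("-ERR malformed response")
        password = MAILBOXES.get(user)
        if password is not None:
            expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
            if hmac.compare_digest(expected.encode(), digest.encode()):
                self.user, self.authenticated = user, True
                return self._reply("+OK mailbox locked and ready")
        return self._reply("-ERR authentication failed")


def client_plaintext(server: Pop3AuthServer, user: str, password: str) -> str:
    """Client that logs in with USER/PASS: the password crosses the wire verbatim."""
    server.handle(f"USER {user}")
    return server.handle(f"PASS {password}")


def client_cram_md5(server: Pop3AuthServer, user: str, password: str) -> str:
    """Client that answers the server challenge with an HMAC; the password stays local."""
    reply = server.handle("AUTH CRAM-MD5")
    if not reply.startswith("+ "):
        return reply
    challenge = base64.b64decode(reply[2:])
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return server.handle(base64.b64encode(f"{user} {digest}".encode()).decode())


def password_on_wire(server: Pop3AuthServer, password: str) -> bool:
    """True if the password appears verbatim in anything either side sent."""
    return any(password in line for _, line in server.transcript)


if __name__ == "__main__":
    for require_spa in (False, True):
        for name, client in (("plaintext", client_plaintext), ("CRAM-MD5", client_cram_md5)):
            srv = Pop3AuthServer(require_spa)
            client(srv, "webmaster@ghq.net", "S3cret!pass")
            print(f"require_spa={require_spa} {name}: authenticated={srv.authenticated} "
                  f"password_on_wire={password_on_wire(srv, 'S3cret!pass')}")
            for side, line in srv.transcript:
                print("   ", side + ":", line)
```

Two caveats the transcript makes visible. A challenge-response login hides the password from a passive listener but does nothing for the mail itself, which still travels in the clear after "+OK mailbox locked and ready". And requiring SPA is only effective if the server actually refuses USER/PASS, as the require_spa branch does; a server that merely advertises secure authentication while still accepting plaintext gains nothing.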
3. Encrypted password file authentication
Encrypted password file authentication suits large deployments where Active Directory is not yet deployed and you do not want to create a Windows user account on the local computer for every mailbox; it lets you manage a large number of accounts from a single computer without those accounts existing in the SAM.
Encrypted password file authentication creates an encrypted file from the user's password and stores it in the user's mailbox directory on the server. When the user authenticates, the supplied password is transformed in the same way and compared with the stored file; if the two match, the user is authenticated. Because the verifier lives with the mailbox rather than in a shared account database, the same user name can be used in different domains. Note that SPA is not available with this method, so client passwords are sent as plaintext on the connection.
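As an added example that is not part of the article and does not reproduce the Windows POP3 service's own file format or mail-root layout (neither is described on the page), here is the "store a per-mailbox verifier, recompute and compare at login" scheme implemented the way a practitioner should: with a salted, iterated one-way hash (PBKDF2-SHA256) instead of a reversible encryption of the password, a constant-time comparison, and the same amount of work done for an unknown mailbox as for a wrong password. The directory layout <mailroot>/<domain>/<user>, the file name password.verifier, and the sample addresses are assumptions of this example. The demo walks through the page's own point that one user name can exist in two domains.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

ITERATIONS = 100_000
VERIFIER_FILE = "password.verifier"   # assumed file name for this example
_DUMMY_SALT = bytes(16)               # used so unknown users cost the same as wrong passwords


def _mailbox_dir(mailroot: str, address: str) -> str:
    """Assumed layout <mailroot>/<domain>/<user>; reject anything that could escape it."""
    user, sep, domain = address.partition("@")
    if not sep or not user or not domain or any(c in address for c in "/\\") or ".." in address:
        raise ValueError("malformed address")
    return os.path.join(mailroot, domain.lower(), user.lower())


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_mailbox(mailroot: str, address: str, password: str) -> str:
    """Create the mailbox directory and store a one-way verifier, never the password."""
    path = _mailbox_dir(mailroot, address)
    os.makedirs(path, exist_ok=False)
    salt = secrets.token_bytes(16)
    digest = _derive(password, salt, ITERATIONS)
    record = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}\n"
    with open(os.path.join(path, VERIFIER_FILE), "w", encoding="ascii") as f:
        f.write(record)
    return path


def authenticate(mailroot: str, address: str, password: str) -> bool:
    """Recompute the verifier from the supplied password and compare in constant time."""
    try:
        with open(os.path.join(_mailbox_dir(mailroot, address), VERIFIER_FILE),
                  encoding="ascii") as f:
            algo, iters, salt_hex, digest_hex = f.read().strip().split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, stored, iterations = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iters)
    except OSError:
        # Unknown mailbox: still do the hashing work so timing does not reveal valid names.
        _derive(password, _DUMMY_SALT, ITERATIONS)
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), stored)


def demo() -> dict:
    """Constructed walk-through: the same user name in two domains, plus failure cases."""
    with tempfile.TemporaryDirectory() as mailroot:
        create_mailbox(mailroot, "webmaster@ghq.net", "correct horse")
        create_mailbox(mailroot, "webmaster@jscei.com", "battery staple")
        try:
            authenticate(mailroot, "../etc@passwd", "x")
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
        return {
            "ghq_correct": authenticate(mailroot, "webmaster@ghq.net", "correct horse"),
            "ghq_wrong": authenticate(mailroot, "webmaster@ghq.net", "battery staple"),
            "jscei_correct": authenticate(mailroot, "webmaster@jscei.com", "battery staple"),
            "unknown_user": authenticate(mailroot, "nobody@ghq.net", "correct horse"),
            "traversal_rejected": traversal_rejected,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of keeping a one-way verifier rather than an encrypted copy of the password is that a stolen mail root yields only salted hashes that must be cracked one at a time, whereas an encrypted file plus the key the server must hold to decrypt it yields every password at once. The address check in _mailbox_dir matters because the mailbox name is taken from the client and used to build a file-system path.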