A built-in mail server alternative
The new Windows Server 2003 POP3 service, in conjunction with the SMTP service, lets you use email clients such as Microsoft Outlook and QUALCOMM's Eudora to send and receive email through a Windows server without using Microsoft Exchange Server or a third-party server product. This is good news if you need a basic email solution for your network but don't require all the extra functionality that full-fledged mail-server products provide. Read on to learn the basics of installing, configuring, and administering the Windows 2003 POP3 and SMTP services.
Planning and Installation
You can install the POP3 and SMTP services on a Windows 2003 standalone server, a domain controller (DC), or a member server in an Active Directory (AD) environment. To install the services, run the Configure Your Server Wizard and select Mail server (POP3, SMTP), as Figure 1 shows. (You can use the Control Panel Add/Remove Programs applet to add the POP3 service manually, but this article assumes that you'll use the wizard to configure the mail server. Be aware in advance that to remove the mail server role, you can use the Manage Server Wizard—which will remove the POP3 and SMTP services as well as any mail domains and mailboxes you created using the POP3 service—or you can use the Add/Remove Programs applet to remove the POP3 and SMTP services without removing the mailboxes and mail domains.) The wizard leads you through the steps to install the POP3 and SMTP services and to configure several server options. If you've installed Windows 2003's Remote Administration (HTML) tool—aka Web Interface for Remote Administration—on the mail server, installing the POP3 service also installs the HTML plugin for mail server management.
The wizard instructs you to enter the name of the mail domain that the POP3 service will host. You should enter the Fully Qualified Domain Name (FQDN) of the mail domain. For example, if the POP3 service will host mail accounts for the certtutor.net domain, enter the FQDN for certtutor.net in the Domain Name box. For mail to route successfully from the Internet to this new domain, you must update the DNS MX record for certtutor.net to point to the IP address of your Windows 2003 system.
The wizard also requires you to choose the authentication method that the POP3 service will use to authenticate mail users. Depending on the type of Windows 2003 server on which you install the mail services, you can choose one of three authentication methods: Local Windows Accounts on the mail server (on a standalone server or an AD member server), an Encrypted Password File (on a standalone server, a DC, or an AD member server), or AD (on a DC or an AD member server). Be aware that when you use the wizard to install the mail services, you can't alter your chosen authentication method later without deleting all mail domains—and in turn, all mailboxes—on the server.
Configuring the POP3 Service
To configure the POP3 service, install the Microsoft Management Console (MMC) POP3 Service snap-in, which Figure 2 shows. The snap-in displays the mail-server name, mail domain name, authentication method, number of mailboxes, and amount of disk space used. This information provides a good summary of the state of each mail domain.
You can use the Server Properties option (in the snap-in's right pane) to view or change the server port, the logging level, and the root mail directory in which mail is stored. By default, POP3 clients use port 110. If you want to change this setting, first ensure that the applications you deploy can accept a nonstandard port. The logging level ranges from None, which produces no log, to Maximum, which logs all critical, warning, and informational events to the mail server's Application log. And if you plan to host many mailboxes, consider creating a separate partition and redirecting the root mail directory to that partition. This step simplifies the backup process and prevents the OS partition from filling up if the mailboxes grow beyond a manageable size (see the sidebar "Configuring Quotas" for methods for controlling mailbox size). If no mail domains are present (e.g., if you used the Add/Remove Programs applet to add the POP3 service and haven't yet created a mail domain), you can also use the Server Properties option to configure an authentication method. If mail domains already exist on the server, however, you can't change this setting.
By default, the POP3 service sends authentication information in plaintext. In the case of AD authentication, plaintext authentication credentials that pass across the network are vulnerable to interception, which could give third parties access to a user's Windows 2003 domain account. If you choose the Encrypted Password File authentication method, you can use only plaintext authentication. If, however, you choose the Local Windows Accounts or AD authentication method, you can configure the POP3 service to enforce Secure Password Authentication. SPA requires that the username and password be sent through a secure method that you can configure for both Local Windows Accounts and AD authentication. (If you want to use SPA, you must also configure your mail clients to support it.)
To use the snap-in to add a new mail domain, you can either click the New Domain option in the snap-in's right pane or right-click the mail server object in the left pane and select Properties, New, Domain. (Allocated hard disk space is the only factor that limits the number of domains that you can add to the mail server.) You must configure all the relevant DNS MX records to point to the correct IP address for the new domain. For each new mail domain, the system creates a subdirectory (with the same name as the new domain) in the root mailbox directory.
To remove a domain, highlight the domain object and click the Delete shortcut (or right-click the object and select Delete from the context menu). Be aware that when you remove a domain, you remove all the mailboxes that the domain hosts. If you delete a domain that uses Encrypted Password File authentication, the names of all hosted mail accounts in that domain will be lost. If the domain uses the Local Windows Accounts or AD authentication method, the accounts will remain on the server or in AD. If you want to move a domain, you must stop the POP3 service, copy the domain to the new root mail location, then update the root mail location in the Server Properties dialog box. Note that all mail domains must reside in the same location—you can't store them on different partitions.
To add a mailbox, select the correct domain, click New Mailbox (or right-click the domain and select Properties, New, Mailbox) to display the Add Mailbox dialog box, which Figure 3 shows. If you use the Local Windows Accounts or AD authentication method and want to create an associated user account to accompany the mailbox, select the Create associated user for this mailbox check box. If the user for whom you're creating a mailbox already has a local or AD account, clear the check box. In the latter case, the user account name and mailbox name must be the same.
Be aware that mailboxes are subdirectories of the hosting mail domain directory. For example, if you create a mailbox called Rooslan in the certtutor.net mail domain, that mailbox's messages reside in the \%mailroot%\certutor.net \p3_rooslan.mbx directory. Therefore, the POP3 service doesn't handle the use of one mail prefix across multiple domains as well as other mail services (e.g., Exchange). If you need to use one mail prefix for multiple domains, consider a solution other than the Windows 2003 POP3 service.
Configuring the SMTP Service
The POP3 service lets clients receive mail. The partner to this service is the SMTP service, which lets users send mail. The SMTP service, unlike the POP3 Service, isn't new to Windows 2003 and has accompanied earlier versions of Microsoft IIS. You can use the MMC IIS snap-in to access the SMTP service.
Each time you use the POP3 Service snap-in to create a mail domain, you also create an associated SMTP domain. The properties of the SMTP service are central, and you must configure them by editing the properties of the SMTP virtual server, as Figure 4 shows. Administrators need to ensure that the SMTP service isn't configured as an open relay, which spammers can exploit.
You can configure the SMTP service to accept communication only from a specific set of IP addresses or domain names. You can also configure the service to limit the number of messages per session and the number of recipients per session to discourage spammers, who prefer to send thousands of messages, from using your server. Also consider configuring the SMTP service to deny mail relay and to require authentication from clients who attempt to send email. Be sure to test whether a server passes a relay check before exposing it to the Internet. In line with the Microsoft Trustworthy Computing initiative, administrators typically configure the Windows 2003 SMTP service to be secure and to prevent an open relay.
Using the Remote Administration Tool
If you've installed the Web Interface for Remote Administration, you can use a standards-compliant Web browser to access the functions of the POP3 Service snap-in. Some of the HTML remote administration tools require Microsoft Internet Explorer (IE) running on a Windows platform because they use a special ActiveX plugin, but you can run the POP3 server section of the tools from Netscape Navigator or Mozilla.org's Mozilla on various platforms.
The URL for the remote administration tools is https://servername:8098. You can use the Web interface to configure the Mail Server Port, Logging Level, Root Mail Directory, and Authentication Method server properties. As with MMC, you can alter the authentication method only if no domains are present on the server.
On the Domains and Mailboxes tab, which Figure 5 shows, you can add, delete, lock, and unlock mail domains. On this tab, you can view the properties of individual mailboxes. The display includes the size of a user's mailbox, the number of messages stored, and whether the mailbox has been locked. You can also add new mailboxes, delete old ones, and lock or unlock current mailboxes.
The HTML remote administration tools provide a close mirror of MMC functionality. The only drawback is that if errors do appear when completing tasks, they're more difficult to diagnose because the messages are less verbose than the messages the MMC alternative presents.
Using the Command Line
The Winpop command-line tool (winpop.exe) lets you administer the POP3 service from the command line. This option lets you script many common tasks. Using a batch file to add 100 users is far less cumbersome than using the POP3 Service snap-in to accomplish the same task. In fact, with the appropriate switches, you can use winpop.exe to do almost everything I discuss in this article. For example,
- The Winpop List domainname command lists all the mailboxes within a mail domain on a server. Using the Winpop List command without specifying a domain lists all the currently configured mail domains on the server.
- The Winpop Add domainname and Winpop Del domainname commands add or delete mail domains from a particular mail server, respectively. Be careful when using the Winpop Del command because it removes all the mailboxes and mail within the specified domain without issuing a warning.
- The Winpop Add user@domainname and Winpop Del user@domainname commands add a user's mailbox to or delete a user's mailbox from a particular domain, respectively. Be careful; this switch doesn't seek your approval before carrying out its task.
- The Winpop Lock domainname and Winpop Lock user@ domainname commands stop all users in a domain or a particular user in the specified domain from retrieving mail. You can use the Winpop Unlock domainname and Winpop Unlock user@domainname commands to unlock restricted mailboxes. No mailboxes are lost by using this command, and locked mailboxes can still receive incoming traffic. Locking domains is useful for backing up and restoring mail, but you might prefer to stop the POP3 service during a scheduled backup. To do so, you can use the Net Stop command
Net Stop Microsoft POP3 Service
To restart the service, use the Net Start command
Net Start Microsoft POP3 Service
- The Winpop Stat domainname command lists all user mailboxes within a domain, the number of messages stored, and the amount of disk space used. You can use this command within a script that appends the output to a text file so that you can track mailbox use over time.
- The Winpop Migratetoad user@domainname command takes a username and password combination from the encrypted password file and transfers it to the AD database. This action doesn't migrate the domain authentication model, and you can migrate only unique usernames to AD. For example, if you migrate firstname.lastname@example.org and later attempted to migrate email@example.com, the second account won't migrate because the Oksana account name is already taken.
Minimal but Worthy
The POP3 service provides minimal mail functionality. But for administrators who want to set up several mailboxes that simply let users send and receive email, this addition to the server product has been a long time coming. Administrators who desire more advanced options will need to look beyond this service to Exchange or a third-party mail-server solution.