Lee - there is one "caveat" to what you have stated... The "question" was what were the security implications of allowing users to use POP3 to access external email servers (not the exchange server and you are correct about POP3 to the exchange server)...
The external email servers should have a different username and password than the internal exchange server to start with - if the external email server supports encrypted (secure POP3) then all the better... personally I would have the external email server forward the email to the user through the exchange server and NOT give them POP-3 access to an outside email server... The reason for this is two-fold: 1. You can setup filters on the firewall and install third-party virus scanners on the exchange server to "trap" malicious attachments on the email and.... 2. Control the use of the email system for business purposes only.... The first one is really the main one!!! Most of the email virus and Trojan attachments getting through to company systems has entered through external POP-3 accounts on internal workstations... Even if you filter at the workstation with virus scanners you may miss some of them (especially the new ones that have not been picked out of the wild and have virus signatures or the workstation is not totally up to date on the signature file). By having the external email routed to the exchange server you can setup third-party filters and virus scanners to "trap" by attachment and content to stop the virus code before it can do damage... Just some thoughts... gm... > -----Original Message----- > From: Burleson, Lee (IA) [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, February 27, 2002 11:18 PM > To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' > Subject: RE: POP3 > > > Take the following into consideration... > > Given: > * POP3 authentication is clear text > * MS Exchange authenticates against NT/2000 user accounts > > Therefore: > * The POP3 username & password are the same credentials used to > access network resources. > * Compromised POP3 credentials will also compromise the entire > domain. > > Conclusion: POP3 is a bad idea, even in a LAN. > > - Lee > > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Saturday, February 23, 2002 4:00 PM > To: [EMAIL PROTECTED] > Subject: POP3 > > > > > My users want me to to give them POP3 access via > the firewall. We have an Exchange Server runnig with > a Checkpoint Firewall. Are there any security issues > that I need to watch out
