Published: September 17, 2004
This document provides sample procedures for deploying and configuring the E-Mail Services included with the Microsoft Windows Server 2003 operating system. In conjunction with Microsoft Certificate Services, E-Mail Services build a foundation of support for digitally signing and encrypting e-mail traffic within, or external to, an organization.
On This Page
Introduction
Step-by-Step Guides
The Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the configuration of Active Directory®, the installation of a Windows XP Professional workstation, and finally the addition of this workstation to a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not want to follow this common network infrastructure, you will need to make appropriate modifications while using these guides.
The common network infrastructure requires the completion of the following guides.
Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional requirements will be noted in the specific step-by-step guide.
Microsoft Virtual PC
The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational efficiency in software testing and development, legacy application migration, and server consolidation scenarios.
The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment, although most configurations can be applied to a virtual environment without modification.
Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.
Important Notes
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for any organization.
Overview
Increasingly, individuals and organizations are using e-mail as a tool for sending confidential information. Given the sensitive nature of the data, e-mail systems must provide mechanisms to safeguard the data from alteration while providing the confidence that messages are not intercepted and read by anyone other than the intended recipient.
By using digital IDs with Microsoft Outlook or Outlook Express, you can prove your identity in electronic transactions in a way that is similar to showing your driver's license when you cash a check. You can also use a digital ID to encrypt messages, keeping them private. Digital IDs incorporate the Secure/Multipurpose Internet Mail Extensions (S/MIME) specification for secure electronic e-mail.
How Digital IDs Work
A digital ID is composed of a public key, a private key, and a digital signature. When messages are digitally signed, a digital signature and a public key are added to the message. The combination of a digital signature and public key is called a certificate. With Outlook or Outlook Express, a certificate may be specified for use by others attempting to send encrypted messages to you. This certificate can be different from your signing certificate.
E-mail recipients use a digital signature to verify a sender’s identity. E-mail originators use a public key to encrypt e-mail, which only the intended recipient can read with the corresponding private key. To send encrypted messages, the Address Book must contain digital IDs for the recipients. That way, e-mail senders can use the recipient’s public key to encrypt a message. When recipients receive an encrypted message, their private key is used to decrypt the message for reading.
Before sending digitally signed messages, you must obtain a digital ID. If you are sending encrypted messages, your Address Book must contain a digital ID for each recipient.
How To Obtain Digital IDs
Digital IDs are issued by independent certification authorities (CAs) and may be obtained for business or personal use. When applying for a digital ID at a CA's Web site, the applicant’s identity is verified before an ID is issued. There are different classes of digital IDs, each certifying to a different level of trustworthiness. For more information, see the Where to Get Your Digital ID Web site.
How To Verify a Digital Signature
With revocation checking, e-mail recipients can verify the validity of a digitally signed message. When verifying a digital signature’s validity, the Outlook client requests information about the digital ID from the appropriate CA. The CA sends back information on the status of the digital ID, including whether the ID has been revoked. CA’s keep track of certificates that have been revoked due to loss or termination.
Prerequisites
Configuring E-Mail Services
With E-Mail Services, you can install components on your computer to configure it as a mail server. E-Mail Services include the Post Office Protocol 3 (POP3) service and the Simple Mail Transfer Protocol (SMTP) service, which retrieve and transfer e-mail, respectively. To provide e-mail services to users, such as sending and receiving e-mail, administrators can create mailboxes on the server.
POP3
The POP3 service is an e-mail service that retrieves e-mail. Administrators can use the POP3 service to store and manage e-mail accounts on the mail server. When the POP3 service is installed on the mail server, users can connect to the mail server and retrieve e-mail to their local computer using an e-mail client that supports the POP3 protocol (such as Outlook or Outlook Express). The POP3 service is used with the SMTP service, which sends outgoing e-mail.
SMTP
SMTP controls the way e-mail is transported and delivered across an organization or the Internet to a destination server. SMTP receives and sends e-mail between servers. The SMTP service is automatically installed on the computer where the POP3 service is installed to allow users to send outgoing e-mail. When you create a domain using the POP3 service, the domain is also added to the SMTP service to allow mailboxes in that domain to send outgoing e-mail. The SMTP service on the mail server receives incoming mail and transfers the e-mail to the mail store.
Setting up E-Mail Services
To install E-Mail Services
| 1. | Log on to HQ-CON-DC-01 as the Administrator@contoso.com. |
| 2. | Click the Start button, click Control Panel, and then click Add or Remove Programs. |
| 3. | Click Add/Remove Windows Components, select the E-mail Services check box, and then click Next. (Note that you may need to provide your installation CD to continue.) |
| 4. | After the Windows Components Wizard completes, click Finish, and then close the Add or Remove Programs screen. |
To configure E-Mail Services
| 1. | Click the Start button, point to All Programs, point to Administrative Tools, and then click POP3 Service. |
| 2. | In the left tree under POP3 Service, click HQ-CON-DC-01. |
| 3. | Click the New Domain link, type contoso.com for the Domain Name, and then click OK. |
| 4. | In the right pane, double-click contoso.com. The tree in the left pane will expand under HQ-CON-DC-01 showing the contoso.com domain. Click the Add Mailbox link. |
| 5. | On the Add Mailbox screen, type mike for the Mailbox Name, clear the Create associated user for this mailbox check box, click OK, and then click OK again once the POP3 Service confirmation screen displays. |
| 6. | Click the Add Mailbox link again and repeat step 5 to create a mailbox for the Administrator. Note: Since Active Directory accounts were established prior to the installation of E-Mail Services, the manual configuration of mailboxes is required. The POP3 service configuration will update the Active Directory user information with an associated e-mail address provided the logon and mailbox names are identical. The POP3 service does provide for the automatic creation of a user account when defining a new mailbox. |
| 7. | Minimize the POP3 Service MMC. |
To test basic e-mail functionality
| 1. | Click the Start button, point to All Programs, and then click Outlook Express. |
| 2. | On the Internet Connection Wizard screen, type Contoso Administrator for Display name, and then click Next. |
| 3. | Type administrator@contoso.com for E-mail address, and then click Next. |
| 4. | For both the Incoming mail and Outgoing mail server, type HQ-CON-DC-01, and then click Next. |
| 5. | On the Internet Mail Logon screen, change the logon name to administrator@contoso.com, provide the password for the Administrator account, and then click Next. |
| 6. | Click Finish. |
| 7. | Click the Send/Receive button to ensure successful interaction with the e-mail server. |
| 8. | Click Create Mail, address the mail to mike@contoso.com, type Test Mail for the Subject, and then click Send. |
| 9. | Maximize the POP3 Service MMC. |
| 10. | In the right-side results pane, under the HQ-CON-DC-01 tree, verify that the Mailbox for mike has one message, and then close the POP3 Service MMC. |
Getting Digital IDs
Many organizations install their own CAs and issue certificates to internal devices, services, and employees to create a more secure computing environment. Large organizations may have multiple CAs set up in a hierarchy that leads to a trusted root CA. Thus, employees of an organization may have a multitude of certificates in their certificate store that have been issued by a variety of internal CAs, all sharing a trust connection via the certification path to the root CA.
In the sections that follow, e-mail signing certificates are issued to domain members from the Contoso CA which, in the examples provided, does not have a trust connection to a commercial root CA. In other words, within the Contoso environment, secure e-mail will be based on certificates issued by the Contoso CA and will be verifiable if used within the Contoso network. However, any secure e-mail sent outside of the Contoso organization will not be verifiable until a trust is established from the Contoso CA to a commercial root CA.
You may purchase a certificate from a commercial CA, such as Verisign, for individual or organizational use. Once you have purchased a certificate and you use it to digitally sign an e-mail message, any message recipient can verify that a message has not been altered during transit and that the message came from you—assuming, of course, that the message recipient trusts the CA that issued your certificate.
Note: Personal certificates procured from a commercial root CA may be used in the following sections as an alternative to certificates issued by the Contoso CA to extend this example beyond the Contoso namespace.
Obtaining a Digital ID from the Contoso CA
Certificate requests must be made by the user, computer, or service that has access to the private key associated with the public key that will be part of the certificate. There are two primary ways to explicitly request certificates in a Windows Server 2003 operating system.
| • | Request certificates using the Certificate Request Wizard When you request certificates from a Windows Server 2003 enterprise CA, you can use the Certificate Request Wizard located in the Certificates snap-in. |
| • | Request certificates using the Windows Server 2003 Certificate Services Web pages Each CA that is installed on a computer running Windows Server 2003 has Web pages that users can access to submit basic and advanced certificate requests. By default, these pages are located at http://servername/certsrv, where servername is the name of the computer running Windows Server 2003. To request a certificate using the Certificate Request Wizard |
| 1. | On HQ-CON-DC-01, click the Start button, click Run, type certmgr.msc, and then click OK. |
| 2. | Under Certificates – Current User, click the plus sign (+) next to Personal to expand the folder. |
| 3. | Right-click Certificates, point to All Tasks, and then click Request New Certificate. On the Certificate Request Wizard welcome screen, click Next. |
| 4. | Click User under Certificate types, and then click Next. |
| 5. | Type Digital ID for the Friendly name, and then click Next. |
| 6. | Verify that the settings for the certificate request are the same as shown in Figure 1, and then click Finish.  Figure 1. A Certificate Request |
| 7. | Click OK to confirm the successful certificate request. |
| 8. | Close the Certificate Manager MMC. |
Configuring Certificate Services for Autoenrollment
Autoenrollment is a useful feature of certification services in Windows XP and Windows Server 2003, Standard Edition. Autoenrollment allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject.
To configure certificate auto-enrollment
| 1. | Click the Start button, point to All Programs, point to Administrative Tools, and then click Group Policy Management. |
| 2. | Click the plus sign (+) next to Forest:contoso.com, click the plus sign (+) next to Domains, right-click the Domain Password Policy under the contoso tree, and then click Rename. Note: Verify that you are working under the contoso.com root domain. |
| 3. | Change the Domain Password Policy to Domain Password and Certificate Policy, and then press Enter. |
| 4. | Right-click Domain Password and Certificate Policy, and then click Edit. |
| 5. | Under Computer Configuration, expand the Windows Settings tree, expand the Security Settings tree, and then click Public Key Policies. |
| 6. | In the right-side results pane, double-click Autoenrollment Settings. |
| 7. | Under Enroll certificates automatically, select both check boxes as shown in Figure 2, and then click OK.  Figure 2. Certificate Autoenrollment |
| 8. | Repeat steps 5 through 7 to configure certificate autoenrollment for the User Configuration section of the Domain Password and Certificate Policy. |
| 9. | Close the Group Policy Object Editor, and then close the Group Policy Management window. |
| 10. | Click the Start button, click Run, type certsrv.msc, and then click OK. |
| 11. | Under the Certification Authority tree, click the plus sign (+) next to ContosoCA, right-click Certificate Templates, and then click Manage. |
| 12. | Right-click the User template, and then click Duplicate Template. |
| 13. | For Template display name, type Autoenrolled User, and then click the Security tab. |
| 14. | Under Group or user names, click to highlight Domain Users. |
| 15. | Under Permissions for Domain Users, select the check box for Allow next to Autoenroll as shown in Figure 3, and then click OK.  Figure 3. Certificate Template Security. |
| 16. | Close the Certificate Template Manager, right-click Certificate Templates, point to New, and then click Certificate Template to Issue. |
| 17. | Double-click Autoenrolled User, and then click to highlight Issued Certificates. In the next section, autoenrolled certificates will be verified. |
To obtain an autoenrolled certificate
| 1. | Log on to HQ-CON-WRK-01 as mike@contoso.com. Note: Mike will receive an autoenrolled user certificate in approximately 90 seconds. This can be verified on the Issued Certificates screen in the Certificate Manager console on HQ-CON-DC-01. If Mike does not receive an autoenrolled certificate within a few minutes, you can run gpupdate /force from the command prompt to accelerate a Group Policy refresh. |
Digitally Signing and Encrypting E-Mail
To configure Outlook Express on HQ-CON-WRK-01
| 1. | On HQ-CON-WRK-01, click the Start button, point to All Programs, and then click Outlook Express. |
| 2. | On the Internet Connection Wizard screen, type Mike for Display name, and then click Next. |
| 3. | Type mike@contoso.com for E-mail address, and then click Next. |
| 4. | For both the Incoming mail and Outgoing mail server, type HQ-CON-DC-01, and then click Next. |
| 5. | On the Internet Mail Logon screen, change the logon name to mike@contoso.com, provide the password for Mike, and then click Next. |
| 6. | Click Finish. |
| 7. | Click the Send/Receive button to ensure successful interaction with the e-mail server, and then click the Inbox. There should be an e-mail from the Contoso Administrator. |
To configure Outlook Express for Digital IDs
| 1. | On HQ-CON-WRK-01 within Outlook Express, click Tools, and then click Options. |
| 2. | Click the Security tab, and then click the Advanced tab. |
| 3. | At the bottom of the Advanced Security Settings screen, under Revocation Checking, select Only when online for Check for revoked Digital IDs as shown in Figure 4.  Figure 4. Outlook Express Advanced Security Settings |
| 4. | Click OK twice. |
Sending Digitally Signed E-Mail
Digitally signed e-mail allows an e-mail recipient to verify your identity. Encrypting an e-mail message prevents other people from reading it when it is in transit.
To send a Digitally Signed e-mail
| 1. | Click Create Mail. |
| 2. | In the To: address line, type administrator@contoso.com, and then type Test Signed Email for the Subject. |
| 3. | Click the Tools menu, click Digitally Sign, and then click Send. |
Reading and Verifying Digitally Signed E-Mail
You can read digitally signed or encrypted messages like any other message. Outlook and Outlook Express display a Help screen the first time you open or preview a digitally signed message or an encrypted message.
If you receive a secure message that has a problem (for example, the message was tampered with or the digital ID of the sender has expired), you will see a security warning that details the problem before you are allowed to view the contents of the message. Based on the information in the warning, you can decide whether to view the message.
After you send a digitally signed message to a contact, you can read an encrypted message from that person the same way you read a regular message.
To read and verify a Digitally Signed e-mail
| 1. | Switch to HQ-CON-DC-01, access Outlook Express, and then click the Send/Receive button. |
| 2. | Double-click the Test Signed Email from Mike. |
| 3. | In the upper-right corner of the e-mail, click the Red Certificate icon. Verify that the contents have not been altered and that the signature is trusted as shown in Figure 5, and then click OK. At the bottom of the open e-mail message from Mike, click Continue, and then close the e-mail message from Mike.  Figure 5. Verifying a Digital ID Note: Revocation checking is not enforced for the Administrator’s Digital ID security settings. |
| 4. | Click Tools, and then click Options. |
| 5. | Click the Security tab, and then click the Advanced tab. |
| 6. | At the bottom of the Advanced Security Settings screen, under Revocation Checking, select Only when online for Check for revoked Digital IDs as shown in Figure 4. |
| 7. | Click OK twice. |
To send a Digitally Signed and encrypted e-mail
| 1. | On HQ-CON-DC-01, right-click the e-mail message from Mike, and then click Reply to Sender. |
| 2. | Click the Tools menu, and then click Encrypt. |
| 3. | Click Send. |
| 4. | Switch to HQ-CON-WRK-01, open the e-mail reply from the Contoso Administrator, and confirm the e-mail properties. They should be similar to those shown in Figure 6.  Figure 6. Verifying a Digitally Signed and Encrypted E-Mail |
Additional Resources
For more information, see the following resources.
Important
Note
Comments
Thank you - Great
Thank you - Donald
Thanks.. ^^;
Thx
I'll give this a try.
Ad Weterings - The Netherlands
http://microsoftwatcher.spaces.live.com/
Thanks
.NET Framework Version
Awesome effort here, by the way.
Disk Setup
Could not install SP2
I am running on Vista, but VPC 2007 is supposed to support it.
Any ideas?
Domain Controller needed?
Does the windows server need to be a domain controller? Are all local accounts ok.
thanks for posting this!
-gezelle
RE:.NET Framework 2.0, it wasn't listed among the possibilities
download it from msft
Doain ontroller
\anders
Which version of VPC?
How big should my virtual disk be when making this VPC image?
Answers to .NET Framework. VPC Version, W2K3 Version
Download .NET Framework 2.0 from http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5&DisplayLang=en
I have used both. Been using VPC 2007 with WSS 3/MOSS 2007 images for the last 10 months.
W2K3. Minimum on a VPC is Standard. In production you could use Web Edition in the WFE.
Dave B
How big a VPC drive.
I have found a 25 gig split in two 15 and 10. I keep VHD's dynamic.
With 15 gig you have enough room for all of the updates. You can install MOSS on Drive D which is a best practice in production.
If you get the size wrong on the second partition you can use VhdResizerto resize. Cann't resize the boot partition. Oh yes VhdResizer is freeware. ANDit works.
Dave