RE: [IMail Forum] Results after Upgrading to Imail 2006.1

[Ted Nichols]

SSL will not change the way the auth popup behaves. As to the other security issues, unless you are requiring mutual certificate authentication via SSL, server cert only SSL secures your session (i.e. session hijacking attacks), but does nothing to prevent other types (buffer overflows, etc.) which are not session dependant. I am guessing that one of the two above is the correct interpretation for your question, but if I am still missing it, let me know.   Ted Nichols Ipswitch QA   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matrosity Hosting Sent: Monday, September 25, 2006 11:19 AM To: Imail_Forum@list.ipswitch.com Subject: Re: [IMail Forum] Results after Upgrading to Imail 2006.1   What about using an SSL? Ted Nichols wrote: Bruce is correct. Your remotely accessible web sites and/or virtual directories should never be run with administrator privileges. If the auth popup is a problem there is only one safe work around. Always login to the admin from the server itself, and connect to http://localhost/iadmin . What this does is that it tries to use the credentials of the windows (i.e. the console session you used to login to windows) user if the IIS user does not have the necessary permissions. The popup would only happen if both sets don't have the permissions needed. Remotely, the auth popup is a necessary evil.   Ted Nichols Ipswitch QA   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Barnes Sent: Sunday, September 24, 2006 8:53 AM To: Imail_Forum@list.ipswitch.com Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1   For security purposes, the ISS USER should NEVER have administrative privileges   If you give the ISS user administrative privileges, you open your server up to being "managed" by every hacker that happens upon your system.   If you are going to run Imail 2006.1, on a DEDICATED BOX, then you can use IIS for the user.   If you run Imail 2006.1 on a NON-DEDICATED BOX, that is you are also running web services on the box for web pages, you need to set up a SEPARATE USER for anonymous Imail use and give that user the necessary privileges for Imail.  If you use the standard IIS user AND have other websites running on the machine, then you are giving privileges to the other sites that no standard web access user should have because the IMAIL user has way too many privileges to be considered secure.   SPECIAL NOTE TO THOSE RUNNING DATABASES FOR WEBSITES OTHER THAN IMAIL: If you are running BOTH IMAIL and STANDARD WEBSITES with databases, your databases are wide open to hackers because of the elevated privileges that IMAIL installs for the IIS user.   If you are running any kind of SECURE DATABASES or SECURE WEBSITES, you are opening yourself up to even bigger problems.   On a properly secured web server, the STANDARD IIS USER SHOULD NEVER HAVE ANYTHING MORE THAN ANONYMOUS READ-ONLY ACCESS   Once again, we are still reviewing IMAIL and strongly looking to abandon the product because of the LACK of SECURITY provided by ISS when IMAIL is running on a machine that also hosts standard websites.   Bruce Barnes ChicagoNetTech Inc   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ted Nichols Sent: Friday, September 22, 2006 16:22 To: Imail_Forum@list.ipswitch.com Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1   The authentication popup happens because WMI, which is used to manage services in the admin, requires administrator privileges to manage services. If your IIS user does not have the privileges needed, the authentication popup will happen. I have not seen 0 length mailbox issue before, but will investigate.   Ted Nichols Ipswitch QA   -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin Schaible Sent: Friday, September 22, 2006 5:13 PM To: Ipswitch IMail Mailing List Subject: [IMail Forum] Results after Upgrading to Imail 2006.1   Hi,   Today we moved a customers site from Imail 8.22 to Imail 2006.1. The Upgrade was quite relaxing.   The customer has as spare server which he now uses for a few domains with about 60 Accounts. I was quite surprised to see a Quad Xeon 2.88 GHz from Compaq. Honestly, it hurts a bit to see a machine like this for a such really small Imail site. This server will have a really bored life.   I have two open questions:   #1 I think, Imail 2006.1 does not like mailbox files with zero bytes size. We had tons of messages in the log, complaining that the mail box couldn't be opened. After deleting the empty mail boxes, the error disappeared. Is this a bug after migration?   #2 Which this power machine, the webmail runs nearly with warp 9.5, but accessing the "services", a login window popped up. I had to authentificate myself with a windows login. I know, that we had the case here and it has do to with the NTFS security settings. I searched the archives and the KB, but i couldn't find help. Any idea?