SSL will not change the way the auth popup behaves. As to the other security issues, unless you are requiring mutual certificate authentication via SSL, server-cert-only SSL secures your session (i.e. against session hijacking attacks), but does nothing to prevent other types (buffer overflows, etc.) which are not session dependent.
I am guessing that one of the two above is the correct interpretation for your question, but if I am still missing it, let me know.
Ted Nichols
Ipswitch QA
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Matrosity Hosting
Sent: Monday, September 25, 2006 11:19 AM
To: [email protected]
Subject: Re: [IMail Forum] Results after Upgrading to Imail 2006.1
What about using an SSL?
Ted Nichols wrote:
Bruce is correct. Your remotely accessible web sites and/or virtual
directories should never be run with administrator privileges. If the auth
popup is a problem there is only one safe work around. Always login to the
admin from the server itself, and connect to http://localhost/iadmin . What
this does is that it tries to use the credentials of the windows (i.e. the
console session you used to login to windows) user if the IIS user does not
have the necessary permissions. The popup would only happen if both sets
don't have the permissions needed. Remotely, the auth popup is a necessary
evil.
Ted Nichols
Ipswitch QA
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bruce Barnes
Sent: Sunday, September 24, 2006 8:53 AM
To: [email protected]
Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1
For security purposes, the IIS USER should NEVER have administrative privileges.
If you give the IIS user administrative privileges, you open your server up
to being "managed" by every hacker that happens upon your system.
If you are going to run Imail 2006.1, on a DEDICATED BOX, then you can use
IIS for the user.
If you run Imail 2006.1 on a NON-DEDICATED BOX, that is you are also running
web services on the box for web pages, you need to set up a SEPARATE USER
for anonymous Imail use and give that user the necessary privileges for
Imail. If you use the standard IIS user AND have other websites running on
the machine, then you are giving privileges to the other sites that no
standard web access user should have because the IMAIL user has way too many
privileges to be considered secure.
SPECIAL NOTE TO THOSE RUNNING DATABASES FOR WEBSITES OTHER THAN IMAIL: If
you are running BOTH IMAIL and STANDARD WEBSITES with databases, your
databases are wide open to hackers because of the elevated privileges that
IMAIL installs for the IIS user.
If you are running any kind of SECURE DATABASES or SECURE WEBSITES, you are
opening yourself up to even bigger problems.
On a properly secured web server, the STANDARD IIS USER SHOULD NEVER HAVE
ANYTHING MORE THAN ANONYMOUS READ-ONLY ACCESS
Once again, we are still reviewing IMAIL and strongly looking to abandon the
product because of the LACK of SECURITY provided by IIS when IMAIL is
running on a machine that also hosts standard websites.
Bruce Barnes
ChicagoNetTech Inc
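The check behind Bruce's point, as an added example that is not part of the thread and not Ipswitch code: list the anonymous account each IIS web site runs under and flag any that is a member of the local Administrators group. It assumes an IIS 6-era metabase reachable through the IIS ADSI provider (IIS://localhost/W3SVC), a local rather than domain Administrators group, and PowerShell 2.0 or later; the site names and output format are the example's own.

```powershell
# Added example (not part of the thread, not Ipswitch code): audit the anonymous
# account of every IIS web site and flag any that sits in local Administrators.
# Assumptions: IIS 6-era metabase reachable via the IIS ADSI provider
# (IIS://localhost/W3SVC), a local Administrators group, PowerShell 2.0+.

# Names of all members of the local Administrators group, via the WinNT provider.
$adminGroup = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($adminGroup.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})

$w3svc = [ADSI]"IIS://localhost/W3SVC"
$findings = @()
foreach ($site in $w3svc.Children) {
    # Only site nodes carry a Root vdir with AnonymousUserName; skip filters and info nodes.
    if ($site.SchemaClassName -ne "IIsWebServer") { continue }
    $root = [ADSI]"IIS://localhost/W3SVC/$($site.Name)/Root"
    $anon = [string]$root.AnonymousUserName
    # The metabase may store MACHINE\user or DOMAIN\user; compare the bare name.
    $bare = $anon.Split("\")[-1]
    $findings += New-Object PSObject -Property @{
        Site      = [string]$site.ServerComment
        Anonymous = $anon
        IsAdmin   = ($admins -contains $bare)
    }
}

$findings | Format-Table Site, Anonymous, IsAdmin -AutoSize

# Any row with IsAdmin = True is the condition Bruce describes: every anonymous
# request to that site runs with administrative rights on the whole box.
$bad = @($findings | Where-Object { $_.IsAdmin })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} site(s) run anonymous requests as an administrator" -f $bad.Count)
    exit 1
}
```

Run it in an elevated PowerShell on the IMail host. A site flagged True on a box that also hosts ordinary web content is the shared-privilege situation described above; the fix Bruce suggests is a dedicated local account with rights only on the IMail directories, set as that virtual directory's AnonymousUserName (with its AnonymousUserPass) so the other sites keep a read-only anonymous user. On IIS 7 and later the metabase provider is gone and the same audit reads the anonymousAuthentication section through the WebAdministration module instead.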
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ted Nichols
Sent: Friday, September 22, 2006 16:22
To: [email protected]
Subject: RE: [IMail Forum] Results after Upgrading to Imail 2006.1
The authentication popup happens because WMI, which is used to manage
services in the admin, requires administrator privileges to manage services.
If your IIS user does not have the privileges needed, the authentication
popup will happen. I have not seen 0 length mailbox issue before, but will
investigate.
Ted Nichols
Ipswitch QA
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Martin Schaible
Sent: Friday, September 22, 2006 5:13 PM
To: Ipswitch IMail Mailing List
Subject: [IMail Forum] Results after Upgrading to Imail 2006.1
Hi,
Today we moved a customer's site from Imail 8.22 to Imail 2006.1. The upgrade
was quite relaxing.
The customer has a spare server which he now uses for a few domains with
about 60 accounts. I was quite surprised to see a Quad Xeon 2.88 GHz from
Compaq. Honestly, it hurts a bit to see a machine like this for such a
really small Imail site. This server will have a really bored life.
I have two open questions:
#1 I think Imail 2006.1 does not like mailbox files with zero bytes size.
We had tons of messages in the log, complaining that the mailbox couldn't
be opened. After deleting the empty mailboxes, the error disappeared. Is
this a bug after migration?
#2 With this powerful machine, the webmail runs nearly at warp 9.5, but when
accessing the "services", a login window popped up. I had to authenticate
myself with a Windows login. I know that we had the case here and it has to
do with the NTFS security settings. I searched the archives and the KB, but
I couldn't find help. Any idea?