No password query when using Pegasus Mail in network/local mode together with Mercury
Last post 05-21-2008, 13:53 by Greenman. 26 replies.

05-19-2008, 9:58
Joerg
Joined on 03-25-2008
Germany
Points 720
No password query when using Pegasus Mail in network/local mode together with Mercury
Hello Community,

We are using Pegasus 4.41 in connection with Mercury 4.52. Pegasus is working in Network and Local Mode, that means different users can use Pegasus at different computers and the file "pmgate.sys" shows Pegasus the local mail directories of Mercury at the server. Because different users have their mail account at the server engine we would like to protect the single mail accounts by using passwords. Therefore we have set the PW at Mercury in the area "Manage Local Users" -> "Mail Passwords". These passwords are being requested when accessing via IMAP from remote. But when accessing via a local Pegasus installation from different computers at our office, everybody can access the mail account of each other without a PW request. He only needs to know the user name. How can we solve this problem?

regards from Germany
Joerg

05-19-2008, 14:13

05-19-2008, 14:38
Joerg
Joined on 03-25-2008
Germany
Points 720
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Good Afternoon to Paris, Phil,

Thanks for your reply. I have already tested the solution with the NTFS rights yesterday. Firstly it is not very convenient, because I have to set the NTFS rights for so many different users and user groups. And finally it doesn't work properly. If I deny the access of a user to the NTFS directory of another user (that means any user has read/write permissions only in his own mail folder), he is also no longer able to send local emails (from one local user to another local user within the office) by typing only the user name into the email address field. In such a case an error message appears that he has not enough rights. It seems whilst using only the local user name as an address, Pegasus tries to write the email directly into the recipient's NTFS folder, isn't it?

regards
Joerg

05-19-2008, 16:43
Thomas R. Stephenson
Joined on 03-23-2007
San Jose, CA
Points 32,550
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
> Hello Community,
>
> We are using Pegasus 4.41 in connection with Mercury 4.52. Pegasus is
> working in Network and Local Mode, that means different Users can use
> Pegasus at different computers and the file "pmgate.sys" shows Pegasus
> the local mail directories of Mercury at the server. Because different
> users have their mail account at the server engine we would like to
> protect the single mail accounts by using passwords. Therefore we have
> set the PW at Mercury in the area "Manage Local Users" -> "Mail
> Passwords". These passwords are being requested when accessing via IMAP
> from remote. But when accessing via a local Pegasus Installation from
> different computers at our office, everybody can access to the mail
> account of each other without PW request. He only need to know the user
> name. How can we solve this problem?

There is no way to use passwords in Pegasus Mail unless running Novell. This is not possible until the actual mail files and folders are encrypted, and I do not know when this will happen. The files currently are simply ASCII files and can be read with a word processor. A password for Pegasus Mail would be worse than useless; it would provide an indication of security without providing any protection at all. If you are using a server for the users' mail directories then you can do the following:

1. Turn off all local delivery and force all mail through Mercury/32. You run pconfig.exe from the program directory and edit the "Mercury" User Defined Gateway.
2. Set a local environment variable PMUSER=<Pegasus Mail user name>. Personally I use PMUSER=%USERNAME% so the Pegasus Mail and Windows username are the same.
3. Set the rights to each user's mail directory so that the other users have no rights to the other users' mail directories. The users (and the Mercury/32 user) must have all rights and the other users should have no rights to any user's mail directory.

Now when the users run WinPMail they will not be queried for a user name but WinPMail will automatically open as the user specified in the PMUSER variable. This may be a pain to set up but it does provide the security required; a password would provide no security at all.

> regards from Germany
>
> Joerg

Thomas R. Stephenson San Jose, California Member of Pegasus Mail Support Team

05-19-2008, 17:12
Greenman
Joined on 07-19-2007
UK
Points 3,550
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Joerg:
Good Afternoon to Paris, Phil,
Thanks for your reply. I have already tested the solution with the NTFS rights yesterday. Firstly it is not very convenient, because I have to set the NTFS rights for so many different users and user groups. And finally it doesn't work properly. If I deny the access of a user to the NTFS directory of another user (that means any user has read/write permissions only in his own mail folder), he is also no longer able to send local emails (from one local user to another local user within the office) by typing only the user name into the email address field. In such a case an error message appears that he has not enough rights. It seems whilst using only the local user name as an address, Pegasus tries to write the email directly into the recipient's NTFS folder, isn't it?
regards
Joerg
You don't need to do this. Add the Administrator account, the Everyone account and the account of the person whose mail is in that folder to the permissions list. Give the Administrator account and the owner's account Full Control. Set the Everyone account permissions to Write and nothing else. Once you have done this, click the Advanced button and reset all permissions. Repeat for each user's folder.
If anyone who does not have permission to read the mail (in the example above, does not have 'Full Control') tries to access someone else's account, Pegasus Mail will not start.

05-19-2008, 17:14
Phil
Joined on 03-25-2007
Paris (France)
Points 750
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Joerg:
Good Afternoon to Paris, Phil,
Thanks for your reply. I have already tested the solution with the NTFS rights yesterday. Firstly it is not very convenient, because I have to set the NTFS rights for so many different users and user groups. And finally it doesn't work properly. If I deny the access of a user to the NTFS directory of another user (that means any user has read/write permissions only in his own mail folder), he is also no longer able to send local emails (from one local user to another local user within the office) by typing only the user name into the email address field. In such a case an error message appears that he has not enough rights. It seems whilst using only the local user name as an address, Pegasus tries to write the email directly into the recipient's NTFS folder, isn't it?
regards
Joerg

Good afternoon to Germany, Joerg,

I don't know how many users you have on your server but if they are too numerous you can script the NTFS rights (that's what I do here). In addition: if a user has the right "modify" on another user's mailbox directory he can change his/her pop3/imap password, delete his/her pmail.ini file, read his/her emails: he can do everything.

Regards
Philippe Chartier French translation team leader

05-19-2008, 17:46
Joerg
Joined on 03-25-2008
Germany
Points 720
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Dear Thomas,

Unfortunately your proposal is not the final solution which we prefer. Many of our users should have the opportunity to get access to the mail folder of other users, e.g. when they are on vacation, on a business trip or sick. Normally every user starts his Pegasus Mail by using a program link on the desktop. Therein Pmail will be started with the option "-i <username>". In that way every user starts his own mail account only. And by the way - most of them do not know where to find this option or what it means ;-). So they are unable to change a user. But of course this is not very secure. If an insider (e.g. a secretary who should check the account of the boss on his behalf) would like to check another account, he doesn't start Pmail by his program link on the desktop but with the ordinary start link from the Windows Program Folder. Then Pmail requests a User Name - and you are able to check another account. In general this is a very simple and sufficient solution for us (everybody trusts each other).

But we have also some users (or user groups in an Active Directory environment) which should be prevented from getting access to other accounts (apprentices, trainees, ...). You wrote we should set the right permissions or withdraw the write/read permissions respectively from the corresponding mail folder. Only the Pmail User and the Mercury User at the server should get access to a mail folder. - That is what we have carried out. Only the corresponding user (or user group) as well as the System Account (the system account starts Mercury as a service on start-up of the server) had access to a user mail folder. And this runs in general. But in case anybody would like to send local emails to another user where the email folder of the recipient granted no access, an error message occurs. So it seems an email folder needs more permissions than read/write rights for the own user and the Mercury User.

regards
Joerg

05-19-2008, 17:49
Joerg
Joined on 03-25-2008
Germany
Points 720
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Hi Greenman,

It seems the Everyone Account Permission to Write is the key. This should allow sending messages to everyone but without reading his mails. This could run. I will test it.

regards
Joerg

05-19-2008, 18:31
Thomas R. Stephenson
Joined on 03-23-2007
San Jose, CA
Points 32,550
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
> Unfortunately your proposal is not the final solution which we prefer.
> Many of our users should have the opportunity to get access to the mail
> folder of other users, e.g. when they are in vacation, on a business
> trip or sick. Normally every user starts his Pegasus Mail by using a
> program link at desktop.

Then give the users that need this access to the other user accounts the proper rights to the other users' accounts and then they can use "Add mailbox to List" or use the WinPMail command-line options to run as that user. Again, you turn off the local mail delivery; mail to another user (or group) goes via Mercury/32 for delivery as SMTP mail.

Thomas R. Stephenson San Jose, California Member of Pegasus Mail Support Team

05-19-2008, 21:55
Joerg
Joined on 03-25-2008
Germany
Points 720
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Greenman:
... If anyone who does not have permission to read the mail (in the example above, does not have 'Full Control') tries to access someone else's account, Pegasus Mail will not start.

Dear all,

Thanks a lot for your hints. It seems setting the right NTFS permissions is the best way to achieve this goal. After setting the right permissions (Admin, System and current User get all rights, other users who should not get access get only write permissions) Pmail still works (also the local mail transport) and restricted users are not able to start Pmail with another user account than their own account.

But in case a user starts his own account after a restricted user has tried to open it without success, the current user gets the standard Pmail message that this account may be in use by another user - "Cancel" or "Continue". This means the lock file has been set into the user's account directory.

05-19-2008, 22:56
Phil
Joined on 03-25-2007
Paris (France)
Points 750
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Joerg:
Greenman:
... If anyone who does not have permission to read the mail (in the example above, does not have 'Full Control') tries to access someone else's account, Pegasus Mail will not start.
Dear all,
Thanks a lot for your hints. It seems setting the right NTFS permissions is the best way to achieve this goal. After setting the right permissions (Admin, System and current User get all rights, other users who should not get access get only write permissions) Pmail still works (also the local mail transport) and restricted users are not able to start Pmail with another user account than their own account.
But in case a user starts his own account after a restricted user has tried to open it without success, the current user gets the standard Pmail message that this account may be in use by another user - "Cancel" or "Continue". This means the lock file has been set into the user's account directory.

That is normal: the user has the right to add files, so the mailboxp.lck is created, but as the user can't read the pmail.ini file he can't open Pegasus Mail. You should try the solution given by Thomas to force the mails to be processed by Mercury whatever the address is (with or without a '@domain'). And also give rights to the user mail directory only to the administrator (full control), the user (modify) and the Mercury account if it runs on another computer (modify). You can also give modify rights on a user mailbox to another user who'll be able to process the mails when the owner is out of the office (take care with the privacy statements); he'll do it by adding a mailbox within his/her Pegasus Mail session. Add to this the use of the pmuser ev and all will run just like you want it to.

Philippe Chartier French translation team leader

05-20-2008, 8:38
Joerg
Joined on 03-25-2008
Germany
Points 720
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Hello Phil, hello Thomas,

How should I force the emails to be processed by Mercury only? I'm not able to find how to disable the local mail delivery. Is this an adjustment in Pmail or Mercury?

And Phil, how should I add another mailbox within a current mailbox session when getting access to another user mailbox? Until now we have always started a new Pmail session with the other user account after finishing the own session firstly.

05-20-2008, 9:33
Phil
Joined on 03-25-2007
Paris (France)
Points 750
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Joerg: Hello Phil, hello Thomas,

Hello Joerg

Joerg: How should I force the emails to be processed by Mercury only? I'm not able to find how to disable the local mail delivery. Is this an adjustment in Pmail or Mercury?

In Pegasus Mail: Tools/Internet options... Sending (SMTP), check the box 'Use for all outgoing mail, regardless of address'. I think that you also need to tune Mercury to process the mail without any '@domain' portion as local addresses (I'm not sure of it and I don't have access to my Mercury server at the moment; asap I'll have a look at it and let you know).

Joerg: And Phil, how should I add another mailbox within a current mailbox session when getting access to another user mailbox? Until now we have always started a new Pmail session with the other user account after finishing the own session firstly.

Folders/Add mailbox to list...

Regards
Philippe Chartier French translation team leader

05-20-2008, 10:06
Joerg
Joined on 03-25-2008
Germany
Points 720
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Phil: In Pegasus Mail: Tools/Internet options... Sending (SMTP), check the box 'Use for all outgoing mail, regardless of address'. I think that you also need to tune Mercury to process the mail without any '@domain' portion as local addresses (I'm not sure of it and I don't have access to my Mercury server at the moment; asap I'll have a look at it and let you know).
Folders/Add mailbox to list...

The Internet Options are always disabled in our installation because we are connected to the Internet via company LAN -> Router -> Internet. In Tools -> Settings -> Extended Settings -> Load WSOCK32.dll (Load Windows Internet Services) is set to "never" because Windows should never establish an internet connection by itself. So the Internet Settings are not available.

The "Add Mailbox" in the menu Folders has been found. I did not find it because it is not available as soon as one of the mail folders is activated (focus). Once I had set the focus to the folder administration window, the Folder Menu changed and I could find the Add Mailbox item.

Thanks
Joerg

05-20-2008, 10:55
Greenman
Joined on 07-19-2007
UK
Points 3,550
Re: No password query when using Pegasus Mail in network/local mode together with Mercury
Using NTFS permissions is the best way to secure your mail. It also means that it is all achieved through Windows domain security - one logon and password and nothing further is required.
If anyone should need access to another person's mail then you simply add their account and give them full control, enabling them to read, write, reply etc. on that person's behalf.
Keep the administrator account in all mail folders and make sure it has full control. If you need to copy/move these folders off the server, then you log on as administrator and copy them. Log on as anyone else, even as someone with administrator rights, and you will get access denied error messages when trying to copy/move them.
Assuming you only want to configure access to the mail folders there is no need to configure Mercury or Pegasus further than necessary.
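
The folder permission layout described in this thread (Administrator, SYSTEM and the mailbox owner with Full Control, Everyone with Write only, named stand-ins with Full Control), scripted in PowerShell as an added example that is not part of any post. The mail root path, the domain name, the delegate table and the assumption that each folder is named after its owner's Windows account are hypothetical; without -Apply the script only reports accounts that can currently read someone else's mailbox.

```powershell
# Added example, not from the thread. Assumptions: one folder per user under
# $MailRoot, each named after the owner's Windows account in $Domain, and
# Mercury running as a service under the SYSTEM account.
param(
    [string]$MailRoot = 'D:\MERCURY\MAIL',               # hypothetical path
    [string]$Domain = 'OFFICE',                          # hypothetical domain
    [hashtable]$Delegates = @{ boss = @('secretary') },  # constructed sample
    [switch]$Apply                                       # default: audit only
)
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData

function New-AllowRule([string]$Account, [string]$Rights) {
    # Allow ACE inherited by the subfolders and files of the mailbox folder.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
}

foreach ($dir in Get-ChildItem -LiteralPath $MailRoot -Directory) {
    # Accounts that may read this mailbox: admins, SYSTEM, owner, stand-ins.
    $readers = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\$($dir.Name)")
    $readers += @($Delegates[$dir.Name] | Where-Object { $_ } | ForEach-Object { "$Domain\$_" })
    $acl = Get-Acl -LiteralPath $dir.FullName

    if (-not $Apply) {
        # Audit: report every allow ACE that lets another account read the mail.
        foreach ($ace in $acl.Access) {
            $canRead = ($ace.FileSystemRights -band $readData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canRead -and
                $ace.IdentityReference.Value -notin $readers) {
                [pscustomobject]@{
                    Folder = $dir.Name; Account = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
        }
        continue
    }

    # Apply: stop inheriting, drop the explicit ACEs, then grant only the
    # rights described in the thread.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }
    foreach ($account in $readers) { $acl.AddAccessRule((New-AllowRule $account 'FullControl')) }
    $acl.AddAccessRule((New-AllowRule 'Everyone' 'Write'))   # can deliver, cannot read
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
}
```

Run it elevated on the server that holds the mail directories. Files that already carry their own explicit ACEs are not reset by this script; the "reset all permissions" step Greenman mentions covers those.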