Community Discussions and Support
User Permissions

[quote user="Deagol"] In order to be able to connect to an administrative share like C$ you need to be an administrator on the box you are connecting to. Regular users by default can't connect to a system via administrative shares. The only 'backdoor' in this case would be the users who do have administrative rights to the mail server. A problem could arise if you decide to create another share through which the Mercury environment *is* accessible to users. The Mercury system can be secured by setting the correct NTFS permissions.

I am running a Mercury 4.62 system to which users connect using a web interface (so no direct pmail integration). Mercury is running as a service in the context of a specific service account. Only this service account, a specifically appointed Mercury mail administrator and the system account are granted access to the Mercury files and directories. This setup works fine and will deny users, if they somehow manage to get access to the mailserver (i.e. access through another share) from browsing through the mail system and from reading mail from other users.[/quote]

This is the same approach we use. An AD-user called mailserver1...n is assigned the login right and is the sole reader/writer of the Mercury directories on the local drive (RAID-5), as well as the Windows service account. The setup makes the Mail Servers fairly "isolated". We've also removed the Windows file-sharing protocol from these servers as well as NetBIOS. The main MTAs (all running Mercury) have since Y2K never been infected or caused any trouble, as well as being extremely stable.


Hi

I would like to know if Mercury Server will allow User Permissions

Example
Admin = Full Control
User1 = Read Email Allowed, Cannot Delete Email, Forward Email Permissions
User2 = Read Email Allowed, Cannot Delete Email, Cannot Print Email, Cannot Send Emails
User3 = Deactivated.

I want to be able to control - who can view emails, who can print them, who can forward them, who can delete them, Disable Accounts, Enable Accounts
I do not want emails saved to client Desktop, All Emails Saved on the Server, for Any Admin to view.
I want users to access their mail from the Server - through a WebMail Interface - Can Pegasus Mail serve as such.

Can Mercury Server provide this functionality ???

Thank you
Walt

 


[quote user="icenews"]

Hi

I would like to know if Mercury Server will allow User Permissions

Example
Admin = Full Control
User1 = Read Email Allowed, Cannot Delete Email, Forward Email Permissions
User2 = Read Email Allowed, Cannot Delete Email, Cannot Print Email, Cannot Send Emails
User3 = Deactivated.

I want to be able to control - who can view emails, who can print them, who can forward them, who can delete them, Disable Accounts, Enable Accounts
I do not want emails saved to client Desktop, All Emails Saved on the Server, for Any Admin to view.[/quote]

These functions are mainly controlled by the OS rather than a mail server, and most mail systems allow a user to do anything with their own mail.  Filtering may allow you to do some of these with Mercury.

[quote]I want users to access their mail from the Server - through a WebMail Interface - Can Pegasus Mail serve as such.[/quote]

Pegasus Mail is a normal mail client and can access the mail on the server via POP or IMAP protocols.  If you want to use a webmail client, there are a few choices that people use, Squirrelmail, Horde, Roundcube etc. that are all compatible with Mercury using the IMAP interface.



Hi

Thank you for your reply

But isn't there a way to prevent users from deleting mail?
Is there a way to keep all mail on the local server?

Thanks
Walt


> But isn't there a way to prevent users from deleting mail
> Is there a way to keep all mail on the local server

Not without making all the files on the server read only and PMail cannot handle read-only folders.  You might be able to do something with a web application like Squirrel Mail to do this though.  Squirrel Mail would access the PMail folders via Mercury/32 and IMAP4.


[quote user="icenews"]But isn't there a way to prevent users from deleting mail[/quote]

I don't know any mail client that stops this.  You can always copy the users' mail on the server so that you have a backup copy. 

[quote]Is there a way to keep all mail on the local server[/quote]

Well that's how IMAP and all the webmail services based on it work, but it doesn't stop the determined user from storing mail locally.



Hi

This is such a fundamental security issue - I cannot believe that such permissions are allowed and there are no provisions for it.

In an office atmosphere, you get all kinds of individuals, who can be mischievous.

This is one of the reasons, We are looking for a mail server, to allow individuals to share an email such as sales@whatever.com, and control the bad behavior.
You get all sorts of results from people deleting other people's emails, to general horsing around and theft.

I haven't visited an office yet, that does not have such problems.

Anyway - Thank you for your help, and I hope your director decides to continue with development of his software, and forum members agree to a minuscule yearly donation. When I saw Mercury Mail and Pegasus Mail about a week or two ago, I was astounded how sophisticated the software was, and yet it was free, and his request for $95 for a small office is more than reasonable.

Good luck guys

Thank you for your reply
Walt


[quote]This is such a fundamental security issue - I cannot believe that such permissions are allowed and there are no provisions for it.

In an office atmosphere, you get all kinds of individuals, who can be mischievous.[/quote]

They do not last long where I've worked.  ;-)

[quote]This is one of the reasons, We are looking for a mail server, to allow individuals to share an email such as sales@whatever.com, and control the bad behavior.
You get all sorts of results from people deleting other people's emails, to general horsing around and theft.[/quote]

Normally you would use a mailing list for this. All the members of the support team would be members of the list and get a copy of the messages sent to sales@whatever.com. The members of the team reply both to the sender and the list so that all know a message has been processed and how it was processed.

In addition, all mail going in and out of the system would be passed to an "Archive" user so you know what mail has come in and how it was handled for legal purposes. Mercury makes this quite easy to do with an "Always" type filter.

[quote]I haven't visited an office yet, that does not have such problems.[/quote]

When I was the manager these sorts of problems did not exist for long.  ;-)  Anyone trying to fool with the inbound and outbound mail would be caught quite quickly. Actually I've only had this problem once in over 25 years managing a program. The guy was caught and walked out the door the same day.

This is very near what I'm asking about... but at a deeper level. Access to the "mail" subfolder defaults to 'everyone'.

That means anyone with a modicum of computer savvy or a Google ability could figure out how to see the root C$ and then get to "Mercury/mail" and potentially read in a text editor others' emails? No? Yes? Did I miss something upon Mercury 4.62 install (well, we're licensed and love Merc since way back)... many thanks


In order to be able to connect to an administrative share like C$ you need to be an administrator on the box you are connecting to. Regular users by default can't connect to a system via administrative shares. The only 'backdoor' in this case would be the users who do have administrative rights to the mail server. A problem could arise if you decide to create another share through which the Mercury environment *is* accessible to users. The Mercury system can be secured by setting the correct NTFS permissions.

I am running a Mercury 4.62 system to which users connect using a web interface (so no direct pmail integration). Mercury is running as a service in the context of a specific service account. Only this service account, a specifically appointed Mercury mail administrator and the system account are granted access to the Mercury files and directories. This setup works fine and will deny users, if they somehow manage to get access to the mailserver (i.e. access through another share) from browsing through the mail system and from reading mail from other users.
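
The NTFS lock-down described above, as an added example that is not part of the original post or of Mercury itself: a PowerShell audit that lists every Allow entry on the Mercury tree outside the three principals Deagol names, with an optional remediation using icacls. The path `C:\MERCURY` and both account names are assumptions.

```powershell
# Added example - not from the thread. Path and account names are assumptions.
$MercuryRoot    = 'C:\MERCURY'            # assumed install directory
$ServiceAccount = 'MAILSRV\svc-mercury'   # hypothetical service account
$MailAdmin      = 'MAILSRV\mercadmin'     # hypothetical Mercury administrator
$Allowed        = @('NT AUTHORITY\SYSTEM', $ServiceAccount, $MailAdmin)
$Apply          = $false                  # set to $true to change ACLs

function Get-UnexpectedAce {
    # Returns every Allow entry on $Path whose identity is not on the allow-list.
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentities
    )
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $AllowedIdentities -notcontains $id) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Audit the root and every subdirectory (including "mail").
$dirs = @($MercuryRoot) + @(Get-ChildItem -LiteralPath $MercuryRoot -Directory -Recurse |
        Select-Object -ExpandProperty FullName)
$findings = foreach ($d in $dirs) { Get-UnexpectedAce -Path $d -AllowedIdentities $Allowed }
$findings | Sort-Object Path, Identity | Format-Table -AutoSize

if ($Apply -and $findings) {
    # 1. Grant the three principals first so the service never loses access.
    icacls $MercuryRoot /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F" `
                                 "${MailAdmin}:(OI)(CI)F" `
                                 "${ServiceAccount}:(OI)(CI)M"
    # 2. Stop inheriting from the drive root (this drops the inherited entries).
    icacls $MercuryRoot /inheritance:r
    # 3. Reset children so they carry only what the root now grants.
    icacls "$MercuryRoot\*" /reset /T /C
    # 4. Re-audit: anything still listed stems from an explicit entry on the root.
    foreach ($d in $dirs) { Get-UnexpectedAce -Path $d -AllowedIdentities $Allowed }
}
```

Run it elevated on the mail server; with `$Apply` left at `$false` it only reports. A Deny entry for a broad group such as Everyone would also match the service account, which is why the example narrows the Allow entries rather than adding Deny entries.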


Right... I understand that... I will make the changes. We have a bit of 'administrator' envy and I wanted to lock down the files so I guess we'll use 'deny'. Thanks
