Security & Permission Guidelines
Document #:10104
Applies To:
- MailSite 4.x - 5.x
- Express 4.x - 5.x
Synopsis:
Suggested guidelines for securing a server running MailSite and/or Express
More Information:
The recommended setup for MailSite is to run all the MailSite services under a local NT account or a domain account.
The installer for MailSite 5.x allows you to choose the NT account under which all the MailSite services log on.
If you have not already created an NT account for MailSite, the predefined account is called: MailSite-User
This account needs access only to the following folders with the corresponding access rights:
- MailSite program folder and all sub-directories = Read & Execute
- Express directory if located outside of the MailSite folder = Read & Execute
- The Express\ Cache-temp folder = disable execute scripts
- The Spool and Box directories must have FULL Access
When working with Express, it is recommended to change the default Directory Security account from "LOCAL_IUSR" to the "MailSite-User" account.
Note: If using a domain NT user account, be sure to enter the password and do not check the box to allow IIS to control the password. That option only works with local NT accounts, for which the password is pulled from the local registry.
The "IUSR & IWAM_USR" accounts need to have FULL Access to the Express/Web/Cache and Express/Temp folders.
*Securing MailSite in this fashion enables you to specify a UNC path for the BOX and/or the SPOOL directories. This is important if using a Network Storage Appliance or a remote share on a network file storage server.
After you have made these changes, verify that you can send and receive email. If you have not already removed the unnecessary NT accounts from the directories listed above, it is recommended that you do so; this helps secure access to those resources and reduces the risk of a hacker breaking into your system or of exposure to unknown viruses.
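The following read-only PowerShell audit is an added example, not part of the original MailSite article: it checks that MailSite-User holds the rights listed above on each folder and reports any other accounts still present there. The folder paths and the baseline list of tolerated accounts are assumptions; replace them with your own values.

```powershell
# Added example: read-only audit of the folder rights listed in this article.
# Paths are placeholders (assumptions); replace them with the real locations.
# Only the top-level folders are checked, not each sub-directory.
$MailSite = 'C:\PLACEHOLDER\MailSite'
$Checks = @(
    @{ Path = $MailSite;                Rights = 'ReadAndExecute' },
    @{ Path = 'C:\PLACEHOLDER\Express'; Rights = 'ReadAndExecute' },  # only if outside $MailSite
    @{ Path = "$MailSite\Spool";        Rights = 'FullControl' },
    @{ Path = "$MailSite\Box";          Rights = 'FullControl' }
)
$Account  = 'MailSite-User'
# Accounts tolerated besides $Account (assumption; adjust to site policy).
$Baseline = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-MailSiteAcl {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'path not found' }
    }
    $allow = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    # Combine every Allow entry held by the service account (local or domain).
    $mine    = @($allow | Where-Object { $_.IdentityReference.Value -like "*\$Account" })
    $granted = 0
    foreach ($ace in $mine) { $granted = $granted -bor [int]$ace.FileSystemRights }
    $need   = [int]$Rights
    $sync   = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $excess = $granted -band (-bnot ($need -bor $sync))
    if (($granted -band $need) -ne $need) { $status = 'MISSING rights' }
    elseif ($excess -ne 0)                { $status = 'EXCESS rights' }
    else                                  { $status = 'ok' }
    # Any account that is neither the service account nor in the baseline.
    $others = $allow | ForEach-Object { $_.IdentityReference.Value } |
        Where-Object { $_ -notlike "*\$Account" -and $Baseline -notcontains $_ } |
        Sort-Object -Unique
    [pscustomobject]@{
        Path          = $Path
        Status        = $status
        Granted       = ($mine | ForEach-Object { $_.FileSystemRights }) -join '; '
        OtherAccounts = $others -join ', '
    }
}

$Checks | ForEach-Object { Test-MailSiteAcl -Path $_.Path -Rights $_.Rights } |
    Format-List
```

A folder reported with a non-empty OtherAccounts value still carries entries for accounts outside the baseline and is a candidate for the cleanup described above.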
Last revised 2006-10-2