Chapter 6: Advanced Configuration Options

6.3.2 Restricting Access to the POP3 and SMTP Mail Directories

You should only allow supervisor-equivalent user accounts direct access to the queue directories. End-users of the mail system do not need to have direct access to the mail system files, as they will use their POP3 clients to retrieve and delete messages. The login mechanisms in the POP3 server will perform all of the filesystem services on behalf of the user, and will only perform these services on the specific user’s mailbox.

WARNING: If you allow end-users to have "read" access to these directories, they can read other users’ mailboxes. If you allow end-users to have "read-write" access, they can delete or otherwise corrupt the mail system.

There are two common methods for setting these restrictions:

The instructions presented here will use Windows NT 4.0’s Explorer for illustration purposes.

NOTE: Both of these scenarios require you to be logged into the network as a supervisor-equivalent user.

If you have not relocated the POP3 and SMTP mail directories, then you can make all of the necessary changes to the SYS:USR directory alone, and any directories below it will inherit the restrictions you place on it. If you have relocated the POP3 and SMTP mail directories then you will need to modify the SYS:USR directory as well as the directories containing the POP3 and SMTP mail files.

To edit the access rights to the SYS:USR directory, start Windows NT’s Explorer and select the SYS:USR directory on the NetWare server that is hosting Unoverica Message Transport. Figure 6.15 below illustrates this procedure:

Figure 6.15: Viewing the Properties of SYS:USR with Windows NT's EXPLORER.

Select File/Properties from the menu bar. You will be presented with a dialog box similar to the following:

Figure 6.16: Viewing the properties of the SYS:USR directory in Windows NT's EXPLORER.

Click on the "IntranetWare Rights" or "NetWare Rights" tab. This tab will be different between the major NetWare releases, but will have the same basic functionality. The "Rights" tab will display the current access rights to the SYS:USR directory, and will look something like the following:

Figure 6.17: Viewing the access rights of the SYS:USR directory using Windows NT's EXPLORER.

Depending on whether the host server is NetWare 3.x or 4.x, the information displayed will vary somewhat. However, the objective is the same: you will want to explicitly deny access to the SYS:USR directory to all users.

On NetWare 4.x servers, you would want to explicitly define no rights for the PUBLIC, ROOT, and Organization objects. Figure 6.18 below shows that the PUBLIC object has been added as a trustee to the SYS:USR directory, with all rights explicitly denied. This effectively denies the PUBLIC object’s access to this directory and any files or sub-directories contained within it. This same process would need to be repeated for the ROOT and Organization objects.

Figure 6.18: Denying PUBLIC access to SYS:USR using Windows NT's EXPLORER.

On NetWare 3.x servers, you would want to select the group named EVERYONE and add it to the list of trustees, and then explicitly deny all access privileges for the EVERYONE group. This will effectively deny all users’ access to any files or sub-directories contained within the SYS:USR directory tree. The completed dialog would look something like the following:

Figure 6.19: Denying PUBLIC access to SYS:USR using Windows NT's EXPLORER.

NOTE: If you have relocated the POP3 and SMTP mail directories, you will need to define these trustee restrictions on those directories explicitly.

STEP: To continue with the configuration process, go to section 6.3.3 Enabling PURGE IMMEDIATE on the POP3 and SMTP Mail Directories.

Copyright 1997 Unoverica Corporation, All Rights Reserved
Send comments to docs@unoverica.com