Windows Integrated Authentication

[nicksimpson]

Dear Sir,

A very useful addition would be to enable windows integrated authentication to pass through to Ability Mail Server web frontend, so that a single sign-on to a domain would enable automatic login to the email application, without further passwords.

Kind Regards,

Nick.

[Code Crafters]

We are currently working on Ability Mail Server 3 which among other things will include Active Directory to allow users to be added and authenticated based on Windows user account login credentials.

[nicksimpson]

Thanks Chris. Do you have a very general indication when this will be released, and some kind of idea whether this will be a free or chargeable upgrade for your existing customers?

[Code Crafters]

Ability Mail Server 3 should be launched next year but I can't make any promises of when exactly. There is still a lot of work to be done and Ability Mail Server 2 updates have to be done too. The upgrade to version 3 from version 2 should be either free or a very small fee like with version 1 to version 2 which was only $30.

[m1byo]

Also on a similar line to this, it would very nice if webmail could integrate into IIS so that webmail could use host-headers to determine when it should be viewed and share port 80 with other IIS websites.

I currently run about 5 small websites and the mailserver from the 1 IP address, it would be very nice to include the webmail into this rather than having to select a different port in internet explorer every time!

Thanks very much

Ian

[Code Crafters]

WebMail uses a custom scripting that only Abiltiy Mail Server's web server can identify with which is why this hasn't been done so far although we have several times considered a .NET scripted WebMail for IIS. You don't have to run both web servers on different ports. The other option is to run them on different IP addresses on the computer (e.g. 2 network cards or 2 NICs on the same network card). If you select to bind AMS / IIS services to different IPs each on port 80 you have to also set a startup delay of about 30 seconds in the general settings of AMS since IIS has a bug whereby it wrongly grabs all IPs, binds to its IPs then releases the others for other applications. Obviously doing this you would need host headers or some routing software to send certain domains to each of the appropriate IPs.

[m1byo]

Thank you very much for that suggestion, I had not considered that approach before, however the router from the internet will still only forward port 80 to 1 network IP which will not allow the implimentation of that idea.

for a bit more of a heath-robinson solution, I am looking at using no-ip.com with the port 80 redirect and I can then add some records into my dns zone file for the solution!

Thank you very much for all your help!

Ian

[Code Crafters]

The other option you have is to host your website on the WebMail server if you don't use any complicated server side scripting. I also believe that you can forward all connectiosn to IIS and it can use host headers to redirect certain domains to another IP.

[m1byo]

Hello Chris,

Thank you very much for your input, at the moment I am using an IIS redirect which forwards the webmail host header to the secure webmail login and I have moved the IIS Secure pages to a different port as they are not really being used for anything other than test sites.

All of the websites at the moment are using ASP and PHP on the server so it is probably not possible to run on the webmail server.

Thanks

Ian

[Code Crafters]

ASP and PHP are not currently supported by Ability Mail Server but we may build in an ASP version of WebMail in the future so that it can be run on IIS directly. For now though, it sounds like you have everything set up fine and all should work ok.

[jazzy]

WebMail uses a custom scripting that only Abiltiy Mail Server's web server can identify with which is why this hasn't been done so far although we have several times considered a .NET scripted WebMail for IIS. You don't have to run both web servers on different ports. The other option is to run them on different IP addresses on the computer (e.g. 2 network cards or 2 NICs on the same network card). If you select to bind AMS / IIS services to different IPs each on port 80 you have to also set a startup delay of about 30 seconds in the general settings of AMS since IIS has a bug whereby it wrongly grabs all IPs, binds to its IPs then releases the others for other applications. Obviously doing this you would need host headers or some routing software to send certain domains to each of the appropriate IPs.

After beating my brains out over this, there is another way:

http://support.microsoft.com/kb/813368/EN-US/

Do httpcfg set iplisten -i xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the IP you want IIS to use. Don't add Ability Mail Server's IP address to the list. (IIS will bind to all the IPs you supply through that command.)Then restart everything!

[Code Crafters]

We've come accross this before and I was going to mention it but didn't know the details of the exact command. Doing this is the solution to fixing the IIS binding bug so that you don't need the startup delay in the general settings.

[Pugglewuggle]

What I've actually done is develop a login/signup system for AMS that runs in IIS. It's basically a set of ASP scripts that interface directly with the AMS database (if you're using ODBC, of course).

Because I'm using my own system to handle this stuff, I'm able to maintain all user information in the database for easy management (As apposed to klunky INI files ). I've got lots of additional fields in the DB and can even track a user's login history (times,dates,IPs,GEOGRAPHIC LOCATION [using IP2Location], etc.), run my own account-locking for a period (if password fails too many times), run my own password-reset system, run my own signup form with custom fields and still have AMS clone a dummy account for all other settings, and a bunch of other things. The system I've created even has 2-way password encryption using the xICE algorithm so the user's password is always secure (in cookies and in the DB). I've also created a "Remember Me" feature that allows the user to login just once on their personal computer so they don't have to type everything out all the time (it times out after 2 weeks for security, of course).

All in all, the only thing we're missing is an completely IIS webmail interface for AMS! I'm working on that too....

I guess what I'm trying to say is that by doing this, I can have a different webmail UI for every domain where users can login and the system can work independent of AMS on any port/IP address as long as the system has access to the AMS database... pretty cool, I think.

[Code Crafters]

You have been busy. Of course you can already access the database via the remote admin facility but obviously this has to run on our internal web server. You'll be happy to hear however that in Ability Mail Server 3 we're adding a remotely installable dialog GUI that will use a console protocol interface which will also obviously allow you to access via a console or scripts of your own to do anything with the settings you want, not just the user table in the database. The system already has a 2 way encryption if you choose to use it but we will look into the xICE algorithm too. We are also adding multi-language compatibility to WebMail and eventually the remote admin interface in version 3 and may even eventually add an ASP interface although we have currently avoided this mainly due to the limitations of needing .NET runtime libraries installed making the download from 6MB to nearer 30MB and also then makeing it no longer a "runs out of the box" software. Thanks for all your comments. I will discuss your ideas with the team to see if we can further improve any parts of the WebMail and remote admin interfaces already being enhanced for version 3. Be warned though that external changes to INI files are only updated in the system every periodic sync cyle (specified in general settings) and trying to manipulate mails via your own WebMail interface may cause problems.

[Pugglewuggle]

I will definitely keep that in mind.

I can't wait for AMS 3! Now that you've let it out of the can as far as how the management system will work, I'm drooling! That's a fantastic idea that will really help AMS.

Cheers!
JB

[m1byo]

It is all getting very exciting!

Are there any potential dates for AMS 3 yet?

Ian

[Pugglewuggle]

Yes, regarding the xICE encryption (sorry I forgot to mention it earlier), it is a very powerful tool that can allow administrators to create their own keys for the encryption system. Basically, it has 2 arguments: the password/whatever you want encrypted, and a definable key. This could potentially be really good for both administrative ease and database security because it would give admins more flexibility when working with the database as apposed to the current AMS password encryption which uses a Code-Crafters-defined key that admins can't get at and thus cannot decode the passwords if needed. Also, xICE, when used with an 8 character password provides 320-bit encryption. This encryption level gets higher and higher as more characters are used in the password.

All in all, it could allow the AMS password system to run on admin-defined keys. This eliminates you guys from having to mess with the security system and write your own encryption algorithm and allows admins more elbow room. Also, this increases security, because if any one key was EVER broken (we all know how long it would take for present day computers to crack a 128-bit or 256-bit encryption pattern), damage would be limited to that one server and that particular key (instead of EVERY SINGLE AMS server, as it is now, because all AMS installations use the same encryption) and would protect AMS from legal backlash because they wouldn't be responsible for every one of their customers' systems possibly being compromised.

Just an idea.

[m1byo]

I like your ideas and I am very impressed with what you have done for the system.

Whilst doing some backup bits the other day, I accidentally stumbled accross the solution for *if* you do ever need to get a user account password from AMS, even though they are all stored in an encrypted format!

If you go into the AMS application > Tools and click the Export CSV, all the user information including unencrypted passwords will be exported into the CSV and then you can just read it at your leisure!

[Code Crafters]

No release dates on AMS 3 yet as there's still a long way to go with its implementation and testing. We will consider the xICE encryption and have already considered the idea of having an admin controlled key for our or other encryption and may implement this in a future update. As per m1byo's comment about exporting via CSV showing plain text passwords, CSV files have to have the unencrypted password as this is intended for transfering accounts to other mail servers. The idea is that if your mail server computer can be accessed by others you should use an admin interface password (general settings) to protect unauthorised access.

[bas]

Right now I'm in the process of evaluating new mail server software. For some reason I keep coming back to the code crafters site, but I'm still missing 1 important feature in the webmail software.

I want to host the webmail on the IIS server I'm running on (I need to have webmail available under port 80). Is there going to be an option for IIS webmail in the AMS 3.0 release? You don't need to ship the .NET framework with the software (you can mention it in the prerequisites of the software).

a bit off topic: Suppose I purchase the current 2.61 version of AMS right now, will I be eligable for a free upgrade to version 3.x??