Saving attachments to a network location ?

Posted: 2020-03-27 00:36
by testuser.demouser
I have an application in C# which downloads the attachments and saves it to a local folder. However, I would like to save these attachments to another location on the network. When I call attachment.SaveAs(path_to_network_location) it does not work. I tried running the hMailServer service with a specific user who has permission to access the specified network location but it did not work either. Can anyone please tell me how can I achieve this ?
Any suggestions / help would be highly appreciated. Thank you.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 03:02
by mikedibella
How about using a local temporary file path and name for the parameter to the SaveAs COM method, then copy/move it using .net or win library functions?

Re: Saving attachments to a network location ?

Posted: 2020-03-27 14:04
by mattg
testuser.demouser wrote:
2020-03-27 00:36
...how can I achieve this?
This is likely caused by the fact that the user that runs the hMailServer SERVICE doesn't have credentials to the network storage.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 15:40
by Dravion
Network Security Credentials in Windows Active Directory Domains are shared by Kerberos Security Tokens.
You have local Machine permissions (required to run a Windows Service on a specific Computer) and you have Domain Administrator Account permissions, maintained by Active Directory to grant permissions Network wide.

1) Create a Local Computer User account on your hMailserver Computer which is Member of the local Computers Administrators group
2) Grant permissions via Local Security Policy Editor to "act as service".
3) Change hMailServer's Service User to your newly created User
4) Your hMailServer Computer must be a member of your Active Directory domain
5) Add your local User to the Active Directory Administrator group as well

Re: Saving attachments to a network location ?

Posted: 2020-03-27 17:44
by mikedibella
When a machine is domain joined, the LocalSystem account (NT AUTHORITY\SYSTEM) has the same permission on the network as the computer account (paragraph 3: https://docs.microsoft.com/en-us/window ... em-account)

So, to write a file from the LocalSystem context on a domain member, the Share that is the target for the SaveAs must have the Computer account added to the ACL with Change permission, and the Computer account must be added to the target directory Security tab ACL with Modify permission.

However, I stick with my original recommendation. Run your COM client in your desired security context and just copy the file from the local drop.
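
The save-locally-then-copy approach recommended above, as an added C# example that is not part of the original post or of hMailServer. `saveLocal` wraps the thread's `attachment.SaveAs` call; the drop directory, share path and helper names are hypothetical.

```csharp
using System;
using System.IO;

static class AttachmentDrop
{
    // Hypothetical usage (paths are placeholders, "name" is the attachment's file name):
    //   AttachmentDrop.SaveToShare(p => attachment.SaveAs(p), name,
    //                              @"C:\MailDrop", @"\\fileserver\maildrop");
    public static string SaveToShare(Action<string> saveLocal, string attachmentName,
                                     string localDropDir, string shareRoot)
    {
        // Attachment names are chosen by the sender: keep only the file-name part so
        // "..\..\x.exe" or "C:\x" cannot steer the write outside the target folder.
        string safeName = Path.GetFileName(attachmentName ?? "");
        if (safeName.Length == 0 || safeName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            safeName = "attachment.bin";

        Directory.CreateDirectory(localDropDir);
        string staged = Path.Combine(localDropDir, Guid.NewGuid().ToString("N") + ".tmp");
        try
        {
            // Step 1: the COM SaveAs call only ever sees a local path.
            saveLocal(staged);

            // Step 2: the copy runs with the credentials of this process, so the
            // account running the client needs write access to the share.
            string root = Path.GetFullPath(shareRoot).TrimEnd('\\') + "\\";
            // A unique prefix avoids overwriting an earlier file with the same name.
            string unique = Guid.NewGuid().ToString("N") + "_" + safeName;
            string target = Path.GetFullPath(Path.Combine(root, unique));
            if (!target.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Target escapes the share root.");

            File.Copy(staged, target, overwrite: false);
            return target;
        }
        finally
        {
            // Remove the local staging copy whether or not the network copy succeeded.
            if (File.Exists(staged)) File.Delete(staged);
        }
    }
}
```

If the copy fails, the exception thrown by `File.Copy` comes from the client process itself, which makes a permission problem on the share visible in the application rather than inside the service.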

Re: Saving attachments to a network location ?

Posted: 2020-03-27 19:01
by RvdH
mikedibella wrote:
2020-03-27 17:44
However, I stick with my original recommendation. Run your COM client in your desired security context and just copy the file from the local drop.
+1

Re: Saving attachments to a network location ?

Posted: 2020-03-27 20:11
by Dravion
mikedibella wrote:
2020-03-27 17:44
When a machine is domain joined, the LocalSystem account (NT AUTHORITY\SYSTEM) has the same permission on the network as the computer account (paragraph 3: https://docs.microsoft.com/en-us/window ... em-account)

So, to write a file from the LocalSystem context on a domain member, the Share that is the target for the SaveAs must have the Computer account added to the ACL with Change permission, and the Computer account must be added to the target directory Security tab ACL with Modify permission.

However, I stick with my original recommendation. Run your COM client in your desired security context and just copy the file from the local drop.
Completely wrong

Quote:
In particular, a service running as LocalSystem on a domain controller (DC) has unrestricted access to Active Directory Domain Services
The local Service account user has only unrestricted permissions on an Active Directory Domain Controller IF THE SERVICE in question is installed itself on the Active Directory Domain Controller.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 20:21
by mikedibella
Dravion wrote:
2020-03-27 20:11
Completely wrong
You are misreading the article. The section you cite has to do with the specific use case of running services on a Domain Controller.

I think most would agree that running services such as hMailServer on a Domain Controller should only be done as a last resort.

The relevant part of the article is this:
When a service runs under the LocalSystem account on a computer that is a domain member [emphasis mine], the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 21:05
by Dravion
mikedibella wrote:
2020-03-27 20:21
When a service runs under the LocalSystem account on a computer that is a domain member [emphasis mine], the service has whatever network access is granted to the computer account, or to any groups of which the computer account is a member.
And that's why I provided my solution to address exactly this issue.

Get your facts straight.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 21:12
by mikedibella
Dravion wrote:
2020-03-27 15:40
1) Create a Local Computer User account on your hMailserver Computer which is Member of the local Computers Administrators group
Sorry, but a Local Computer Account will have no network access at all, regardless of the group membership.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 21:39
by Dravion
mikedibella wrote:
2020-03-27 21:12
Dravion wrote:
2020-03-27 15:40
1) Create a Local Computer User account on your hMailserver Computer which is Member of the local Computers Administrators group
Sorry, but a Local Computer Account will have no network access at all, regardless of the group membership.
But a Network Active Directory User can be Member of a Local Computer User Group like Administrators and SAM
rights can be granted via SECPOL to ACT AS SERVICE.

Re: Saving attachments to a network location ?

Posted: 2020-03-27 22:10
by mikedibella
Dravion wrote:
2020-03-27 21:39
But a Network Active Directory User can be Member of a Local Computer User Group like Administrators and SAM
rights can be granted via SECPOL to ACT AS SERVICE.
This is true but it is not going to solve the OP's problem. Your process would work if the account was a Domain (AD) Account and not a Local (SAM) Account, but I happen to think that copying the file is the most straightforward, and easiest to troubleshoot, approach.

Re: Saving attachments to a network location ?

Posted: 2020-03-28 06:46
by mattg
We don't know if the OP has an Active Directory or just a workgroup or perhaps even disjointed devices on the same LAN (i.e. a home network with a NAS).
RvdH wrote:
2020-03-27 19:01
mikedibella wrote:
2020-03-27 17:44
However, I stick with my original recommendation. Run your COM client in your desired security context and just copy the file from the local drop.
+1
+1

Re: Saving attachments to a network location ?

Posted: 2020-03-28 07:57
by Dravion
He was talking about a self-developed C# Application which needs to SaveFile to a specific path. Windows itself supports only Filesystem paths or a UNC Network path for a remote file Operation.

However:
A Remote file operation is only allowed if a C# Application can authenticate itself against the ruling Authority, which is nowadays typically an Active Directory. If it's not ADS, you need to maintain all the required permissions and settings across all different Computers, if it's a Workgroup or not; this even goes for Linux, Solaris, FreeBSD and MacOS Samba Shares.

Re: Saving attachments to a network location ?

Posted: 2020-03-28 09:16
by RvdH
If he is using a self-developed C# Application, I wouldn't rely on hMailServer's COM... but would use something like MailKit to download those attachments via IMAP.
MailKit is very neat and powerful. I created that zipscanner with it and more recently a service that cleans up bounces (NDRs) sent from a large mailing list to deactivate no longer existing email addresses.