Back to Community Threads
Review of SmarterMail Service: DO we REALLY need LSA Permissions on Windows?
Problem reported by Howell Dell - 2/3/2026 at 12:47 PM
Submitted
Why does SmarterMail need LSA User? What about on Linux? I've not looked at that yet. I am thinking about Docker Container on Linux is supposed to be better to Isolate the R/Ws! I can barely spell Linux so don't ask me too much!

I know a lot of functions SmarterMail calls likely require permissions but I think in a full review we might find that a lot of SmarterMail does not need such permission.

Back when MRS was ASPX App I set the Web Site of MRS to App Pool Identity to prevent breakout of the sandbox but that does not help us now as SmarterMail has implemented its own Web Server as part of the APP and MRS is a simple Web Proxy. This is now a typical dev pattern for .NET Core 8, 9 or 10. The reason for this dev pattern is a good thing as SmarterMail can do more surveillance of incoming connections and report about them -- aka a stronger IDS which I applaud!

Maybe SmarterMail could decompose the service into higher and lower level permissions to tighten up the file permission security. An example of this is ColdFusion where they isolated functions to dedicated services to potentially limit breakouts.

When I used to run ISC Bind the installer created a local user for the Service thus you only needed that user permissions on a specific folder to R/W. Thus you did NOT have the ability to write all over the server in the first place.
Zach Sylvester Replied
2/3/2026 at 8:35 PM
Employee Post
Hey Howell,

Thanks for the question. Reviewing permissions and such is on our near future todo list. For the best isolation you would want to use a docker container. Currently SmarterMail runs as the root user on Linux but we are planning to have it run under its own user eventually. 

Once we do that it will reduce alot of potential risk. But at the same time it makes doing some things harder so it will take lots of QC and internal testing on all the platforms we support which will take some time.

Part of why we have things running this way is we want to make running SmarterMail so easy that anyone can do it with just basic knowledge of DNS and basic knowledge of server managment. If you've ever tried to install other mail software you'd see that there is alot more involved like manually modifying config files and entering commands into your system. Even after all that troubleshooting issues is also much more difficult. So, we try to remove as many roadblocks for users as possible. 

In the mean time I recommend keeping an eye on the release notes for new features, security enhancements and fixes. 

Kind Regards, 

Zach Sylvester

Software Developer
SmarterTools Inc.
J
J. LaDow Replied
2/3/2026 at 9:08 PM
I hate to say it, but running something mission critical like a mail server at least as far as security goes should require more than "basic knowledge of server management" -- there is a lot to monitor on a public facing server and basic knowledge just doesn't cover it.

But in regards to simplicity of "installing" and "operating" SmarterMail itself, wanting the concept to be simple and easy is totally understandable. In reality, it shouldn't take much to coax SM to run under a less-privileged user in Linux -- the Kestrel webserver only needs to be served by a web proxy so it's not like it needs permission to manage the firewall, and the user account granted to SM would need access to the paths SM uses.
MailEnable survivor / convert --
John Quest Replied
2/4/2026 at 10:05 AM
I hate to say it, but running something mission critical like a mail server at least as far as security goes should require more than "basic knowledge of server management" -- there is a lot to monitor on a public facing server and basic knowledge just doesn't cover it.

Absolutely agree, BUT...

Part of why we have things running this way is we want to make running SmarterMail so easy that anyone can do it with just basic knowledge of DNS and basic knowledge of server managment.

What is pathetically sad is how many "email administrators" do not have a basic DNS knowledge of what is needed to host an email server. Nor a basic server management/administrative knowledge.
C
Carl Morris Replied
2/4/2026 at 8:53 PM
I have switched SmarterMail to using a limited user account in a Windows installation (non-domain-joined).  So far in my limited implementation it is working fine.  There are several steps, but nothing too hard if you have familiarity with the Windows security mechanisms.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Adding Delegates in eM Client (Windows and Mac)SmarterMail > Desktop and Mobile Synchronization
Webmail Shows an Expired Certificate WarningSmarterMail > Troubleshooting
Virus Scanner Exceptions for SmarterMailSmarterMail > Troubleshooting
Moving SmarterMail Data to Shared StorageSmarterMail > Server Configuration and Management
Unblock / Allow Browser Notifications in SmarterMailSmarterMail > Domain/User Configuration and Management