
Re: POP3 daemon selection



> >feature of qpopper, and qpopper needed to start storing .popbull files in
> >each user's home directory.  Without a valid home directory, qpopper cannot
> >store a .popbull file in the mail-only users' home directories.  As a
> >result, these customers receive every pop bulletin again EVERY time they
> >check their mail.
> 
> You can patch qpopper to use ~/.popbull-username instead of ~/.popbull , that
> way you have 25,000 users with the same home directory.  A site where I
> used to work did just this.

I thought of that.  I prefer to avoid that, though... I like leaving the
files in the users' home directories so that the full-access users can, if
they wanted to, edit their .popbull file to read, for instance, "10000000" to
avoid ever receiving another pop bulletin.  Altho.... I certainly wouldn't
consider that a required ability.  :-)

> >  The solution I have devised for this problem is to go ahead and create
> >home directories for the mail-only customers, but not give the individual
> >users read or write permissions to the directory.  Then, hacking the qpopper
> >source to run setgid "mailonly", and then set all mail-only customers' home
> >directories as read- and write-able by group "mailonly," thus allowing
> >qpopper the ability to store the needed .popbull file, but not allowing
> >mail-only customers access to the system.
> >
> >  Now... my question:  Is this solution feasible and secure?
> 
> Firstly, why would you not want the account to have read access to its own
> home directory?

It is possible for a customer to have full access, then switch to e-mail
only access.  It would be conceivably possible for someone to create a .ssh
directory with an 'authorized_hosts' file, for instance, and then gain
access to the system via ssh, bypassing /etc/passwd.

If they do not have read access to their home directory, there is no chance
of this.


> If the shell is /bin/false and sudo is either not installed or configured
> correctly then they won't be able to access the home directory anyway.
> 
> >  Or better yet... is there a more "clean" way of accomplishing what I need,
> >either with qpopper or another POP3 daemon?
> >
> >  And lastly... Is there another POP3 daemon I should consider anyway? 
> >Either for security or configurability?
> 
> I recently fixed an old mail server that used to have 27000 accounts run by
> qpopper.  I installed the POP server from Qmail.  Then I wrote and installed
> my maildir-bulletin package (which should be in Debian now - you can get the
> source from http://www.coker.com.au/maildir-bulletin/ ).  Now each user has
> their own home directory.  Users who are mail-only have their shell as
> /bin/false and can only login via POP.  When a bulletin arrives a single file
> is created in /home/bulletins and then hard links (soft links if the hard
> links fail) are created to the Maildir of every user.
> This is much more capable than qpopper bulletins because it works with any
> Maildir POP server (well there's only one such POP server at the moment - but
> others are being written), "ls -l /home/bulletins" shows you how many people
> have yet to read each bulletin (link-count - 1), and I've written an
> automatic bulletin-unsender.
> 
> Try it out.  Currently this setup has 27000 people happily using it on an AIX
> server.  The Debian version hasn't been tested as well as I would like but
> I'll rapidly fix any bugs you find.

Hmmm.... Interesting.  What MTA are you using?  And what configurations are
required for the MTA to use the mail-dir setup?


--
"If I had thought about it, I wouldn't have done the experiment. The
literature was full of examples that said you can't do this." -- Spencer
Silver on the work that led to the unique adhesives for 3-M "Post-It"
Notepads.
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Jonathan Hall  *  jonhall@futureks.net  *  PGP public key available
 Systems Admin, Future Internet Services; Goessel, KS * (316) 367-2487
         http://www.futureks.net  *  PGP Key ID: FE 00 FD 51
                  -=  Running Debian GNU/Linux  =-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
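
The concern discussed in this thread (a mail-only account whose home directory still holds a .ssh directory, or which the account itself can still write to) can be checked with a small audit. The script below is an example added here, not code from the thread or from qpopper; its function names are hypothetical, and it assumes mail-only accounts are the ones whose shell is /bin/false and considers only each account's primary group.

```python
import os
import stat

MAIL_ONLY_SHELLS = {"/bin/false"}  # assumption: this shell marks a mail-only account

def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) from passwd(5)-format text."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and not line.startswith("#"):
            name, _, uid, gid, _, home, shell = fields
            yield name, int(uid), int(gid), home, shell

def user_can_write(st, uid, gid):
    """Unix owner/group/other selection, primary group only (assumption)."""
    if st.st_uid == uid:
        return True  # an owner can always chmod write access back in
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_mail_only(passwd_text, root="/"):
    """Return sorted (user, finding) pairs for mail-only accounts."""
    findings = []
    for name, uid, gid, home, shell in parse_passwd(passwd_text):
        if shell not in MAIL_ONLY_SHELLS:
            continue  # full-access accounts are out of scope here
        path = os.path.join(root, home.lstrip("/"))
        try:
            st = os.stat(path)
        except OSError:
            findings.append((name, "home directory not accessible"))
            continue
        if user_can_write(st, uid, gid):
            findings.append((name, "home writable by account"))
        # Left over from a time when the account had full access.
        if os.path.lexists(os.path.join(path, ".ssh")):
            findings.append((name, "leftover .ssh entry"))
    return sorted(findings)

if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        for user, finding in audit_mail_only(fh.read()):
            print(f"{user}: {finding}")
```

Run it as root so that home directories closed to other users can still be inspected; the root argument lets it be pointed at a mounted copy of the filesystem instead of the live one.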

