Re: POP3 daemon selection
On Tue, 04 Jan 2000, Jonathan Hall wrote:
>> You can patch qpopper to use ~/.popbull-username instead of ~/.popbull , that
>> way you have have 25,000 users with the same home directory. A site where I
>> used to work did just this.
>
>I thought of that. I prefer to avoid that, though... I like leaving the
>files in the users' home directories so that the full-access users can, if
>they wanted to, edit their .popbull file read, for instance, "10000000" to
>avoid ever receiving another pop bulliten. Altho.... I certianly wouldn't
>consider that a required ability. :-)
If the file in the user's home directory contains the user's name as part of
the file-name then you can have 10,000 users with the same home directory, or
you can have a directory for each user, or you can mix and match.
>> > The solution I have devised for this problem is to go ahead and create
>> >home directories for the mail-only customers, but not give the individual
>> >users read or write permissions to the directory. Then, hacking the qpopper
>> >source to run setgid "mailonly", and then set all mail-only customers' home
>> >directories as read- and write-able by group "mailonly," thus allowing
>> >qpopper the ability to store the needed .popbull file, but not allowing
>> >mail-only customers access to the system.
>> >
>> > Now... my question: Is this solution pheasable and secure?
>>
>> Firstly, why would you not want the account to have read access to it's own
>> home directory?
>
>It is possible for a customer to have full access, then switch to e-mail
>only access. It would be concievably possible for someone to create a .ssh
>directory with an 'authorized_hosts' file, for instance, and then gain
>access to the system via ssh, bypassing /etc/passwd.
When you change them remove the .ssh directory. Then make a cron job that
checks for them and reports/removes them.
>If they do not have read access to their home directory, there is no chance
>of this.
That's one way of doing it. Also you could write a PAM module to specify who
gets to login...
>> I recently fixed an old mail server that used to have 27000 accounts run by
>> qpopper. I installed the POP server from Qmail. Then I wrote and installed
>> my maildir-bulletin package (which should be in Debian now - you can get the
>> source from http://www.coker.com.au/maildir-bulletin/ ). Now each user has
>> their own home directory. Users who are mail-only have their shell as
>> /bin/false and can only login via POP. When a bulletin arrives a single file
>> is created in /home/bulletins and then hard links (soft links if the hard
>> links fail) are created to the Maildir of every user.
>> This is much more capable than qpopper bulletins because it works with any
>> Maildir POP server (well there's only one such POP server at the moment - but
>> others are being written), "ls -l /home/bulletins" shows you how many people
>> have yet to read each bulletin (link-count - 1), and I've written an
>> automatic bulletin-unsender.
>>
>> Try it out. Currently this setup has 27000 people happily using it on an AIX
>> server. The Debian version hasn't been tested as well as I would like but
>> I'll rapidly fix any bugs you find.
>
>Hmmm.... Interesting. What MTA are you using? And what configurations are
>required for the MTA to use the mail-dir setup?
Postfix and Procmail for delivery.
The Maildir setup requires a seperate home directory for each user.
My maildir-bulletin package can work with any mail server. It should work
for Qmail but I haven't tested it properly.
--
The ultimate result is that some innovations that would truly benefit
consumers never occur for the sole reason that they do not coincide with
Microsoft's self-interest.
-- Judge Thomas Penfield Jackson, U.S. District Judge
Reply to: