
Webmail configuration for schools



	I need to provide email access for 13,000 to 14,000 K12
students.  Last school year we used Microsoft Exchange with extremely
tight quotas.  There are currently ~5500 mailboxes.  We had no idea what
the utilization was going to be; teachers normally don't pick up new
services too quickly and Exchange was the simplest implementation in our
environment.  They didn't use email at all for half of the year and some
schools didn't want to use email at all.  Since the usage was not too
high, the system held up to load well.  My guess is that the utilization
will jump next school year.  Pennsylvania will have technology education
standards that will have to be met.  Email is one of the standards that
will have to be dealt with.

	We have a native mode active directory implementation.  When
student accounts are created, we store their information in a SQL
database for various uses.  Every student has their own account.  I have
been looking at a configuration like this:

1. Postfix with either mysql or LDAP for virtual user delivery.
2. Courier-imap with a web interface (squirrelmail, sqwebmail, etc.)
	(Courier-imap authentication is the tricky bit.)


	Since we have been using a SQL database to track user account
information, I thought that mysql would be the best means of dealing
with Postfix.  It would be trivial to load mysql with the information
that Postfix needs.  My experience with active directory LDAP is not
great.  When using active directory as an LDAP server, it seems like
there is always more fiddling than there should be.  Would mysql hold up
well in this sort of environment?  (load, speed etc.)

	Courier-imap authentication is the big question in my mind.  It
would be great if we could use active directory to do authentication
here.  LDAP authentication probably won't work correctly.  There is no
compatible password available and LDAP bind authentication is
problematic.  Microsoft lets you do an LDAP bind even if your account is
locked, your password has expired etc.  Would Kerberos be a reasonable
solution?  I have no direct experience with Kerberos.  Would it be
possible to authenticate the user by having the courier authentication
daemon request a Kerberos ticket?  It is my understanding that the imap
server would not be granted a ticket if the client credentials were not
authentic.  It would also be possible to set up RADIUS authentication.
Would RADIUS be a better solution?

	The only remaining issue is a policy related one.  Students
and/or parents have to sign an Internet acceptable use policy for a student
to get access to the Internet.  (The person that has to sign depends on
the age/grade level of the student.)  If they have a signed form, we
enter this in the SQL database along with their other account info.
Currently, we provide email accounts to all students.  If they don't
have a signed form, they can only send email internally.  Can postfix be
configured to allow virtual users access to specific domains based on
the user?


