Re: Webmail configuration for schools
El mar, 01 de 07 de 2003 a las 07:35, Ross, Chris escribió:
> I need to provide email access for 13,000 to 14,000 K12
> students. Last school year we used Microsoft
> Exchange
BY GOD, did he really say that?
> >with extremely
> 1. Postfix with either mysql or LDAP for virtual user delivery.
> 2. Courier-imap with a web interface (squirrelmail, sqwebmnail etc.)
> (Courier-imap authentication is the tricky bit.)
Sounds great!
> Since we have been using a SQL database to track user account
> information, I thought that mysql would be the best means of dealing
> with Postfix. It would be trivial to load mysql with the information
> that Postfix needs. My experience with active directory LDAP is not
> great. When using active directory as an LDAP server, it seams like
> there is always more fiddling than there should be. Would mysql hold up
> well in this sort of environment? (load, speed etc.)
Hell, postfix/courier wont even need the database to scale to that (but
you will for peace of mind and easy of reporting), it aint that big.
Properly tunned mysql would work very well, postgress would also do the
job very well. Hell, ive a 10K accounts system, it runs all of it on a
single host with webmail (yeah, i know i push it too hard), and it
doesnt even use the database and its nowhere near saturation. Course,
its a qmail based system, not postfix, but there shouldnt be much of a
difference.
> Courier-imap authentication is the big question in my mind. It
> would be great if we could use active directory to do authentication
> here. LDAP authentication probably won't work correctly. There is no
> compatible password available and LDAP bind authentication is
> problematic. Microsoft lets you do an LDAP bind even if your account is
> locked, your password has expired etc. Would Kerberos be a reasonable
> solution? I have no direct experience with Kerberos.
Im not shure ms kerberos plays nice with other's kerberos.
> Would it be possible to authenticate the user by having the courier authentication
> daemon request a Kerberos ticket? It is my understanding that the imap
> server would not be granted a ticket if the client credentials were not
> authentic. It would also be possible to set up RADIUS authentication.
> Would RADIUS be a better solution?
USE THE PAM. I mean it, use pam, youll be able to even do NT domain
based autentication (albeit with some tweaking and lots and lots of
stress testing). Id go with SQL authentication+pam, or even courier
mysql standard authentication, then dump from the activedir from time to
time.
You can also use pam and kerberos i think, so you dont need courier to
do kerberos itself.
> The only remaining issue is a policy related one. Students and
> or parents have to sign an Internet acceptable use policy for a student
> to get access to the Internet. (The person that has to sign depends on
> the age/grade level of the student.) If they have a signed form, we
> enter this in the SQL database along with their other account info.
> Currently, we provide email accounts to all students. If they don't
> have a singed form, they can only send email internally. Can postfix be
> configured to allow virtual users access to specific domains based on
> the user?
Um... not shure.... cool idea though.
Reply to: