[OpenAFS] mail spool on AFS

Derek Atkins warlord@MIT.EDU
19 Nov 2001 23:27:50 -0500


It has been shown over and over again that putting /var/spool/mail
in AFS is a Bad Idea (TM).  Use IMAP.  You're MUCH better off
in MANY ways.

If you absolutely insist on using AFS for /var/spool/mail (perhaps
because you're a masochist or you feel you want to use inferior
technology to solve your problem), you need to make sure that your
mail server has write access into the /var/spool/mail volume.  This
can be a challenge as the mail daemon tends to change users all the
time, for each user for which it delivers mail.

In particular, you are going to want to give the mailer daemon write
(rlidwk) access.  There are many ways to accomplish this:

 1) Give the mailer daemon a token.  You do this by giving it a
    Kerberos principal and having it obtain a token periodically from
    a keytab.

 2) Use IP ACLs.  This isn't as secure, and anyone on the server can
    access the mail spool, but you don't need to deal with Kerberos
    principals and keytabs.

If, however, you use IMAP, then users can still store their mail in
AFS when they download it from the server, and you don't have to deal
with all this authentication crap.  Even better, you can use IMAP over
SSL and users can encrypt their mail as they download it.

-derek

"Enesha Fairluck" <enesha@sunflower.org> writes:

> Evening
> 
>     I am trying to place my /var/spool/mail into afs space, and am
> having troubles trying to do the permissions.  A bit new to AFS, so the
> concept might be obvious and just evading my grasp:) I understand about
> the standards such as system:anyuser and system:authuser but not sure
> how to parlay any of that into something useful for me:)   I am using
> the latest OpenAFS on RH7.1.   I've tried seeking advice in the docs,
> but they have been limited help, tho I get a better understanding every
> minute:)  Any help would be appreciated:)  Thanks!
> 
> --E
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
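The two approaches Derek lists, written out as an added shell example that is not part of his post or of OpenAFS itself. The cell path, realm, mailer principal, keytab location and MTA address are assumptions; the pts-name mapping (Kerberos `mailer/host` becomes AFS user `mailer.host`) is the usual aklog convention.

```shell
#!/bin/sh
# Added example: give a mail delivery daemon rlidwk on an AFS-hosted
# mail spool, either via a keytab-backed token or via an IP ACL.
# All site-specific values below are assumptions; adjust for your cell.
set -eu

SPOOL="${SPOOL:-/afs/example.com/var/spool/mail}"      # assumed spool path
REALM="${REALM:-EXAMPLE.COM}"                           # assumed realm
MAILER_PRINC="${MAILER_PRINC:-mailer/mta.example.com}"  # assumed principal
KEYTAB="${KEYTAB:-/etc/mailer.keytab}"                  # assumed keytab
MTA_IP="${MTA_IP:-192.0.2.10}"                          # assumed MTA address
DRY_RUN="${DRY_RUN:-0}"   # set to 1 to print the commands instead

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Kerberos "mailer/host@REALM" is known to AFS as the pts user "mailer.host".
afs_user_for() {
    printf '%s' "$1" | sed 's#/#.#g'
}

# Option 1: keytab-backed token for the daemon's own principal.
# Run from cron or the daemon's startup script so the token (whose
# lifetime is bounded by the ticket) is renewed before it expires.
refresh_mailer_token() {
    run kinit -k -t "$KEYTAB" "$MAILER_PRINC@$REALM"
    run aklog
}

# Grant the daemon's AFS identity write access on the spool directory.
grant_principal_acl() {
    run fs setacl -dir "$SPOOL" -acl "$(afs_user_for "$MAILER_PRINC")" rlidwk
}

# Option 2: IP ACL. Every process on that host, not just the daemon,
# gets the access, which is why this is the less secure choice.
grant_ip_acl() {
    run pts createuser -name "$MTA_IP"
    run fs setacl -dir "$SPOOL" -acl "$MTA_IP" rlidwk
}

# Either way: the spool must not stay readable by system:anyuser.
drop_anyuser_read() {
    run fs setacl -dir "$SPOOL" -acl system:anyuser none
    run fs listacl -path "$SPOOL"
}
```

Run with `DRY_RUN=1` first to review the exact `fs`/`pts` commands before applying them to the real volume.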