[OpenAFS] PAG's and MTA's

Dan Pritts danno@internet2.edu
Wed, 27 Nov 2002 20:30:40 -0500


On Thu, Nov 28, 2002 at 01:17:59PM +1300, Nathan Ward wrote:
> I get permission denied errors when trying to drop mail into maildirs.
> Courier is getting the correct home dir (/afs/alb-nz.esphion.com/user/nward) and uids.
> I have run the courier startup script inside a pagsh, with the "mailerd/deliver" krb ticket and the mailerd.deliver AFS token.
> mailerd.deliver has "l" perms on all home dirs, and rlw on Maildirs and below.
> I have tried setting perms to "all" also. No effect.

as someone else suggested, you will need to have "i" permission as well
as rlw, since each new message is delivered by inserting a new file into
the Maildir/new directory.  Setting the permissions to "all" should have
covered this, though.

are you 100% sure that courier has the token?  

> - Courier is trying setuid itself to "nward" (the user i'm delivering
> to) and not getting the afs tokens. Is that possible? 

I do not know Courier, but based on my experience with other mail
software I think it is likely that courier is going setuid to the
recipient for delivery.

Whether that will clear the tokens in the PAG is another question -
i would expect not but i could be wrong.

> I am logged in as
> nward on the machine, shouldn't afs use that user's tokens?

you have specifically told AFS that you want to run in a PAG by running
under pagsh.  Thus, even if nward has tokens on the host outside a PAG
context, i believe that the courier pagsh will not be able to access them.

I worked with a similar system at a previous employer.  the way we dealt
with this problem was to create a principal userid.mail for each and every
userid that wanted to have mail delivered.  Each of these pseudousers
was set to use the same password, which was stored on local disk on
the mail delivery servers.  We used sendmail as our MTA with procmail
as the delivery agent.  We hacked procmail to get a token first thing,
and then do the delivery.

It was not completely ideal, but it worked.

Personally, if i were designing a mail system today, I would not deliver
into afs.  I would deliver into local disk on the mail server, and have
users access the mail via IMAP or POP.  Even if I had lots and lots of
users - if that were the case I would provision users across IMAP servers.
I would accept that occasionally i might have to rebalance the user load
across servers.

danno
--
dan pritts                                       danno@internet2.edu
systems administrator                            734/352-4953 office
internet2                                        734/546-4423 mobile
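Added example (editor's addition, not code from the post above, from OpenAFS or from Courier): a small model of the per-directory AFS ACL bits a standard Maildir delivery needs, so a proposed ACL can be checked before it is applied with `fs setacl`. Delivery writes the message into tmp/ and then renames it into new/; since AFS evaluates ACLs per directory, tmp/ needs "i" (create) and "d" (the rename removes the tmp/ entry) while new/ needs "i", which is why the posted "rlw" fails and "all" should not. The rule table is my reading of the AFS ACL semantics, deliberately conservative in requiring "l" on every directory touched, and is not the output of a real fileserver; the home directory path and the mailerd.deliver principal are taken from the thread.

```python
AFS_BITS = frozenset("rlidwka")

# Shorthand names fs setacl accepts in place of a bit string.
ACL_ALIASES = {
    "all": frozenset("rlidwka"),
    "read": frozenset("rl"),
    "write": frozenset("rlidwk"),
    "none": frozenset(),
}

# What each step of a standard Maildir delivery needs, per directory
# (logical names: home, Maildir, tmp, new).  Assumed semantics:
#   l  lookup: traverse/list the directory (required conservatively everywhere)
#   i  insert: create a new directory entry (a new file, or a rename target)
#   w  write:  modify file contents; AFS grants this at directory level
#   d  delete: remove a directory entry, including the *source* of a rename
MAILDIR_DELIVERY_STEPS = (
    ("look up Maildir/ under the home directory",
     {"home": frozenset("l"), "Maildir": frozenset("l")}),
    ("create tmp/<msg>", {"tmp": frozenset("li")}),
    ("write message body to tmp/<msg>", {"tmp": frozenset("lw")}),
    ("rename tmp/<msg> -> new/<msg>",
     {"tmp": frozenset("ld"), "new": frozenset("li")}),
)


def parse_acl(rights: str) -> frozenset:
    """Turn an ACL rights string (or an alias such as "all") into a set of bits."""
    rights = rights.strip()
    if rights in ACL_ALIASES:
        return ACL_ALIASES[rights]
    bits = frozenset(rights)
    unknown = bits - AFS_BITS
    if unknown:
        raise ValueError("unknown AFS ACL bit(s): " + "".join(sorted(unknown)))
    return bits


def missing_bits(acls: dict) -> dict:
    """
    acls maps a logical directory name (home, Maildir, tmp, new) to the rights
    string the delivery principal currently has there; an absent directory is
    treated as "none".  Returns, per directory, the bits still lacking for a
    full delivery; an empty dict means the delivery should be allowed.
    """
    missing = {}
    for _step, needs in MAILDIR_DELIVERY_STEPS:
        for subdir, required in needs.items():
            lacking = required - parse_acl(acls.get(subdir, "none"))
            if lacking:
                missing[subdir] = missing.get(subdir, frozenset()) | lacking
    return missing


def failing_steps(acls: dict) -> list:
    """Names of the delivery steps that would be refused under these ACLs."""
    return [
        step for step, needs in MAILDIR_DELIVERY_STEPS
        if any(required - parse_acl(acls.get(subdir, "none"))
               for subdir, required in needs.items())
    ]


def maildir_paths(home: str) -> dict:
    """Map the logical directory names onto real paths below a home directory."""
    return {
        "home": home,
        "Maildir": f"{home}/Maildir",
        "tmp": f"{home}/Maildir/tmp",
        "new": f"{home}/Maildir/new",
    }


def setacl_commands(home: str, principal: str, acls: dict) -> list:
    """
    `fs setacl` command lines that add the missing bits for `principal`, keeping
    the bits it already has.  Returns [] when nothing is missing.
    """
    paths = maildir_paths(home)
    cmds = []
    for subdir, lacking in sorted(missing_bits(acls).items()):
        wanted = parse_acl(acls.get(subdir, "none")) | lacking
        rights = "".join(b for b in "rlidwka" if b in wanted)
        cmds.append(f"fs setacl -dir {paths[subdir]} -acl {principal} {rights}")
    return cmds


if __name__ == "__main__":
    # The situation from the thread: "l" on the home dir, "rlw" on Maildir
    # and below, no "i" (and no "d").  Sample ACLs are constructed here.
    home = "/afs/alb-nz.esphion.com/user/nward"
    posted = {"home": "l", "Maildir": "rlw", "tmp": "rlw", "new": "rlw"}
    print("failing steps:", failing_steps(posted))
    for cmd in setacl_commands(home, "mailerd.deliver", posted):
        print(cmd)
    # With "all" nothing is missing: if delivery still fails with "all",
    # the ACL is not the problem and the token in the PAG is the suspect.
    print("missing with all:", missing_bits({d: "all" for d in posted}))
```

If this reports nothing missing but delivery still gets "permission denied", the ACL is not the problem: check that the process doing the actual write holds the token (`tokens` from inside the same PAG, after any setuid the MDA performs), which is the second half of the discussion above.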