[OpenAFS] PAG's and MTA's

Nathan Ward nward@esphion.com
Thu, 28 Nov 2002 15:38:54 +1300


> are you 100% sure that courier has the token?

How can I check?

> 
> > - Courier is trying setuid itself to "nward" (the user i'm delivering
> > to) and not getting the afs tokens. Is that possible? 
> 
> I do not know Courier, but based on my experience with other mail
> software I think it is likely that courier is going setuid to the
> recipient for delivery.
> 
> Whether that will clear the tokens in the PAG is another question -
> i would expect not but i could be wrong.

I know very little about PAGs. Any URLs people can give me?

> 
> > I am logged in as
> > nward on the machine, shouldn't afs use that user's tokens?
> 
> you have specifically told AFS that you want to run in a PAG by running
> under pagsh.  Thus, even if nward has tokens on the host outside a PAG
> context, i believe that the courier pagsh will not be able to access them.
> 
> I worked with a similar system at a previous employer.  the way we dealt
> with this problem was to create a principal userid.mail for each and every
> userid that wanted to have mail delivered.  Each of these pseudo-users
> was set to use the same password, which was stored on local disk on
> the mail delivery servers.  We used sendmail as our MTA with procmail
> as the delivery agent.  We hacked procmail to get a token first thing,
> and then do the delivery.

I have hacked courier to get a token first too. We will see how that goes post-compile.
It gets a token that lasts a minute, from a keytab on the local disk, which is probably a better option, I think.
And with the (hopeful) magic of PAM's krb5 and openafs-session modules, I will be able to have users log in to the mail server with a password, and PAM will give that process mail access for that user for 10 mins or so. Maybe.

> It was not completely ideal, but it worked.
> 
> Personally, if i were designing a mail system today, I would not deliver
> into afs.  I would deliver into local disk on the mail server, and have
> users access the mail via IMAP or POP.  Even if I had lots and lots of
> users - if that were the case I would provision users across IMAP servers.
> I would accept that occasionally i might have to rebalance the user load
> across servers.

I want to have mail delivered to users' homes. I will have mail available with IMAP as well, but still to homes.

-- 

Nathan Ward
System Administrator
Esphion Ltd.

PH:    +64 9 4142060      | EMail: nward@esphion.com
MOB:   +64 9 21 431675    | Web:   www.esphion.com

--

This message is provided "AS IS" with no warranties, and confers no rights.
Any opinions or policies stated within are my own and do not necessarily constitute those of my employer.
Harvesting of this address for purposes of bulk email (spam and UCE) is expressly prohibited unless by my explicit prior request.  I retaliate viciously against spammers and spam sites.
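The following is an added example, not code from this thread, from Courier or from OpenAFS. It sketches the kind of wrapper the poster describes (a short-lived token obtained from a keytab on the local disk, inside a PAG, before the delivery agent runs) and answers the "how can I check?" question by parsing the output of the `tokens` command from inside that PAG. The cell name, principal, keytab path and delivery command are assumptions and can be overridden through the environment; the sample `tokens` outputs are constructed in the format the command prints.

```shell
#!/bin/sh
# Added example, not code from the thread, Courier or OpenAFS: a delivery
# wrapper that obtains a one-minute token from a keytab inside a fresh PAG,
# confirms the token is present, delivers, and then discards the token.
# Cell, principal, keytab and delivery command are assumptions for
# illustration; override them through the environment.

AFS_CELL="${AFS_CELL:-example.org}"
KRB_KEYTAB="${KRB_KEYTAB:-/etc/courier/delivery.keytab}"
KRB_PRINC="${KRB_PRINC:-courier/mail.example.org@EXAMPLE.ORG}"
DELIVER_CMD="${DELIVER_CMD:-/usr/lib/courier/bin/deliverquota}"
export AFS_CELL KRB_KEYTAB KRB_PRINC DELIVER_CMD

# Succeed only if the captured output of `tokens` lists an unexpired token for
# the cell. `tokens` marks a live token with "[Expires <time>]" and a dead one
# with "[>> Expired <<]", so matching on "[Expires " rejects the expired case.
#   $1 = cell name, $2 = captured output of `tokens`
afs_token_listed() {
    printf '%s\n' "$2" | grep -qF "tokens for afs@$1 [Expires "
}

# Entry point for the MTA: re-executes this script under pagsh so that
# everything from token acquisition to the delivery agent runs in its own PAG.
# Recipient and script path travel through the environment because pagsh -c
# takes only a command string. Must be invoked by path so that $0 is usable.
#   $1 = recipient local part, message on stdin
deliver_in_pag() {
    MAIL_RCPT="$1"; WRAPPER="$0"
    export MAIL_RCPT WRAPPER
    exec pagsh -c 'exec "$WRAPPER" --inside-pag'
}

# Runs inside the PAG: get a one-minute ticket from the keytab into a private
# credential cache, turn it into an AFS token, verify the token is really
# there, deliver, and drop both token and ticket on the way out.
deliver_with_token() {
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_delivery.XXXXXX)"; export KRB5CCNAME
    trap 'unlog; kdestroy' EXIT              # discard token and ticket on any exit
    # MIT kinit syntax assumed; 75 is EX_TEMPFAIL, which MTAs treat as "retry later"
    kinit -l 1m -k -t "$KRB_KEYTAB" "$KRB_PRINC" || return 75
    aklog -c "$AFS_CELL" || return 75
    if ! afs_token_listed "$AFS_CELL" "$(tokens)"; then
        echo "no AFS token for $AFS_CELL in delivery PAG" >&2
        return 75
    fi
    "$DELIVER_CMD" "$MAIL_RCPT"              # the message on stdin passes through
}

# Constructed sample outputs in the format `tokens` prints.
SAMPLE_LIVE="Tokens held by the Cache Manager:

User's (AFS ID 4242) tokens for afs@example.org [Expires Nov 28 16:38]
   --End of list--"
SAMPLE_EXPIRED="Tokens held by the Cache Manager:

User's (AFS ID 4242) tokens for afs@example.org [>> Expired <<]
   --End of list--"
SAMPLE_NONE="Tokens held by the Cache Manager:

   --End of list--"

case "${1:-}" in
    --inside-pag) deliver_with_token ;;
    --demo)
        afs_token_listed example.org "$SAMPLE_LIVE"    && echo "live token: found"
        afs_token_listed example.org "$SAMPLE_EXPIRED" || echo "expired token: rejected"
        afs_token_listed example.org "$SAMPLE_NONE"    || echo "no token: rejected"
        ;;
    "") ;;                                   # no arguments: only define the functions
    *) deliver_in_pag "$1" ;;
esac
```

Pointing the MTA's local delivery at `wrapper.sh <recipient>` with the message on standard input runs the whole sequence in one PAG, so the token is never visible to other processes of the same uid and is gone once the wrapper exits. The `tokens` check has to run from inside that PAG, since tokens belong to the PAG rather than to the uid; a delivery agent that switches to the recipient's uid and calls initgroups() on a system that carries the PAG in supplementary group IDs will leave the PAG at that point, which is one way for a token obtained earlier to have vanished by the time the write happens.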