[OpenAFS] qmail and user mail accounts in AFS
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 23 Feb 2004 16:03:56 -0500
On Monday, February 23, 2004 15:57:13 -0500 Brian Huntley
<bhuntley@clarkson.edu> wrote:
> We used IP-based ACL's to get around the token problem. We created a
> subdirectory in ~/ in which the new, cur and tmp dir's lived. Then, we
> created PTS users/groups that contained the IP's of our mail servers, and
> gave those groups write access into the mail subdirectory. Just make
> sure your mail servers are hardened, as IP ACL's represent a
> significant security issue.
They do, but it doesn't have anything to do with how well hardened the
machines are whose addresses are on the ACL. An IP address is not an
authenticator, and IP-address-based ACL's are pretty easy to subvert,
without having to have access to any machine that's "supposed" to be on the
ACL.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
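
An added example, not part of the original thread: a small Python audit that finds the kind of ACL entry discussed above, by cross-referencing captured `fs listacl` output with `pts membership` output and reporting groups whose members are IP addresses. The directory path, group name, user names and addresses in the sample output are constructed placeholders.

```python
import ipaddress

# Constructed sample output; path, names and addresses are placeholders.
SAMPLE_LISTACL = """\
Access list for /afs/example.org/user/alice/Maildir is
Normal rights:
  system:administrators rlidwka
  mailhosts rlidwk
  alice rlidwka
"""
SAMPLE_MEMBERSHIP = {
    "mailhosts": "Members of mailhosts (id: -210) are:\n  192.0.2.25\n  192.0.2.26\n",
    "system:administrators": "Members of system:administrators (id: -204) are:\n  admin\n",
}

def parse_listacl(text):
    """Return [(principal, rights, is_negative)] from `fs listacl` output."""
    entries, negative = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Normal rights:", "Negative rights:"):
            negative = stripped.startswith("Negative")
        elif line.startswith(" ") and stripped:
            principal, rights = stripped.rsplit(None, 1)
            entries.append((principal, rights, negative))
    return entries

def host_members(text):
    """Return the members in `pts membership` output that are IP addresses."""
    hosts = []
    for line in text.splitlines()[1:]:  # skip the "Members of ..." header
        try:
            ipaddress.ip_address(line.strip())
            hosts.append(line.strip())
        except ValueError:
            pass  # an ordinary user or group name, not a host entry
    return hosts

def audit(listacl_text, memberships):
    """Return [(group, rights, [ips])] for positive ACL entries backed by host entries."""
    findings = []
    for principal, rights, negative in parse_listacl(listacl_text):
        hosts = host_members(memberships.get(principal, ""))
        if hosts and not negative:
            findings.append((principal, rights, hosts))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LISTACL, SAMPLE_MEMBERSHIP))
```
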