[OpenAFS] qmail and user mail accounts in AFS

Sergio Gelato Sergio.Gelato@astro.su.se
Tue, 9 Mar 2004 07:45:11 +0100


* bucy-openafs@gloop.org [2004-02-26 14:09:42 -0500]:
> On Tue, Feb 24, 2004 at 10:33:57AM -0600, Troy Benjegerdes wrote:
> 
> > I have a script that starts up courier-imap and courier-mta with tokens 
> > for a user called 'mail' that has ACLs for all the user's maildirs.
> 
> We contemplated this and it's a bad idea if you allow a user to put
> arbitrary shellcode in .qmail -- any user's delivery can clobber any
> other user's mail since they're all running with the same creds.

True, although if you tighten up the ACLs on the maildirs (lidk on tmp/,
lik on new/ for the mail user) what you get is "only" denial of service
and mailbox poisoning attacks, no clobbering of legitimate email. By
"mailbox poisoning" I mean the insertion of a perfect forgery in which
not even the first Received: header is authentic. Of course that's
already bad enough.

> (i.e. there's a user/mail princ/user.mail pts user for each user which
> in turn only has rights on the user's maildir)

Burns up twice as many uids, but if you can afford that it's the way to go.
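The ACL layout described in this message, written out as an added example (not code from the thread or from OpenAFS): the delivery identity gets lidk on tmp/ and lik on new/, the owner keeps full rights, and cur/ is never exposed to the delivery agent. The same function covers both variants discussed above, because the delivery identity is a parameter: pass the shared "mail" pts user, or the per-user "alice.mail" style principal. The path /afs/example/home/alice/Maildir and the pts names alice and alice.mail are assumed for illustration; FS=echo previews the commands without touching AFS.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a standard Maildir
# (tmp/ new/ cur/) living in AFS and the OpenAFS `fs setacl` command.
# FS defaults to `fs`; set FS=echo to print the commands instead of running them.

FS="${FS:-fs}"

# set_maildir_acls MAILDIR OWNER DELIVERY
#   MAILDIR  : path of the user's Maildir in AFS (assumed path in the usage below)
#   OWNER    : the mailbox owner's pts entry, keeps full rights everywhere
#   DELIVERY : the pts entry the MTA holds tokens for, either the shared "mail"
#              user or a per-user principal such as alice.mail
# -clear drops any pre-existing entries (e.g. system:anyuser) so only these remain.
set_maildir_acls() {
    maildir=$1
    owner=$2
    delivery=$3

    # Top level: the delivery agent only needs to look up tmp/ and new/.
    "$FS" setacl -dir "$maildir" -acl "$owner" all "$delivery" l -clear

    # tmp/: create the temporary file (i), lock it (k), and remove it (d)
    # once it has been moved into new/; l is needed to traverse the directory.
    "$FS" setacl -dir "$maildir/tmp" -acl "$owner" all "$delivery" lidk -clear

    # new/: insert only. Without d the agent cannot delete messages already
    # delivered (its own or anyone else's), and without r it cannot read them,
    # which is what limits a hostile .qmail to denial of service and forgeries.
    "$FS" setacl -dir "$maildir/new" -acl "$owner" all "$delivery" lik -clear

    # cur/: only the owner's MUA/IMAP server touches it; no delivery entry at all.
    "$FS" setacl -dir "$maildir/cur" -acl "$owner" all -clear
}

# Usage (assumed names): shared delivery user, then the per-user variant.
#   set_maildir_acls /afs/example/home/alice/Maildir alice mail
#   set_maildir_acls /afs/example/home/alice/Maildir alice alice.mail
```

With the shared "mail" user every maildir carries the same delivery entry, so the ACLs are what keeps one user's .qmail from clobbering another's mail; with per-user principals the delivery entry differs per maildir and the ACL additionally stops cross-user writes entirely.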