> The more I read about this issue, the more the apache way (also used by proftpd) comes to mind. > > > > Some users can do whatever they please: > > <Protocol POP3 IMAP> > <Limit> > deny from all > allow from 127.0.0.1 > require gid 1 > require user anton > require user bernard > require user charlie > </Limit> > </Protocol> > > only group_id=0 can do IMAP from limited network: > > <Protocol IMAP> > <Limit> > deny from all > allow from 194.109.214.0/24 > require gid 0 > </Limit> > </Protocol> > > > reject delivery for disabled accounts: > > <Protocol LMTP> > <Limit> > deny from all > require valid-account > </Limit> > </Protocol> > > Of course this would have to be converted into sql tables etc...
That's quite interesting and flexible. I'm not sure how that translates into database tables for implimentation - or were you just thinking a text field, and parse that each time? Of course performance would be better to have an actual db schema... What had been discussed previously, iirc, was along the lines of: - A status table that basically held an enable/disable and a text message (to be returned in smtp bounce, webpage error, etc.) ID Enabled Message 1 1 Status OK. 2 0 Administratively disabled. 3 0 Account suspended: Delinquent in payment 4 0 Account disabled for spamming. 5 0 Account suspended: Policy Violation etc. (obviously check your liability if you go telling the world that user X doesn't pay their bills, etc. :) - A capabilities table for specifying what a user/alias/group can or cannot do. capability table: ID Capability Description 1 pop3 Access to POP3 2 imap4 Access to IMAP4 3 insert Can receive messages (SMTP/LMTP) 4 forward Allowed offsite mail forwarding 5 webmail Allowed to use webmail capabilities table: user_idnr alias_idnr client_idnr capability status 123 null null 1 1 123 null null 2 2 null 333 null 3 2 null 333 null 4 1 null null 444 5 1 666 null null 1 4 666 null null 2 4 666 null null 3 4 666 null null 4 4 666 null null 5 4 You'd then make functions to check permissions using the generic capability name (eg. "pop3"). That's not the most elegant setup, right offhand, and may not have been exactly it, but something along those lines. -- Jesse Norell jesse @ kci.net
