"Christopher D. Clausen" <[EMAIL PROTECTED]> writes:

>> Also, can someone please refresh my memory about what we've decided
>> with respect to putting home directories in AFS?  If we have decided
>> to put home dirs completely in AFS, mail would have to be delivered
>> elsewhere, but then we would still need AFS credentials in order to
>> access the user's .procmailrc and .forward.
>
> Incorrect.  Just use ACLs correctly.
> ~/ has system:anyuser l
> ~/Public has system:anyuser rl
> ~/.forward is a symlink to Public/.forward
> ~/.procmailrc is a symlink to Public/.procmailrc

Thanks.  That helps me to visualize how this setup would work.

> Although there are security issues allowing procmail to run with AFS
> delivery as someone who knows what they are doing might be able to
> read/write to someone else's email as the SMTP server (or whatever
> handles actual delivery) would need generic AFS tokens.  The IMAP / POP
> clients can likely get use tokens from the user's password.

This I'm not very happy about.  Is there some way for the server to
call procmail with some "subset" of the user's token and the mail
delivery token, so that one user could not write to another user's
mail directory?

Though come to think of it, the same problem probably exists (if I
understand it correctly) on normal procmail installations as well, so
we wouldn't actually be taking a step backwards.  Still, it's a
concern.

>> So, may I suggest that we put homes under a local NFS partition, which
>> would only be exported to the machines in the rack?  Or failing that,
>> deliver mail to a separate NFS volume outside of home, but with areas
>> for each user?  The NFS server would be deleuze, so that mail gets
>> delivered locally and puts less stress on the NFS server (lots of
>> small files == much pain for NFS).  Then squirrelmail and courier
>> could also serve mail locally, without having to access many small
>> files across the network.
>
> I don't see NFS as a solution to this problem.
> Now I could see using only local disk and keeping all email only on
> deleuze, if it's decided that AFS will cause problems.  Also, since
> Deleuze IS the AFS server, small files aren't being accessed across
> the network.  Or does squirrelmail not run on Deleuze?

The problem NFS would solve is making email available to the other
machines, without delivering all mail to another machine.  I didn't
realize that our AFS volume was hosted on deleuze -- that addresses my
concerns and obviates the need for a separate NFS volume.

> Also realize that AFS is designed to cache files and quite good at doing
> this.

Ah, didn't know that before.

-- 
Michael Olson -- FSF Associate Member #652 -- http://www.mwolson.org/
Interests: Lisp, text markup, protocols -- Jabber: mwolson_at_hcoop.net
Projects: Emacs, Muse, ERC, EMMS, Planner, ErBot, DVC
Reclaim your digital rights by eliminating DRM.
See http://www.defectivebydesign.org/what_is_drm for details.

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
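
The ACL layout quoted in the message above can be checked mechanically. The following is an added example, not part of the original thread or of HCoop's tooling: it parses the text printed by OpenAFS `fs listacl` and reports where `system:anyuser` holds more or fewer rights than the quoted layout calls for. The cell path, user name and sample output are constructed, and the function names are hypothetical.

```python
"""Audit `fs listacl` output against the ACL layout quoted in the message."""

# Rights system:anyuser should hold under that layout (from the quoted reply).
EXPECTED = {"home": set("l"), "public": set("rl")}

# Constructed sample output; cell name and user are placeholders.
HOME_OK = """Access list for /afs/example.org/user/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  alice rlidwka
"""
PUBLIC_BAD = """Access list for /afs/example.org/user/alice/Public is
Normal rights:
  system:anyuser rlidwk
  alice rlidwka
"""

def parse_listacl(text):
    """Return {"normal": {principal: rights}, "negative": {...}} as sets."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for line in text.splitlines():
        words = line.split()
        if line.strip().startswith("Normal rights"):
            section = "normal"
        elif line.strip().startswith("Negative rights"):
            section = "negative"
        elif section and len(words) == 2:
            acl[section][words[0]] = set(words[1])
    return acl

def audit(kind, listacl_text, principal="system:anyuser"):
    """List deviations for a 'home' or 'public' directory; empty means OK."""
    acl = parse_listacl(listacl_text)
    # Negative rights on the same principal cancel the matching normal rights.
    effective = acl["normal"].get(principal, set()) - acl["negative"].get(principal, set())
    findings = []
    excess = effective - EXPECTED[kind]
    missing = EXPECTED[kind] - effective
    if excess:
        findings.append(f"{principal} has excess rights: {''.join(sorted(excess))}")
    if missing:
        findings.append(f"{principal} lacks rights: {''.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    for kind, sample in (("home", HOME_OK), ("public", PUBLIC_BAD)):
        print(kind, audit(kind, sample) or "OK")
```

Excess rights on `Public` matter here because `.forward` and `.procmailrc` live there: anyone able to write them controls where that user's mail is delivered.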
