Vijay Gill <[EMAIL PROTECTED]> wrote asking about "auth-sendmail" [1]:

>Under which auth token does the filter run under?  What is to prevent a 
>user from forwarding the mail to |xterm -d whatever:0.0.

The token belongs to an "authentication-only" AFS-id called "postman"
(postman has no $HOME). User $HOMEs must have an ACL that allows their
".mail" file to be written to by postman.

To prevent .forward file processing, the /etc/aliases file is configured
such that a user's mail alias is finally evaluated to the "tilde form".
So, on the mailserver, "/usr/lib/sendmail -bv username" displays

    ~[EMAIL PROTECTED]

By not allowing .forward file processing, you do not have the
"mail to |xterm -d whatever:0.0" problem. In addition, by configuring
your sendmail.cf to use /usr/afsws/bin/pagsh instead of /bin/sh for
execution of programs, such programs get their own PAG and do not
share the sendmail daemon's "postman" token.

>Do you have separate mail hosts for mail or do you just send mail to one 
>of the afs fileservers?

There is one mailserver (could easily be two or more peered mailservers
with identical MX preferences) which handles all inbound and outbound mail.
This mailserver is an AFS client.

All inbound mail is delivered to the mailserver for delivery onto $HOME/.mail
(catering for AFS, NFS and local $HOMEs).

For outbound mail, all user client workstations have an identical
sendmail.cf [2] which simply forwards all mail to the mailserver
and does no alias processing on the local client.

Before outbound mail leaves the site mailserver, the From: address is
re-written (via sendmail.cf) to hide individual client workstation names.
So, it looks like it originated from "[EMAIL PROTECTED]".

Mail alias expansion is only done on the mailserver thus giving you a
manageable mail namespace for your domain.

>Anyone else also using afs authenticated sendmail to deliver mail into 
>$HOME/.mail (or close model to that) solutions, please post your 
>experiences, pitfalls etc.  We also must support forwarding through 
>procmail for mail delivery into a user's home directory.

I have heard the Andrew Message System is well integrated with AFS.
Perhaps, others using AMS could comment?

Hope this helps!
-- 
paul                             http://acm.org/~mpb/homepage.html

References:

[1] "auth-sendmail"
    ftp://ftp.transarc.com/pub/afs-contrib/doc/faq/auth-sendmail.tar.Z

[2] simple client sendmail.cf which just forwards to mailserver:

# client workstation sendmail.cf
#
# Does no alias processing, just forwards everything to "mailserver".
# Does not handle inbound mail because mailserver handles all inbound mail.
# Hence, there must also be a mail alias for the local username on mailserver.
#
# Before use:
#     replace the DJ and Dl "site_domain_name" with your real domain name
#
# No warranty expressed or implied!
#
DJsite_domain_name
Dj$w.$J
DVUK-2.1
Dnmailer-daemon
DlFrom $g $d remote from site_domain_name
Do.:%@!^=/[]~
Dq$?x$x <$g>$|$g$.
De$j Sendmail $v/$V ready at $b
OA/usr/lib/aliases
Odbackground
Om
Og1
OL9
Oo
OPmailer-daemon
OQ/usr/spool/mqueue
Or2h
OS/var/log/sendmail.st
OT3d
Ou1
Ox8
OX12
Pfirst-class=0
Pspecial-delivery=100
Pjunk=-100
Troot
Tdaemon
Tuucp
Tmail
H?F?From: $q
H?D?Date: $a
H?M?Message-Id: <$p.$t@$j>
H?F?Resent-From: $q
H?D?Resent-Date: $b
H?M?Resent-Message-Id: <$p.$t@$j>
HSubject:
HReceived: $?sfrom $s by $j; $b$.
HVia: $?S$S; $b$.
S0
R$+                     $#ether$@mailserver$:<$1>               send to mailserver
S1
S2
S3
R$*<$*>$*               $2
R$+@$+                  $:$>15$1@$2
S4
S5
S7
S8
S10
S11
S15
R$+@$+.$J               $@$1@mailserver.$J              host specific name
S16
S17
Mlocal,   P=/bin/bellmail, F=nlsmFD, S=21, R=21, A=mail $u
Mprog,   P=/bin/bellmail, F=nlsmFD, S=21, R=21, A=mail $u
Mether, P=[IPC], F=nsmFDMuXC, S=21, R=21, A=IPC $h
S21
R<$+>                   $@$1                    address ok
R$+                     $@$1                    address ok
R$-                     $1@$J
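Two of the checks the post relies on can be scripted: that the prog mailer in sendmail.cf runs programs through pagsh rather than /bin/sh (so they get their own PAG instead of the daemon's postman token), and that alias expansion on the mailserver ends in the tilde form rather than a "|program" or file delivery. The following is an added example, not code from the post or from the auth-sendmail package; it assumes the old-style sendmail.cf mailer syntax shown in the post ("Mname, P=..., F=..., ..."), and the config fragments and "sendmail -bv" output lines it works on are constructed samples.

```python
"""Audit helpers for the AFS-authenticated sendmail setup described above.

Added example, not code from the original post or from the auth-sendmail
package.  It assumes the pre-V8 sendmail.cf syntax used in the post:
mailer definitions on 'M' lines of the form 'Mname, P=path, F=flags, ...'.
"""
import re

# Constructed sample: a mailserver config fragment whose prog mailer runs
# programs under /bin/sh, so they would inherit the daemon's postman token.
UNSAFE_CF = """\
Mlocal, P=/bin/bellmail, F=nlsmFD, S=21, R=21, A=mail $u
Mprog,  P=/bin/sh, F=lsDFMe, S=10, R=20, A=sh -c $u
"""

# Constructed sample: the same fragment with the prog mailer run through
# pagsh, as the post recommends (the A= arguments are assumed).
SAFE_CF = """\
Mlocal, P=/bin/bellmail, F=nlsmFD, S=21, R=21, A=mail $u
Mprog,  P=/usr/afsws/bin/pagsh, F=lsDFMe, S=10, R=20, A=pagsh -c $u
"""

PAGSH = "/usr/afsws/bin/pagsh"   # path given in the post


def parse_mailers(cf_text):
    """Return {mailer_name: {field: value}} for every 'M' line in a sendmail.cf."""
    mailers = {}
    for line in cf_text.splitlines():
        if not line.startswith("M"):
            continue
        name, _, rest = line[1:].partition(",")
        fields = {}
        for item in rest.split(","):
            key, sep, value = item.strip().partition("=")
            if sep:
                fields[key] = value
        mailers[name.strip()] = fields
    return mailers


def prog_mailer_findings(cf_text):
    """Flag a 'prog' mailer whose program (P=) is not pagsh.

    Programs started by such a mailer share the daemon's postman token;
    pagsh gives them a fresh PAG instead, as the post describes."""
    findings = []
    prog = parse_mailers(cf_text).get("prog")
    if prog is not None and prog.get("P") != PAGSH:
        findings.append("prog mailer runs %s, not %s" % (prog.get("P"), PAGSH))
    return findings


# Constructed sample lines in the shape the post describes for
# '/usr/lib/sendmail -bv username' on the mailserver; the last two are
# what a .forward-style expansion would look like and must not appear.
BV_OUTPUT = """\
~alice@mailserver.example.org
~bob@mailserver.example.org
|xterm -d whatever:0.0
/tmp/mail-copy
"""

TILDE_FORM = re.compile(r"^~[^@\s]+@\S+$")


def classify_delivery(resolved):
    """Classify one resolved address: tilde form, pipe, file, or other."""
    resolved = resolved.strip()
    if TILDE_FORM.match(resolved):
        return "tilde"
    if resolved.startswith("|"):
        return "pipe"
    if resolved.startswith("/"):
        return "file"
    return "other"


def non_tilde_deliveries(bv_text):
    """Return (address, kind) for every resolution that is not the tilde form."""
    return [(line.strip(), classify_delivery(line))
            for line in bv_text.splitlines()
            if line.strip() and classify_delivery(line) != "tilde"]


if __name__ == "__main__":
    for finding in prog_mailer_findings(UNSAFE_CF):
        print("UNSAFE:", finding)
    print("findings for pagsh config:", prog_mailer_findings(SAFE_CF))
    for addr, kind in non_tilde_deliveries(BV_OUTPUT):
        print("%-5s %s" % (kind, addr))
```

On a real mailserver you would feed prog_mailer_findings the installed sendmail.cf and non_tilde_deliveries the captured output of "sendmail -bv" for each user; any "pipe" or "file" result means alias expansion is no longer ending in the tilde form the post describes.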
