> Also, as there seems to be a program that authenticates itself as
> "postman", it seems that a sufficiently motivated person could examine
> the program in order to authenticate themselves as "postman" and be
> able to read everyone's mail.
This is only true if the mail delivery runs on a non-trusted machine,
where the 'sufficiently motivated person' has root access. I'd assume
that the password for 'postman' is not coded into the program, but
stored on the local disk. The sendmail daemon runs as root, and hence
the mail delivery program can gain access to the 'postman' password.
At least, this is how we do it. If you have mail delivered by a non-
trusted machine, you have lost anyway, AFS or not.
Michael Niksch
