David Thompson <[EMAIL PROTECTED]> replied to assorted people:
> Message-Id: <[EMAIL PROTECTED]>
> To: Paul Blackburn <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED]
> Subject: Re: help!!!
> In-Reply-To: Message from Paul Blackburn <[EMAIL PROTECTED]>
> of "Tue, 12 Dec 2000 08:30:59 GMT." <[EMAIL PROTECTED]>
> Date: Tue, 12 Dec 2000 09:26:12 -0600
> From: David Thompson <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> Precedence: bulk
>
> Paul Blackburn wrote:
> >The problem with using AFS authentication on a popserver
> >is that, compared to local authentication, AFS authentication
> >takes much more resource and time. It involves connecting
> >to the AFS kaserver across the network.

That's really insecure. If the pop server is connecting to kaserver,
then you must be sending cleartext passwords to the pop server.
If you're sending them every minute, that's a *very* attractive
target for any wannabe vandal with a snooper. Ugh.

"kpop" moves the actual authentication onto the client and uses kerberos
the way it's supposed to be used. It's still not ideal;
it only handles authentication and doesn't secure the session
which would be vulnerable to tcp hijacking. Also, with k4, it's
only des. There's also a whole new proxy issue if you need
AFS tokens in the mail server.

> >
> >Typically, popserver users connect and login very frequently
> >(perhaps every minute) just to check if they have new mail.
> >All this login activity soon swamps a popserver that is
> >using AFS login authentication.

This is user behavior which can be controlled - tell users not to poll
more than once every X minutes (where X is something you choose based on
what load you think you can support, but probably at least 5 minutes,
enforced by having popserver check for a login attempt too soon after a
successful login and refusing such connections.)

It might also be attractive to offer an additional "mail notification"
service that isn't quite so expensive. It's not hard to teach a mail
server how to send zephyrgrams upon mail delivery, for instance.
It might be entertaining today to figure out how to use ICQ or
"instant messenger" or whatever today.

...(deleted suggestions about sizing resources, using imap, and a
...really scary approach using local unix passwords.)

>
> IMAP helps the authentication situation significantly, because it creates
> persistent connections. Regardless of whether you do IMAP or POP, PAG cleanup
> is essential if you create a new PAG for each connection, which I would
> recommend. A moderately busy server will create thousands of PAGs a day,
> which will kill any amount of CPU you can throw at it if you don't do cleanup.
> Our IMAP server used PAM (a good thing), but didn't call the authentication
> destroy routines (a _very_ bad thing). 30,000 authenticated PAGs wandering
> around in your kernel REALLY REALLY sucks. xstat_cm_test is your friend for
> finding out things like this.

Definitely. If you're creating pags, you *should* arrange to get rid of them
as well. Um, but if this is *just* a pop server, it may actually be a better
thing to use the default uid based pags. If you were clever, you could even
reuse AFS tokens if they're sufficiently fresh, which would allow you to keep
using the same rx connections, which should be a net win for those awful users
who keep connecting "real often".

If it's *just* a pop server, an even better option would be to keep the
mailboxes on the local disk, and let the pop client copy them to AFS.
That would avoid all the need to have an AFS token on the pop server,
which is a big win, security-wise. There's really no benefit to keeping
a pop mailbox in AFS. With imap, I can see the value to keeping all those
folders of saved mail in AFS instead. I can also see a whole bunch
of new resource sizing concerns that would need to be considered,
such as memory to hold the processes for all those active connections,
the size of the AFS cache, etc.

I find myself curious as to how these sites that presumably keep pop
mailboxes in AFS handle mail forwarding. Do you handle mail forwarding
on the pop servers? Do you allow programs, such as procmail and
vacation? How do you handle AFS tokens and pags for such programs? If
you haven't thought about this, and are using sendmail or something
similar, what happens if a user creates a .forward in their home
directory? Is it honored?

-Marcus Watts
UM ITCS Umich Systems Group
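
The minimum poll interval suggested in the message above (refuse a login that arrives too soon after the same user's last successful one, before any expensive authentication is attempted), as an added example that is not part of the original thread or of any POP server's code. `PollGate`, its parameters and the stand-in `authenticate` callback are hypothetical names; the `[LOGIN-DELAY]` response code is the one defined in RFC 2449.

```python
import math
import time


class PollGate:
    """Per-user minimum interval between successful POP logins (hypothetical helper)."""

    def __init__(self, min_interval=300.0, clock=time.monotonic):
        self.min_interval = min_interval   # "X minutes" from the message, in seconds
        self.clock = clock                 # injectable so the gate can be tested
        self._last_ok = {}                 # username -> time of last successful login

    def _prune(self, now):
        # Forget users whose interval has expired so the table stays bounded.
        for user in [u for u, t in self._last_ok.items()
                     if now - t >= self.min_interval]:
            del self._last_ok[user]

    def retry_after(self, user):
        """Seconds the user must still wait; 0.0 if a login may proceed."""
        last = self._last_ok.get(user)
        if last is None:
            return 0.0
        return max(0.0, self.min_interval - (self.clock() - last))

    def login(self, user, password, authenticate):
        """Return a POP3 status line; authenticate() runs only if the gate is open."""
        wait = self.retry_after(user)
        if wait > 0:
            # Refused before the authentication back end is contacted at all.
            return "-ERR [LOGIN-DELAY] poll again in %d seconds" % math.ceil(wait)
        if not authenticate(user, password):
            # Failures do not start the interval; throttling bad passwords
            # is a separate control and is not handled here.
            return "-ERR authentication failed"
        now = self.clock()
        self._prune(now)
        self._last_ok[user] = now
        return "+OK maildrop ready"


if __name__ == "__main__":
    # Constructed stand-in for the real (network) authentication call.
    def authenticate(user, password):
        return password == "correct horse"

    gate = PollGate(min_interval=300)
    print(gate.login("alice", "correct horse", authenticate))  # accepted
    print(gate.login("alice", "correct horse", authenticate))  # refused, too soon
```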