On Tue, Feb 23, 1999 at 01:15:21AM -0800, Russell Evans wrote:
> Is it possible to use Bruce Guenter's QMAILQUEUE to hold sent mail in a
> queue until the user authenticated him or herself via pop. I was thinking a
> program could be called to dump the mail in the queue and send back a
> notification to the sender on authorization failure.
It is certainly possible, if not somewhat difficult, to do this. The
biggest problem that I've encountered in implementing things like this
is that the envelope information is sent *after* the message is
completed instead of *before*. What you would need to do is:
- send the message to a temporary file
- read the sender address from the envelope
- determine if that sender has been authenticated
- if so, send the message to qmail-queue, followed by the envelope
- otherwise, send the envelope to a temporary file as well
- when the user authenticates with POP, check for temporary files that
would be caused by that user and deliver them to qmail-queue
There are several obvious holes in this, though. What if the user never
authenticates, or sends piles of mail before authenticating? This could
become a big DOS attack. Ownership also becomes sticky, as the files
delivered through the QMAILQUEUE mechanism would be owned by whatever
user executes qmail-smtpd (which should not be root), while the program
that would feed off the authentication would run as that user, making
the files unreadable. How and where do you create secure temporary
files?
--
Bruce Guenter, QCC Communications Corp. EMail: [EMAIL PROTECTED]
Phone: (306)249-0220 WWW: http://www.qcc.sk.ca/~bguenter/
