Michael Olson <[EMAIL PROTECTED]> wrote:
> Michael Olson <[EMAIL PROTECTED]> writes:
>> On Feb 3, 2007, at 12:41 AM, Christopher D. Clausen wrote:
>>>
>>> Are we delivering email into AFS?
>>
>> I don't know how we're currently planning to set up home directories
>> w.r.t. AFS, so I have no idea.


Delivering directly into home directories (user volumes) is a bad idea 
for security reasons.  I'd suggest separate email.<USER> volumes mounted 
under a different root location.

> Thinking about this some more, we should probably *not* deliver mail
> to an AFS volume, because there is no good reason (that I can think
> of) do so, and one rather significant reason to not do so (namely:
> overhead).

What overhead?

> If anyone can think of a good reason to do this, let me know.

So that one can read email from any machine.

> Also, can someone please refresh my memory about what we've decided
> with respect to putting home directories in AFS?  If we have decided
> to put home dirs completely in AFS, mail would have to be delivered
> elsewhere,

> but then we would still need AFS credentials in order to
> access the user's .procmailrc and .forward.

Incorrect.  Just use ACLs correctly.
~/ has system:anyuser l
~/Public has system:anyuser rl
~/.forward is a symlink to Public/.forward
~/.procmailrc is a symlink to Public/.procmailrc

Although there are security issues allowing procmail to run with AFS 
delivery as someone who knows what they are doing might be able to 
read/write to someone else's email as the SMTP server (or whatever 
handles actual delivery) would need generic AFS tokens.  The IMAP / POP 
clients can likely get and use tokens from the user's password.

> So, may I suggest that we put homes under a local NFS partition, which
> would only be exported to the machines in the rack?  Or failing that,
> deliver mail to a separate NFS volume outside of home, but with areas
> for each user?  The NFS server would be deleuze, so that mail gets
> delivered locally and puts less stress on the NFS server (lots of
> small files == much pain for NFS).  Then squirrelmail and courier
> could also serve mail locally, without having to access many small
> files across the network.

I don't see NFS as a solution to this problem.  Now I could see using 
only local disk and keeping all email only on deleuze, if it's decided 
that AFS will cause problems.  Also, since Deleuze IS the AFS server, 
small files aren't being accessed across the network.  Or does 
squirrelmail not run on Deleuze?

Also realize that AFS is designed to cache files and quite good at doing 
this.

<<CDC 
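To make the ACL layout from the reply above concrete, here is an added Python model (not code from the thread or from OpenAFS) of how per-directory AFS rights gate a token-less delivery agent, which is simply system:anyuser. The cell path, user name, file set and symlink targets are constructed assumptions.

```python
import posixpath

# Constructed AFS home tree (cell path, user and files are assumptions, not
# from the thread). ACLs are per directory and cover every file in it:
# "l" = look up names / traverse, "r" = read contents. A delivery agent
# holding no AFS tokens is exactly system:anyuser.
HOME = "/afs/example.cell/home/alice"
ACLS = {
    HOME:             {"alice": "rlidwka", "system:anyuser": "l"},
    HOME + "/Public": {"alice": "rlidwka", "system:anyuser": "rl"},
    HOME + "/Mail":   {"alice": "rlidwka"},
}
SYMLINKS = {  # link path -> target, relative to the link's directory
    HOME + "/.forward": "Public/.forward",
    HOME + "/.procmailrc": "Public/.procmailrc",
}
FILES = {HOME + "/Public/.forward", HOME + "/Public/.procmailrc",
         HOME + "/.bashrc", HOME + "/Mail/inbox"}

def rights_for(directory, principal):
    acl = ACLS.get(directory, {})   # system:anyuser rights apply to everyone
    return set(acl.get("system:anyuser", "")) | set(acl.get(principal, ""))

def resolve(path, depth=0):
    """Follow symlinks as the client would, with a loop guard."""
    if depth > 8:
        raise RuntimeError("symlink loop at " + path)
    if path not in SYMLINKS:
        return path
    target = SYMLINKS[path]
    if not target.startswith("/"):
        target = posixpath.join(posixpath.dirname(path), target)
    return resolve(posixpath.normpath(target), depth + 1)

def can_read(path, principal):
    """Needs "l" on every directory passed through and "r" on the file's dir."""
    real = resolve(path)
    if real not in FILES:
        return False
    parts = real.split("/")
    for i in range(1, len(parts)):
        d = "/".join(parts[:i])
        if d not in ACLS:       # above the modelled tree: assumed traversable
            continue
        need = "r" if i == len(parts) - 1 else "l"
        if need not in rights_for(d, principal):
            return False
    return True

def can_list(directory, principal):
    """True if names in the directory can be enumerated ("l" right)."""
    return "l" in rights_for(directory, principal)
```

The trade-off the layout accepts is visible in `can_list`: `system:anyuser l` on ~ lets anyone enumerate the file names in the home directory, while file contents outside Public stay unreadable without tokens.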



_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin