Webmail configuration for schools
I need to provide email access for 13,000 to 14,000 K12 students. Last school year we used Microsoft Exchange with extremely tight quotas. There are currently ~5500 mailboxes. We had no idea what the utilization was going to be; teachers normally don't pick up new services too quickly, and Exchange was the simplest implementation in our environment. They didn't use email at all for half of the year and some schools didn't want to use email at all. Since the usage was not too high, the system held up to load well. My guess is that the utilization will jump next school year. Pennsylvania will have technology education standards that we will have to meet. Email is one of the standards that will have to be dealt with.

We have a native-mode Active Directory implementation. When student accounts are created, we store their information in a SQL database for various uses. Every student has their own account.

I have been looking at a configuration like this:

1. Postfix with either mysql or LDAP for virtual user delivery.
2. Courier-imap with a web interface (squirrelmail, sqwebmail etc.) (Courier-imap authentication is the tricky bit.)

Since we have been using a SQL database to track user account information, I thought that mysql would be the best means of dealing with Postfix. It would be trivial to load mysql with the information that Postfix needs. My experience with Active Directory LDAP is not great. When using Active Directory as an LDAP server, it seems like there is always more fiddling than there should be. Would mysql hold up well in this sort of environment? (load, speed etc.)

Courier-imap authentication is the big question in my mind. It would be great if we could use Active Directory to do authentication here. LDAP authentication probably won't work correctly. There is no compatible password available and LDAP bind authentication is problematic. Microsoft lets you do an LDAP bind even if your account is locked, your password has expired etc.

Would Kerberos be a reasonable solution? I have no direct experience with Kerberos. Would it be possible to authenticate the user by having the courier authentication daemon request a Kerberos ticket? It is my understanding that the imap server would not be granted a ticket if the client credentials were not authentic. It would also be possible to set up RADIUS authentication. Would RADIUS be a better solution?

The only remaining issue is a policy-related one. Students and/or parents have to sign an Internet acceptable use policy for a student to get access to the Internet. (The person that has to sign depends on the age/grade level of the student.) If they have a signed form, we enter this in the SQL database along with their other account info. Currently, we provide email accounts to all students. If they don't have a signed form, they can only send email internally. Can postfix be configured to allow virtual users access to specific domains based on the user?

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Webmail configuration for schools
On Tue, 01 Jul 2003 at 07:35, Ross, Chris wrote:

> I need to provide email access for 13,000 to 14,000 K12 students. Last school year we used Microsoft Exchange

BY GOD, did he really say that?

> with extremely

> 1. Postfix with either mysql or LDAP for virtual user delivery.
> 2. Courier-imap with a web interface (squirrelmail, sqwebmail etc.) (Courier-imap authentication is the tricky bit.)

Sounds great!

> Since we have been using a SQL database to track user account information, I thought that mysql would be the best means of dealing with Postfix. It would be trivial to load mysql with the information that Postfix needs. My experience with Active Directory LDAP is not great. When using Active Directory as an LDAP server, it seems like there is always more fiddling than there should be. Would mysql hold up well in this sort of environment? (load, speed etc.)

Hell, postfix/courier won't even need the database to scale to that (but you will for peace of mind and ease of reporting), it ain't that big. Properly tuned mysql would work very well, postgres would also do the job very well. Hell, I've a 10K accounts system, it runs all of it on a single host with webmail (yeah, I know I push it too hard), and it doesn't even use the database and it's nowhere near saturation. Course, it's a qmail based system, not postfix, but there shouldn't be much of a difference.

> Courier-imap authentication is the big question in my mind. It would be great if we could use Active Directory to do authentication here. LDAP authentication probably won't work correctly. There is no compatible password available and LDAP bind authentication is problematic. Microsoft lets you do an LDAP bind even if your account is locked, your password has expired etc. Would Kerberos be a reasonable solution? I have no direct experience with Kerberos.

I'm not sure MS Kerberos plays nice with others' Kerberos.

> Would it be possible to authenticate the user by having the courier authentication daemon request a Kerberos ticket? It is my understanding that the imap server would not be granted a ticket if the client credentials were not authentic. It would also be possible to set up RADIUS authentication. Would RADIUS be a better solution?

USE THE PAM. I mean it, use pam, you'll be able to even do NT domain based authentication (albeit with some tweaking and lots and lots of stress testing). I'd go with SQL authentication+pam, or even courier mysql standard authentication, then dump from the activedir from time to time. You can also use pam and kerberos I think, so you don't need courier to do kerberos itself.

> The only remaining issue is a policy-related one. Students and/or parents have to sign an Internet acceptable use policy for a student to get access to the Internet. (The person that has to sign depends on the age/grade level of the student.) If they have a signed form, we enter this in the SQL database along with their other account info. Currently, we provide email accounts to all students. If they don't have a signed form, they can only send email internally. Can postfix be configured to allow virtual users access to specific domains based on the user?

Um... not sure, cool idea though.
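
The per-user restriction asked about in this thread maps onto Postfix restriction classes (`smtpd_restriction_classes`), keyed on the sender address. The script below is an added example, not code from either poster: it builds the two lookup tables from the account database and models the resulting decision; the table layout, column names, domains and addresses are assumptions.

```python
import sqlite3

# Hypothetical local domains; in Postfix these go in /etc/postfix/local_domains.
LOCAL_DOMAINS = ("staff.example.org", "students.example.org")

# main.cf fragment (standard Postfix parameters) that consumes the two maps:
#   smtpd_restriction_classes = local_only
#   local_only = check_recipient_access hash:/etc/postfix/local_domains, reject
#   smtpd_recipient_restrictions =
#       check_sender_access hash:/etc/postfix/restricted_senders,
#       permit_mynetworks, reject_unauth_destination

def sample_db():
    """Constructed stand-in for the SQL account table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (email TEXT PRIMARY KEY, aup_signed INTEGER)")
    db.executemany("INSERT INTO students VALUES (?, ?)", [
        ("Alice@students.example.org", 1),   # signed form on file
        ("bob@students.example.org", 0),     # no signed form
        ("carol@students.example.org", 0),
    ])
    return db

def restricted_senders(db):
    """Map lines for check_sender_access: unsigned students get class local_only."""
    rows = db.execute("SELECT email FROM students WHERE aup_signed = 0 ORDER BY email")
    return [f"{email.lower()} local_only" for (email,) in rows]

def local_domains():
    """Map lines for check_recipient_access inside the local_only class."""
    return [f"{domain} OK" for domain in LOCAL_DOMAINS]

def decide(sender, recipient, sender_map, domain_map):
    """Model the two lookups; 'continue' means the remaining restrictions apply."""
    classes = dict(line.split() for line in sender_map)
    if classes.get(sender.lower()) != "local_only":
        return "continue"
    allowed = {line.split()[0] for line in domain_map}
    domain = recipient.rsplit("@", 1)[-1].lower()   # exact domain match only
    return "permit" if domain in allowed else "reject"

if __name__ == "__main__":
    db = sample_db()
    senders, domains = restricted_senders(db), local_domains()
    print("\n".join(senders + domains))
    print(decide("bob@students.example.org", "friend@example.com", senders, domains))
```

The generated lines are written to the two map files and compiled with `postmap`. Because the lookup keys on the envelope sender, the policy only holds where students cannot choose their own sender address, for example when all student mail is submitted through the webmail host.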