Webmail configuration for schools

2003-07-01 Thread Ross, Chris
I need to provide email access for 13,000 to 14,000 K12
students.  Last school year we used Microsoft Exchange with extremely
tight quotas.  There are currently ~5500 mailboxes.  We had no idea what
the utilization was going to be, teachers normally don't pick up new
services too quickly and Exchange was the simplest implementation in our
environment.  They didn't use email at all for half of the year and some
schools didn't want to use email at all.  Since the usage was not too
high, the system held up to load well.  My guess is that the utilization
will jump next school year.  Pennsylvania will have technology education
standards that will have to be met.  Email is one of the standards that
will have to be dealt with.

We have a native mode active directory implementation.  When
student accounts are created, we store their information in a SQL
database for various uses.  Every student has their own account.  I have
been looking at a configuration like this:

1. Postfix with either mysql or LDAP for virtual user delivery.
2. Courier-imap with a web interface (squirrelmail, sqwebmail etc.)
(Courier-imap authentication is the tricky bit.)


Since we have been using a SQL database to track user account
information, I thought that mysql would be the best means of dealing
with Postfix.  It would be trivial to load mysql with the information
that Postfix needs.  My experience with active directory LDAP is not
great.  When using active directory as an LDAP server, it seems like
there is always more fiddling than there should be.  Would mysql hold up
well in this sort of environment?  (load, speed etc.)

Courier-imap authentication is the big question in my mind.  It
would be great if we could use active directory to do authentication
here.  LDAP authentication probably won't work correctly.  There is no
compatible password available and LDAP bind authentication is
problematic.  Microsoft lets you do an LDAP bind even if your account is
locked, your password has expired etc.  Would Kerberos be a reasonable
solution?  I have no direct experience with Kerberos.  Would it be
possible to authenticate the user by having the courier authentication
daemon request a Kerberos ticket?  It is my understanding that the imap
server would not be granted a ticket if the client credentials were not
authentic.  It would also be possible to set up RADIUS authentication.
Would RADIUS be a better solution?

The only remaining issue is a policy related one.  Students and
or parents have to sign an Internet acceptable use policy for a student
to get access to the Internet.  (The person that has to sign depends on
the age/grade level of the student.)  If they have a signed form, we
enter this in the SQL database along with their other account info.
Currently, we provide email accounts to all students.  If they don't
have a signed form, they can only send email internally.  Can postfix be
configured to allow virtual users access to specific domains based on
the user?


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
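Postfix can hand the "internal only unless the form is signed" decision to an external policy service (check_policy_service). The following is an added example, not code from the thread, of such a service implementing the rule above. It assumes the webmail front end submits mail with SASL authentication (so the student's login reaches the policy as sasl_username), uses an in-memory sqlite table in place of the district's MySQL database, and the domain names and student records are constructed.

```python
import socketserver
import sqlite3
INTERNAL_DOMAINS = {"school.example", "students.school.example"}  # hypothetical internal domains

def build_db():
    """Constructed stand-in for the district's account database (sqlite here, MySQL in the real setup)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (login TEXT PRIMARY KEY, aup_signed INTEGER NOT NULL)")
    db.executemany("INSERT INTO students VALUES (?, ?)", [("jdoe", 1), ("asmith", 0)])
    return db

def parse_policy_request(raw):
    """One policy-delegation request is name=value lines terminated by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, db):
    # Only judge at RCPT time; DUNNO lets the remaining smtpd restrictions decide.
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    if attrs.get("recipient", "").rpartition("@")[2].lower() in INTERNAL_DOMAINS:
        return "DUNNO"  # internal mail is open to every student
    login = attrs.get("sasl_username", "")  # key on the SASL login, not the forgeable envelope sender
    if not login:
        return "DUNNO"  # not an authenticated student session
    row = db.execute("SELECT aup_signed FROM students WHERE login = ?", (login,)).fetchone()
    if row is None or row[0] != 1:  # unknown login or no signed form on file: fail closed
        return "REJECT External mail requires a signed acceptable use policy"
    return "DUNNO"

def handle_request(raw, db):
    return "action=%s\n\n" % decide(parse_policy_request(raw), db)  # action line plus empty line, as Postfix expects

class PolicyHandler(socketserver.StreamRequestHandler):
    """Serves check_policy_service inet:127.0.0.1:10040; Postfix may send several requests per connection."""
    def handle(self):
        db = build_db()
        while True:
            raw = ""
            while not raw.endswith("\n\n"):
                line = self.rfile.readline().decode()
                if not line:
                    return  # Postfix closed the connection
                raw += line
            self.wfile.write(handle_request(raw, db).encode())
```

Run it with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever() and list check_policy_service inet:127.0.0.1:10040 in smtpd_recipient_restrictions before permit_sasl_authenticated, otherwise authenticated students are permitted before the policy is consulted.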



Re: Webmail configuration for schools

2003-07-01 Thread Alex Borges
On Tue, 01 Jul 2003 at 07:35, Ross, Chris wrote:
> I need to provide email access for 13,000 to 14,000 K12
> students.  Last school year we used Microsoft

> Exchange

BY GOD, did he really say that?

> with extremely

> 1. Postfix with either mysql or LDAP for virtual user delivery.
> 2. Courier-imap with a web interface (squirrelmail, sqwebmail etc.)
> (Courier-imap authentication is the tricky bit.)

Sounds great!

> Since we have been using a SQL database to track user account
> information, I thought that mysql would be the best means of dealing
> with Postfix.  It would be trivial to load mysql with the information
> that Postfix needs.  My experience with active directory LDAP is not
> great.  When using active directory as an LDAP server, it seems like
> there is always more fiddling than there should be.  Would mysql hold up
> well in this sort of environment?  (load, speed etc.)

Hell, postfix/courier won't even need the database to scale to that (but
you will for peace of mind and ease of reporting), it ain't that big.
Properly tuned mysql would work very well, postgres would also do the
job very well. Hell, I've a 10K accounts system, it runs all of it on a
single host with webmail (yeah, I know I push it too hard), and it
doesn't even use the database and it's nowhere near saturation. 'Course,
it's a qmail based system, not postfix, but there shouldn't be much of a
difference.

> Courier-imap authentication is the big question in my mind.  It
> would be great if we could use active directory to do authentication
> here.  LDAP authentication probably won't work correctly.  There is no
> compatible password available and LDAP bind authentication is
> problematic.  Microsoft lets you do an LDAP bind even if your account is
> locked, your password has expired etc.  Would Kerberos be a reasonable
> solution?  I have no direct experience with Kerberos.

I'm not sure MS Kerberos plays nice with others' Kerberos.

> Would it be possible to authenticate the user by having the courier authentication
> daemon request a Kerberos ticket?  It is my understanding that the imap
> server would not be granted a ticket if the client credentials were not
> authentic.  It would also be possible to set up RADIUS authentication.
> Would RADIUS be a better solution?

USE THE PAM. I mean it, use PAM, you'll be able to even do NT domain
based authentication (albeit with some tweaking and lots and lots of
stress testing). I'd go with SQL authentication+PAM, or even courier
mysql standard authentication, then dump from the activedir from time to
time.

You can also use PAM and Kerberos I think, so you don't need courier to
do Kerberos itself.

> The only remaining issue is a policy related one.  Students and
> or parents have to sign an Internet acceptable use policy for a student
> to get access to the Internet.  (The person that has to sign depends on
> the age/grade level of the student.)  If they have a signed form, we
> enter this in the SQL database along with their other account info.
> Currently, we provide email accounts to all students.  If they don't
> have a signed form, they can only send email internally.  Can postfix be
> configured to allow virtual users access to specific domains based on
> the user?

Um... not sure, cool idea though.



