
Re: Antwort: Re: Re: LDAP and sendmail
On Fri, Mar 05, 1999 at 10:36:24AM +0100, Masiar Ighani wrote:
> 
> Hi Dustin,
> 
> but how do they pop their mail?  The POP-Server uses the /etc/passwd or
> /etc/shadow to get the password !?
> And the delivery agent needs the uid to change to, before writing in the
> users mailbox.

Many large mail servers take a "sealed" server approach. No user logins of
any kind (other than system administrators). 

All mail is stored in a separate mailbox file or directory for each unique
user. All access by users to their mail is via pop or imap. So permissions
are to make the mailboxes read/write only by the mail uid/gid. And
setuid/setgid the mail delivery programs.

All authentication, forwarding information, etc. is stored in a database. In
this case presumably LDAP.

The hooks in exim (for example) are perfectly adequate for delivering mail
for user@domain type users with forwarding, vacation, etc. using a directory
server.

And doing authentication out of the same directory server for pop access is
next to trivial (~100 or so lines of C). Simply derive a distinguished name
from the user's login (and perhaps a domain from the reverse DNS of the IP
address the request came to) and attempt to bind to the directory with the
provided password. If the bind succeeds you have a valid user. You can use the
same information to find his unique mailbox file or directory.

-- 
Stuart Lynne <sl@fireplug.net>      604-461-7532      <http://edge.fireplug.net>
PGP Fingerprint: 28 E2 A0 15 99 62 9A 00  88 EC A3 EE 2D 1C 15 68
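The bind-based POP authentication described in the message above, as an added example that is not the poster's ~100 lines of C. It is written in Python and assumes a directory laid out as `uid=<login>,ou=people,dc=<domain parts>` with a constructed attribute name `mailMessageStore` for the mailbox path; the in-memory `FAKE_DIRECTORY` and `fake_bind` stand in for a real LDAP server so the code runs offline. Two checks a practitioner would add to the recipe are shown: the login is validated and RDN-escaped (RFC 4514) before being spliced into a DN, and an empty password is refused before the bind is attempted, because a simple bind with a DN and an empty password is an unauthenticated bind that many servers accept, which would otherwise look like a successful login.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Characters that must be escaped inside an RDN attribute value (RFC 4514).
_DN_ESCAPE = {',': r'\,', '+': r'\+', '"': r'\"', '\\': r'\\',
              '<': r'\<', '>': r'\>', ';': r'\;', '=': r'\='}


def escape_rdn_value(value: str) -> str:
    """Escape a string so it can be used as one RDN value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_ESCAPE:
            out.append(_DN_ESCAPE[ch])
        elif ch == '#' and i == 0:          # leading '#' is special
            out.append(r'\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing space
            out.append(r'\ ')
        else:
            out.append(ch)
    return ''.join(out)


def derive_dn(login: str, domain: str) -> str:
    """Build the user's DN from the POP login and the domain the request came to.
    The DN layout (uid under ou=people under dc components) is an assumption."""
    if not re.fullmatch(r'[A-Za-z0-9._-]{1,64}', login):
        raise ValueError('invalid login')
    if not re.fullmatch(r'[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+', domain):
        raise ValueError('invalid domain')
    dcs = ','.join('dc=' + escape_rdn_value(p) for p in domain.lower().split('.'))
    return f'uid={escape_rdn_value(login)},ou=people,{dcs}'


@dataclass
class AuthResult:
    ok: bool
    dn: Optional[str]
    mailbox: Optional[str]
    reason: str


def authenticate(login: str, domain: str, password: str,
                 bind: Callable[[str, str], bool],
                 lookup_mailbox: Callable[[str], Optional[str]]) -> AuthResult:
    """Derive the DN, bind with the supplied password, then look up the mailbox."""
    # Refuse empty passwords before touching the directory: a simple bind with
    # a DN and no password is an unauthenticated bind (RFC 4513 s5.1.2) that
    # many servers accept, so it would be mistaken for a valid user.
    if not password:
        return AuthResult(False, None, None, 'empty password')
    try:
        dn = derive_dn(login, domain)
    except ValueError as exc:
        return AuthResult(False, None, None, str(exc))
    if not bind(dn, password):
        return AuthResult(False, dn, None, 'bind failed')
    return AuthResult(True, dn, lookup_mailbox(dn), 'ok')


# Constructed stand-in for the directory server; a real deployment would make
# bind() wrap an LDAP client, e.g. ldap3's Connection(server, user=dn,
# password=pw).bind() (assumed deployment detail, not shown here).
FAKE_DIRECTORY = {
    'uid=alice,ou=people,dc=example,dc=com': {
        'userPassword': 's3cret',
        'mailMessageStore': '/var/spool/mailboxes/example.com/alice',
    },
}


def fake_bind(dn: str, password: str) -> bool:
    """Simulate a simple bind: succeed only for a known DN with the right password."""
    entry = FAKE_DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry['userPassword'], password)


def fake_lookup_mailbox(dn: str) -> Optional[str]:
    """Return the mailbox path stored on the user's entry."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry['mailMessageStore'] if entry else None


if __name__ == '__main__':
    print(authenticate('alice', 'example.com', 's3cret', fake_bind, fake_lookup_mailbox))
    print(authenticate('alice', 'example.com', '', fake_bind, fake_lookup_mailbox))
    print(authenticate('alice,ou=admins', 'example.com', 'x', fake_bind, fake_lookup_mailbox))
```

The domain check keeps the reverse-DNS-derived value from contributing arbitrary RDNs, and the login whitelist means the escaping is belt-and-braces; both are cheap compared with the cost of an injected DN component reaching the directory.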