Author: Łukasz Grochal Date: To: lansyaw CC: exim-users Subject: Re: [Exim] Re: using exim w/ more than 65000 users
lansyaw@??? writes:
> Care to tell us how exactly that can be done? Where do I start?
> How exactly do I have mail users and yet not have them as system
> users?
Well, one attempt would be to use Cyrus with some custom authentication
method (through SQL perhaps?). That makes your mail accounts completely
system-independent; access is restricted to POP3 and IMAP. That's actually
what I'm planning to do with my ca. 400 users and a strong belief that
they should never-ever and under any circumstances be able to obtain
shell access. They're the kind of users that write down passwords and stick
them to the monitor, you know ;>
Anyway, what I'm currently using is a modified POP3 server that checks
usernames and passwords against a custom /etc/whatever file that has
a format of "username:hashed-password:extended user info". Popserver
then runs as an unprivileged 'someuser' - the same for all the accounts,
unless a system user with a given name exists, in which case popserver
runs on behalf of that user. Still, the password is checked against the
custom file, which allows separate passwords for POP3 and shell.
Exim configuration, pretty crude I believe, but it does what it's
supposed to, looks like:
# Transport - we write to standard unix mailbox files.
virttransport:
  driver = appendfile
  group = mail
  user = someuser
  mode = 0660
  mode_fail_narrower = false
  envelope_to_add = true
  file = /var/spool/mail/${local_part}

# Director - this is the last-resort director; if a system user exists,
# the localuser director is in use.
As you can see, all you need for a user to exist is a line in
/etc/whatever to allow them to log in via POP3 and a file in /var/spool/mail
for mail to be delivered. Hacking any POP3 daemon (except perhaps Cucipop,
which is a programmer's nightmare :) and UW imapd is fairly simple;
you just don't use PAM or shadow passwords and substitute calls to
getpwnam with calls to your own authorization function. In the case of imapd
I also map home directories to /var/spool/imap/{username}, but I have
never checked whether I won't end up with users being able to read each other's
mail this way. I probably will ;) (it's the same system user, remember? :)
Anyway - Cyrus is probably what you want - it should scale far better
than the hacks I use.
--
Łukasz Grochal, Network Administrator
Radio Muzyka Fakty, Sp. z o.o. al. Waszyngtona 1, 30-204 Kraków
tel., fax: +48 12 4252625 e-mail: l.grochal@???
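An added example, not from the post above nor from Exim or the author's patched POP server: a Python model of the lookup the post describes (parse the custom "username:hashed-password:extended user info" file, verify the password against that file instead of the system password database, and decide which account to run as). The PBKDF2 hash format, the sample file and the SYSTEM_USERS stand-in for getpwnam() are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed hash layout (the post only says "hashed-password"):
#   pbkdf2_sha256$<iterations>$<hex salt>$<hex digest>
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${digest.hex()}"

def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False                      # unknown or malformed entry never matches
    _, iters, salt, digest = parts
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(calc.hex(), digest)   # constant-time comparison

def parse_auth_file(text):
    """Parse the /etc/whatever format into {username: (hashed, extended info)}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 2)       # info field may itself contain ':'
        if len(fields) != 3:
            raise ValueError(f"malformed auth line: {line!r}")
        users[fields[0]] = (fields[1], fields[2])
    return users

def authenticate(users, username, password, system_users, fallback="someuser"):
    """Return the account popserver should run as, or None if login fails.
    The password is always checked against the custom file, never the system
    database, so POP3 and shell passwords stay separate as the post describes."""
    entry = users.get(username)
    if entry is None or not verify_password(password, entry[0]):
        return None
    return username if username in system_users else fallback

# Constructed sample data for this example.
SAMPLE_AUTH_FILE = "\n".join([
    "# username:hashed-password:extended user info",
    "alice:" + hash_password("correct horse", salt="00" * 16) + ":Alice Example:ext 101",
    "bob:" + hash_password("hunter2", salt="11" * 16) + ":Bob Example",
])
SYSTEM_USERS = {"bob", "root"}            # constructed stand-in for getpwnam()
```

Note that a name present in the system password database but absent from the custom file (root above) is rejected outright, which is the property the post relies on.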