Re: [exim] 'super' imap user

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: W B Hacker
Dátum:  
Címzett: exim users
Tárgy: Re: [exim] 'super' imap user
Stephen Kestle wrote:

> I wish I knew if there was a term for this:
>
> An imap account that virtualises all the users as subfolders of the
> 'super' account. e.g.
>
> Stephen
>     - Inbox
>     - Sent
>     - Trash

>
> Bob
>     - Inbox
>     ....

>
> 'super'
>     -Stephen 
>         -Inbox
>         ...
>     -Bob
>         -Inbox
>         ...

>
> Is it possible to do such a configuration in exim?
>
> Cheers
>
> Stephen
>


Yes. Couple of ways that I can think of, but none are really Exim issues, nor
even, necessarily IMAP daemon issues:

1) IF you are storing messages with a UID:GID other-than that of Exim, (end-user
UID). You might use *n*x user:group file perms and group membership so that one
or more 'super users' had (at least) read access to to all/some subset(s) of
others, by virtue of multiple memberships in the group.

You need to be *really* careful here, else you may open a serious security hole.


2) Not (necessarily) recommended, but in production here for a long time, is to
relay on an SQL RDBMS to store rights and mailstore mapping with hierarchical
options.

In practice, a field in the DB indicates which group or department a user is a
staff-member of, and/or a supervisor of.

A supervisor's 'working' account maps only to his/her own messages. Same as any
other ordinary account.

A supervisor's "functional supervisory" account maps to the mailstore of all the
accounts of all subordinates in the group/department(s) below his/her level. At
the top level, that could be the entire firm.

This is just as 'legal' as the 'management' having access to all the keys to the
desks and file cabinets in a business environment, though making sure staff are
*aware* that the 'company' email is treated the same as any other 'company
property or files is de riguer.

For an ISP, or a hobbyist running a friends and family mailserver w/o an agreed
covering ToS, it could be legal suicide.

However, on that score, anyone with 'root' privileges and/or membership in the
Exim-runner or IMAP-runner group, can, of course read nearly all mail on the
system with 'lynx' anyway. So, too, anyone allowed to do a 'cp' to a directory
their MUA can already access.

Not one bit of which is recommended unless yurazz is well-covered from a legal
standpoint...

Even then, while it may not be illegal for a skunk to attend a wedding, it will
never be welcome!

;-)

Manners...

Bill