Jim Cheetham wrote:
> Quoting W B Hacker (from 24/04/10 10:38):
>> Jim Trigg wrote:
>>> Does anyone here use system groups to determine what domains are valid
>>> for a system user to receive mail through? I am hosting nine domains on
>>> a single system, and am looking for a simple way to allow a given user
>
>> I sort of passed-over that, as I put what would otherwise be 'system' users into
>> a virtual user DB along with all other identities, real or synthetic.
>> ...
>> - If one DOES add an SQL DB, it requires admin work as well as CPU, RAM, and fs
>> resources, so the flexibility has a price. Even more so if you want a
>> decent-feeling AND secure web interface to all of it.
>
> Jim, for what you are trying to achieve in the longer term, I'd agree
> strongly with Bill & say you should be using a database. However, as you
> have what appears to be a "small" setup, and in order to avoid any
> significant admin work, I'd recommend the use of sqlite for your DB.
> sqlite is very simple -- a single file that can be backed up trivially,
> but the SQL interface it provides to exim is very clean & functional.
>
> If the users that are receiving email are supposed to have system
> (shell) accounts for other reasons, and the whole domain-without-tld
> naming scheme has a valid use for permissions in the file system, then
> it's worth pursuing your current idea. However, if the only reason these
> 'users' exist is related to email, then I recommend virtualising
> everything from the email address lookup to IMAP authentication with the
> backend server. It's not difficult, and you'll learn stuff up front that
> will be essential in your setup later anyway.
>
> -jim
>
BTW and JFWIW - NONE of our users - virtual or otherwise - have unix file
ownership privs in the mailstore. (a sysadmin su'ed to root, of course - but
those don't have mail service for their shell ID's, and are ordinarily the only
three 'human' shell-holders at all on any given server).
The EUID's and EGID's to be used are also handed to Exim and Dovecot by the DB,
and Exim, Dovecot, ClamAV, SA, Ecartis, Prayer, and such are in the same 'real'
GID for logging and file handling to ease their talking to and handing files to
each other.
Exim and Dovecot then use the DB for AUTH and for the map of the fs for a given
login (where the login is not neessarily related to user@???, nor even in
the same form) to know which files may be accessed.
DB-resident privs have no real limits on number of levels or complexity of
relationship.
As to leaner SQL critters?
SQLite is at least a very honest and straightforward bit of kit and doesn't
pretend to be what it ain't. Way more flexible than LDAP, much leaner than MySQL.
But ... there is a whole world of difference between SQLite's access-control
model and that of PostgreSQL - not to mention the multi-write access control:
http://en.wikipedia.org/wiki/Comparison_of_relational_database_management_systems
Given our needs (above) plus remote DB management, AND simultaneous use of
PostgreSQL for a number of other things besides mail, we'd be hard-pressed to
use SQLite.
Bill
