On Wed, Oct 30, 2002 at 02:16:28PM -0500, Michael Stenner wrote:
> 1) use ident: spamc connects, spamd asks ident if spamc is who it
>    says it is, then proceeds.
>
>    BAD: This is slowish (although probably not compared to the
>         spam-checking itself).
>
>    BAD: Not portable.
>
>    BAD: You'd need to restrict the server to accept connections only
>         from ident-able machines, the you're probably already
>         restricting anyway.

you forgot:

BAD: The default on a lot of systems is to do encrypted ident, so you just get a string like '[aTOhw4XvZQD6kO5C0jqERAw87rIngQRq]'. I can decode that (timestamp uid source_ip source_port dest_ip dest_port) but spamd would have no way of doing it. Even if it did, it'd have to figure out uid->username.

> Anyway, I'm interested in what people think would be the best way to
> address this and whether there would be enough interest to warrant
> patch-acceptance. If it's just us, I probably won't spend the time on
> it, but if it's likely to be incorporated, I probably will.

I still don't see the purpose of authentication in spamd. Unless you enable user rules, the only things I can think of that could happen maliciously are tainting the AWL and generating lots of log entries with the other user's name. So far, I think authentication has more negatives (namely added complexity and time) than positives (limiting who can run through spamd with your config).

--
Randomly Generated Tagline:
"Is blue supposed to be soothing when I lose my data?" - Dave DeMaagd
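An added illustration, not part of the original message and not SpamAssassin code: a sketch of how a server could classify an RFC 1413 ident reply and refuse to treat an opaque token, like the bracketed string quoted above, as a username. The function name, the port numbers in the usage below and the "32 base64 characters in brackets" heuristic are assumptions made for this example.

```python
import re

# RFC 1413 reply: "<port-on-identd-host> , <port-on-asker> : <type> : <add-info>"
_REPLY = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:(.*)$")
# Assumption: an encrypted token has the shape of the sample in the message,
# i.e. 32 base64 characters wrapped in square brackets.
_OPAQUE = re.compile(r"^\[[A-Za-z0-9+/]{32}\]$")


def classify_ident_reply(line, queried_pair):
    """Classify one ident reply line for the connection in queried_pair.

    queried_pair is (port on the identd host, port on the asking host).
    Returns (verdict, detail); verdict is "user", "opaque", "error" or
    "malformed". Only "user" carries a name a server could act on.
    """
    m = _REPLY.match(line.rstrip("\r\n"))
    if not m:
        return ("malformed", None)
    # The reply must echo the port pair that was asked about.
    if (int(m.group(1)), int(m.group(2))) != tuple(queried_pair):
        return ("malformed", "port pair mismatch")
    if m.group(3) == "ERROR":
        # NO-USER, HIDDEN-USER, INVALID-PORT, UNKNOWN-ERROR: no identity given.
        return ("error", m.group(4).strip())
    # USERID add-info is "<opsys>[,<charset>] : <user-id>". Split once only,
    # because the user-id itself may contain ':'.
    opsys_field, sep, user = m.group(4).partition(":")
    user = user.strip()  # simplification: whitespace around the id is dropped
    if not sep or not user:
        return ("malformed", None)
    opsys = opsys_field.split(",")[0].strip().upper()
    # Per RFC 1413, opsys OTHER means the id is an arbitrary octet string,
    # not necessarily a login name; an encrypted token is equally unusable.
    if opsys == "OTHER" or _OPAQUE.match(user):
        return ("opaque", user)
    return ("user", user)
```

Even a "user" verdict is only what the remote identd chose to report, so it tells the server nothing about hosts it does not already trust.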