On 2005-10-28, at 1328, Jeremy Kitchen wrote:
> On Thursday 27 October 2005 10:57 pm, John Simpson wrote:
>> On 2005-10-26, at 1949, Rick Macdougall wrote:
>>> Domain Quotas are not going to happen anytime soon I think, the overhead of calculating the quota for a domain of 20K users is just too much. If you really need domain quotas, use a separate user for each domain and use system quotas. Of course you will then have to run qmail-smtpd as root.
>> or make the "vchkpw" binary setuid root, and let qmail-smtpd run as qmaild (as it was designed.)
> but that will break chkuser.

thinking about how chkuser works, that makes sense. i didn't think about that because i don't use chkuser.
i've looked at chkuser twice (once over a year ago, and once again a few months ago) and i'm not comfortable with having qmail tied that closely into vpopmail. that's why i wrote the validrcptto.cdb patch, to reject messages which are addressed to non-existent recipients, without tying qmail to any one technology (such as vpopmail, or courier-authlib.) any system which allows you to generate a list of valid addresses can be used to build a cdb file, and my web site has a perl script which does this for system and vpopmail accounts.
the weakness of my patch is that it relies on a cdb file which must be rebuilt whenever the underlying data changes (i.e. mailboxes or domains added or deleted.) however, because it uses a cdb file, the recipient checks are done VERY quickly, without having to fork/exec any other processes, and the cdb file can be copied out to internet-facing "pre-filtering" servers which otherwise would not have any way to check recipients.
as i've said before, the various "recipient check" patches each have their own strengths and weaknesses... i will admit to being slightly biased towards mine, but i don't think any more or less of anybody for choosing one of the others. i figure anybody smart enough to apply a patch will also be smart enough to choose one based on their own needs and the particulars of each patch.
as a separate issue, i'm also not comfortable with the idea of running internet-accessible services as root. i did my time running sendmail and bind, back before i was introduced to qmail and djbdns, and i still have flashbacks to evenings spent rebuilding mail and DNS servers because some joker in germany had nothing better to do with his time than trash my server.
--------------------------------------------------
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--------------------------------------------------
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--------------------------------------------------
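
Added example, not part of the original message and not the validrcptto.cdb patch or the perl script it mentions: a Python sketch of the approach described above, building a cdb (constant database) file from a list of valid addresses and checking a recipient against it in-process. The key layout (lowercased address, empty value), the function names and the sample addresses are assumptions made for illustration.

```python
import os, struct

# Constructed sample list; a real one would be exported from the account database.
SAMPLE_ADDRESSES = ["postmaster@example.com", "Alice@Example.com", "bob@example.net"]

def cdb_hash(key: bytes) -> int:
    h = 5381
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h

def build_cdb(path, addresses):
    # Assumed key layout: lowercased address as key, empty value.
    keys = sorted({a.strip().lower().encode() for a in addresses if a.strip()})
    tables, records, pos = [[] for _ in range(256)], [], 2048  # data follows header
    for k in keys:
        h = cdb_hash(k)
        tables[h & 255].append((h, pos))
        records.append(struct.pack("<II", len(k), 0) + k)  # klen, dlen, key
        pos += 8 + len(k)
    header, hashed = [], []
    for entries in tables:
        n = 2 * len(entries)  # each hash table is kept half empty
        header.append(struct.pack("<II", pos, n))
        slots = [(0, 0)] * n
        for h, p in entries:
            i = (h >> 8) % n
            while slots[i][1]:  # linear probe to the next free slot
                i = (i + 1) % n
            slots[i] = (h, p)
        hashed.append(b"".join(struct.pack("<II", *s) for s in slots))
        pos += 8 * n
    with open(path + ".tmp", "wb") as f:
        f.write(b"".join(header + records + hashed))
    os.replace(path + ".tmp", path)  # atomic swap: readers never see a partial file

def rcpt_is_valid(path, rcpt):
    key = rcpt.strip().lower().encode()
    h = cdb_hash(key)
    with open(path, "rb") as f:
        data = f.read()
    tpos, tlen = struct.unpack_from("<II", data, (h & 255) * 8)
    for step in range(tlen):
        sh, spos = struct.unpack_from("<II", data, tpos + ((h >> 8) + step) % tlen * 8)
        if spos == 0:
            return False  # an empty slot ends the probe sequence
        klen = struct.unpack_from("<I", data, spos)[0]
        if sh == h and data[spos + 8:spos + 8 + klen] == key:
            return True
    return False
```

The rebuild writes to a temporary file and renames it into place, so a rebuild triggered by a mailbox or domain change never leaves a half-written file for lookups to read.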