Re: [cobalt-users] Webmail on cobalt raq3? Advice needed
- Subject: Re: [cobalt-users] Webmail on cobalt raq3? Advice needed
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Fri May 4 14:06:01 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"BOBKA Lastname" <mychacho@xxxxxxxxx> wrote:
> My understanding of IMAP protocol is that you do have
> to create a user for the system, correct me if I'm
> wrong.
In my experience, IMAP mailboxes are accessed by system users. There may be
a way to hack IMAP to authenticate versus your own text file or database
user list, though I haven't had a need to look into this.
> Now that opens the whole world of security
> implications even if I disable telnet and ssh for
> these users.
Don't give the users shell access and turn off FTP access for the affected
sites.
> Are there any ways to not have to create
> users on the system?
Of course. You could create a catchall account for a domain and use
procmail to filter emails to separate folders based on the recipient's
address. Alternately, you could have incoming email parsed by a script
(PHP, Perl or your favorite language) and drop the email into a database,
splitting out date, sender, recipient, subject, etc. into separate fields.
There are other solutions, but you get the idea. Then your web application
will be responsible for authentication and controlling access to the
appropriate data.
> Why not just have the username in
> the database and authenticate through that?
And maybe IMAP can do that. I just have never had the need so I haven't
researched it. I do know the PHP IMAP functions let you specify the port so
you could run IMAP on a different port to prevent users from accessing it
via other methods. And the PHP IMAP functions can also access POP boxes.
If you're worried about users accessing your server, a simple method I have
used on a limited basis is to create a database that maps usernames to email
addresses. My system usernames look like d1120024 (d is server's code, 112
is site number, 00024 is user number for that site), which if I had
webmail-only users is something they could not easily guess and looks nothing
like their email alias. So I would modify the interface to a webmail program to
allow the users to input their email address and password, but after they
submit it I would have my script use the email address to look up the
matching username and use it and the supplied password to access the
mailbox.
> Does
> POP-based email also work this way (creating
> system-wide users and setting them specific
> permissions)?
Neither POP nor IMAP services create users. They simply allow users to
access email from their mailboxes. You don't need to use either service to
access email though. I've seen webmail programs that stored email in flat
files, db files and databases. My preference would be to use databases.
> The ideal situation would be to have user
> authentication/access control that is email-daemon
> based and not system-based. Any advice?
I once modified a very simple webmail program called phpop to use the method
I described above. As a PHP developer and former Perl developer I can say
it would be easy to do the same with squirrelmail, imp and any other open
source webmail program you might want to use. You could also build your own
system from scratch, but that's not an easy task. Search
http://www.freshmeat.net/, http://www.sourceforge.com/ and
http://www.cgi-resources.com/ for webmail programs and perhaps you'll find
an open source one that meets your requirements. Or perhaps someone else on
this list knows of one.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
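
The email-address-to-username lookup described in the message above, as an added example that is not part of the original post or any of the webmail programs it names. The `mail_users` table, its columns, the sample row, the password and port 1143 are assumptions made for illustration.

```php
<?php
// Added example: resolve the email address typed into the webmail form to the
// opaque system username, then authenticate to the mailbox with that username.
// Table, columns and sample data are constructed for this illustration.

function lookup_username(PDO $db, string $email): ?string
{
    // Bound parameter: the submitted address never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username FROM mail_users WHERE email = :email');
    $stmt->execute([':email' => strtolower(trim($email))]);
    $username = $stmt->fetchColumn();
    return $username === false ? null : $username;
}

function webmail_login(PDO $db, string $email, string $password, callable $openMailbox)
{
    $username = lookup_username($db, $email);
    if ($username === null) {
        // Unknown address gives the same result as a wrong password, so the
        // login form does not reveal which addresses have mailboxes.
        return false;
    }
    return $openMailbox($username, $password);
}

// Opener for a live server, using the PHP IMAP extension. Port 1143 is an
// assumed non-default port, standing in for the one suggested in the message.
$imapOpener = function (string $username, string $password) {
    return @imap_open('{localhost:1143/imap/notls}INBOX', $username, $password);
};

// --- Offline demo with constructed data (no IMAP server needed) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mail_users (email TEXT PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO mail_users VALUES ('alice@example.com', 'd1120024')");

// Stub opener that accepts one constructed username/password pair.
$stubOpener = function (string $username, string $password) {
    return $username === 'd1120024' && hash_equals('correct-horse', $password);
};

var_dump(webmail_login($db, ' Alice@Example.com', 'correct-horse', $stubOpener));
var_dump(webmail_login($db, 'alice@example.com', 'wrong-password', $stubOpener));
var_dump(webmail_login($db, "x' OR '1'='1", 'correct-horse', $stubOpener));
```

Pass `$imapOpener` instead of `$stubOpener` to authenticate against a real mailbox; the webmail user only ever sees and types the email address.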