[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Webmail
- From: Kit Halsted <kit_(_at_)_kithalsted_(_dot_)_com>
- Date: Sun, 3 Feb 2002 17:53:41 -0500
Apologies for asking a question so similar to one in the archive's
greatest hits section, but there are a lot of sysadmins on this list
whose opinions are worth listening to & this *exact* question hasn't
been asked before.
I've had clients start asking for webmail lately. I'd like to offer
this functionality, but I'd like to do it without compromising system
security & without adding a database to my server. The server does
POP3 & SMTP, I'll give my users IMAP about when hell freezes over. (I
don't need the aggravation of storing their mail on the server &
telling them how to empty their mailboxes when they hit quota.) I
looked at Endymion MailMan, but I stopped looking when I realized
their pricing was per-domain. Now I'm mostly looking at sqwebmail. I
think I can run this without compromising system security because I'm
running a virtual mail package. I'm running qmail with vpopmail,
which means I can run sqwebmail suid vpopmail instead of suid root.
Now, I'm not a security expert. What I'd like to know from this list
is whether my logic re: sqwebmail is flawed & whether anyone has a
better suggestion for webmail, or even whether the idea of webmail is
so fundamentally flawed that I just shouldn't do it. Note that I
don't care about *mail* security (they're using POP-3 already), I
only care about host security (POP-3 users do not have shells).
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
"...qui desiderat pacem, praeparet bellum"
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus