[6051] in Kerberos
AFS-aware IMAP daemon?
daemon@ATHENA.MIT.EDU (Trey Harris)
Wed Oct 25 19:05:48 1995
To: kerberos@MIT.EDU
Date: 25 Oct 1995 21:55:37 GMT
From: harris@email.unc.edu (Trey Harris)

I administer an email system with approximately 26,000 users, of which
several thousand are using IMAP. We currently run on a cluster of
workstations, but are soon to upgrade to an IBM RS/6000 parallel SP
system. At this time, we will be migrating our users to AFS.

At this time we anticipate using MIT Kerberos v4 for both AFS and SP
authentication (since both AFS and the SP are compatible with Kerberos v4
but not with each other's proprietary Kerberos). However, we may end up
using the AFS kaserver for reasons of expediency. I don't think this
changes the answer to my question, though.

My question has to do with my IMAP users. Mail spools will continue to
reside in the Unix filesystem, not AFS. Thus, as I understand it, there
is no need for an 'AFS-ized' IMAP daemon just to get at the inboxes of
users. AFS does not come into this scenario. A Kerberized daemon is
required so that the plaintext login can be authenticated to Kerberos.
However, when an IMAP client makes a request for an archived mail folder
(such as the sent or saved messages), the daemon must get this information
from the user's home directory--which resides in AFS.

Now, if we use the Cyrus imapd, a plaintext login (such as Pine,
MailDrop, Siren Mail or Simeon Email use) will cause the imap daemon to
get a Kerberos ticket.

This is where I get fuzzy, however. I believe that a Kerberos ticket is
necessary but not sufficient to grant a process access to the AFS
filespace. An AFS token is also required for a process to be able to
read and write to an AFS filesystem. Am I correct?

If so, are there any IMAP daemons out there (or any easy modifications to
existing ones) that will allow access to AFS?

--
Trey Harris http://sunsite.unc.edu/harris/
System Administrator, Project Isis, Office of Information Technology
The University of North Carolina at Chapel Hill