Date:      Mon, 19 Feb 2001 14:29:31 +0000
From:      ian j hart <ianjhart@freeloader.freeserve.co.uk>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Sendmail and Identd
Message-ID:  <3A912DCB.6F351A77@freeloader.freeserve.co.uk>
References:  <006401c09a3c$a4e28dc0$1401a8c0@tedm.placo.com>

Sorry about the length, need the context.

Ted Mittelstaedt wrote:
> 
> Ted Mittelstaedt                      tedm@toybox.placo.com
> Author of:          The FreeBSD Corporate Networker's Guide
> Book website:         http://www.freebsd-corp-net-guide.com
> 
> > -----Original Message-----
> > From: ianjhart@omega.my.domain [mailto:ianjhart@omega.my.domain]On
> > Behalf Of ian j hart
> > Sent: Sunday, February 18, 2001 4:37 PM
> > To: Ted Mittelstaedt
> > Cc: freebsd-questions@FreeBSD.ORG
> > Subject: Re: Sendmail and Identd
> >
> >
> > Ted Mittelstaedt wrote:
> > >
> > > Hi Ian,
> > >
> > >   I think you perhaps misunderstand: even if you set up
> > > IMP you STILL would have had to setup those 1500 accounts.
> >
> > Can you point me to some software? I seriously doubt I can get this past
> > the staff, but it's worth a look. Can't see anything in ports.
> >
> 
> Since you have no other solution, I don't think this is an issue of
> getting approval from the staff - this IS the _only_ option that's
> going to work in the time you have allotted.  I seriously doubt
> that the staff is going to do nothing and let the problem remain
> unsolved.  If they can think of a better solution then they are
> welcome to implement it.

See my later comments on hierarchy.

> 
> Unfortunately, while there's about 10 of these programs, none of
> them are in the ports.  I can send you instructions for building
> IMP on a FreeBSD 4.2 server, I can't guarantee they will work
> on a previous version of FreeBSD but they probably will.  But,
> you should also consider setting up a SEPARATE server just to
> implement this - the webinterface to the mailserver talks to
> the mailserver via IMAP and does not have to be actually executing
> on the mailserver itself.
> 
> > >
> > >   I also beg to differ - this is very clearly a mail client
> > > problem.
> >
> > This I know, I have bald patches to prove it.
> >
> > > As you have realized, Sendmail does not rewrite the
> > > From: address.  This is because the mail client program is
> > > in charge of correctly putting the user@whateverdomain address
> > > into the outgoing mail.  This is inherent to the SMTP protocol.
> > >
> > >   You're blaming the failure of the user's mail client program
> > > to properly create the username@whateverdomain address on the
> > > mail client program itself.  However, this is wrong, the client
> > > program is doing what it's supposed to be doing.
> >
> > Not all the time it isn't. When the users home (network) directory is
> > available their email settings are transferred to whatever workstation
> > they are sat at. This is part of my plan to make the network as
> > transparent as possible to the users. It works just like *at home*.
> >
> 
> Riiiiiggggght - I heard that from Microsoft's marketing department 4 years
> ago and I've still to see it actually work right.
> 
> > However, when the network connection fails windows SILENTLY replaces
> > these settings with some from the local hard drive. This is not what the
> > client program is supposed to be doing. AFAIK IE4 does not exhibit this
> > behavior. The new _identities_ appear to be the cause. To revert the
> > software on all the clients would take me weeks. I would have to
> > roll-out the software in one go. (Having USER.DAT files from different
> > versions doesn't strike me as a good idea.) The bottom line on this is
> > that I would have to wait until the summer break.
> >
> > So I can't fix the client. Turning off email for 4 months not an option.
> > I have to hack the server. Hobson's choice as we say.
> >
> 
> I don't see how you can do that, even with lots of hacks into the
> mailserver.  Unless the correct From address is passed from the mail client
> during the SMTP phase, there is no other way for the server to identify
> the userID of the sending SMTP connection.  This is one of these issues
> that fixing or replacing the client is the only option.

But I have an Identd server which runs on the windows clients. Sorry if
I didn't make that clear. I can run this as a service from the system
policy setup. This will not appear in the task list. A clever user might
figure out how to kill it, but I can cope with a low volume of hackers.
(I built a tool to parse the NT login file. I just compare this with the
time stamp and real host name on the mail.)

> 
> > >
> > >   If you give your users the ability to retrieve e-mail via
> > > POP3 and transmit it via SMTP then you give them the
> > > responsibility to make sure that the From address is correct.
> > > If they are unwilling or unable to do this (due either to
> > > their misunderstanding how the client program operates, or
> > > due to their logging in somewhere and allowing some mystical
> > > "thang" to change the From address) then clearly you have
> > > to either force them to use a mail client that they DO understand,
> > > or force them to use a mail client that they have no control
> > > over, and that you do.  This is what IMP is.  IMP is a mail
> > > client that runs ON THE MAILSERVER, instead of on a remote
> > > desktop, so instead of having a remote client that has unreachable
> > > settings, you have a mail client that is local to the mailserver
> > > that YOU can control.
> >
> > I see the problem more like this. When a user logs on they should get
> > their own email settings, or none at all. Not a seemingly random
> > selection. This is _my_ problem.
> 
> Then you're going to have to replace the client.  You can do it one of 3 ways
> as I see it:
> 
> 1) Replace the existing client on the desktop with a different one (Eudora,
> or an earlier version of IE or whatever)

I agree that this is the right option, but I don't have the time to
rollout the software.

> 
> 2) Replace the existing desktop-based client with a host-based client.
> Early versions of this are MUA's like Pine, but I doubt that you want to give
> Telnet access to 1500 students.  Later versions of this are webinterfaces,
> a-la Hotmail, like IMP.
> 
> 3) Modify the desktop client you have deployed to make it do different
> behavior.  Since you're a Microsoft shop, you should be able to call Microsoft
> up and pay them some money to patch the .DLL or whatever file is involved,
> right?  After all this is why you're using commercial software to begin with -
> the support, right?  Sorry if this is sounding like a taunt, but your
> administration voted Microsoft for the support - now they need the support
> and so it's Microsoft's chance to prove why commercial software is so
> much better than Open Source.

All the software is OEM - no support. But it is cheap(er) <bg> and
schools are poor in the UK.

> 
> > User misconfiguration or deliberate
> > spoofing is a different problem.
> >
> > >
> > > I also beg to differ with your statement:
> > >
> > > "...No-one checks account details every time
> > > they mail...."
> > >
> > > Guess what, _I_ do.
> >
> > You are one in a million (estimate).
> >
> > > I'm sure that any power users among
> > > your students do also.
> >
> > Not a chance. Age range is 11-17 BTW.
> >
> > > It's simple enough to do when using
> > > a mail client program like Eudora, which _does_ place the
> > > >From address IN THE MESSAGE DURING COMPOSITION unlike
> > > Microsoft Outlook which hides it.  In fact, that's another
> > > answer to your problem - because Eudora doesn't give a rat's
> > > ass about what drive you're logged into.
> >
> > I wouldn't disagree, but they want windows + IE. This is policy, I just
> > implement.
> > In any case installing Eudora would mean a full rollout.
> >
> 
> If they want Windows + IE then they have to play the commercial software
> game, which means getting on the horn with Microsoft and having them
> fix the problem.  It may be expensive, but Microsoft has convinced these
> people that Windows + IE is the way to go, so now they have to live with
> the results.  If Microsoft is so much better than Eudora, then Microsoft
> can fix it.
> 
> I think you're wasting time chasing a mirage.  Accept the fact that you
> can't fix it on the server and go forward.

If you think my checkcompat() is broken can you say how?

> It's easy enough to set up
> a webinterface to the mailserver, then deny relaying from your internal
> subnets and issue an edict that all students must use the webinterface
> for e-mail.  After all you already have the web browsers all deployed,
> so you won't have to do a rollout to all 1500 desktops.

Maybe I threw you a curve ball here. We do have 1500 users, but we only
have ~150 workstations. That's why we hot seat. Schools are somewhat
underfunded in the UK.

>  If your administration
> starts yapping about it, then tell them that they can either do it this
> way or they can call Microsoft and avail themselves of the superior
> commercial software support that Microsoft's marketing department is always
> yapping about, and get a patch issued for the new mail clients.

Hierarchy: They are Gods, I am the office cat. In fact I am THE
technician. I wear all the hats, from network coordinator to bottle
washer. I suspect your experience of schools is vastly different to that
of the UK.

> 
> In the long run you're going to be better off because future rollouts on
> the desktops won't bugger the mailserver.  Your students will be better
> off because they can go anywhere, such as home or a local Cafe or library
> that has a web browser, and access their e-mail.  It also neatly solves
> problems like Macintoshes and OS/2 systems being unable to use the
> mail system.  In short, this is something that you should have done a
> long time ago.

Our history of even IntrAnet access is only three months. We are a
decade behind over here. :( I could go into the history, but I don't
want to rant.

This is a private mail hub fed through a firewall. There are NO dialins.

> 
> > >
> > > Ted Mittelstaedt                      tedm@toybox.placo.com
> > > Author of:          The FreeBSD Corporate Networker's Guide
> > > Book website:         http://www.freebsd-corp-net-guide.com
> > >
> > > > -----Original Message-----
> > > > From: ianjhart@omega.my.domain [mailto:ianjhart@omega.my.domain]On
> > > > Behalf Of ian j hart
> > > > Sent: Sunday, February 18, 2001 11:10 AM
> > > > To: Ted Mittelstaedt
> > > > Cc: freebsd-questions@FreeBSD.ORG
> > > > Subject: Re: Sendmail and Identd
> > > >
> > > >
> > > > Ted Mittelstaedt wrote:
> > > > >
> > > > > What about installing IMP or other webinterface and forcing the
> > > > > students that aren't savvy enough to know how to use their
> > > > > mail client properly to use that instead?  This allows you to
> > > > > centralize all administration on the mail clients to in effect
> > > > > the central mailserver, and in addition allows the students to
> > > > > check mail from any browser.
> > > > >
> > > > > Ted Mittelstaedt                      tedm@toybox.placo.com
> > > > > Author of:          The FreeBSD Corporate Networker's Guide
> > > > > Book website:         http://www.freebsd-corp-net-guide.com
> > > >
> > > > [snip original message]
> > > >
> > > > Thanks for your reply, but... :)
> > > >
> > > > I only installed Internet access and mail just before Xmas. We've just
> > > > spent a half-term getting (1500) user accounts setup. I would not be a
> > > > very popular guy if I changed track at this point.
> > > >
> > > > The problem is not with 'savvy'. It's a _feature_. You log on and send
> > > > some mail. If the network drive with your profile is not available you
> > > > get the default user settings. (No-one checks account details every time
> > > > they mail). The mail goes out with a random user's return address.
> > > > Sendmail only checks the hostname, which is correct (and masqueraded
> > > > anyway). The only clue that this is happening is when you read mail and
> > > > the prompted account name is not your own. God bless Bill Gates.
> > > >
> > > > --
> > > > ian j hart
> > > > ICT Technician.
> > > > Cardinal Newman School.
> > > >
> >
> > --
> > ian j hart
> > ICT Technician
> > Cardinal Newman School
> >
-- 
ian j hart
ICT Technician
Cardinal Newman School
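One way to do the correlation Ian describes above (the IDENT-reported user and the NT logon record checked against the envelope sender), as an added example that is not code from this thread or from anyone on it: a Python script run over constructed sendmail log lines and constructed logon records. The log format follows sendmail's `from=` record, where the `relay=` field carries the IDENT-reported user before `@` when the client answers the ident query; the logon-record tuple shape, the hostnames, users, addresses and the year 2001 (syslog lines carry no year) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample sendmail log lines (not from the thread). When the client
# answers an IDENT query, sendmail logs the reported user before '@' in the
# relay= field; otherwise relay= carries only the host and address.
SAMPLE_MAILLOG = """\
Feb 19 14:01:12 mailhub sendmail[2011]: f1JE1Ca02011: from=<alice@school.example>, size=612, class=0, nrcpts=1, msgid=<1@ws12.school.example>, proto=SMTP, daemon=MTA, relay=alice@ws12.school.example [10.0.0.12]
Feb 19 14:05:40 mailhub sendmail[2015]: f1JE5ea02015: from=<carol@school.example>, size=880, class=0, nrcpts=1, msgid=<2@ws07.school.example>, proto=SMTP, daemon=MTA, relay=bob@ws07.school.example [10.0.0.7]
Feb 19 14:09:03 mailhub sendmail[2019]: f1JE93a02019: from=<dave@school.example>, size=430, class=0, nrcpts=1, msgid=<3@ws03.school.example>, proto=SMTP, daemon=MTA, relay=ws03.school.example [10.0.0.3]
"""

# Constructed logon records in the shape a tool parsing the NT logon log
# might produce (assumed): (user, workstation, logon time, logoff time).
SAMPLE_LOGINS = [
    ("alice", "ws12.school.example", "2001-02-19 13:55:00", "2001-02-19 14:30:00"),
    ("bob",   "ws07.school.example", "2001-02-19 14:00:00", "2001-02-19 14:45:00"),
    ("erin",  "ws03.school.example", "2001-02-19 14:00:00", "2001-02-19 14:20:00"),
]

# Matches the from= record; the ident group is absent when the client gave no reply.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?"
    r"relay=(?:(?P<ident>[^@\s]+)@)?(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)

def parse_maillog(text, year=2001):
    """Return one dict per from= record. Syslog lines carry no year, so the
    caller supplies it (2001 here, matching the constructed sample)."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # to= delivery records and other lines are not sender events
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        entries.append({"qid": m["qid"], "sender": m["sender"], "ident": m["ident"],
                        "host": m["host"], "ip": m["ip"], "when": when})
    return entries

def logged_on_user(logins, host, when):
    """User whose logon session on `host` covers `when`, or None if nobody was on."""
    fmt = "%Y-%m-%d %H:%M:%S"
    for user, ws, start, end in logins:
        if ws == host and datetime.strptime(start, fmt) <= when <= datetime.strptime(end, fmt):
            return user
    return None

def audit_sender(entry, logins):
    """List the reasons the envelope sender does not match who actually sent it.
    An empty list means both the ident reply and the logon record agree."""
    problems = []
    local = entry["sender"].split("@")[0]
    if entry["ident"] is None:
        problems.append("no ident reply from client")
    elif entry["ident"] != local:
        problems.append(f"ident user {entry['ident']!r} != sender {local!r}")
    user = logged_on_user(logins, entry["host"], entry["when"])
    if user is None:
        problems.append("no logon session on host at that time")
    elif user != local:
        problems.append(f"logged-on user {user!r} != sender {local!r}")
    return problems

def audit_maillog(text, logins, year=2001):
    """Run the audit over a whole log; each result carries the queue id for follow-up."""
    return [{"qid": e["qid"], "sender": e["sender"], "host": e["host"],
             "problems": audit_sender(e, logins)}
            for e in parse_maillog(text, year)]

if __name__ == "__main__":
    for r in audit_maillog(SAMPLE_MAILLOG, SAMPLE_LOGINS):
        status = "ok" if not r["problems"] else "; ".join(r["problems"])
        print(f"{r['qid']} from=<{r['sender']}> via {r['host']}: {status}")
```

The second sample line is the case the thread is about: the workstation's profile did not load, so the envelope sender is another user's address while both the ident reply and the logon record name the person actually sat at the machine. The third line shows the limit of the approach: a client that does not answer ident leaves only the logon record to go on, which is why the script reports the missing ident reply as a finding in its own right rather than silently treating it as a match.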





