[Mailwatch-devel] contributed "luser" interface

[Furnish, T. G <TGF...@he...>]

A prototype (ie something of an experimental and unfinished nature)
interface to mailwatch for non-administrative users has been added to cvs
under the luser subdirectory.

This interface is meant to let a single, non-administrative user see the
list of messages sent to or from his email address.  Email addresses are
used for authentication, with randomly generated passwords.  The interface
is deliberately simple and leaves out lots of nice features (for now).
Please feel free to try it out and please let me know if you have problems.
Corrections and improvements welcome.

If you like it, the good stuff all comes from Steve's original mailwatch
files.  Any bad stuff you find is undoubtedly my fault. :-)

The readme section of the INSTALL file is below.

--
Trever

=============================================================
Please read:

This is meant to provide a non-administrative, single-email-address
interface to the MailWatch database -- and only a SIMPLE one
at that.

In particular, this interface has no support for searching, no
way to let a user view a detail page for a message, and no way
for a user to release a message from quarantine or to run sa-learn.
Those features *will* be added later.

So what is this good for then, you may be asking...

It's good for letting a user determine whether a message they
never received was blocked by MailScanner.  That was my original
primary objective, since at my site we don't notify senders
OR recipients when a message is blocked - it just goes into the
quarantine, where it sits for a few days till it's deleted.  In
such a set-up the only other way for a user to figure out that
mailscanner blocked a message is to ask the email admin to check
on it for him.

Requirements:

If you have mailwatch working, then you ought to be able to get
this working.  You'll have to add a "lusers" table to the
mailscanner database to hold "lusernames" (described below).

Authentication:

For "luser" authentication, a new table, "lusers", is created
in the mailscanner database.  Lusernames are actually email
addresses and passwords are pseudo-randomly generated.  There
is no provision for letting a user set their own password,
although they can get a new random password at any time.

There is no provision for intergrating the authentication
with another user database, such as Active Directory or the
/etc/passwd file.  That's intentional - everything's a whole
lot simpler (and safer) if access restrictions are based only
on the email address in question.

A user initially connects to the login page and then clicks on
"create an account", which prompts him for his email address.
A message containing a random password is sent to that email
address.  If they user doesn't own the address, they never get
the password.

A note about "random" passwords:

With the routine included for generating passwords, the resulting
passwords are more likely to be easy to remember than they would
be if they were truely random.  We use patterns to produce
"pronounceable" passwords.  Sometimes however some passwords
might raise an eyebrow or too - there's nothing that can be
done to prevent that, but just be aware of it.  For example, if
the president of your company gets his password randomly set
to "m0ron12" and takes it personally... well, I doubt he'll
forget it, and that's the whole point. ;^)