Blame Manuals/Tcpi-ug/Configurations/Dialup/usage.docbook

d46962
<sect1 id="configurations-dialup-usage">
d46962
d46962
    <title>Usage Convenctions</title>
d46962
d46962
    <para>
d46962
        The infrastructure described in this chapter uses the
d46962
        client/server model to provide a public mail service through
d46962
        the telephone line. In this configuration, we (the poeple
d46962
        building the infrastructure) provide the information you (the
d46962
        person using the infrastructure) need to know in order to
d46962
        establish a point-to-point connection from your client
d46962
        computer to the server computer through the telephone line.
d46962
    </para>
d46962
d46962
    <para>
d46962
        The infrastructure described in this chapter is made available
d46962
        to you free of charge, however, you should know that
d46962
        maintaining it costs both money and time. For example, for
d46962
        each hour the server computer is on production there is an
d46962
        electrical consume that need to be paid every month.
d46962
        Likewise, each call that you establish from your client
d46962
        computer to the server computer will cost you money, based on
d46962
        the location you made the call from and the time you spend
d46962
        connected.
d46962
    </para>
d46962
d46962
    <para>
d46962
        In this section we discuss usage convenctions we all must be
d46962
        agree with, in order to achieve a practical and secure
d46962
        interchange system.
d46962
    </para>
d46962
d46962
    <sect2 id="configurations-dialup-usage-conn">
d46962
    <title>Establishing Dial-Up Connections</title>
d46962
d46962
    <para>
d46962
        To establish a dial-up connection to the server computer you
d46962
        need to install and configure a Modem device in your client
d46962
        computer.  Each operating system has its own way of doing
269239
        this, but if you are using &TC;;, you can use the
d46962
        <command>wvdialconf</command> and
d46962
        <command>system-config-network</command> commands, as
d46962
        described in <xref linkend="configurations-dialup-modem" />.
d46962
    </para>
d46962
d46962
    <para>
269239
        In the configuration process you need to enter the following
269239
        information:
d46962
    </para>
d46962
269239
<screen>
269239
 ISP Name: server.example.com
269239
ISP Phone: +53043515094
269239
 Username: client.example.com
269239
 Password: mail4u
269239
</screen>
269239
d46962
    </sect2>
d46962
d46962
    <sect2 id="configurations-dialup-usage-connlimits">
269239
    <title>Administering Dial-Up Connections</title>
d46962
d46962
    <para>
269239
        The lifetime of dial-up connections must be limitted based on
269239
        the number of users you expect to establish connection and the
269239
        kind of services you plan to provide. Using the information
269239
        described in <xref linkend="configurations-dialup-server" />
269239
        as reference, the lifetime of dial-up connections will be 15
269239
        minutes from the moment they were established on. Likewise,
269239
        once the connection has been established, if the link is idle
269239
        for 1 minute, the server computer will close the connection to
269239
        free the telephone line for others to use.
d46962
    </para>
d46962
d46962
    <para>
269239
        The number of consecutive connections realized from the same
269239
        telephone number in a fixed period of time must be also
269239
        controlled in order to reduce Denial of Service (DoS) attacks.
269239
        This way, you can consider an environment where: more than 3
269239
        consecutive connections (that last 15 or less minutes each)
269239
        from the same telephone number in a time range of 60 minutes
269239
        will be taken as a DoS attack from the client computer.  In
269239
        such cases, once the client computer is disconnected from
269239
        server computer, the telephone number originating the call
269239
        won't be able to establish any further connection to the
269239
        server computer in the next 15 minutes since the last it was
269239
        disconnected on.
d46962
    </para>
d46962
d46962
    <note>
d46962
    <para>
d46962
        In order to achieve an acceptable degree of efficiency when
269239
        controlling consecutive connections from the same telephone
269239
        number, it is required that both the client's telephone number
269239
        and connection times (e.g., when the connection was opened,
269239
        and when it was closed) be registered somehow in the server
d46962
        computer (e.g., Is it on pppd's log file?). Without such
d46962
        information it would be very difficult to achieve any
d46962
        prevention against DoS attacks originated from incoming calls.
d46962
    </para>
d46962
    </note>
269239
269239
    <para>
269239
        Another issue to consider here is that, in order to realize
269239
        any control over incoming telephone calls, it is required that
269239
        the client computer realizes a telepohne call into the server
269239
        computer to provide the telephone number information and that
269239
        certainly occupies the telephone line until the access control
269239
        actions take place. This could be used by evil users to
269239
        generate DoS attacks (e.g., by configuring a client computer
269239
        to redial the server computer telephone number forever), since
269239
        there is no way to control access at a Modem level without
269239
        occupying the telephone line for a few seconds at least. The
269239
        only change legitimate users have against such evil users'
269239
        attacks would be establish connection before them (e.g., in
269239
        the exact range of time between disconnection and redial).
269239
    </para>
d46962
    </sect2>
d46962
d46962
    <sect2 id="configurations-dialup-usage-users">
d46962
    <title>Administering User Profiles</title>
d46962
d46962
    <para>
d46962
        In order for a you to use any service provided by the server
d46962
        computer it is required that you get registered a user profile
d46962
        first. The user profile provides the user information required
d46962
        by services inside the server computer (e.g., username,
269239
        password, e-mail address, telephone number, etc.). To register
269239
        new user profiles, you need to use the web application
269239
        provided by the server computer. For example, assuming the
269239
        domain name of the server computer is 
d46962
        class="domainname">example.com</systemitem>, the URL of the
d46962
        web application would be: 
d46962
        url="https://example.com/people/?action=register" />.
d46962
    </para>
d46962
    
d46962
    <para>
d46962
        To reach the web interface, the first thing you need to do is
d46962
        establishing a dial-up connection to the server computer as
d46962
        described in 
d46962
        linkend="configurations-dialup-usage-conn"/>. Once the dial-up
d46962
        connection has been established, you need to open a web
d46962
        browser (e.g., Firefox) and put the URL mentioned above in the
d46962
        address space, and press Enter to go. This will present you a
d46962
        list of instructions that will guide you through the
d46962
        self-registration process. Other actions like updating or
d46962
        deleting your user profile can be also achieved from this web
d46962
        interface.
d46962
    </para>
d46962
d46962
    <important>
d46962
    <para>
d46962
        The web interface used to manage user profiles inside the
d46962
        server computer must be presented over an encrypted session in
d46962
        order to protect all the information passing through.
d46962
    </para>
d46962
    </important>
d46962
d46962
    <para>
d46962
        Inside the server computer, all related subsystems in need of
d46962
        user information (e.g., Postix, Cyrus-Imapd and Saslauthd)
d46962
        retrive user information from one single (LDAP) source. The
d46962
        web application provided by the server computer manages all
d46962
        these subsystems' configuration files in order to provide a
d46962
        pleasant experience for end users.  The web interface must be
d46962
        as simple as possible in order to achieve all administration
d46962
        tasks in the range of time permitted by the server computer
d46962
        before it closes the connection established from the client
d46962
        computer.
d46962
    </para>
d46962
d46962
    <para>
d46962
        More information about the web interface you need to use to
d46962
        manage your user profile inside the server computer can be
d46962
        found in <xref linkend="administration-mail" />.
d46962
    </para>
d46962
d46962
    </sect2>
d46962
d46962
    <sect2 id="configurations-dialup-usage-scope">
d46962
    <title>Determining Information Scope</title>
d46962
d46962
    <para>
d46962
        The information generated inside the server computer is
d46962
        isolated from Internet. This way, any information generated
d46962
        inside the server computer will be available only to people
d46962
        registered inside the server computer. For example, don't ever
d46962
        expect to send/receive e-mails to/from Internet e-mail
d46962
        accounts like Gmail or Yahoo, nor visiting web sites like
d46962
        <ulink url="http://www.google.com/">Google</ulink> or 
d46962
        url="http://www.wikipedia.org/">Wikipedia</ulink> either. For
d46962
        this to happen, it is required an established connection
d46962
        between the server computer we are configuring and the
d46962
        Internet network we want those services in, but such
d46962
        established connection isn't possible in the current
d46962
        environment.
d46962
    </para>
d46962
    </sect2>
d46962
d46962
    <sect2 id="configurations-dialup-usage-services">
d46962
    <title>Determining Provided Services</title>
d46962
d46962
    <para>
d46962
        The implementation of services that required persistent
d46962
        connections (e.g., <application>chats</application>) will not
d46962
        be considered as a practical offer inside the server computer.
d46962
        Instead, only asynchronous services (e.g.,
d46962
        <application>e-mail</application>) will be supported. This
d46962
        restriction is required to reduce the amount time demanded by
d46962
        services. For example, consider an environment where you
d46962
        connect to the server computer for sending/receiving e-mails
d46962
        messages and then quickly disconnect from it to free the
d46962
        telephone line for others to use.  In this environment, there
d46962
        is no need for you and other person to be both connected at
d46962
        the same time to send/receive e-mail messages to/from each
d46962
        other.  The e-mails sent from other person to you will be
d46962
        available in your mailbox the next time you get connected to
d46962
        the server computer and use your e-mail client to send/receive
d46962
        e-mail messages.  Likewise, you don't need to be connected to
d46962
        the server computer in order to write your e-mail messages.
d46962
        You can write down your messages off-line and then establish
d46962
        connection once you've finished writing, just to send them
d46962
        out and receive new messages that could have been probably
d46962
        sent to you.
d46962
    </para>
d46962
d46962
    <para>
d46962
        Another issue related to e-mail exchange is the protocol used
d46962
        to receive messages. Presently, there are two popular ways to
d46962
        do this, one is through IMAP and another through POP3.  When
d46962
        you use IMAP protocol, e-mail messages are retained in the
d46962
        server computer and aren't downloaded to client computer.
d46962
        Otherwise, when you use POP3 protocol, e-mail messages are
d46962
        downloaded to the client computer and removed from server
d46962
        computer. Based on the resources we have and the kind of link
d46962
        used by the client computer to connect the server computer,
d46962
        using POP3 is prefered than IMAP. However both are made
d46962
        available.
d46962
    </para>
d46962
d46962
    <para>
d46962
        Assuming you use IMAP protocol to read your mailbox, be aware
d46962
        that you need to be connected to the server computer.  Once
d46962
        the connection is lost you won't be able to read your messages
d46962
        (unless your e-mail client possesses a feature that let you
d46962
        reading messages off-line). Morover, you run the risk of get
d46962
        your mailbox out of space. If your mailbox gets out of space,
d46962
        new messages sent to you will not be deliver to your mailbox.
d46962
        Instead, they will be deferred for about 5 days hoping you
d46962
        free the space in your mailbox to deliver them. If you don't
d46962
        free space within this period of time, e-mail messages sent to
d46962
        you will be bounced back to their senders.
d46962
    </para>
d46962
d46962
    <para>
d46962
        Otherwise, if you use POP3 protocol to read your mailbox, you
d46962
        always keep your mailbox free to receive new e-mails messages
d46962
        and keep them for you until the next time you establish
d46962
        connection with the server computer and download them to your
d46962
        client computer using your e-mail client.
d46962
    </para>
d46962
    </sect2>
d46962
d46962
    <sect2 id="configuration-dialup-usage-diskspace">
d46962
    <title>Determining Disk Space Usage</title>
d46962
d46962
    <para>
d46962
        Assuming you are providing a public service, it is required to
d46962
        limit the maximum number of users registered inside the server
d46962
        computer, based on the maximum disk space the server computer
d46962
        confines to such purpose. For example, consider an environment
d46962
        where users can get registered themselves using a web
d46962
        interface which requires the web application to know how much
d46962
        free space is available before proceeding to register new mail
d46962
        accounts inside the server computer; this, to prevent user
d46962
        registrations when there isn't enough free space to perform a
d46962
        new user registration.  Considering the computer server has
d46962
        confined 5GB of disk space to handle the mail service (e.g.,
d46962
        mail queues, mailboxes, etc.), if we set 10MB for each user
d46962
        account, it will be possible to provide self-registration
d46962
        through the web interface for 500 users in total.
d46962
    </para>
d46962
d46962
    <para>
d46962
        Another measure related to disk space saving might be to
d46962
        remove unused user accounts and their related files (e.g.,
d46962
        mailboxes) from the server computer. For example, consider an
d46962
        environment where user accounts are automatically removed from
d46962
        the server computer when they don't establish a connection
d46962
        with the server computer in a period greater than 7 days since
d46962
        the last valid connection established to the server computer.
d46962
        Once the user account is removed, it is no longer functional
d46962
        of course, and the person whom lost the account will need to
d46962
        create a new one, assuming it want to have access back to the
d46962
        mail service inside the server computer.
d46962
    </para>
d46962
d46962
    </sect2>
d46962
        
d46962
</sect1>