<sect1 id="configurations-dialup-usage">

  <title>Usage Conventions</title>

  <para>
    The infrastructure described in this chapter uses the
    client/server model to provide a public mail service through
    the telephone line. In this configuration, we (the people
    building the infrastructure) provide the information you (the
    person using the infrastructure) need to know in order to
    establish a point-to-point connection from your client
    computer to the server computer through the telephone line.
  </para>

  <para>
    The infrastructure described in this chapter is made available
    to you free of charge; however, you should know that
    maintaining it costs both money and time. For example, for
    each hour the server computer is in production there is an
    electricity consumption that must be paid for every month.
    Likewise, each call that you establish from your client
    computer to the server computer will cost you money, based on
    the location you make the call from and the time you spend
    connected.
  </para>

  <para>
    In this section we discuss the usage conventions we all must
    agree on in order to achieve a practical and secure
    interchange system.
  </para>

  <sect2 id="configurations-dialup-usage-conn">
    <title>Establishing Dial-Up Connections</title>

    <para>
      To establish a dial-up connection to the server computer you
      need to install and configure a modem device in your client
      computer. Each operating system has its own way of doing
      this, but if you are using &TC;, you can use the
      <command>wvdialconf</command> and
      <command>system-config-network</command> commands, as
      described in <xref linkend="configurations-dialup-modem" />.
    </para>

    <para>
      In the configuration process you need to enter the following
      information:
    </para>

<screen>
ISP Name: server.example.com
ISP Phone: +53043515094
Username: client.example.com
Password: mail4u
</screen>

  </sect2>

  <sect2 id="configurations-dialup-usage-connlimits">
    <title>Administering Dial-Up Connections</title>

    <para>
      The lifetime of dial-up connections must be limited based on
      the number of users you expect to establish connections and the
      kind of services you plan to provide. Using the information
      described in <xref linkend="configurations-dialup-server" />
      as reference, the lifetime of dial-up connections will be 15
      minutes from the moment they are established. Likewise,
      once the connection has been established, if the link is idle
      for 1 minute, the server computer will close the connection to
      free the telephone line for others to use.
    </para>

    <para>
      The number of consecutive connections made from the same
      telephone number in a fixed period of time must also be
      controlled in order to reduce Denial of Service (DoS) attacks.
      For example, consider an environment where more than 3
      consecutive connections (lasting 15 minutes or less each)
      from the same telephone number within a range of 60 minutes
      are taken as a DoS attack from the client computer. In
      such cases, once the client computer is disconnected from the
      server computer, the telephone number originating the call
      won't be able to establish any further connection to the
      server computer for the next 15 minutes after the last
      disconnection.
    </para>

    <note>
      <para>
        In order to achieve an acceptable degree of efficiency when
        controlling consecutive connections from the same telephone
        number, it is required that both the client's telephone number
        and connection times (e.g., when the connection was opened
        and when it was closed) be registered somehow in the server
        computer (e.g., is it in pppd's log file?). Without such
        information it would be very difficult to achieve any
        prevention against DoS attacks originating from incoming calls.
      </para>
    </note>

    <para>
      Another issue to consider here is that, in order to exercise
      any control over incoming telephone calls, the client computer
      must place a telephone call to the server computer to provide
      the telephone number information, and that
      certainly occupies the telephone line until the access control
      actions take place. This could be used by evil users to
      generate DoS attacks (e.g., by configuring a client computer
      to redial the server computer's telephone number forever), since
      there is no way to control access at the modem level without
      occupying the telephone line for at least a few seconds. The
      only chance legitimate users have against such evil users'
      attacks would be to establish a connection before them (e.g., in
      the exact range of time between disconnection and redial).
    </para>
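The two rules above (the 15-minute lifetime with a 1-minute idle cut-off, and the "more than 3 calls in 60 minutes means a 15-minute refusal" rule) can be checked mechanically once the server keeps the per-call record the note asks for. The following is an added example written for this section, not code from the handbook or its server: it assumes a constructed record format of calling number, connect time and disconnect time (not pppd's real log format), reads "consecutive connections" as calls from one number whose connect times fall within a single 60-minute window, and counts the refusal period from the last disconnection of that run.

```python
from datetime import datetime, timedelta

# Policy values taken from the text above.
MAX_LIFETIME = timedelta(minutes=15)   # a connection is dropped after 15 minutes
IDLE_LIMIT = timedelta(minutes=1)      # ... or after 1 minute without traffic
MAX_CALLS = 3                          # more than 3 calls in WINDOW is treated as DoS
WINDOW = timedelta(minutes=60)
BLOCK_FOR = timedelta(minutes=15)      # refuse the number for 15 minutes afterwards

# Constructed sample of the per-call record the note says the server must keep:
# "<calling number> <connect time> <disconnect time>". This format is an
# assumption for the example, not pppd's actual log format.
SAMPLE_LOG = """\
+53043515001 2010-05-01T09:00:00 2010-05-01T09:10:00
+53043515001 2010-05-01T09:12:00 2010-05-01T09:20:00
+53043515002 2010-05-01T09:21:00 2010-05-01T09:25:00
+53043515001 2010-05-01T09:26:00 2010-05-01T09:30:00
+53043515001 2010-05-01T09:31:00 2010-05-01T09:33:00
"""


def at(stamp):
    """Parse an ISO 8601 timestamp (helper used by the sample and the checks)."""
    return datetime.fromisoformat(stamp)


def parse_log(text):
    """Turn the record text into (number, connected, disconnected) tuples."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, start, end = line.split()
        calls.append((number, at(start), at(end)))
    return calls


def should_drop(connected_at, last_activity_at, now):
    """Lifetime rule: drop the link after MAX_LIFETIME or after IDLE_LIMIT idle."""
    return (now - connected_at >= MAX_LIFETIME
            or now - last_activity_at >= IDLE_LIMIT)


def blocked_until(calls, number):
    """Rate rule: return the time until which `number` is refused, or None.

    "Consecutive connections" is read here as calls from the same number whose
    connect times fall within one WINDOW; more than MAX_CALLS of them (each
    lasting MAX_LIFETIME or less, as the text says) is treated as a DoS attempt
    and the number is refused for BLOCK_FOR after the run's last disconnection.
    """
    own = sorted((s, e) for n, s, e in calls
                 if n == number and e - s <= MAX_LIFETIME)
    latest = None
    for i, (first_start, _) in enumerate(own):
        run = [c for c in own[i:] if c[0] - first_start <= WINDOW]
        if len(run) > MAX_CALLS:
            candidate = max(e for _, e in run) + BLOCK_FOR
            if latest is None or candidate > latest:
                latest = candidate
    return latest


def may_connect(calls, number, now):
    """Admission decision for an incoming call from `number` at time `now`."""
    until = blocked_until(calls, number)
    return until is None or now >= until


if __name__ == "__main__":
    calls = parse_log(SAMPLE_LOG)
    for number in ("+53043515001", "+53043515002"):
        print(number, "blocked until", blocked_until(calls, number))
```

In the sample, the first number places four short calls between 09:00 and 09:33, so it is refused until 09:48, while the second number, with a single call, is admitted. The admission check can only run after the caller's number is known, which, as the next paragraph explains, already costs a few seconds of line time per attempt.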
  </sect2>

  <sect2 id="configurations-dialup-usage-users">
    <title>Administering User Profiles</title>

    <para>
      In order for you to use any service provided by the server
      computer it is required that you get a user profile registered
      first. The user profile provides the user information required
      by services inside the server computer (e.g., username,
      password, e-mail address, telephone number, etc.). To register
      new user profiles, you need to use the web application
      provided by the server computer. For example, assuming the
      domain name of the server computer is <systemitem
      class="domainname">example.com</systemitem>, the URL of the
      web application would be: <ulink
      url="https://example.com/people/?action=register" />.
    </para>

    <para>
      To reach the web interface, the first thing you need to do is
      to establish a dial-up connection to the server computer as
      described in <xref
      linkend="configurations-dialup-usage-conn"/>. Once the dial-up
      connection has been established, you need to open a web
      browser (e.g., Firefox), type the URL mentioned above in the
      address bar, and press Enter to go. This will present you with a
      list of instructions that will guide you through the
      self-registration process. Other actions like updating or
      deleting your user profile can also be achieved from this web
      interface.
    </para>

    <important>
      <para>
        The web interface used to manage user profiles inside the
        server computer must be presented over an encrypted session in
        order to protect all the information passing through it.
      </para>
    </important>

    <para>
      Inside the server computer, all related subsystems in need of
      user information (e.g., Postfix, Cyrus-Imapd and Saslauthd)
      retrieve user information from one single (LDAP) source. The
      web application provided by the server computer manages all
      these subsystems' configuration files in order to provide a
      pleasant experience for end users. The web interface must be
      as simple as possible in order to achieve all administration
      tasks in the range of time permitted by the server computer
      before it closes the connection established from the client
      computer.
    </para>

    <para>
      More information about the web interface you need to use to
      manage your user profile inside the server computer can be
      found in <xref linkend="administration-mail" />.
    </para>

  </sect2>

  <sect2 id="configurations-dialup-usage-scope">
    <title>Determining Information Scope</title>

    <para>
      The information generated inside the server computer is
      isolated from the Internet. This way, any information generated
      inside the server computer will be available only to people
      registered inside the server computer. For example, don't ever
      expect to send/receive e-mails to/from Internet e-mail
      accounts like Gmail or Yahoo, nor to visit web sites like
      <ulink url="http://www.google.com/">Google</ulink> or <ulink
      url="http://www.wikipedia.org/">Wikipedia</ulink> either. For
      this to happen, an established connection is required
      between the server computer we are configuring and the
      Internet network we want those services in, but such an
      established connection isn't possible in the current
      environment.
    </para>
  </sect2>

  <sect2 id="configurations-dialup-usage-services">
    <title>Determining Provided Services</title>

    <para>
      The implementation of services that require persistent
      connections (e.g., <application>chats</application>) will not
      be considered as a practical offer inside the server computer.
      Instead, only asynchronous services (e.g.,
      <application>e-mail</application>) will be supported. This
      restriction is required to reduce the amount of time demanded by
      services. For example, consider an environment where you
      connect to the server computer to send and receive e-mail
      messages and then quickly disconnect from it to free the
      telephone line for others to use. In this environment, there
      is no need for you and another person to both be connected at
      the same time to send/receive e-mail messages to/from each
      other. The e-mails sent from another person to you will be
      available in your mailbox the next time you connect to
      the server computer and use your e-mail client to send/receive
      e-mail messages. Likewise, you don't need to be connected to
      the server computer in order to write your e-mail messages.
      You can write your messages off-line and then establish a
      connection once you've finished writing, just to send them
      out and receive any new messages that may have been
      sent to you.
    </para>

    <para>
      Another issue related to e-mail exchange is the protocol used
      to receive messages. Presently, there are two popular ways to
      do this, one through IMAP and another through POP3. When
      you use the IMAP protocol, e-mail messages are retained in the
      server computer and aren't downloaded to the client computer.
      On the other hand, when you use the POP3 protocol, e-mail
      messages are downloaded to the client computer and removed
      from the server computer. Based on the resources we have and
      the kind of link used by the client computer to connect to the
      server computer, using POP3 is preferred over IMAP. However,
      both are made available.
    </para>

    <para>
      Assuming you use the IMAP protocol to read your mailbox, be aware
      that you need to be connected to the server computer. Once
      the connection is lost you won't be able to read your messages
      (unless your e-mail client possesses a feature that lets you
      read messages off-line). Moreover, you run the risk of running
      your mailbox out of space. If your mailbox runs out of space,
      new messages sent to you will not be delivered to your mailbox.
      Instead, they will be deferred for about 5 days in the hope that
      you free space in your mailbox so they can be delivered. If you
      don't free space within this period of time, e-mail messages
      sent to you will be bounced back to their senders.
    </para>

    <para>
      On the other hand, if you use the POP3 protocol to read your
      mailbox, your mailbox always stays free to receive new e-mail
      messages and keeps them for you until the next time you
      establish a connection with the server computer and download
      them to your client computer using your e-mail client.
    </para>
  </sect2>

  <sect2 id="configuration-dialup-usage-diskspace">
    <title>Determining Disk Space Usage</title>

    <para>
      Assuming you are providing a public service, it is required to
      limit the maximum number of users registered inside the server
      computer, based on the maximum disk space the server computer
      devotes to that purpose. For example, consider an environment
      where users can register themselves using a web
      interface, which requires the web application to know how much
      free space is available before proceeding to register new mail
      accounts inside the server computer; this, to prevent user
      registrations when there isn't enough free space to perform a
      new user registration. Considering the server computer has
      devoted 5GB of disk space to handle the mail service (e.g.,
      mail queues, mailboxes, etc.), if we set 10MB for each user
      account, it will be possible to provide self-registration
      through the web interface for 500 users in total.
    </para>

    <para>
      Another measure related to saving disk space might be to
      remove unused user accounts and their related files (e.g.,
      mailboxes) from the server computer. For example, consider an
      environment where user accounts are automatically removed from
      the server computer when they don't establish a connection
      with the server computer in a period greater than 7 days since
      the last valid connection established to the server computer.
      Once the user account is removed, it is no longer functional,
      of course, and the person who lost the account will need to
      create a new one, assuming they want to have access back to the
      mail service inside the server computer.
    </para>
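The two disk-space rules in this section, the registration limit derived from the 5GB devoted to mail and the 10MB per account, and the removal of accounts idle for more than 7 days, are shown below as one admission-and-expiry routine. This is an added example, not the handbook's web application: it assumes the account registry is a list of records carrying a username and the time of the last valid connection (constructed sample data), uses decimal units so that 5GB / 10MB gives the 500 users stated above, and adds a second bound, the free space the filesystem actually reports, because mail queues share the same space and a bare account count would let registrations proceed onto a full disk.

```python
from datetime import datetime, timedelta

# Figures from the text above (decimal units, so that 5GB / 10MB = 500 users).
MAIL_SPACE_BYTES = 5_000_000_000   # disk space devoted to the mail service
USER_QUOTA_BYTES = 10_000_000      # space reserved per user account
INACTIVITY_LIMIT = timedelta(days=7)

# Constructed sample of the registry the web application would consult:
# username and the time of the last valid connection to the server computer.
SAMPLE_ACCOUNTS = [
    {"username": "alice", "last_connection": datetime(2010, 5, 1, 9, 0)},
    {"username": "bob", "last_connection": datetime(2010, 4, 20, 18, 30)},
    {"username": "carol", "last_connection": datetime(2010, 4, 24, 12, 0)},
]


def at(stamp):
    """Parse an ISO 8601 timestamp (helper for the checks below)."""
    return datetime.fromisoformat(stamp)


def planned_capacity():
    """Maximum number of accounts the devoted disk space allows (500 here)."""
    return MAIL_SPACE_BYTES // USER_QUOTA_BYTES


def free_slots(accounts, free_space_bytes):
    """Accounts that can still be registered.

    Bounded by the planned capacity *and* by the free space the filesystem
    actually reports (an assumption added for this example): queues and
    mailboxes share the space, so a count alone is not a safe admission test.
    """
    by_plan = planned_capacity() - len(accounts)
    by_space = free_space_bytes // USER_QUOTA_BYTES
    return max(0, min(by_plan, by_space))


def can_register(accounts, free_space_bytes):
    """Admission check to run before the registration form creates an account."""
    return free_slots(accounts, free_space_bytes) > 0


def expired_accounts(accounts, now):
    """Usernames whose last valid connection is more than INACTIVITY_LIMIT ago."""
    return [a["username"] for a in accounts
            if now - a["last_connection"] > INACTIVITY_LIMIT]


def prune(accounts, now):
    """Registry with the expired accounts removed (their mailboxes would go too)."""
    gone = set(expired_accounts(accounts, now))
    return [a for a in accounts if a["username"] not in gone]


if __name__ == "__main__":
    now = at("2010-05-01T12:00:00")
    print("capacity:", planned_capacity())
    print("slots with 4.9GB free:", free_slots(SAMPLE_ACCOUNTS, 4_900_000_000))
    print("expired:", expired_accounts(SAMPLE_ACCOUNTS, now))
```

With the sample registry, three accounts exist, so the plan leaves 497 slots, but with only 4.9GB actually free the filesystem bound wins and 490 remain; with less than 10MB free, registration is refused regardless of the count. On 1 May at noon, `bob` (last seen 20 April) is past the 7-day limit and is pruned, while `carol`, seen exactly 7 days earlier, is kept because the text requires a period greater than 7 days.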

  </sect2>

</sect1>