procmail

Re: Slightly OT: How to let users change settings without logging in

2002-02-14 11:05:38
Edward Wildgoose <Edward(_dot_)Wildgoose(_at_)FRMHedge(_dot_)com> wrote:
[...]
> Another thought is that I could use procmail itself, eg send an encoded
> file to the user with details in the body.  This would get spotted by the
> .procmailrc and update the local variables and then ditch the email
> without delivering...  Is there some way to make this safe without the
> risk of outsiders sending in mail to the users with commands in the
> body...

Sure, it's a two-step process. It assumes that this account is the final
delivery address, or in other words that your responsibility for security
ends when messages get into the user's delivery spool (inbox on the
server).

1. Have the users send themselves a request to update message. This message
is intercepted by the LDA (on the server), which generates a random
"cookie", and rewrites the message before delivery so that it contains the
cookie.

2. The users then send themselves a second message, referencing the cookie,
with the desired changes. Again, the LDA (on the server) intercepts the
message, compares it to the cookie, and makes the necessary changes.


PerlJacket does something like this. Warning, beta code (although it works
for me!), no user dox here, just a really large perl script:

  http://www.inwa.net/~m3047/perljacket/

(I plan to fix the handful of known issues and write some dox some time in
the next month or so.)

[...]
> In all this we must assume non-technically literate users with a small
> patience threshold.  They will not be changing these variables very often
> so they will have forgotten how to do it when they need to, hence web
> ideas are mostly appreciated.

Then you will need some good parsing and bozo checking!

One important consideration is that whatever you send them in the "cookie"
acknowledgement message should be self-contained, with instructions and
also the current settings. Finally, after the changes are made (or if the
update fails), be sure to send them a sensible acknowledgement.


I toyed with the idea of writing a custom servlet and Java applet, such
that when the request message is received, the servlet starts up and
starts listening on some port for the user; the user fires up the applet to
communicate with it and make the changes. Decided that might fly on my own
server, but it probably wasn't going to go over with many ISPs.

--

Fred Morris
m3047(_at_)inwa(_dot_)net


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
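
The two-step cookie exchange described in the message above, sketched as an added example (not part of the original post and not PerlJacket's code). The setting names, the 15-minute cookie lifetime and the `key=value` body format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_TTL = 15 * 60  # assumed cookie lifetime, in seconds
ALLOWED = {           # hypothetical settings, each with its own validator
    "vacation": lambda v: v in ("on", "off"),
    "spam_threshold": lambda v: v.isascii() and v.isdigit() and 1 <= int(v) <= 20,
}

class UpdateGate:
    """State the LDA keeps on the server between the two messages."""

    def __init__(self, now=time.time):
        self._pending = {}  # user -> (sha256 of cookie, expiry time)
        self._now = now

    def issue(self, user):
        """Step 1: mint the cookie that is written into the delivered message."""
        cookie = secrets.token_urlsafe(16)  # 128 random bits
        digest = hashlib.sha256(cookie.encode()).digest()
        self._pending[user] = (digest, self._now() + COOKIE_TTL)
        return cookie

    def redeem(self, user, cookie, body):
        """Step 2: verify the cookie, then parse and validate the changes."""
        digest, expiry = self._pending.get(user, (b"", 0.0))
        offered = hashlib.sha256(cookie.encode()).digest()
        # Constant-time compare; an unknown user has an empty digest and fails.
        if not hmac.compare_digest(digest, offered) or self._now() > expiry:
            return False, "cookie missing, wrong or expired; request a new one"
        changes = {}
        for line in body.splitlines():
            if not line.strip():
                continue
            key, sep, value = line.partition("=")
            key, value = key.strip().lower(), value.strip().lower()
            # Anything outside the allowlist rejects the whole message.
            if not sep or key not in ALLOWED or not ALLOWED[key](value):
                return False, f"rejected line: {line.strip()!r}"
            changes[key] = value
        del self._pending[user]  # single use: consumed once changes are accepted
        return True, changes

if __name__ == "__main__":
    gate = UpdateGate()
    c = gate.issue("alice")  # constructed sample user and body
    print(gate.redeem("alice", c, "vacation = on\nspam_threshold = 7\n"))
```

Only a hash of the cookie is stored, and a rejected body leaves the cookie valid so the user can correct the message and resend it before the cookie expires.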
