Exim Nervous Mailbox Quota Suite version 1999-11-08

 * Copyright (c) 1999
 * 	Vadim Vygonets.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Vadim Vygonets nor the names of his contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY VADIM VYGONETS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL VADIM VYGONETS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.

*****************************************************************

INTRODUCTION

This is the Exim Nervous Mailbox Quota Suite.  It does not impose
hard quotas on users' mailboxes, but it makes a user nervous by
putting all his mail in a secondary mailbox, inaccessible to the
user, when he is over his quota.  When the user clears his
mailbox (i.e., deletes mail to make his mailbox below the quota
again), mail from his secondary mailbox is transferred back to
his primary mailbox, in FIFO order.

*****************************************************************

ASSUMPTIONS

1. You run Exim 3 on a relatively normal UNIX system.

2. To eliminate unwanted setuid binaries, this suite assumes that
   all users' mailboxes are writable by EXIM_GROUP (usually
   called `exim' or `mail'), i.e., mode 660, owned by the user,
   with group EXIM_GROUP.

3. It also assumes that all users' mail which lands in their
   mailboxes is delivered there by Exim, using the local_delivery
   transport, thus making use of quota_warn_threshold possible
   (it was created for a system where users read their mail via
   POP3, and have no access to their home directories).

4. Yet another assumption is that all users have the same mailbox
   quota.  If it's not true, you should edit the setting of
   quota_warn_threshold in the Exim configuration file, and
   $quota in the transfer-mail script.

*****************************************************************

DESIGN

When a user's mailbox grows over the quota, an explanatory mail
is sent to quota-violation+USER@local.dom.  This mail is caught
by the quota_violation director, and redirected to the
quota_violation_delivery transport.  This transport tweaks some
headers and stores the message in the user's mailbox.  After
that, a shadow transport, quota_violation_create_secondary, is
called, which runs the quota_violation script.

The script checks the size of the user's primary mailbox and, if
it's over the quota, creates the secondary mailbox.  Thus, quota
violation messages just force the check, and there is no danger
that somebody will mount a denial-of-service attack by sending
mail to quota-violation+USER.

When the secondary mailbox exists, all mail to the user is
handled by the secondary_localuser director and the
secondary_local_delivery transport.  The secondary mailbox is
mode 660, owned by EXIM_USER, group EXIM_GROUP, to ensure that
(a) it's inaccessible to the user, and (b) it can be read or
written by the mail transfer cron job.
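
A check of the ownership and modes described above, as an added
example (not part of the suite).  The function name, and passing
the numeric ids of EXIM_USER and EXIM_GROUP as arguments, are
assumptions; the regular-file check goes slightly beyond the text.

```python
import os
import stat


def audit_secondary_spool(directory, exim_uid, exim_gid):
    """Return (path, problem) findings for the secondary mailbox directory.

    Expected state, per the text: directory mode 770, each mailbox
    mode 660, everything owned by EXIM_USER with group EXIM_GROUP.
    """
    findings = []

    def check(path, want_mode, must_be_regular):
        st = os.lstat(path)  # lstat: do not follow symlinks planted in the spool
        if must_be_regular and not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            return
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != exim_uid or st.st_gid != exim_gid:
            findings.append((path, "owner %d:%d" % (st.st_uid, st.st_gid)))
        if mode & stat.S_IRWXO:
            # Any "other" bit makes the held mail reachable by the user.
            findings.append((path, "accessible to others (mode %o)" % mode))
        elif mode != want_mode:
            findings.append((path, "mode %o, expected %o" % (mode, want_mode)))

    check(directory, 0o770, must_be_regular=False)
    for name in sorted(os.listdir(directory)):
        check(os.path.join(directory, name), 0o660, must_be_regular=True)
    return findings
```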

The mail transfer cron job must be run with sufficient
permissions to read and write primary and secondary mailboxes,
i.e., either having permissions of group EXIM_GROUP (preferred),
or root permissions.  Making it run hourly is advised.  All it
has to do is to run the transfer-all script, which then
iteratively runs the transfer-mail script for every user who has
a secondary mailbox, and whose primary mailbox is below the quota.

The transfer-mail script transfers mail from the secondary
mailbox to the primary mailbox in FIFO order until the primary
mailbox is over the quota again, or the secondary mailbox is
empty.  In the latter case, if the primary mailbox is still below
the quota, the secondary mailbox is deleted, thus signalling to
Exim to restart normal delivery to the primary mailbox.
Otherwise, the secondary mailbox is still kept, even if it's
empty.
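
The transfer logic described above, sketched in Python as an added
example; it is not the suite's own transfer-mail script.  It
assumes mbox-format mailboxes and a quota in bytes; transfer_mail
and QUOTA are names chosen here, and the QUOTA value is constructed.

```python
import mailbox
import os

QUOTA = 10 * 1024 * 1024  # assumed quota in bytes (constructed value)


def transfer_mail(primary_path, secondary_path, quota=QUOTA):
    """Drain the secondary mbox into the primary one, oldest message first.

    Returns (messages_moved, secondary_deleted).
    """
    primary = mailbox.mbox(primary_path, create=False)
    secondary = mailbox.mbox(secondary_path, create=False)
    moved, deleted = 0, False
    try:
        # Hold both locks so a concurrent delivery cannot interleave.
        primary.lock()
        secondary.lock()
        for key in sorted(secondary.keys()):  # mbox keys follow file order (FIFO)
            if os.path.getsize(primary_path) > quota:
                break  # primary is over the quota again: stop transferring
            primary.add(secondary.get_message(key))
            primary.flush()        # append and sync before dropping the copy
            secondary.remove(key)
            moved += 1
        secondary.flush()          # rewrite secondary without the moved mail
        if len(secondary) == 0 and os.path.getsize(primary_path) <= quota:
            # Empty and still under quota: removing the file is the signal
            # for normal delivery to resume.  Done while still locked.
            os.unlink(secondary_path)
            deleted = True
    finally:
        secondary.close()          # close() also releases the lock
        primary.close()
    return moved, deleted
```

On flush, mailbox.mbox rewrites the secondary file through a
temporary file and a rename, so its owner and mode should be
re-checked after a run.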

*****************************************************************

INSTALLATION

0. BACK UP EXIM CONFIGURATION FILE.

1. Edit the Makefile, tweaking the parameters to match your ego.

2. Create a directory for secondary mailboxes, making it mode
   770, owned by EXIM_USER, group EXIM_GROUP.

3. Run the Makefile.

4. Copy the resulting files quota_violation, transfer-all, and
   transfer-mail to the Exim script directory.

5. Set the cron job to run transfer-all every once in a while
   (once per hour seems reasonable).

6. Look into the resulting file configure.snippets, transferring
   relevant parts (variable definitions, transports, and
   directors) to your Exim configuration file.

7. Send SIGHUP to the Exim daemon process.

8. May God be with you.  Or Gods, if you're a polytheist.  Or
   your psychologist, if you're an American atheist.

*****************************************************************

OBTAINING THE LATEST VERSION, REPORTING BUGS, ETC.

Mail me:
	Vadim Vygonets <vadik@vygo.net>.
