> In article <01LOA42D00IM00004T@mauve.mrochek.com>, ned+info-pmdf@mauve.mrochek.com writes:
> > > Has anyone else seen this? Am I behind the times, or have bounce messages
> > > now become a bad thing? Or has Spamcop just gone off the deep end?


> > IMO its a little bit of both. In this times of joe-jobs and blowback spam it is
> > essential that as many checks as possible be performed by the SMTP server
> > before accepting mail to a given recipient. At a bare minimum invalid addresses
> > simply must be rejected, and it is best if things like over quota situations
> > are also dealt with at this point.


> How do you check users being overquota during the SMTP dialogue especially if
> the check is being done on your central mailhub which then has to deliver the
> mail to various internal systems ?


There are a bunch of ways to do it. The one we encourage sites to use with iMS
is to have an attribute in the LDAP directory that indicates whehter or not a
given user is over quota, and to check that attribute before accepting mail. If
the attribute says the user is over quota the mail is refused with an
appropriate 4xy error. You then have a daemon of some sort on the backend
systems that periodically scans and updates this information. It is also useful
if you can get "user dropped under" and "user is now over" indicators from the
store itself, especially the former, so that complaints of "I'm under quota but
mail still couldn't get through" are minimized.

In iMS we elected to add an additional "overquota" status to the existing
mailuserstatus attribute rather than create a new, separate attribute for this,
but we also could accomodate a separate attribute if need be.

Another way to do it is to have a plugin that actively queries for quota
information for the user using, say, appropriate IMAP commands. I don't like
the latency this introduces into SMTP much, but some sites insist on quota
information being absolutely current.

However, on a more general note, I have always found quota to be an issue that
a surprising number of sites handle very poorly. IMO the best way to deal with
quota issues it to set management policies that result in users rarely being in
an over quota condition. But sites have a lot of trouble doing this. Issues
include:

(1) News flash: Disk prices have dropped just a bit over the past few years.
And while disk prices aren't the only contributing per Mb cost associated
with a fully backed up storage solution, and other parts of such a solution
haven't dropped in price as much, the overall cost has come down a LOT.
Yet I routinely see sites you'd swear were caught in a time warp and
operating with quota policies as if it were 1985, not 2005.

(2) Site policies for users getting more quota when they need it are all too
often overly draconian. And on the flip side, quota enforcement is often
done poorly, e.g., predicate abusers are rarely penalized for their
poor behavior by having their account suspended.

(3) The best way to save space is not to use it in the first place. Mechanisms
like shared folders exist and can be used to elimiante the need for
users to have their own copies of everything. Yet such mechanissms are
seriously underused.

(4) It is also true that both client and server support for data sharing
mechanisms are inadequate. But this is primarily due to the fact that
support for such features just isn't a priority for enough customers to
interest vendors in expanding their support.

(5) Another news flash: We're collectively under siege, and there's no
longer any room for the administative squabbles among various fiefdoms
I all too frequently see that prevent sites from developing effective
site-wide policies for email. Have a department that insists on running
their own departmental server and not coordinating it with the
organization as a whole yet which also wants the all the protection
the site as a whole gets? They need to be read the riot act and if
necessary shown the door.

Now, having said all this, I will also add that I find the trend towards
outsourced mail solutions that offer huge quotas to be equally disturbing. I
can't speak for anyone else, but I just don't trust the likes of Google enough
to store all my email archives there on a permanent basis. (And please don't
try and tell me the Google folks are the good guys. Maybe they are right now,
but people and companies change over time.) The situation is Europe is arguably
different given how much stronger privacy laws are there, but the best law
imagineable won't stop an accident from happening.

And finally, there are all our hot new legal requirements like Sarbanes-Oxley,
which are being interpreted in all sorts of exciting, and highly inconsisent,
ways. (Read the actual legislation if you want to see why.) It is hard to
reconcile a draconian quota policy with a requirement that every scrap of email
ever sent be preserved for all eternity. Consider yourself lucky if this
stuff doesn't apply to you.

Ned