Our key goals in designing HLFS were:
Since most sites provide access to users' home directories from any host, it made sense to store incoming mail there as well. That way, as long as users could log into a host and access their home directories via NFS, their mail would be accessible as well. This solved the first problem. Also, since users must login in order to read their mail, causing their home directories to be automounted, no extra mounts are required in order to begin reading mail.
The second problem was solved by making sure that the final access of the mail spool directory remains a ``real'' directory (not a read-only pseudo-filesystem provided by an automounter). All UAs access the spool directory for reading and writing the user's mail file and create lock files there. That means that /var/spool/mail needs to be readable, writable, and searchable for UAs and MTAs so that lock files can be written and removed. See also Section 4.6. For the purpose of writing the mail and lock files, a subdirectory inside the user's home directory is sufficient, since it is already owned by that user. Ensuring that users cannot access other users' files can easily be achieved by protecting this subdirectory.
In order not to change the behavior of programs like
comsat[21,23], from or finger, which are designed to
read any user's mail, we implemented a special check for a designated group.
If the effective gid of the process is the designated group, we assume
that such a special program is executing, and hlfsd arranges to do the
lookup not only of the real spool directory, but of the mailbox itself. See
|component||Pathname left||Value if symbolic link|
The third problem is solved by ensuring that all operations which might hang hlfsd are performed in the background, while still providing service in the parent or child process. Furthermore, if hlfsd is not running anymore, or if the user's home filesystem is full, mail gets delivered to an alternate directory (See also Section 4.3). A cron job (running several times a day in our department), looks at the alternate directory, and attempts to resend messages in it to their rightful owners. All that is incurred is a delay in mail delivery, which, in most cases, is no longer than the length of time between consecutive invocations of the lost-mail remailing script.
Having a special mail-spool subdirectory owned and controlled by the user also addresses the last problem, that of privacy. Users can change the protection bits on their mailbox directory inside their home directory so that it is readable and searchable only by the owner. Any other program or user, unless running as the superuser on the same host, would not be able to find out whether a user has new mail, how much of it there is, or when it was last read.