B) I have a problem with storage-abusers & really want the carrot-stick quota system my favorite ISP, Panix, has. You get N bytes {or messages, I can live with either/both} and when you get near, you get nagged until you solve it.
I personally use filesystem quotas. With this, if the user goes over quota they are no longer able to receive email. My current setup will permfail incoming mail if the system is unable to store it with an error stating "user over quota." This is my preference.
Politically, this will not fly. The big offender is the PHB.
When you exceed quota, you get no more incoming mail, just nagging. It's shunted aside until you make room. After D days, if it's still there, the shunted mail is returned.
If you use dovecot LDA (deliver) then this is the default (possibly non-configurable) behavior. deliver returns a TEMPFAIL if it cannot write the new mail to user's storage device. This is at least the case for filesystem quotas. If you're going to have strictly virtual users, you'll need to use something like maildir quotas which may have different behavior.
I'm still trying to grok the +/- aspects of virtual users...
C) Password changes. How can I have user-changeable pw's, with crack/sanity checking of the new ones? Do I have to have accessible shell accounts on the box for each user? [argh]
To my knowledge, dovecot (or rather, most IMAP/POP servers) does not handle password change requests. I know that early versions of Eudora had a "Change Password" option, I'm not sure if that's still there but that option is not common in modern email clients.
It is there....
You'll need to choose your user management tools properly according to your needs. (i.e. do you use LDAP or MySQL for your backend database? what types of management tools are provided with each? will you have to provide your own tools? etc)
All open questions... One thing that occurs to me is giving them shell accounts, but making the shell 'passwd'
It's not the cleanest solution, but I personally just create real user accounts on my system (I don't have the need to distinguish by domains however) with a shell that prevents logins but allows IMAP/POP connections. I then use a plugin to squirrelmail to allow the users to change their passwords.
better!!
Thanks...