Mercurial > docs > diploma

comparison thesis/tex/4-MasqmailsFuture.tex @ 196:b80438534651

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
rewrites and new content about non-functional requirements
author meillo@marmaro.de
date Wed, 31 Dec 2008 14:00:30 +0100
parents 74a6cbdc7255
children b08be036783d
comparison
equal deleted inserted replaced
195:ff55d3d6fbca 196:b80438534651
54 Here follows a list of quality requirements for \masqmail, or other kinds of programs in similar environment and with similar jobs. These requirements specify the non-functional properties of the software, thus they are also called \name{non-functional requirements}. The list is based on \person{Hafiz} \cite[page~2]{hafiz05}, with insperation from \person{Spinellis} \cite[page~6]{spinellis06}. 54 Here follows a list of quality requirements for \masqmail, or other kinds of programs in similar environment and with similar jobs. These requirements specify the non-functional properties of the software, thus they are also called \name{non-functional requirements}. The list is based on \person{Hafiz} \cite[page~2]{hafiz05}, with insperation from \person{Spinellis} \cite[page~6]{spinellis06}.
55 %fixme: refer to ch01 and ch02 55 %fixme: refer to ch01 and ch02
56 56
57 57
58 \subsubsection*{Security} 58 \subsubsection*{Security}
59 \MTA{}s are critical points for computer security, as they are accessable from external networks. They must be secured with high effort. Properties like high priviledge level, work load influenced from extern, work on unsafe data, and demand for reliability, increase the security needed. \masqmail\ needs to be secure enough for its target field of operation. 59 \MTA{}s are critical points for computer security, as they are accessable from external networks. They must be secured with high effort. Properties like high priviledge level, work load influenced from extern, work on unsafe data, and demand for reliability, increase the need for security. \masqmail\ needs to be secure enough for its target field of operation.
60 60
61 61
62 \subsubsection*{Reliability} 62 \subsubsection*{Reliability}
63 Reliability is the second essential quality property for an \MTA. Mail, for which the \MTA\ took responsibility, must never get lost. The \MTA\ must not be the cause of any mail loss, no matter what happens. Unreliable \mta{}s are of no value. 63 Reliability is the second essential quality property for an \MTA. Mail for which the \MTA\ took responsibility must never get lost. The \MTA\ must not be \emph{the cause} of any mail loss, no matter what happens. Unreliable \mta{}s are of no value.
64 64
65 65
66 \subsubsection*{Robustness} 66 \subsubsection*{Robustness}
67 Being robust means handling errors properly. Small errors may get tolerated, large errors may kill a process, to get restarted afterwards. Log messages should be written in every case. Robust software does not need a special environment, it creates the right environment itself. \person{Raymond}'s \name{Rule of Robustness} and his \name{Rule of Repair} are good descriptions.\cite[pages~18--21]{raymond03} 67 Being robust means handling errors properly. Small errors may get tolerated, large errors may kill a process. Killed processes should be automatically restarted and lead to a clean state again. Log messages should be written in every case. Robust software does not need a special environment, it creates the right environment itself. \person{Raymond}'s \name{Rule of Robustness} and his \name{Rule of Repair} are good descriptions.\cite[pages~18--21]{raymond03}
68 68
69 69
70 \subsubsection*{Extendability} 70 \subsubsection*{Extendability}
71 Modern needs like large messages demand for more efficient mail transport through the net. Aswell is a final solution needed to defeat the spam problem. New mail transport protocols seem to be the only good solutions for both problems. They also can improve reliability, authentication, and verification issues. \masqmail\ should be able to support new mail transfer protocols as they appear and are used. 71 Modern needs like large messages demand for more efficient mail transport through the net. Aswell is a final solution needed to defeat the spam problem. New mail transport protocols seem to be the only good solutions for both problems. They also can improve reliability, authentication, and verification issues. \masqmail's architecture needs to be extendable, to allow new features to be added afterwards. For example new mail transfer protocols as they appear and are used.
72 %fixme: like old sendmail, but not too much like it 72
73 73
74 \subsubsection*{Maintainability} 74 \subsubsection*{Maintainability}
75 Maintaining software takes much time and effort. \person{Spinellis} measures ``40\,\% to 70\,\% of the effort that goes into a software system is expended after the system is written first time.''\cite[page~1]{spinellis03} This is maintaining work. Hence making software good to maintain is effort that will become invalueable afterwards. 75 Maintaining software takes much time and effort. \person{Spinellis} guesses ``40\,\% to 70\,\% of the effort that goes into a software system is expended after the system is written first time.'' \cite[page~1]{spinellis03}. This work is called \emph{maintaining}. Hence making software good to maintain is effort that will easy 40 to 70\,\% of the work afterwards.
76 76
77 77
78 \subsubsection*{Testability} 78 \subsubsection*{Testability}
79 Good testability make maintainance easier, because functionality is directly verifiable when changes are done, thus removing the uncertaintay. Modularized software makes testing easier, because parts can be testet without external influences. 79 Good testability make maintainance easier too, because functionality is directly verifiable when changes are done, thus removing the uncertainty. Modularized software makes testing easier, because parts can be testet without external influences. \person{Spinellis} sees testability as a subquality of maintainability.
80 80
81 81
82 \subsubsection*{Performance} 82 \subsubsection*{Performance}
83 Also called ``efficiency''. Software requiring few time and few resources is nice. But as performance improvements are in contrast to many other quality poperties (reliability, maintainability, usability, capability \cite[page~5]{kan03}), japardizing them to gain some more performance should not be done. \person{Kernighan} and \person{Pike} state clear: ``[T]he first principle of optimization is \emph{don't}.''\cite[page~165]{kernighan99} 83 Also called ``efficiency''. Efficient software requires few time and few resources. The merge of communication hardware and its move from service providers to homes and to mobile devices, demand smaller and more resource-friendly software. The amount of mail will be lower, even if much more mail will be sent. More important will be the energy consumption and heat emission. These topics increased in relevance during the past years and they are expected to become more central.
84
85 The merge of communication hardware and the move of email services from providers to homes, demands smaller and more resource-friendly software. The amount of mail will be lower, even if much more mail will be sent. More important will be the energy consumption and heat emission. These topics increased in relevance during the past years and they are expected to become more central. \masqmail\ is not a program to be used on large servers, but to be used on small devices. Thus focusing on energy and heat, not on performance, is the direction to go.
86 84
87 85
88 \subsubsection*{Availability} 86 \subsubsection*{Availability}
89 Availability is important for server programs. They must stay operational, even when bad guys run \name{denial of service} attacks. 87 Availability is important for server programs. They must stay operational, even during \name{denial of service} attacks.
90 88
91 89
92 \subsubsection*{Portability} 90 \subsubsection*{Portability}
93 Not to forget is portability. It can be accieved by using standard features of the programming language and common libraries. Basic rules for portable code are defined by \person{Kerighan} and \person{Pike} \cite{kernighan99}. 91 Source code that compiles and runs on various operationg systems is called portable. Portability can be achieved by using standard features of the programming language and common libraries. Basic rules for portable code are defined by \person{Kerighan} and \person{Pike} \cite{kernighan99}. Portable code lets software spread faster.
94
95 Focusing on \unix\ systems seems to be okay, but being portable between different flavors of them is important. Also should the \masqmail\ be independent of the underlying file system.
96 92
97 93
98 \subsubsection*{Usability} 94 \subsubsection*{Usability}
99 Usability, not mentioned by \person{Hafiz} but by \person{Spinellis} and \person{Kan}, is a property very important from the user's point of view. Software with bad usability is rarely used, no matter how good it is---if roughly equivilent substitutes with better usability exist, the user will switch to one of them. 95 Usability, not mentioned by \person{Hafiz} (he focuses on architecture) but by \person{Spinellis} and \person{Kan}, is a property very important from the user's point of view. Software with bad usability is rarely used, no matter how good it is. If roughly equivilent substitutes with better usability exist, the user will switch to one of them. Usability here means easy to set up and configure, too; users are also administrators here. Having \mta{}s on many home servers and clients, requires easy and standardized configuration. The common setups should be configurable with single actions by the user. Complex configuration should be possible, but focused must be the most common form of configuration: choosing one of several standard setups.
100
101 Usability here means easy to set up and configure, too. Having \mta{}s on many home servers and clients, requires easy and standardized configuration. The common setups should be configurable with single actions by the user. Complex configuration should be possible, but focused must be the most common form of configuration: choosing one of several standard setups.
102 96
103 97
104 98
105 99
106 100
240 \masqmail\ does not provide special support for spam filter or content checking. But it is possible to invoke external filter applications by running two independent instances of \masqmail, connected by the filter application. The receiving \MTA\ instance accepts mail and pushes it into the filter. The filter application receives mail, processes it, possible modifies it, and pushes it over to a second \MTA\ instance. The second \MTA\ is responsible for further delivery of the mail. Appendix \ref{app:FIXME} shows configuration files to create such a setup. This is a concept that works in general. However, real spam \emph{prevention}---to not accept spam mail at all---or good filter interfaces are not available, but are nessesary for using \masqmail\ in an unsafe environment. 234 \masqmail\ does not provide special support for spam filter or content checking. But it is possible to invoke external filter applications by running two independent instances of \masqmail, connected by the filter application. The receiving \MTA\ instance accepts mail and pushes it into the filter. The filter application receives mail, processes it, possible modifies it, and pushes it over to a second \MTA\ instance. The second \MTA\ is responsible for further delivery of the mail. Appendix \ref{app:FIXME} shows configuration files to create such a setup. This is a concept that works in general. However, real spam \emph{prevention}---to not accept spam mail at all---or good filter interfaces are not available, but are nessesary for using \masqmail\ in an unsafe environment.
241 235
242 There is currently no way of archiving every message going through \masqmail. 236 There is currently no way of archiving every message going through \masqmail.
243 237
244 238
245 %fixme: write about non-functional requirements 239 Non-functional requirements are not so easy to be marked as fulfilled or not. Instead they are discussed here.
246 Making \masqmail\ a \name{crash-only software}\cite{candea03} would be a step to make it more robust. 240
241 \masqmail\ needs to be ``secure enough'', but what is ``secure enough''? This depends on its target field. Currently \masqmail\ is targeted to workstations and private networks, with explicit warning for use on permanent online hosts \citeweb{masqmail:homepage2}. \masqmail's current security is bad. (For instance does a long time known attack against \sendmail, described by \person{Sill} \cite[page~4]{sill02}, still outwit \masqmail). The security, however, seems acceptable for use on workstations and private networks, if the environment is trusted. In environments where untrusted components or persons have access to \masqmail, its security is too low.
242
243 Similar for its reliability. It has been reported that \masqmail\ has not sent mail under some circumstances \citeweb{FIXME}. %fixme
244 The author also noticed problems with where only one part of the queued message was removed, the other part remained as garbage. Fortunately, reports abou lost mail are not known. Current reliability is not good enough.
245
246 The logging behavior of \masqmail\ is good, but does not cover everything. Also it trusts its environment. For example, if the queue directory is world writeable by accident (or as action of an intruder), any user can remove messages from the queue or replace them with own ones. \masqmail\ does not even write a debug message in this case.
247
248 \masqmail's extendability is very poor. This is a general problem of monolithic software, but can thus be provided with high effort. \exim\ is an example for good extendability for a monolithic program.
249
250 The maintainability of \masqmail\ appears to be equivilent to other software of similar kind. Missing modularity and therefore more complexity makes the maintainer's work harder. In summary is \masqmail's maintainability bearable, and in view of its missing modularity good. The testability suffers from the same. Testing program parts is hard, but done by compiling source parts to special test programs.
251
252 The performance---effenciency---of \masqmail\ is good enough for its target field of operation, where this is a minor goal. As well is its availability. Hence no further work needs to be done her.
253
254 The code's protability is good with view on \unix-like operation systems. At least \name{Debian}, \name{Redhat}, \NAME{SUSE}, \name{slackware}, \name{Free}\NAME{BSD}, \name{Open}\NAME{BSD}, and \name{Net}\NAME{BSD} are reported to be able to compile and run \masqmail\ \citeweb{masqmail:homepage2}. About special requirements for the underlying file system is not heard of. The portability is already good.
255
256 The usability, from the administator's point of view, is very good. \masqmail\ was developed to suite a specific, limited job, its configuration does perfect match. The user's view does not reach to the \MTA, as it is hidden behind the \name{mail user agent}.
257
247 258
248 259
249 \subsubsection*{Missing parts} 260 \subsubsection*{Missing parts}
250 261
251 Support for other protocols than \SMTP\ seems not to be nessesary at the moment. Adding such support will need lots of work in all parts of \masqmail, hence delaying it until the support is needed appears to be the best solution. 262 Support for other protocols than \SMTP\ seems not to be nessesary at the moment. Adding such support will need lots of work in all parts of \masqmail, hence delaying it until the support is needed appears to be the best solution.
254 265
255 As authentication can be a guard against spam, filter facilities have lower priority. But basic spam filtering and interfaces for external tools should be implemented in future. Content checking, if really nessesary, should be left over to the \NAME{MDA}, to deal with it in local delivery. 266 As authentication can be a guard against spam, filter facilities have lower priority. But basic spam filtering and interfaces for external tools should be implemented in future. Content checking, if really nessesary, should be left over to the \NAME{MDA}, to deal with it in local delivery.
256 267
257 Archiving again is prefered to be implemented soon. It does not require much work, but enables all kinds of statistical analysis. Also it is a requirement for companies to archive their mail communication. 268 Archiving again is prefered to be implemented soon. It does not require much work, but enables all kinds of statistical analysis. Also it is a requirement for companies to archive their mail communication.
258 269
259 %fixme: what about non-functional requirements? 270 Non-functional requirements need improvements too.
260 271
261 272 \masqmail's security is bad and limits it thus to a field of operation that shrinks. Security becomes more important and networking and interaction increases. Save and trusted environment become rare. Improving security is an important thing to do in future.
262 273
263 274 Reliability is also to improve. It is a key quality property for an \MTA, and not good enough in \masqmail. Also is the program lacking robustness. Checking the environment and reporting bad characteristics is wanted. Especially improving robustness inrelation to the queue is favorable; applying ideas of \name{crash-only software}\cite{candea03} will be a good step.
264 \subsubsection*{Discussion on architecture} 275
276 Extendability, maintainability, and testability do all lack from the monolithic architecture and are nearly impossible to improve without changing the programs structure. These properties can hardly be retrofitted into software. But extendability might become important in the future, and the other two make all further work on the software easier.
277
278 Performance is a nice-to-have property, but as performance improvements are in contrast to many other quality poperties (reliability, maintainability, usability, capability \cite[page~5]{kan03}), jeopardizing these to gain some more performance should not be done. \person{Kernighan} and \person{Pike} state clear: ``[T]he first principle of optimization is \emph{don't}.''\cite[page~165]{kernighan99}. \masqmail\ is not a program to be used on large servers, but on small devices. Thus important for \masqmail\ is focusing on energy and heat, maybe also system resources, not on performance.
279
280 Focusing on being portable amoung the various flavors of \unix\ systems seems to be okay, because these systems are the ones \MTA{}s run on usually. Problems with non-\unix platforms are primary expected to come from file systems lacking required features. But no special care should be taken here.
281
282 Configuration could be eased more, by providing configuration generators to be able to run \masqmail\ right ``out of the box'' with only running one of several configuration scripts for common setups. This would make \masqmail\ better usable by people not technical educated.
283
284
285
286
287
288
289 \section{Discussion on architecture}
265 290
266 %fixme: why is there a need for a new arch?? 291 %fixme: why is there a need for a new arch??
267 Adding authentication and encryption support is limited to a narrow region in the code. Such features are addable to the current code base without much problem. In contrast do support for new protocols or mail processing interfaces to external programs require a lot of effort. Changes in many parts of the source code are required. It is no good idea to implement large retro-fitted features in a software that is critical in security and reliability, like \masqmail. Worse if these features need changes in the program's structure, like adding mail scanning interfaces would do. 292 Adding authentication and encryption support is limited to a narrow region in the code. Such features are addable to the current code base without much problem. In contrast do support for new protocols or mail processing interfaces to external programs require a lot of effort. Changes in many parts of the source code are required. It is no good idea to implement large retro-fitted features in a software that is critical in security and reliability, like \masqmail. Worse if these features need changes in the program's structure, like adding mail scanning interfaces would do.
268 293
269 If such features are needed, it is best do redesign the program's structure and rebuild it. A program's structure is primary its architecture. Which is probably the most influencing design decision, and has the greatest impact on the program's future capabilities. The architecture defines what the program can do, how it can be used. If the architecture does not fit the requirements, develpement reached a dead end \dots\ further work will make everything worse. The only good solution is to change the architecture, which, sadley but most likely, means a redesign from scratch. 294 If such features are needed, it is best do redesign the program's structure and rebuild it. A program's structure is primary its architecture. Which is probably the most influencing design decision, and has the greatest impact on the program's future capabilities. The architecture defines what the program can do, how it can be used. If the architecture does not fit the requirements, develpement reached a dead end \dots\ further work will make everything worse. The only good solution is to change the architecture, which, sadley but most likely, means a redesign from scratch.
329 %\person{Hafiz} adds: ``The major idea is that security cannot be retrofitted into an architecture.''\cite[page 64]{hafiz05} 354 %\person{Hafiz} adds: ``The major idea is that security cannot be retrofitted into an architecture.''\cite[page 64]{hafiz05}
330 355
331 356
332 357
333 358
334 \section{A design from scratch} 359
360
361
362
363
364 \section{Result}
365
366 Directions to go
367
368 Now how could \masqmail\ be like in, say, five years?
369
370 This section discusses about what shapes \masqmail\ could have---which directions the development could go to.
371
372
373
374
375 1) fix the current version
376
377
378 2) create a new one
379 But how is the effort of this complete rewrite compared to what is gained afterwards?
380 << would one create it at all? >>
381
382
383 pro---contra
384
385
386
387
388 << short term goals --- long term goals >>
389
390 do it like sendmail: first do the most needed stuff on the old design to make it still usable. Then design a new version from scratch, for the future.
391
392 << which parts to take out and do within the thesis >>
393
394
395
396
397
398
399
400
401
402
403
404
405 \chapter{A design from scratch}
335 406
336 The last sections identified the jobs that need to be done by a modern \MTA; problems and prefered choices were mentioned too. Now the various jobs are assigned to modules, of which an architecture is created. It is inpired by existing ones and driven by the identified jobs and requirements. 407 The last sections identified the jobs that need to be done by a modern \MTA; problems and prefered choices were mentioned too. Now the various jobs are assigned to modules, of which an architecture is created. It is inpired by existing ones and driven by the identified jobs and requirements.
337 408
338 409
339 410
770 http://fanf.livejournal.com/70432.html %how not to design an mta - address verification 841 http://fanf.livejournal.com/70432.html %how not to design an mta - address verification
771 http://fanf.livejournal.com/72258.html %how not to design an mta - content scanning 842 http://fanf.livejournal.com/72258.html %how not to design an mta - content scanning
772 843
773 844
774 845
775
776
777
778
779
780
781
782
783 \section{Result}
784
785 Directions to go
786
787 Now how could \masqmail\ be like in, say, five years?
788
789 This section discusses about what shapes \masqmail\ could have---which directions the development could go to.
790
791
792
793
794 1) fix the current version
795
796
797 2) create a new one
798 But how is the effort of this complete rewrite compared to what is gained afterwards?
799 << would one create it at all? >>
800
801
802 pro---contra
803
804
805
806
807 << short term goals --- long term goals >>
808
809 do it like sendmail: first do the most needed stuff on the old design to make it still usable. Then design a new version from scratch, for the future.
810
811 << which parts to take out and do within the thesis >>
812
813