Mercurial > docs > diploma
comparison thesis/tex/5-Improvements.tex @ 326:802635628c92
various work in ch05
| author | meillo@marmaro.de |
|---|---|
| date | Fri, 23 Jan 2009 11:23:17 +0100 |
| parents | 8671d9c0f29a |
| children | 2b1da14922f7 |
comparison
equal
deleted
inserted
replaced
| 325:f5225dd052cb | 326:802635628c92 |
|---|---|
| 13 | 13 |
| 14 The first three \TODO{}s are implementable by improving the current code or by adding wrappers or interposition filters. The following sections describe solution approaches to do that work. | 14 The first three \TODO{}s are implementable by improving the current code or by adding wrappers or interposition filters. The following sections describe solution approaches to do that work. |
| 15 | 15 |
| 16 | 16 |
| 17 | 17 |
| 18 \subsubsection*{Encryption} | 18 \subsection{Encryption} |
| 19 | 19 |
| 20 Encryption should be the first funtionality to add to the current code. This requirement was already discussed on page \pageref{requirement-encryption}. As explained there, \NAME{STARTTLS} encryption---as defined in \RFC\,2487---should be added to \masqmail. | 20 Encryption should be the first funtionality to add to the current code. This requirement was already discussed on page \pageref{requirement-encryption}. As explained there, \NAME{STARTTLS} encryption---as defined in \RFC\,2487---should be added to \masqmail. |
| 21 | 21 |
| 22 Adding encryption requires changes mainly in three source files: \path{smtp_in.c}, \path{smtp_out.c}, and in \path{conf.c}. | 22 Adding encryption requires changes mainly in three source files: \path{smtp_in.c}, \path{smtp_out.c}, and in \path{conf.c}. |
| 23 | 23 |
| 49 % smtp_tls_CA_file = /etc/postfix/CAcert.pem | 49 % smtp_tls_CA_file = /etc/postfix/CAcert.pem |
| 50 | 50 |
| 51 | 51 |
| 52 | 52 |
| 53 | 53 |
| 54 \subsubsection*{Authentication} | 54 \subsection{Authentication} |
| 55 | 55 |
| 56 Authentication is the second function to add; it is important to restrict the access to \masqmail, especially for mail relay. The requirements for authentication where identified on page \pageref{requirement-authentication}. | 56 Authentication is the second function to add; it is important to restrict the access to \masqmail, especially for mail relay. The requirements for authentication where identified on page \pageref{requirement-authentication}. |
| 57 | 57 |
| 58 Static access restriction, based on the \NAME{IP} address is already possible by using \name{TCP Wrappers}. This makes it easy to refuse all connections from outside the local net for example, which is a good prevention of being an open relay. More detailed static restrictions, like splitting between mail for the system and mail to relay, should not be added to the current code. This may be a concern for the new design. | 58 Static access restriction, based on the \NAME{IP} address is already possible by using \name{TCP Wrappers}. This makes it easy to refuse all connections from outside the local net for example, which is a good prevention of being an open relay. More detailed static restrictions, like splitting between mail for the system and mail to relay, should not be added to the current code. This may be a concern for the new design. |
| 59 | 59 |
| 93 | 93 |
| 94 | 94 |
| 95 | 95 |
| 96 | 96 |
| 97 | 97 |
| 98 \subsubsection*{Security} | 98 \subsection{Security} |
| 99 | 99 |
| 100 Improvements to \masqmail's security are an important requirement and are the third task to work on. Retrofitting security \emph{into} \masqmail\ is not or hardly possible as it was explained in section \ref{sec:discussion-further-devel}. But adding wrappers and interposition filters can be a large step towards security. | 100 Improvements to \masqmail's security are an important requirement and are the third task to work on. Retrofitting security \emph{into} \masqmail\ is not or hardly possible as it was explained in section \ref{sec:discussion-further-devel}. But adding wrappers and interposition filters can be a large step towards security. |
| 101 | 101 |
| 102 At first mail security layers like \name{smap} come to mind. The market share analysis in section \ref{sec:market-share} identified such software. This is an interposition filter that stands between the untrusted network and the \MTA. It accepts mail in replacement for the \MTA\ (also called \name{proxy}) in order to separate the \MTA\ from the untrusted network. | 102 At first mail security layers like \name{smap} come to mind. The market share analysis in section \ref{sec:market-share} identified such software. This is an interposition filter that stands between the untrusted network and the \MTA. It accepts mail in replacement for the \MTA\ (also called \name{proxy}) in order to separate the \MTA\ from the untrusted network. |
| 103 | 103 |
| 107 | 107 |
| 108 The advantage is that the \MTA\ itself needs not to bother much with untrusted environments. And a small proxy cares only about that work. | 108 The advantage is that the \MTA\ itself needs not to bother much with untrusted environments. And a small proxy cares only about that work. |
| 109 | 109 |
| 110 \name{smap} is non-free software and thus no general choice for \masqmail. A way to achieve a similar setup would be to copy \masqmail\ and strip one copy to the bare minimum what is needed for the proxy job. \name{setuid} could be removed and root privilege too if \name{inetd} is used. This hardens the proxy instance. | 110 \name{smap} is non-free software and thus no general choice for \masqmail. A way to achieve a similar setup would be to copy \masqmail\ and strip one copy to the bare minimum what is needed for the proxy job. \name{setuid} could be removed and root privilege too if \name{inetd} is used. This hardens the proxy instance. |
| 111 | 111 |
| 112 | 112 Mail from extern would then come through the proxy into the system. Mail from the local host and from the local network could be directly accepted by the normal \masqmail, if those locations are considered trusted. But it seems better to have them use the proxy too, or maybe a second proxy instance with different policy. |
| 113 | 113 |
| 114 split masqmail into two instances | 114 The here described setup comes close to the structure of the incoming channels in the new design which is described in \ref{sec:new-design}. This shows the possibilities of the here chosen approach. %fixme: rethink this sentence |
| 115 | 115 |
| 116 \begin{verbatim} | 116 |
| 117 +--------+ ext ||||| int +--------+ | 117 \subsubsection*{A concrete setup} |
| 118 ---> |stripped|---> inter --->|normal | | 118 |
| 119 |masqmail| pos |masqmail| | 119 A stripped down proxy needs to be created. It should only be able to receive mail via \SMTP, encrypt the communication, authenticate clients, and send mail out via \SMTP\ to an internal socket (named ``X'' in the figure). This is a straight forward task. The normal \masqmail\ instance runs on the system too. It takes input from \name{stdin} (by calling the \path{sendmail} command) and via \SMTP\ where it listens on an internal socket (named ``X'' in the figure). Outgoing mail is handled without difference to a regular setup. Figure \ref{fig:proxy-setup} depicts the setup. |
| 120 +--------+ ||||| +--------+ | 120 |
| 121 \end{verbatim} | 121 \begin{figure} |
| 122 | 122 \begin{center} |
| 123 << refer back to enc and auth >> | 123 \includegraphics[scale=0.75]{img/proxy-setup.eps} |
| 124 | 124 \end{center} |
| 125 \caption{A setup with a proxy} | |
| 126 \label{fig:proxy-setup} | |
| 127 \end{figure} | |
| 128 | |
| 129 | |
| 130 \subsubsection*{Spam and malware handling} | |
| 131 | |
| 132 The presented setup is the same as the one with two \MTA\ instances and a scanner application in between, which was suggested to add spam and malware scanner afterwards to an \MTA. This is a fortunate conincidence, because a scanner like \name{amavis} can simply be put in replace for the internal socket ``X''. | |
| 133 | |
| 134 | |
| 135 | |
| 136 | |
| 137 \subsubsection*{Conditional compilation} | |
| 125 << conditional compilation >> | 138 << conditional compilation >> |
| 126 | 139 |
| 127 | 140 |
| 128 \subsubsection*{Reliability} | 141 |
| 129 | |
| 130 discuss persistence through using databases | |
| 131 | |
| 132 | |
| 133 | |
| 134 \subsubsection*{Spam and malware handling} | |
| 135 | |
| 136 discuss the MTA->scanner->MTA approach | |
| 137 | |
| 138 | |
| 139 | |
| 140 \subsubsection*{Bug fixes} | |
| 141 | |
| 142 already fixed bugs | |
| 143 | 142 |
| 144 | 143 |
| 145 | 144 |
| 146 | 145 |
| 147 | 146 |
| 153 | 152 |
| 154 | 153 |
| 155 | 154 |
| 156 | 155 |
| 157 \section{A new design} | 156 \section{A new design} |
| 157 \label{sec:new-design} | |
| 158 | 158 |
| 159 The last chapter identified the requirements for a modern and securt \masqmail. Now the various jobs of an \MTA\ get assigned to modules, of which the new architecture is created. It is inspired by existing \MTA{}s and driven by the identified requirements. | 159 The last chapter identified the requirements for a modern and securt \masqmail. Now the various jobs of an \MTA\ get assigned to modules, of which the new architecture is created. It is inspired by existing \MTA{}s and driven by the identified requirements. |
| 160 | 160 |
| 161 One wise experience was kept in mind during the design: ``Many times in life, getting off to the right start makes all the difference.'' \cite[page~32]{graff03}. | 161 One wise experience was kept in mind during the design: ``Many times in life, getting off to the right start makes all the difference.'' \cite[page~32]{graff03}. |
| 162 | 162 |
| 163 | 163 |
| 164 | 164 Major design ideas of the design were: |
| 165 \subsection{Design decisions} | |
| 166 | |
| 167 One major design idea of the design were: | |
| 168 \begin{itemize} | 165 \begin{itemize} |
| 169 \item free the internal system from in and out channels | 166 \item free the internal system from in and out channels |
| 170 \item arbitrary protocol handlers have to be addable afterwards | 167 \item arbitrary protocol handlers have to be addable afterwards |
| 171 \item a single facility for scanning (all mail goes through it) | 168 \item a single facility for scanning (all mail goes through it) |
| 172 \item concentrate on mail transfer | 169 \item concentrate on mail transfer |
| 173 \end{itemize} | 170 \end{itemize} |
| 174 | 171 |
| 175 | 172 |
| 173 | |
| 174 \subsection{Architectural design} | |
| 175 | |
| 176 \subsubsection*{Incoming channels} | 176 \subsubsection*{Incoming channels} |
| 177 | 177 |
| 178 \sendmail-compatible \mta{}s must support at least two incoming channels: mail submitted using the \sendmail\ command, and mail received via the \SMTP\ daemon. It is therefor common to split the incoming channel into local and remote. This is done by \qmail\ and \postfix. The same way is \person{Hafiz}'s view. | 178 \sendmail-compatible \mta{}s must support at least two incoming channels: mail submitted using the \sendmail\ command, and mail received via the \SMTP\ daemon. It is therefor common to split the incoming channel into local and remote. This is done by \qmail\ and \postfix. The same way is \person{Hafiz}'s view. |
| 179 | 179 |
| 180 In contrast is \name{sendmail X}: Its locally submitted messages go to the \SMTP\ daemon, which is the only connection towards the mail queue. %fixme: is it a smtp dialog? or a second door? | 180 In contrast is \name{sendmail X}: Its locally submitted messages go to the \SMTP\ daemon, which is the only connection towards the mail queue. %fixme: is it a smtp dialog? or a second door? |
| 211 %fixme: check, cite, and think about | 211 %fixme: check, cite, and think about |
| 212 | 212 |
| 213 %fixme: discuss: filesystem vs. database | 213 %fixme: discuss: filesystem vs. database |
| 214 << \masqmail\ uses the filesytem to store the queue, storing the queue in a databases might improve the reliability through better persistence. >> %fixme | 214 << \masqmail\ uses the filesytem to store the queue, storing the queue in a databases might improve the reliability through better persistence. >> %fixme |
| 215 | 215 |
| 216 | |
| 217 %fixme: what about the ``rule of repair''? | 216 %fixme: what about the ``rule of repair''? |
| 218 | 217 |
| 219 | 218 |
| 220 \subsubsection*{Sanitize mail} | 219 \subsection{Functional design} |
| 221 | |
| 222 Mail coming into the system often lacks important header lines. At least the required ones must be added from the \MTA. A good example is the \texttt{Message-Id:} header. | |
| 223 | |
| 224 In \postfix, this is done by the \name{cleanup} module, which invokes \name{rewrite}. The position in the message flow is after coming from one of the several incoming channels and before the message is stored into the \name{incoming} queue. Modules that handle incoming channels may also add headers, for example the \texttt{From:} and \texttt{Date:} headers. \name{cleanup}, however, does a complete check to make the mail header complete and valid. | |
| 225 | |
| 226 Apart from deciding where to sanitize the mail header, is the question where to generate the envelope. The envelope specifies the actual recipient of the mail, no matter what the \texttt{To:}, \texttt{Cc:}, and \texttt{Bcc:} headers tell. Multiple reciptients lead to multiple different envelopes, containing all the same mail message. | |
| 227 | |
| 228 | 220 |
| 229 | 221 |
| 230 \subsubsection*{Aliasing} | 222 \subsubsection*{Aliasing} |
| 231 | 223 |
| 232 Where should aliases get expanded? They appear in different kind. Important are the ones available in the \path{aliases} file. Aliases can be: | 224 Where should aliases get expanded? They appear in different kind. Important are the ones available in the \path{aliases} file. Aliases can be: |
| 364 \subsubsection*{Archiving} | 356 \subsubsection*{Archiving} |
| 365 | 357 |
| 366 Mail archiving and auditability become more important as electronic mail becomes more important. Ability to archive verbatim copies of every mail coming into and every mail going out of the system, with relation between them, appears to be a goal to achieve. | 358 Mail archiving and auditability become more important as electronic mail becomes more important. Ability to archive verbatim copies of every mail coming into and every mail going out of the system, with relation between them, appears to be a goal to achieve. |
| 367 | 359 |
| 368 \postfix\ for example has a \texttt{always\_bcc} feature, to send a copy of every mail to a definable reciptient. At least this funtionality should be given, although a more complete approach is preferable. | 360 \postfix\ for example has a \texttt{always\_bcc} feature, to send a copy of every mail to a definable reciptient. At least this funtionality should be given, although a more complete approach is preferable. |
| 361 | |
| 362 | |
| 363 | |
| 364 | |
| 365 | |
| 366 | |
| 367 | |
| 368 \subsection{Security design} | |
| 369 | |
| 370 \subsubsection*{Sanitize mail} | |
| 371 | |
| 372 Mail coming into the system often lacks important header lines. At least the required ones must be added from the \MTA. A good example is the \texttt{Message-Id:} header. | |
| 373 | |
| 374 In \postfix, this is done by the \name{cleanup} module, which invokes \name{rewrite}. The position in the message flow is after coming from one of the several incoming channels and before the message is stored into the \name{incoming} queue. Modules that handle incoming channels may also add headers, for example the \texttt{From:} and \texttt{Date:} headers. \name{cleanup}, however, does a complete check to make the mail header complete and valid. | |
| 375 | |
| 376 Apart from deciding where to sanitize the mail header, is the question where to generate the envelope. The envelope specifies the actual recipient of the mail, no matter what the \texttt{To:}, \texttt{Cc:}, and \texttt{Bcc:} headers tell. Multiple reciptients lead to multiple different envelopes, containing all the same mail message. | |
| 377 | |
| 378 | |
| 369 | 379 |
| 370 | 380 |
| 371 | 381 |
| 372 | 382 |
| 373 | 383 |