docs/diploma
diff thesis/tex/5-Improvements.tex @ 402:e57129f57faa
finished the indexing in a huge last effort
| author | meillo@marmaro.de |
|---|---|
| date | Sun, 08 Feb 2009 22:51:42 +0100 |
| parents | 13e630c5a44d |
| children | 1d527ad76c97 |
line diff
1.1 --- a/thesis/tex/5-Improvements.tex Sat Feb 07 23:48:48 2009 +0100 1.2 +++ b/thesis/tex/5-Improvements.tex Sun Feb 08 22:51:42 2009 +0100 1.3 @@ -20,6 +20,7 @@ 1.4 1.5 Encryption (\TODO\,1) should be the first functionality to be added to the current code. The requirement was already discussed on page~\pageref{requirement-encryption}. As explained there, \NAME{STARTTLS} encryption---defined in \RFC\,2487---should be added to \masqmail. 1.6 \index{starttls} 1.7 +\index{rfc} 1.8 1.9 This work requires changes mainly in three source files: \path{smtp_in.c}, \path{smtp_out.c}, and \path{conf.c}. 1.10 1.11 @@ -29,6 +30,7 @@ 1.12 The second file includes the functionality for the \SMTP\ client. It should start the encryption by issuing the \NAME{STARTTLS} keyword if the server supports it. It should be possible to send messages over encrypted channels only. 1.13 1.14 The third file controls the configuration files. New configuration options need to be added. The encryption policy for incoming connections needs to be defined. Three choices seem necessary: no encryption, offer encryption, insist on encryption. The encryption policy for outgoing connections should be part of each route setup. The options are the same: never encrypt, encrypt if possible, insist on encryption. 1.15 +\index{configuration} 1.16 1.17 \subsubsection*{Depencencies} 1.18 1.19 @@ -47,6 +49,7 @@ 1.20 1.21 \person{Frederik Vermeulen} wrote an encryption patch for \qmail\ which adds \NAME{STARTTLS} support \citeweb{qmail:tls-patch}. This patch includes about 500 lines of code. 1.22 \index{qmail} 1.23 +\index{starttls} 1.24 1.25 Adding this code in a similar form to \masqmail\ will be fairly easy. It will save a lot of work as it is not necessary to write the code completely from scratch. 1.26 1.27 @@ -60,8 +63,10 @@ 1.28 1.29 Authentication (\TODO\,2) is the second function to be added. It is important to restrict the access to \masqmail, especially for mail relay. The requirements for authentication where identified on page~\pageref{requirement-authentication}. 1.30 1.31 -Static access restriction, based on the \NAME{IP} address is already possible by using \NAME{TCP} \name{Wrappers}. This makes it easy to refuse all connections from outside the local network for example, which is a good prevention against being an open relay. More detailed static restrictions, like splitting between mail for users on the system and mail for relay, should \emph{not} be added to the current code. This is a concern for the new design. 1.32 -\index{tcp wrappers} 1.33 +Static access restriction, based on the \NAME{IP} address is already possible by using \NAME{TCP} \name{Wrapper}. This makes it easy to refuse all connections from outside the local network for example, which is a good prevention against being an open relay. More detailed static restrictions, like splitting between mail for users on the system and mail for relay, should \emph{not} be added to the current code. This is a concern for the new design. 1.34 +\index{access restriction} 1.35 +\index{tcp wrapper} 1.36 +\index{open relay} 1.37 1.38 \subsubsection*{One of the dynamic methods} 1.39 1.40 @@ -71,7 +76,7 @@ 1.41 Authentication based on certificates does suffer from the certificate infrastructure that is required. Although certificates are already used for encryption, its management overhead prevented wide spread usage for authentication. 1.42 1.43 \SMTP\ authentication (also referred to as \NAME{SMTP-AUTH}) support is easiest attained by using a \name{Simple Authentication and Security Layer} (short: \NAME{SASL}) implementation. \person{Dent} sees in \NAME{SASL} the best solution for dynamic authentication of users: 1.44 -\index{smtp-auth} 1.45 +\index{auth!smtp-auth} 1.46 \index{sasl} 1.47 1.48 \begin{quote} 1.49 @@ -80,12 +85,15 @@ 1.50 \end{quote} 1.51 1.52 These days \NAME{SMTP-AUTH}---defined in \RFC\,2554---is supported by almost all email clients. If encryption is used then even insecure authentication methods like \NAME{PLAIN} and \NAME{LOGIN} become secure. 1.53 +\index{rfc} 1.54 1.55 1.56 \subsubsection*{Simple Authentication and Security Layer} 1.57 \index{sasl} 1.58 1.59 \masqmail\ best uses an available \NAME{SASL} library. \name{Cyrus} \NAME{SASL} is used by \postfix\ and \sendmail. It is a complete framework that makes use of existing authentication concepts like the \path{passwd} file or \NAME{PAM}. As advantage it can be included in existing user data bases. \name{gsasl} is an alternative. It comes as a library which helps with the decision for a method and with generating the appropriate dialog data; the actual transmission of the data and the authentication against some database is left open to the programmer. \name{gsasl} is used, for instance, by \name{msmtp}. It seems best to give both concepts a try and decide then which one to use. 1.60 +\index{sendmail} 1.61 +\index{postfix} 1.62 \index{cyrus sasl} 1.63 \index{pam} 1.64 \index{gsasl} 1.65 @@ -95,6 +103,8 @@ 1.66 Authentication needs code changes in the same places as encryption. The relevant code files are \path{smtp_in.c}, \path{smtp_out.c}, and \path{conf.c}. 1.67 1.68 The server code, to authenticate clients, must be added to \path{smtp_in.c} and the configuration options to \path{conf.c}. Several configuration options should be provided: the authentication policy (no authentication, offer authentication, insist on authentication), the authentication backend (if several are supported), an option to refuse plain text methods (\NAME{PLAIN} and \NAME{LOGIN}), and one to require encryption before authentication. 1.69 +\index{configuration} 1.70 +\index{plain text} 1.71 1.72 If the authentication code for outgoing connects shall be changed too, it must be done in \path{smtp_out.c}. The configuration options are already present. 1.73 1.74 @@ -131,8 +141,11 @@ 1.75 The advantage of mail security layers is that the \MTA\ itself needs not to bother much with untrusted environments. The proxy cares for this. 1.76 1.77 \name{smap} is non-free software and thus no general choice for \masqmail. A way to achieve a similar setup is to copy \masqmail\ and strip one copy to the bare minimum of what is needed for the proxy job. \name{setuid} could be removed, and root privilege too if \name{inetd} is used. This hardens the proxy instance. 1.78 +\index{Free Software} 1.79 \index{inetd} 1.80 \index{proxy} 1.81 +\index{root privilege} 1.82 +\index{setuid} 1.83 1.84 Mail from outside would then come through the proxy into the system. Mail from the local host and from the local network could be directly accepted by the normal \masqmail, if those locations are considered trusted. But it seems better to have them use the proxy, too, or maybe a second proxy instance with different policy. 1.85 \index{policy} 1.86 @@ -143,15 +156,13 @@ 1.87 \subsubsection*{A concrete setup} 1.88 1.89 A stripped down proxy needs to be created. It should only be able to receive mail via \SMTP, encrypt the communication, authenticate clients, and send mail out via \SMTP\ to an internal socket (named ``X'' in the figure). This is a straight forward task. The normal \masqmail\ instance runs on the system, too. It takes input from \name{stdin} (when the \path{sendmail} command is invoked) and via \SMTP\ where it listens on an internal socket (named ``X'' in the figure). Outgoing mail is handled without difference to a regular setup. Figure~\ref{fig:proxy-setup} depicts the setup. 1.90 -\index{auth} 1.91 -\index{enc} 1.92 +\index{sendmail!command} 1.93 1.94 \begin{figure} 1.95 \begin{center} 1.96 \includegraphics[scale=0.75]{fig/proxy-setup.eps} 1.97 \end{center} 1.98 \caption{A setup with a proxy} 1.99 - \index{figure!A setup with a proxy} 1.100 \label{fig:proxy-setup} 1.101 \end{figure} 1.102 1.103 @@ -211,7 +222,7 @@ 1.104 \index{sendmail!command} 1.105 1.106 A bit different is the structure of \name{sendmail~X} at that point: Locally submitted messages go also to the \SMTP\ daemon, which is the only connection to the mail queue. \person{Finch} proposes a similar approach \cite{finch-sendmail}: He wants the \path{sendmail} command to be a simple \SMTP\ client that contacts the \SMTP\ daemon of the \MTA, like it is done by connections from remote. The advantage here is to have one single module where all \SMTP\ dialog with submitters is done. Hence one single point to accept or refuse incoming mail. Additionally does the module which puts mail into the queue not need to be \name{setuid} or \name{setgid}, because it is only invoked from the \SMTP\ daemon. The \MTA's architecture would become simpler and common tasks are not duplicated in modules that do similar jobs. 1.107 -\index{sendmailx} 1.108 +\index{sendmail!sendmailx} 1.109 \index{smtp} 1.110 \index{setuid} 1.111 1.112 @@ -234,12 +245,19 @@ 1.113 1.114 Outgoing mail is commonly either sent using \SMTP, piped into local commands (for example \path{uucp}), or delivered locally by appending to a mailbox. The requirements were identified on page~\pageref{rf1}. 1.115 \index{uucp} 1.116 +\index{pipe} 1.117 1.118 Outgoing channels are similar for \qmail, \postfix, and \name{sendmail~X}: All of them have a module to send mail using \SMTP\ and one for writing into a local mailbox. Local mail delivery is a job that should have root privilege to be able to switch to any user in order to write to his mailbox. Modular \MTA{}s do not require \name{setuid root} but the local delivery process (or its parent) should run as root. root privilege is not a mandatory requirement but any other approach has some disadvantages thus commonly root privilege is used. 1.119 +\index{postfix} 1.120 +\index{qmail} 1.121 +\index{sendmail!sendmailx} 1.122 \index{setuid} 1.123 +\index{root privilege} 1.124 1.125 Local mail delivery should not be done by the \MTA, but by an \NAME{MDA} instead. This decision was discussed in section~\ref{sec:functional-requirements}. This means only an outgoing channel that pipes mail into a local command is required for local delivery. 1.126 \index{local delivery} 1.127 +\index{mda} 1.128 +\index{pipe} 1.129 1.130 Other outgoing channels, one for each supported protocol, should be designed like it was done in other \MTA{}s. 1.131 1.132 @@ -249,10 +267,12 @@ 1.133 \index{mail queue} 1.134 1.135 The mail queue is the central part of an \MTA. This fact demands especially for robustness and reliability as a failure here can lead to mail loss. (See \RF\,2 on page~\pageref{rf2}.) 1.136 +\index{mail loss} 1.137 1.138 Common \MTA{}s feature one or more mail queues, they sometimes have effectively several queues within one physical representation. 1.139 1.140 \MTA\ setups that include content scanning tend to require two separate queues. To use \sendmail\ in such setups requires two independent instances with one own queue each. \exim\ can handle it with special \name{router} and \name{transport} rules but the data flow gets complicated. Hence an idea is to use two queues (\name{incoming} and \name{active} in \postfix's terminology) and have the content scanning within the move from the one to the other. 1.141 +\index{sendmail} 1.142 \index{exim} 1.143 \index{postfix} 1.144 1.145 @@ -262,6 +282,8 @@ 1.146 \index{database system} 1.147 1.148 Hence the choice here is having a directory with simple text files in it. This is straight forward, simple, clear, and general \dots\ and thus a good basis for reliability. It is additionally always an advantage if data is stored in the operating system's natural form, which is plain text in the Unix' case. 1.149 +\index{Unix} 1.150 +\index{plain text} 1.151 1.152 Robustness of the queue is covered in the next section. 1.153 1.154 @@ -285,18 +307,21 @@ 1.155 1.156 \person{Jon Postel}'s robustness principle\footnote{``Be liberal in what you accept, and conservative in what you send.''. In this wording in \RFC\,1122 and in different wordings in numerous \RFC{}s} should be respected in the \name{scanning} module. The module should parse the given input in a liberal way and generate clean output. \person{Raymond}'s \name{Rule of Repair}\footnote{``Repair what you can -- but when you must fail, fail noisily and as soon as possible.'' \cite[page~18]{raymond03}} can be applied, too. But it is important to repair only obvious problems, because repairing functionality is likely a target for attacks. 1.157 \index{robustness!principle of} 1.158 +\index{repair!rule of} 1.159 +\index{rfc} 1.160 1.161 1.162 1.163 1.164 \subsubsection*{Aliasing} 1.165 -\index{aliases} 1.166 +\index{alias expansion} 1.167 1.168 The functional requirements were identified under \RF\,4 on page~\pageref{rf4}. From the architectural point of view, the main question about aliasing is: Where should aliases get expanded? 1.169 1.170 Two facts are important to consider: (1) Addresses that expand to a list of users lead to more envelopes. (2) Aliases that change the recipient's domain part may make the message unsuitable for a specific online route. 1.171 1.172 Aliasing is often handled by expanding the alias and re-injecting the mail into the system. Unfortunately, the mail is processed twice then; additionally does the system have to handle more mail this way. If it is wanted to check the new recipient address for acceptance and do all processing again, then re-injecting it is the best choice. But already accepted messages may get rejected in the second go, though the replacement address was set inside the system. This seems not to be wanted. 1.173 +\index{smtp!rejecting} 1.174 1.175 Doing the alias expansion in the \name{scanning} module appears to be the best solution. Unfortunately, a second alias expansion must be made on delivery, because only then is clear which route is used for the message. This compromise should get accepted. 1.176 1.177 @@ -315,6 +340,7 @@ 1.178 The best point to archive copies of every incoming mail is the \name{queue-in} module, respectively the \name{queue-out} module for copies of outgoing mail. But the changes that are made by the receiving modules (adding further headers) and sending modules (address rewrites) are not respected with this approach. 1.179 1.180 \qmail\ has the ability to log complete \SMTP\ dialogs. Logging the complete data transaction into and out of the system is a great feature which should be implemented into each receiving and sending module. Though, as this will produce a huge amount of output, it should be disabled by default. 1.181 +\index{qmail} 1.182 \index{smtp!dialog} 1.183 1.184 Archiving's functional requirements were described as \RF\,10 on page~\pageref{rf10}. 1.185 @@ -348,12 +374,15 @@ 1.186 1.187 \begin{enumerate} 1.188 \item Refusing spam during the \SMTP\ dialog: This is the way it was meant by the designers of the \SMTP\ protocol. They thought checking the sender's and recipient's mail addresses would be enough, but as they are forgeable, it is not. More and more complex checks are needed to be done. Checking needs time, but \SMTP\ dialogs time out if it takes too long. Thus during the \SMTP\ dialog, only limited time can be used for checking if a message seems to be spam. The advantage of this approach is that bad messages can simply get refused---no responsibility for them is taken and no further system load is added. See \RFC\,2505 (especially section 1.5) for detail. 1.189 +\index{smtp!responsibility} 1.190 \index{smtp!dialog} 1.191 +\index{rfc} 1.192 1.193 \item Checking for spam after the mail was accepted and queued: Here it is possible to invest more processing time, thus more detailed checks can be done. But, as responsibility for messages was taken, it is no choice to simply delete spam mail. Checks for spam do not lead to sure results, they just indicate the possibility the message is unwanted mail. \person{Eisentraut} lists actions to take after a message is recognized as probably spam \cite[pages 18--20]{eisentraut05}. For mail the \MTA\ is responsible for, the only acceptable action is adding further or rewriting existing header lines. Thus all further work on the spam messages is the same as for non-spam messages. 1.194 \end{enumerate} 1.195 1.196 Modern \MTA{}s use both techniques in combination. Checks during the \SMTP\ dialog tend to be implemented in the \MTA\ to make them fast; checks after the message was queued are often done using external programs (\name{spamassassin} is a well known one). \person{Eisentraut} sees the checks during the \SMTP\ dialog to be essential: ``Ganz ohne Analyse w\"ahrend der \SMTP-Phase kommt sowieso kein \MTA\ aus, und es ist eine Frage der Einsch\"atzung, wie weit man diese Phase belasten m\"ochte.'' \cite[page 25, (translated: ``No \MTA\ can go without analysis during the \SMTP\ phase anyway, but the amount of stress one likes to put on this phase is left to his discretion.'')]{eisentraut05} 1.197 +\index{spamassassin} 1.198 1.199 Checks before a message is accepted, like \NAME{DNS} blacklists and \name{greylisting}, need to be invoked from within the receiving modules. Like for authentication and encryption, the implementation of this functionality should be provided by a central source. 1.200 \index{dns blacklist} 1.201 @@ -406,7 +435,6 @@ 1.202 \includegraphics[width=\textwidth]{fig/masqmail-arch-new.eps} 1.203 \end{center} 1.204 \caption{The new designed architecture for \masqmail} 1.205 - \index{figure!The new designed architecture for \masqmail} 1.206 \label{fig:masqmail-arch-new} 1.207 \end{figure} 1.208 1.209 @@ -425,7 +453,9 @@ 1.210 \paragraph{Receiver modules} 1.211 \index{incoming channels} 1.212 They are the communication interface between external senders and the \name{queue-in} module. Each protocol needs a corresponding \name{receiver module} to be supported. Most popular is the \name{sendmail} module, which is a command to be called from the local host, and the \name{smtpd} module which usually listens on port 25. Other modules to support other protocols may be added as needed. Receiving modules that need to listen on ports should get invoked by \name{inetd}, or by \person{Bernstein}'s more secure \name{ucspi-tcp}. This makes it possible to run them with least privilege. 1.213 -\index{least privilege} 1.214 +\index{inetd} 1.215 +\index{inetd!ucspi-tcp} 1.216 +\index{least privilege, principle of} 1.217 1.218 1.219 \paragraph{The \name{queue-in} module} 1.220 @@ -445,6 +475,10 @@ 1.221 \paragraph{Transport modules} 1.222 \index{outgoing channels} 1.223 These modules send outgoing mail; they are the interface between \name{queue-out} and remote hosts or local commands. The most popular modules of this kind are the \name{smtp} module which acts as an \SMTP\ client and the \name{pipe} module to interface gateways to other systems or networks like \NAME{FAX} and \NAME{UUCP}. A module for local delivery is not included; \masqmail\ passes this job to an \NAME{MDA} which gets invoked through the \name{pipe} module. (See section~\ref{sec:functional-requirements} for reasons.) 1.224 +\index{fax} 1.225 +\index{gateway} 1.226 +\index{mda} 1.227 +\index{pipe} 1.228 1.229 1.230 1.231 @@ -455,14 +489,14 @@ 1.232 The queuing system consists of two queues and a message pool. The queues store the spool files---in unprocessed form in \name{incoming} and in complete and valid form in \name{outgoing}. The \name{pool} is the storage of the data files. On disk, the three parts of the queuing system are represented by three directories within the queue path. 1.233 1.234 The representation of queued messages on disk is basically the same as in current \masqmail: One file for the envelope and message header information (the ``spool file'') and a second file for the message body (the ``data file''). 1.235 -\index{spool file} 1.236 -\index{data file} 1.237 1.238 The currently used internal structure of the spool files can remain. Following is a sample spool file from current \masqmail. The first part is the envelope and meta information. The annotations in parenthesis are only added to ease the understanding. The second part, after the empty line, is the message header. 1.239 1.240 \codeinput{input/sample-spool-file.txt} 1.241 1.242 The spool file owner's executable bit shows if a file is ready for further processing: The module that writes the file into the queue sets the bit as last action. Modules that read from the queue can process messages that have the bit set. This approach is derived from \postfix. 1.243 +\index{executable bit} 1.244 +\index{postfix} 1.245 1.246 The data file is stored into the \name{pool} by \name{queue-in}; it never gets modified until it is deleted by \name{queue-out}. They consist of data in local default text format. 1.247 1.248 @@ -474,13 +508,14 @@ 1.249 \index{ipc} 1.250 1.251 Communication between modules is required to exchange data and status information. This is also called ``Inter-process communication'' (short: \NAME{IPC}) because the modules are independent programs in this case and processes are programs in execution. 1.252 +\index{ipc} 1.253 1.254 The connections between \name{queue-in} and \name{scanning}, as well as between \name{scanning} and \name{queue-out}, is provided by the queues, only signals might be useful to trigger runs. Communication between receiver and transport modules and the outside world is organized by their specific protocol (e.g.\ \SMTP). 1.255 1.256 Left is only the communication between the receiver modules and \name{queue-in}, and between \name{queue-out} and the transport modules. Suggested for this communication is a simple protocol with data exchange through Unix pipes. Figure~\ref{fig:ipc-protocol} shows a state diagram for the protocol. 1.257 +\index{pipe} 1.258 1.259 The protocol is described in more detail now: 1.260 -\index{protocol} 1.261 1.262 \paragraph{Timing} 1.263 One dialog consists of exactly three phases: (1) The connection attempt, (2) The envelope and header transfer, and (3) The transfer of the message body. The order is always the same. The three phases are all initiated by the client process. After each phase the server process sends a success or failure reply. Timeouts for each phase need to be implemented. 1.264 @@ -490,7 +525,6 @@ 1.265 \includegraphics[scale=0.75]{fig/ipc-protocol.eps} 1.266 \end{center} 1.267 \caption{State diagram of the \NAME{IPC} protocol. (Solid lines indicate client actions, dashed lines indicate server responses.)} 1.268 - \index{figure!State diagram of the \NAME{IPC} protocol.} 1.269 \label{fig:ipc-protocol} 1.270 \end{figure} 1.271 1.272 @@ -501,6 +535,10 @@ 1.273 1.274 \paragraph{Syntax} 1.275 Data transfer is done by sending plain text data. \name{Line Feed} (`\texttt{\textbackslash{}n}')---the native line separator on Unix---is used as line separator. The terminator sequence used to indicate the end of the data transfer is the \NAME{ASCII} \name{null} character (`\texttt{\textbackslash0}'). Replies are one-digit numbers with `\texttt{0}' meaning success and any other number (`\texttt{1}'--`\texttt{9}') indicating failure. 1.276 +\index{Line Feed} 1.277 +\index{ascii} 1.278 +\index{Unix} 1.279 +\index{plain text} 1.280 1.281 1.282 1.283 @@ -510,6 +548,10 @@ 1.284 \index{permission} 1.285 1.286 The set of system users that is required for \qmail\ seems to be too complex for \masqmail. One system user, like \postfix\ uses, is more appropriate. \name{root} privilege and \name{setuid} permission should to be avoided if feasible. 1.287 +\index{system user management} 1.288 +\index{postfix} 1.289 +\index{qmail} 1.290 +\index{root privilege} 1.291 1.292 The \name{queue-in} module is the part of the system that is most critical about permission. It either needs to run as deamon or be \name{setuid} or \name{setgid} in order to avoid a world-writable queue. \person{Ian~R.\ Justman} recommends to use \name{setgid} in this situation: 1.293 \index{setuid} 1.294 @@ -522,14 +564,20 @@ 1.295 \person{Bernstein} chose \name{setuid} for the \name{qmail-queue} module, \person{Venema} uses \name{setgid} in \postfix, yet the differences are small. Better than running the module as a deamon is each of them. A deamon needs more resources and therefore becomes inefficient on systems with low mail amount, like the ones \masqmail\ will probably run on. Short running processes are additionally higher obstacles for intruders, because a process will die soon if an intruder managed to take one over. 1.296 \index{qmail} 1.297 \index{postfix} 1.298 +\index{setuid} 1.299 1.300 1.301 The modules \name{scanning} and \name{queue-out} are candidates for all-time running daemon processes. Alternatively they could be started by \name{cron} to do single runs. 1.302 +\index{cron} 1.303 1.304 Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by other tools of the operating system too, thus making a master process abdicable. \masqmail\ does probably better go without a master process, because it aims to save resources, not to get the best performance. 1.305 +\index{qmail} 1.306 \index{master process} 1.307 1.308 A sane permission management is very important for secure software in general. The \name{principle of least privilege} \cite[section~I.A.3.f]{saltzer75}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root and let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd}, or one of its substitutes, listens on the port instead of the \name{smtpd} module. \name{inetd} will then launch the \name{smtpd} module to handle the connection whenever a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way. 1.309 +\index{least privilege, principle of} 1.310 +\index{inetd} 1.311 +\index{root privilege} 1.312 1.313 1.314