# HG changeset patch # User meillo@marmaro.de # Date 1232732412 -3600 # Node ID 2b1da14922f7931026ad0fc0dc6f522317644ff4 # Parent d13bddf0f9941790f1b0f118f6cfcc5efe625269 reworked section about design decisions and here and there further bits diff -r d13bddf0f994 -r 2b1da14922f7 thesis/tex/5-Improvements.tex --- a/thesis/tex/5-Improvements.tex Fri Jan 23 12:58:52 2009 +0100 +++ b/thesis/tex/5-Improvements.tex Fri Jan 23 18:40:12 2009 +0100 @@ -156,208 +156,157 @@ \section{A new design} \label{sec:new-design} -The last chapter identified the requirements for a modern and securt \masqmail. Now the various jobs of an \MTA\ get assigned to modules, of which the new architecture is created. It is inspired by existing \MTA{}s and driven by the identified requirements. +The last chapter identified the requirements for a modern and secure \masqmail. Now the various jobs of an \MTA\ get assigned to modules of which a new architecture is created. It is inspired by existing \MTA{}s and driven by the identified requirements. One wise experience was kept in mind during the design: ``Many times in life, getting off to the right start makes all the difference.'' \cite[page~32]{graff03}. + +\subsection{Design decisions} + Major design ideas of the design were: -\begin{itemize} - \item free the internal system from in and out channels - \item arbitrary protocol handlers have to be addable afterwards - \item a single facility for scanning (all mail goes through it) - \item concentrate on mail transfer -\end{itemize} +\begin{enumerate} + \item compartmentalization throughout + \item free the internal system from the in and out channels + \item provide interfaces to add arbitrary protocol handlers afterwards + \item have a single point where all mail goes through for scanning + \item concentrate on the mail transfer job; use specialized external programs for other jobs + \item keep it simple, clear, and general +\end{enumerate} -\subsection{Architectural design} - \subsubsection*{Incoming channels} -\sendmail-compatible \mta{}s must support at least two incoming channels: mail submitted using the \sendmail\ command, and mail received via the \SMTP\ daemon. It is therefor common to split the incoming channel into local and remote. This is done by \qmail\ and \postfix. The same way is \person{Hafiz}'s view. +\sendmail-compatible \mta{}s must support at least two incoming channels: mail submitted using the \sendmail\ command, and mail received via the \SMTP\ daemon. It is therefore common to split the incoming channel into local and remote. This is done by \qmail\ and \postfix. The same way is \person{Hafiz}'s view \cite{hafiz05}. %fixme: specify page -In contrast is \name{sendmail X}: Its locally submitted messages go to the \SMTP\ daemon, which is the only connection towards the mail queue. %fixme: is it a smtp dialog? or a second door? -\person{Finch} proposes a similar approach. He wants the \texttt{sendmail} command to be a simple \SMTP\ client that contacts the \SMTP\ daemon of the \MTA\ like it is done by connections from remote. The advantage here is one single module where all \SMTP\ dialog with submitters is done. Hence one single point to accept or refuse incoming mail. Additionally does the module to put mail into the queue not need to be \name{setuid} or \name{setgid} because it is only invoked from the \SMTP\ daemon. The \MTA's architecture would become simpler and common tasks are not duplicated in modules that do similar jobs. +In contrast is \name{sendmail X}: Its locally submitted messages go to the \SMTP\ daemon, which is the only connection towards the mail queue. %fixme: is it a smtp dialog? or a back door? +\person{Finch} proposes a similar approach. He wants the \texttt{sendmail} command to be a simple \SMTP\ client that contacts the \SMTP\ daemon of the \MTA\ like it is done by connections from remote. The advantage here is one single module where all \SMTP\ dialog with submitters is done. Hence one single point to accept or refuse incoming mail. Additionally does the module which puts mail into the queue not need to be \name{setuid} or \name{setgid} because it is only invoked from the \SMTP\ daemon. The \MTA's architecture would become simpler and common tasks are not duplicated in modules that do similar jobs. -But merging the input channels in the \SMTP\ daemon makes the \MTA\ heavily dependent on \SMTP\ being the main mail transfer protocol. To \qmail\ and \postfix\ new modules to support other ways of message receival may be added without change of other parts of the system. Also is it better to have more independent modules if each one is simpler then. +But merging the input channels in the \SMTP\ daemon makes the \MTA\ heavily dependent on \SMTP. To \qmail\ and \postfix\ new modules to support other ways of message receival may be added without change of other parts of the system. Also the \SMTP\ modules can be removed if it is not needed. And it is better to have more independent modules if each one is simpler then---it makes the modules more complicated if each one needs to implement an \SMTP\ client. -With the increasing need for new protocols in mind, it seems better to have single modules for each incoming channel, although this leads to duplicated acceptance checks. +With the increasing need for new protocols in mind, it seems better to have single modules for each incoming channel, although this leads to duplicated acceptance checks. Independent checks in different modules, however, have also the advantage to simply apply different policies. Thus it is possible to run two \SMTP\ modules that listen on different ports; one accessable from the Internet but requires authentication, the other only accessable from the local network but does not require authentication. + +The approach of simple independent modules, one for each incoming channel, should be taken. + +A module which is a \NAME{POP} or \NAME{IMAP} client to import contents of other mail boxes into the system may be added afterwards as it is desired. + \subsubsection*{Outgoing channels} -Outgoing mail is commonly either sent using \SMTP, piped into local commands (for example \texttt{uucp}), or delivered locally by appending to a mailbox. +Outgoing mail is commonly either sent using \SMTP, piped into local commands (for example \path{uucp}), or delivered locally by appending to a mailbox. -Outgoing channels are similar for \qmail, \postfix, and \name{sendmail X}: All of them have a module to send mail using \SMTP, and one for writing into a local mailbox. Local mail delivery is a job that requires root priveledge to be able to switch to any user in order to write to his mailbox. Modular \MTA{}s do not need \name{setuid root}, but the local delivery process (or its parent) needs to run as root. +Outgoing channels are similar for \qmail, \postfix, and \name{sendmail X}: All of them have a module to send mail using \SMTP, and one for writing into a local mailbox. Local mail delivery is a job that requires root privilege to be able to switch to any user in order to write to his mailbox. Modular \MTA{}s do not need \name{setuid root}, but the local delivery process (or its parent) needs to run as root\footnote{root privilege is actually not a mandatory requirement, but any other approach has some disadvantages, so commonly root privilege is used.}. -As mail delivery to local users, is \emph{not} included in the basic job of an \MTA{}, why should it care about it? In order to keep the system simple and to have programs that do one job well, the local delivery job should be handed over to a specialist: the \name{mail delivery agent}. \NAME{MDA}s know about the various mailbox formats and are aware of the problems of concurrent write access and thelike. Hence handling the message and the responsiblity over to a \NAME{MDA}, like \name{procmail} or \name{maildrop}, seems to be the right way to go. +Local mail delivery should not be done by the \MTA, but by an \NAME{MDA}. This decision was discussed in section \ref{sec:functional-requirements}. This means only an outgoing channel that pipes mail into a local command is required for local delivery. -This means an outgoing connection that pipes mail into local commands is required. Other outgoing channels, one for each supportet protocol, may be designed like it was done in other \MTA{}s. +Other outgoing channels, one for each supportet protocol, may be designed like it was done in other \MTA{}s. -\subsubsection*{Mail queue} +\subsubsection*{The mail queue} -Mail queues are probably used in all \mta{}s, excluding the simple forwarders. A mail queue is a essential requirement for \masqmail, as it is to be used for non-permanent online connections. This means, mail must be queued until a online connection is available to send the message. +The mail queue is the central part of an \MTA. This demands especially for robustness and reliability as a failure here can lead to loosing mail. -The mail queue and the module to manage it are the central part of the whole system. This demands especially for robustness and reliability, as a failure here can lead to loosing mail. An \MTA\ takes over responsibility for mail in accepting it, hence loosing mail messages is absolutely to avoid. This covers any kind of crash situation too. The worst thing acceptable to happen is a mail to be sent twice. +%\sendmail, \exim, \qmail, \name{sendmail X}, and \masqmail\ feature one single mail queue. \postfix\ has more of them. +Common \MTA{}s feature one or more mail queues, they sometimes have effectly several queues within one physical representation. -\sendmail, \exim, \qmail, \name{sendmail X}, and \masqmail\ feature one single mail queue. \postfix\ has more of them. +\MTA\ setups that include content scanning tend to require two separate queues. To use \sendmail\ in such setups requires two independent instances with two separate queues. \exim\ can handle it with special \name{router} and \name{transport} rules but the data flow gets complicated. Hence an idea is to use two queues, \name{incoming} and \name{active} in \postfix's terminology, with the content scanning within the move from \name{incoming} to \name{active}. -\MTA\ setups that include content scanning tend to require two separate queues. To use \sendmail\ in such setups requires two independent instances, with two separate queues, running. \exim\ can handle it with special \name{router} and \name{transport} rules, but the data flow gets complicated. Hence an idea is to use two queues, \name{incoming} and \name{active} in \postfix's terminology, with the content scanning within the move from \name{incoming} to \name{active}. +\sendmail, \exim, \qmail, and \masqmail\ all use at least two files to store one message in the queue: one file contains the message body, another the envelope and header information. The one containing the mail body is not modified at all. \postfix\ takes a different approach in storing queued messages in an internal format within one file. \person{Finch} suggest yet another approach: storing the whole queue in one single file with pointers to separating positions \cite{finchFIXME}. %fixme: check, cite, and think about -\sendmail, \exim, \qmail, and \masqmail\ all use at least two files to store one message in the queue: one file contains the message body, another the envelope and header information. The one containing the mail body is not modified at all. \postfix\ takes a different approach in storing queued messages in an internal format within one file. \person{Finch} takes yet another different approach in suggesting to store the whole queue in one single file with pointers to separating positions \cite{finchFIXME}. -%fixme: check, cite, and think about +All of the presented \MTA{}s use the file system to hold the queue; none uses a database to hold it. A database could improve the reliability of the queue through better persistence. This might be a choice for larger \MTA{}s but is none for \masqmail\ which should be kept small and simple. A running database system does likely require much more resources than \masqmail\ itself does. And as the queue's job is more storing data than running data selection queries, a database does not gain so much that it outweighs its costs. -%fixme: discuss: filesystem vs. database -<< \masqmail\ uses the filesytem to store the queue, storing the queue in a databases might improve the reliability through better persistence. >> %fixme +Hence here the choice is having a directory with simple text files in it. This is straight forward, simple, clear, and general \dots\ and thus a good basis for reliability. It is additionally always of advantage if data is stored in the operation system's natural form, which in the case of \unix\ is plain text. -%fixme: what about the ``rule of repair''? +Robustness for the queue is covered in the next section. %fixme: ist this sentence neccessary? Is it still correct. -\subsection{Functional design} + +\subsubsection*{Mail sanitizing} + +Mail coming into the system may be may be malformed, lacking headers, or be an attempt to exploit the system. Care must be taken. + +In \postfix, this is done by the \name{cleanup} module, which invokes \name{rewrite}. The position in the message flow is after the message comes from one of the several incoming channels and before the message is stored into the \name{incoming} queue. \name{cleanup} does a complete check to make the mail header complete and valid. + +\qmail\ has the principle of ``don't parse'' which propagades the avoidance of parsing as possible in the system. The reason is that parsing is a highly complex task which often makes code exploitable. + +Mail should be stored into the queue as it is in \masqmail's new design. A scanning module should then parse the message with high care. It seems best to use a \name{parser generator} for this work. The parsed data should then be modified if needed and written into a second queue. This approach has several advantages. First, the receiving parts of the system do not bother about content, they simply store it into the queue. Second, one single modules does the parsing and generates new messages that contain only valid data. Third, the sending parts of the system will only work on messages that consist of valid data. Of course it must be ensured that each message passes through the \name{scanning} module, but this is required for spam and malware scanning too. + +The mail body will never get modified, except of removing and adding transfer protocol specific requirements like dot stuffing or special line ending characters. + +\person{Jon Postel}'s robustness principle ``Be liberal in what you accept, and conservative in what you send.'', which can be found in this wording in \RFC\,1122 and in different wordings in numerous \RFC{}s, is respected in the \name{scanning} module. It parses the given input in some liberal way and generates clean output. \person{Raymond}'s \name{Rule of Repair} ``Repair what you can -- but when you must fail, fail noisily and as soon as possible.'' can be applied too. But it is important to repair only obvious problems, because repairing functionality is likely a target of attacks. + + \subsubsection*{Aliasing} -Where should aliases get expanded? They appear in different kind. Important are the ones available in the \path{aliases} file. Aliases can be: -\begin{enumerate} - \item a different local user (e.g.\ ``\texttt{bob: alice}'') - \item a remote user (e.g.\ ``\texttt{bob: john@example.com}'') - \item a list of users (e.g.\ ``\texttt{bob: alice, john@example.com}'') - \item a command (e.g.\ ``\texttt{bob: |foo}'') -\end{enumerate} -Addresses expanding to lists of users lead to more envelopes. Aliases changing the reciptients domain part may make the message unsuitable for a specific online route. +The main question about aliasing is: Where should aliases get expanded? -Aliasing is often handled in expanding the alias and reinjecting the mail into the system. Unfortunately, the mail is processed twice then; additionally does the system have to handle more mail this way. If it is wanted to check the new recipient address for acceptance and do all processing again, then reinjecting it is the best choice. +Two facts are important to consider: Addresses expanding to lists of users lead to more envelopes. And aliases changing the reciptient's domain part may make the message unsuitable for a specific online route. + +Aliasing is often handled in expanding the alias and reinjecting the mail into the system. Unfortunately, the mail is processed twice then; additionally does the system have to handle more mail this way. If it is wanted to check the new recipient address for acceptance and do all processing again, then reinjecting it is the best choice. But already accepted messages may get rejected in the second go, because of an replacement address from within the system. This seems not to be wanted. + +Doing the alias expansion in the scanning module appears to be the best solution. Unfortunately a second alias expansion must be made on delivery, because only at that point in time is clear which route is used for the message. This compromise is accepted. \subsubsection*{Route management} -%fixme: rework!! -One key feature of \masqmail\ is its ability to send mail out in different ways. The decision is based on the current online state and whether a route may be used for a message or not. The online state can be retrieved in tree ways, explained in \ref{sec:fixme}. A route to send is found by checking every available route for being able to transfer the current message, until one matches. +The online state is only important for the sending modules of the system, thus it should be queried in the \name{queue-out} module which selects ready messages from the \name{outgoing} queue and transfers them to the appropriate sending module. Route-based aliasing, which was described in the last section, %fixme: is this still true? +should to be done in the same go. -This functionality should be implemented in the module that is responsible to invoke one of the outgoing channel modules (for example the one for \SMTP\ or the pipe module). -\masqmail\ can rewrite the envelope's from address and the \texttt{From:} header, dependent on the outgoing route to use. This rewrite must be done \emph{after} it is clear which route a mail will take, of course, so this may be not the module where other header editing is done. -%fixme: see hafiz05 page 57: maybe put the rewriting into the sending module (like smx, exim, courier) (problem with archiving of all outgoing mail?) +\subsubsection*{Authentication and Encryption} -\subsubsection*{Authentication} +Both topics were discussed several time throughout this thesis, amoung other places on page \pageref{} and \pageref{}. -One thing to avoid is being an \name{open relay}. Open relays allow to relay mail from everywhere to everywhere. This is a major source of spam. The solution is restricting relay\footnote{Relaying is passing mail, that is not from and not for the own system, through it.} access. +Authentication should be done within the receiving modules. Similar should authentication for outgoing connections be handled by the sending modules. -Several ways to restrict access are available. The most simple one is restrictiction by the \NAME{IP} address. No extra complexity is added this way, but static \NAME{IP} addresses are mandatory. This kind of restriction may be enabled using the operating system's \path{hosts.allow} and \path{hosts.deny} files. To allow only connections to port 25 from localhost or the local network \texttt{192.168.100.0/24} insert the line ``\texttt{25: ALL}'' into \path{hosts.deny} and ``\texttt{25: 127.0.0.1, 192.168.100.}'' into \path{hosts.allow}. +To encryption applies the same as to authentication here. Only receiving and sending modules should come in contact with it. -If static access restriction is not possible, for example if mail from locations with changing \NAME{IP} addresses wants to be accepted, some kind of authentication mechanism is required. Three common kinds exist: -\begin{enumerate} - \item \SMTP-after-\NAME{POP}: uses authenication on the \NAME{POP} protocol to permit incoming \SMTP\ connections for a limited time afterwards. - \item \SMTP authentication: is an extension to \SMTP. Authentication can be requested before mail is accepted. - \item Certificates: confirm the identity of someone. -\end{enumerate} +In order to avoid code duplicates, the actual implementation of both functionalities should be provided by a central source which gets invoked by the various modules. -\subsubsection*{Encryption} -Electronic mail is very weak to sniffing attacks, because all data transfer is unencrypted. This concerns the message's content, as well as the email addresses in header and envelope, but also authentication dialogs that may transfer plain text passwords (\NAME{PLAIN} and \NAME{LOGIN} are examples). Adding encryption is therefor wanted. -The common way to encrypt \SMTP\ dialogs is using \name{Transport Layer Security} (short: \TLS, successor of \NAME{SSL}). \TLS\ encrypts the datagrams of the \name{transport layer}. This means it works below the application protocols and can be used by any of them\citeweb{wikipedia:tls}. -\TLS\ allows to create secure tunnels through which arbitrary programs can communicate. Hence one can add secure communication afterwards to programs without changing them. \name{OpenSSL} for example---a free implementation---allows traffic to be piped into a command; a secure tunnel is created and the traffic is forwarded through it. Or a secure tunnel can be set up between a local and a remote port; this tunnel can then be used by any application. +\subsubsection*{Spam and malware handling} -The \NAME{POP} protocol, for example, is good suited for such tunneling, but \SMTP\ is is not generally. Outgoing \SMTP\ client connections can be tunneled without problem---\masqmail\ already provides a configure option called \texttt{wrapper} to do so. Tunneling incomming connections to a server leads to problems with \SMTP. As data comes encrypted through the tunnel to the receiving host and gets then decrypted and forwarded on local to the port the application listens on. From the \MTA's view, this makes all connections appear to come from localhost, unfortunately. Figure \ref{fig:stunnel} depicts the data flow. - -For incoming connections, \NAME{STARTTLS}---defined in \RFC2487---is what \mta{}s implement. - -\masqmail\ is already able to encrypt outgoing connections, but encryption of incoming connections, using \NAME{STARTTLS} should be implemented. This only affects the \SMTP\ server module. - - - - - -\subsubsection*{Spam prevention} - ---- - -Spam is a major threat nowadays and the goal is to reduce it to a bearable level (see section \ref{sec:swot-analysis}). Spam fighting is a war in which the good guys tend to lose. Putting too much effort there will result in few gain. Real success will only be possible with new---better---protocols and abandonning the weak legacy technologies. Hence \masqmail\ should be able to provide state-of-the-art spam protection, but not more. - ---- - -Spam is a major threat to email, as described in section \ref{sec:swot-analysis}. The two main problems are forgable sender addresses and that it is cheap to send hundreds of thousands of messages. Hence, spam senders can operate in disguise and have minimal cost. - -As spam is not just a nuisance for end users but also for the infrastructure---the \mta{}s---by increasing the amount of mail messages. Thus \MTA{}s need to protect themself. Two different approaches are used: +The two approaches for spam handling were already presented to the reader in section \ref{}. Here they are described in more detail: \begin{enumerate} \item Refusing spam during the \SMTP\ dialog. This is the way it was meant by the designers of the \SMTP\ protocol. They thought checking the sender and reciptient mail addresses would be enough, but as they are forgable it is not. More and more complex checks need to be done. Checking needs time, but \SMTP\ dialogs time out if it takes too long. Thus only limited time can be used, during the \SMTP\ dialog, for checking if a message seems to be spam. The advantage is that acceptance of bad messages can be simply refused---no responsibility for the message is taken and no further system load is added. See \RFC2505 (especially section 1.5) for detail. -\item -Checking for spam after the mail was accepted and queued. Here more processing time can be invested, so more detailed checks can be done. But, as responsibility for messages was taken by accepting them, it is no choice to simply delete spam mail. Checks for spam do not lead to sure results, they just indicate the possibility the message is unwanted mail. \person{Eisentraut} indicates actions to take after a message is recognized as probably spam \cite[pages 18--20]{eisentraut05}. The only acceptable one, for mail the \MTA\ is responsible for, is adding further or rewriting existent header lines. Thus all further work on the message is the same as for non-spam messages. +\item Checking for spam after the mail was accepted and queued. Here more processing time can be invested, so more detailed checks can be done. But, as responsibility for messages was taken by accepting them, it is no choice to simply delete spam mail. Checks for spam do not lead to sure results, they just indicate the possibility the message is unwanted mail. \person{Eisentraut} indicates actions to take after a message is recognized as probably spam \cite[pages 18--20]{eisentraut05}. The only acceptable one, for mail the \MTA\ is responsible for, is adding further or rewriting existent header lines. Thus all further work on the message is the same as for non-spam messages. \end{enumerate} -Modern \MTA{}s use both techniques in combination. Checks during the \SMTP\ dialog tend to be implemented in the \mta\ to make it fast; checks after the message was queued are often done using external programs (\name{spamassassin} is a well known one). \person{Eisentraut} sees the checks during the \SMTP\ dialog to be essentiell: ``Ganz ohne Analyse w\"ahrend der \SMTP-Phase kommt sowieso kein \MTA\ aus, und es ist eine Frage der Einsch\"atzung, wie weit man diese Phase belasten m\"ochte.''\cite[page 25]{eisentraut05} (translated: ``No \MTA\ can go without analysis during the \SMTP\ phase anyway, but the amount of stress one likes to put on this phase is left to his discretion.'') +Modern \MTA{}s use both techniques in combination. Checks during the \SMTP\ dialog tend to be implemented in the \mta\ to make it fast; checks after the message was queued are often done using external programs (\name{spamassassin} is a well known one). \person{Eisentraut} sees the checks during the \SMTP\ dialog to be essentiell: ``Ganz ohne Analyse w\"ahrend der \SMTP-Phase kommt sowieso kein \MTA\ aus, und es ist eine Frage der Einsch\"atzung, wie weit man diese Phase belasten m\"ochte.'' \cite[page 25]{eisentraut05} (translated: ``No \MTA\ can go without analysis during the \SMTP\ phase anyway, but the amount of stress one likes to put on this phase is left to his discretion.'') -\NAME{DNS} blacklists (short: \NAME{DNSBL}) and \name{greylisting} are checks to be done before accepting the message. Invoking \name{spamassassin}, to add headers containing the estimated spam probability, is best to be invoked after the message is queued. +Checking before a message is accepted, like \NAME{DNS} blacklists and \name{greylisting}, needs to be invoked from within the receiving modules. Like for authentication and encryption, the implementation of the functionality should be provided by a central source. +All checking after the message was queued should be done by pushing the message through external scanners like \name{spamassassin}. The \name{scanning} module is the best place to handle this. Hence this module needs interfaces to external scanners. +Malware scanning is similar like the second type of spam scanning. The \name{amavis} framework is a popular mail scanning framework that includes all kinds of malware and also spam scanners; it communicates by using \SMTP. -\subsubsection*{Virus checking} +Providing \SMTP\ in and out channels from the \name{scanning} module to external scanner applications seems to be a desired goal. Using further instances of the already available \name{smtp} and \name{smtpd} modules therefore appears to be the best solution. -Related to spam is malicous content (short: \name{malware}) like viruses, worms, trojan horses. They, in contrast to spam, do not affect the \MTA\ itself, as they are in the mail body. The same situation in the real world is post offices opening letters to check if they contain something that could harm the recipient. This is not a mail transport concern. Apart of not being the right program to do the job, the \MTA\---the one which is responsible for the recipient---is at a good position to do this work. -In any way should malware checking be done by external programs that may be invoked by the \mta. But using mail deliver and processing agents, like \name{procmail}, seem to be better suited locations to invoke content scanners. -A popular email filter framework is \name{amavis} which integrates various spam and virus scanners. The common setup includes a receiving \MTA\ which sends it to \name{amavis} using \SMTP, \name{amavis} processes the mail and sends it then to a second \MTA\ that does the outgoing transfer. \postfix\ and \exim\ can be configured so that one instance can work as both, the \MTA\ for incoming and outgoing transfer. A setup with \sendmail\ needs two separate instances running. It must be quarateed that all mail flows through the scanner. - -A future \masqmail\ would do good to have a single point, where all traffic flows through, that is able to invoke external programs to do mail processing of any kind. - - -%AMaViS (amavisd-new): email filter framework to integrate spam and virus scanner -%\begin{verbatim} -%internet -->25 MTA -->10024 amavis -->10025 MTA --> reciptient - %| | - %+----------------------------+ -%\end{verbatim} -% -%postfix and exim can habe both mta servises in the same instance, sendmail needs two instances running. -% -%MailScanner: -%incoming queue --> MailScanner --> outgoing queue -% -%postfix: with one instance possible, exim and sendmail need two instances running - - -%message body <-> envelope, header -% -%anti-virus: clamav -%postfix: via amavis -%exim: via content-scanning-feature called from acl -%sendmail: with milter -%procmail -% -%virus scanner work on file level -%amavis receives mail via smtp or pipe, splits it in its parts (MIME) and extracks archives, the come the virus scanners -%if the mail is okay, it goes via smtp to a second mta - -%what amavis recognizes: -%- invalid headers -%- banned files -%- viruses -%- spam (using spam assassin) -% -%mimedefang: uses milter interface with sendmail \subsubsection*{Archiving} -Mail archiving and auditability become more important as electronic mail becomes more important. Ability to archive verbatim copies of every mail coming into and every mail going out of the system, with relation between them, appears to be a goal to achieve. +The best point to archive copies of every incoming mail is the \name{queue-in} module, respectively the \name{queue-out} module for copies outgoing mail. But not respected with this approach are the changes that are made by the receiving modules (adding further headers) and sending modules (address rewrites). -\postfix\ for example has a \texttt{always\_bcc} feature, to send a copy of every mail to a definable reciptient. At least this funtionality should be given, although a more complete approach is preferable. +\qmail\ has the ability to log complete \SMTP\ dialogs. Logging the complete data transaction into and out of the system into a separate log file is a great feature which should be implemented into each receiving and sending module. But as it will produce a huge amount of output, it should be cared to disabled it by default. @@ -365,18 +314,6 @@ -\subsection{Security design} - -\subsubsection*{Sanitize mail} - -Mail coming into the system often lacks important header lines. At least the required ones must be added from the \MTA. A good example is the \texttt{Message-Id:} header. - -In \postfix, this is done by the \name{cleanup} module, which invokes \name{rewrite}. The position in the message flow is after coming from one of the several incoming channels and before the message is stored into the \name{incoming} queue. Modules that handle incoming channels may also add headers, for example the \texttt{From:} and \texttt{Date:} headers. \name{cleanup}, however, does a complete check to make the mail header complete and valid. - -Apart from deciding where to sanitize the mail header, is the question where to generate the envelope. The envelope specifies the actual recipient of the mail, no matter what the \texttt{To:}, \texttt{Cc:}, and \texttt{Bcc:} headers tell. Multiple reciptients lead to multiple different envelopes, containing all the same mail message. - - -