# HG changeset patch # User meillo@marmaro.de # Date 1234029625 -3600 # Node ID 8ef85e22ff7d035426c2cf96dd2a064b817477b2 # Parent 0d78755132b7377c5b4d0dd25915d7002fdf92cc again lots of fixes and removed fixmes diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/bib/thesis.bib --- a/thesis/bib/thesis.bib Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/bib/thesis.bib Sat Feb 07 19:00:25 2009 +0100 @@ -507,3 +507,25 @@ year = "1979", note = "Available on the Internet: {\small\url{http://dinosaur.compilertools.net/yacc/yacc.ps} (2009-02-07)}", } + +@article{saltzer75, + author = "Jerome~H. Saltzer and Michael~D. Schroeder", + title = "\textit{The Protection of Information in Computer Systems}", + journal = "Proceedings of the IEEE", + volume = "63", + number = "9", + year = "1975", + pages = "1278--1308", + note = "Available on the Internet: {\small\url{http://web.mit.edu/Saltzer/www/publications/protection/} (2009-02-07)}", +} + +@manual{sendmail:config, + author = "Eric Allman", + organization = "Sendmail Consortium, The", + title = "\textit{Sendmail Configuration Files}", + year = "2006", + note = "Available on the Internet: {\small\url{http://sendmail.org/m4/readme.html} (2009-02-07)}", +} + + + diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/bib/websites.bib --- a/thesis/bib/websites.bib Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/bib/websites.bib Sat Feb 07 19:00:25 2009 +0100 @@ -348,3 +348,17 @@ howpublished = "{\small\url{http://ietf.org} (2000-02-07)}", } +@misc{pushemail.co.uk, + author = "unknown", + title = "\textit{Push Email -- An Introduction}", + howpublished = "{\small\url{http://pushemail.co.uk} (2000-02-07)}", +} + +@misc{im2000, + author = "Daniel~J. Bernstein", + title = "\textit{Internet Mail 2000}", + howpublished = "{\small\url{http://cr.yp.to/im2000.html} (2000-02-07)}", +} + + + diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/1-Introduction.tex --- a/thesis/tex/1-Introduction.tex Sat Feb 07 14:47:27 2009 +0100 
+++ b/thesis/tex/1-Introduction.tex Sat Feb 07 19:00:25 2009 +0100 @@ -47,12 +47,13 @@ \subsubsection{Mail transfer with SMTP} +\label{smtp-intro} Today most of the email is transferred using the \name{Simple Mail Transfer Protocol}\index{smtp} (short: \SMTP), which is defined in \RFC\,821 and the successors \RFC\,2821 and \RFC\,5321. A good entry point for further information is \citeweb{wikipedia:smtp}. A selection of important concepts of \SMTP\index{smtp!concepts of} is explained here. -First the \name{store and forward}\index{smtp!store and forward} transfer concept. This means mail messages are sent from \MTA\ to \MTA, until the final \MTA\ (the one which is responsible for the recipient) is reached. The message is stored for some time on each \MTA, until it is forwarded to the next \MTA. +First the \name{store-and-forward}\index{smtp!store-and-forward} transfer concept. This means mail messages are sent from \MTA\ to \MTA, until the final \MTA\ (the one which is responsible for the recipient) is reached. The message is stored for some time on each \MTA, until it is forwarded to the next \MTA. This leads to the concept of \name{responsibility}\index{smtp!responsibility}. A mail message is always in the responsibility of one system. First it is the \MUA\index{mua}. When it is transferred to an \MTA, this \MTA\ takes over the responsibility for the message, too. The \MUA{} can then delete its copy of the message. This is the same for each transfer---from \MTA\ to \MTA\ and finally from \MTA\ to the \MDA{}---the message gets transferred and if the transfer was successful, the responsibility for the message is transferred as well. The responsibility chain ends at a user's mailbox where he himself has control on the message. 
@@ -330,7 +331,7 @@ %fixme: hikernet -Additionally does \masqmail\ make it easy to run an \MTA\ on workstations or notebooks. There is no need to do complex configuration or to be a mail server expert. Only a handful of options need to be set; the host name, the local networks, and one route for relaying are sufficient in most times. %fixme: is that true? +Additionally does \masqmail\ make it easy to run an \MTA\ on workstations or notebooks. There is no need to do complex configuration or to be a mail server expert. Only a handful of options need to be set; the host name, the local networks, and one route for relaying are sufficient in most times. \index{notebook} Probably users say it best; in this case \person{Derek Broughton}: diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/2-MarketAnalysis.tex --- a/thesis/tex/2-MarketAnalysis.tex Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/tex/2-MarketAnalysis.tex Sat Feb 07 19:00:25 2009 +0100 
@@ -178,10 +178,9 @@ \index{um} \index{store-and-forward} -The use of different hardware to access mail is another opportunity of the market. But as more hardware gets involved, the networks become more complex. Thus the need for more software and infrastructure to transfer mail within the growing network might be a weakness of the email system. %fixme: think about that +The use of different hardware to access mail is another opportunity of the market. But as more hardware gets involved, the networks become more complex. Thus the need for more software and infrastructure to transfer mail within the growing network might be a weakness of the email system. -An opportunity of the market and at the same time a strength of electronic mail is its standardization. Few other communication technologies are standardized, and thus freely available, in a similar way. %fixme: ref -Another opportunity and strength is the modular and extensible structure of electronic mail; it can easily evolve to new requirements. %fixme: ref +An opportunity of the market and at the same time a strength of electronic mail is its standardization. Few other communication technologies are standardized, and thus freely available, in a similar way. Another opportunity and strength is the modular and extensible structure of electronic mail; it can easily evolve to new requirements. \index{email!standardiziation} The increasing integration of communication channels is an opportunity for the market. But deciding whether it is a weakness or strength of email is difficult. Due to the impossibility to integrate synchronous stream data and large binary data, it is a weakness. But it is also a strength, because arbitrary asynchronous communication data already can be integrated. On the other hand, the integration might be a threat too, because integration often leads to complexity of software. Complex software is more error prone and thus less reliable. 
This, however, could again be a strength of electronic mail because its modular design decreases complexity. 
@@ -249,22 +248,19 @@ The retrieval of email is a field that is also about to change these days. The old way is to fetch email by polling the server that holds the personal mailbox. This polling is normally done in regular intervals, often once every five to thirty minutes. The mail transfer from the mailbox to the \MUA\ is initiated from the user side. The disadvantage herewith is the delay between the arrival of mail on the server and the time when the user finally has the message on his screen. -To remove this disadvantage, \name{push email} was invented. Here the server is not polled every few minutes about new mail, but the server pushes new mail directly to the client on arrival. The transfer is initiated by the server. This concept became popular with smart phones; they were able to do emailing but the traffic caused by polling the server was expensive. +To remove this disadvantage, \name{push email} \citeweb{pushemail.co.uk} was invented. Here the server is not polled every few minutes about new mail, but the server pushes new mail directly to the client on arrival. The transfer is initiated by the server. This concept became popular with smart phones; they were able to do emailing but the traffic caused by polling the server was expensive. The concept works well with mobile phones where the provider knows about the client, but it does not seem to be a choice for computers, since the provider needs to have some kind of login to push data to the user's computer. Push email, however, could swap over to computers when using a home server and no external provider. A possible scenario is a home server which receives mail from the Internet and pushing it to own workstations and smart phones. The configuration could be done by the user by using some simple interface, like one configures his telephone system to have different telephone numbers ringing on specified phones. 
-%FIXME: add reference to push email Another problem is when multiple clients share one mailbox. This is only solvable by working directly in the server's mailbox, which causes lots of traffic, or by storing at least information about read messages and the like there. \subsubsection*{New email concepts} -Changing requirements for email communication lead to the need for new concepts and new protocols that cover these requirements. One of these concepts to redesign the email system is named \name{Internet Mail 2000}. It was proposed by \person{Daniel~J.\ Bernstein}, the creator of \qmail. Similar approaches were independently introduced by others, too. -%FIXME: add references for IM2000 +Changing requirements for email communication lead to the need for new concepts and new protocols that cover these requirements. One of these concepts to redesign the email system is named \name{Internet Mail 2000} \citeweb{im2000}. It was proposed by \person{Daniel~J.\ Bernstein}, the creator of \qmail. Similar approaches were independently introduced by others, too. \index{Internet Mail 2000} -As main change, the sender has the responsibility for mail storage; only a notification about a mail message gets sent to the recipient. The recipient can then fetch the message then from the sender's server. This is in contrast to the \NAME{SMTP} mail architecture where mail and the responsibility for it is transferred from the sender to the receiver (see \name{store-and-forward}). -%fixme: reference to the store-and-forward concept +As main change, the sender has the responsibility for mail storage; only a notification about a mail message gets sent to the recipient. The recipient can then fetch the message then from the sender's server. This is in contrast to the \SMTP\ mail architecture where mail and the responsibility for it is transferred from the sender to the receiver. (See page~\pageref{smtp-intro} for the \name{store-and-forward} principle.) 
\index{smtp!store-and-forward} \MTA{}s are still important in this new email architecture, but in a slightly different way. They do not transfer mail itself anymore, but they transport the notifications about new mail to the destinations. This is a quite similar job as in the \NAME{SMTP} model. The real transfer of the mail, however, can be done in an arbitrary way, for example via \NAME{FTP} or \NAME{SCP}. 
@@ -289,9 +285,7 @@ Provider independence through running an own mail server at home asks for easy configuration of the \MTA. Providers have specialists to configure the systems, but ordinary people do not. Solutions are either having some home service system for computer configuration established with specialists coming to ones home to set up the systems; like it is already common for problems with the power and water supply systems. Or configuration needs to be easy and fool-proof, so it can be done by the owner himself. The latter solution depends on standardized parts that fit together seamlessly. The technology must not be a problem itself. Only settings that are custom to the users environment should be left open for him to set. This of course needs to be doable using a simple configuration interface like a web interface. Non-technical educated users should be able to configure the system. \index{easy configuration} -Complex configuration itself is not a problem if simplification wrappers provide an easy interface. The approach of wrappers to make it look easier to the outside is a good concept in general. %FIXME: add ref -It still lets the specialist do complex and detailed configuration while also a simple configuration interface to novices is offered. \sendmail\ took this approach with the \name{m4} macros. %fixme: add ref -Further more is this approach well suited to provide various wrappers with different user interfaces (e.g.\ graphical programs, websites, command line programs; all of them either in a questionnaire style or interactive). +Complex configuration itself is not a problem if simplification wrappers provide an easy interface. The approach of wrappers to make it look easier to the outside is a good concept in general. It still lets the specialist do complex and detailed configuration while also a simple configuration interface to novices is offered. \sendmail\ took this approach with the \name{m4} macros \cite{sendmail:config}. 
Further more is this approach well suited to provide various wrappers with different user interfaces (e.g.\ graphical programs, websites, command line programs; all of them either in a questionnaire style or interactive). \index{sendmail!m4 macros} \paragraph{Performance} @@ -338,7 +332,7 @@ Until Unified Communication will become reality---if ever---electronic mail has a good position, also as basis for Unified Messaging. -\paragraph{SWOT analysis} +\paragraph{\NAME{SWOT} analysis} Not only the market influences email's future safety, but also must the email technology itself evolve to satisfy upcoming needs. Actions to take were discovered by using the \NAME{SWOT} analysis. These are: Prepare against spam. Search solutions for large data transfers and increasing growth and ramification of networks. Exploit standardization, modularity, and extendability. \paragraph{Trends} @@ -350,8 +344,7 @@ \MTA{}s might become more commodity software, like web servers already are today, with the purpose to be included in many systems with only minimal configuration. -\masqmail\ is a valuable program for various situations. Some setups became rare, but others are expected to become popular in the next years. \masqmail's niche will rather grow than shrink. -%fixme: rewrite that last sentence; add a new heading ``conclusion''? think about it! +\masqmail\ is a valuable program for various situations. Some setups became rare, but others are expected to become popular in the next years. It is expected that \masqmail's niche will rather grow than shrink. diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/3-MailTransferAgents.tex --- a/thesis/tex/3-MailTransferAgents.tex Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/tex/3-MailTransferAgents.tex Sat Feb 07 19:00:25 2009 +0100 
@@ -73,7 +73,7 @@ \MTA{}s can also be split in other ways. -Due to \sendmail's significance in the early times of email, compatibility interfaces to \sendmail\ are important for Unix \MTA{}s. The reason is that many mail applications simply assume the \sendmail\ \MTA\ to be installed on the system. Being not \name{sendmail-compatible} may not matter for some fields of action, but makes the program ineligible for serving as a general purpose \MTA\ on Unix systems. Hence being sendmail-compatible is a major property of an \MTA. \MTA{}s without \name{sendmail-compatible} interfaces, or at least compatibility add-ons, will not be covered here. One example for such a program is \name{Apache James}. %FIXME: check if correct +Due to \sendmail's significance in the early times of email, compatibility interfaces to \sendmail\ are important for Unix \MTA{}s. The reason is that many mail applications simply assume the \sendmail\ \MTA\ to be installed on the system. Being not \name{sendmail-compatible} may not matter for some fields of action, but makes the program ineligible for serving as a general purpose \MTA\ on Unix systems. Hence being sendmail-compatible is a major property of an \MTA. \MTA{}s without \name{sendmail-compatible} interfaces, or at least compatibility add-ons, will not be covered here. One example for such a program is \name{Apache James}. \index{sendmail!compatibility} Another separation can be done between Free Software \MTA{}s and proprietary ones. Many of the \MTA{}s for Unix systems are Free Software. Only these are regarded throughout this thesis, because comparing Free Software with proprietary or commercial software is not what typical users of programs like \masqmail\ do. Comparison with non-free programs may be a point for large Free Software projects that try to step into the business world. Small projects, mostly used by individuals at home, need to be compared against other projects of similar shape. 
The document is seen from \masqmail's point of view---an \MTA\ for Unix systems on home servers and workstations---so non-free software is out of the way. diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/4-MasqmailsFuture.tex --- a/thesis/tex/4-MasqmailsFuture.tex Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/tex/4-MasqmailsFuture.tex Sat Feb 07 19:00:25 2009 +0100 @@ -39,9 +39,7 @@ \label{sec:functional-requirements} \index{functional requirements} -Functional requirements are about the function of the software. They define what the program can do and in what way. -%fixme: add ref -The requirements are named ``\NAME{RF}'' for ``requirement, functional''. +Functional requirements are about the function of the software. They define what the program can do and in what way. The requirements are named ``\NAME{RF}'' for ``requirement, functional''. \paragraph{\RF\,1: Incoming and outgoing channels} @@ -58,7 +56,6 @@ \index{outgoing channels} \index{uucp} -%fixme: is the def of MTA: transfer between machines, or transfer between users? Local mail delivery is a job that uses root privilege to be able to switch to any user in order to write to his mailbox. It is possible to deliver without being root privilege, but delivery to user's home folders is not generally possible then. Thus even the modular \MTA{}s \qmail\ and \postfix\ use root privilege for this job. As mail delivery to local users is \emph{not} included in the basic job of an \MTA{} and introduces a lot of new complexity, why should the \MTA\ bother? In order to keep the system simple, reduce privilege, and to have programs that do one job well, the local delivery job should be handed over to a specialist: the \NAME{MDA}. \NAME{MDA}s know about the various mailbox formats and are aware of the problems of concurrent write access and the like. Hence passing the message, and the responsibility for it, over to an \NAME{MDA} seems to be best. \index{local delivery} 
@@ -241,9 +238,7 @@ \subsection{Non-functional requirements} \index{non-functional requirement} -Now follows a list of non-functional requirements for \masqmail. These requirements specify the quality properties of a software. The list is based on \person{Hafiz} \cite[page~2]{hafiz05}, with inspiration from \person{Spinellis} \cite[page~6]{spinellis06} and \person{Kan} \cite{kan03}. -%fixme: refer to ch01 and ch02 -These non-functional requirements are named ``\NAME{RG}'' for ``requirement, general''. +Now follows a list of non-functional requirements for \masqmail. These requirements specify the quality properties of a software. The list is based on \person{Hafiz} \cite[page~2]{hafiz05}, with inspiration from \person{Spinellis} \cite[page~6]{spinellis06} and \person{Kan} \cite{kan03}. These non-functional requirements are named ``\NAME{RG}'' for ``requirement, general''. \paragraph{\RG\,1: Security} @@ -309,7 +304,6 @@ \index{usability} Usability, not mentioned by \person{Hafiz} \cite{hafiz05} (he focuses on architecture) but by \person{Spinellis} \cite{spinellis06} and \person{Kan} \cite{kan03}, is a property which is very important from the user's point of view. Software with bad usability is rarely used, no matter how good it is. If substitutes with better usability exist, the user will switch to one of them. Here, usability includes setting up and configuring; the term ``users'' includes administrators. Having \MTA{}s on home servers and workstations requires easy and standardized configuration. The common setups should be configurable with little action by the user. Complex configuration should be possible, but the focus should be on the most common form of configuration: choosing one of several common setups. -%fixme: << masqmail as portable app? 
>> @@ -317,10 +311,7 @@ \label{sec:discussion-mta-arch} \index{architecture} -%fixme: what's this section to do with requirements? - -\masqmail's current architecture is monolithic like \sendmail's and \exim's. But more than the other two is it one block of interweaved code. \exim\ has a highly structured code with many internal interfaces, a good example is the interface for authentication ``modules''. %fixme: add ref -\sendmail\ provides now, with its \name{milter} interface, standardized connection channels to external modules. \masqmail\ has none of them---it is what \sendmail\ was in the beginning: a single large block. +\masqmail's current architecture is monolithic like \sendmail's and \exim's. But more than the other two is it one block of interweaved code. \exim\ has a highly structured code with many internal interfaces, a good example is the interface for authentication ``modules''. \sendmail\ provides now, with its \name{milter} interface, standardized connection channels to external modules. \masqmail\ has none of them---it is what \sendmail\ was in the beginning: a single large block. \index{milter} \index{masqmail!architecture} @@ -364,7 +355,6 @@ Hence, aspiration for modularity, by compartmentalization, improves the overall quality and function of the software. It can be seen as an architectural requirement for a secure and modern \MTA. -%fixme: explain: why are compartments and interfaces so good? 
@@ -385,7 +375,7 @@ \index{outgoing channels} The incoming and outgoing channels that \masqmail\ already has (depicted in figure~\ref{fig:masqmail-channels} on page \pageref{fig:masqmail-channels}) are the ones required for an \MTA{}s at the moment. Currently, support for other protocols seems not to be necessary, although new protocols and mailing concepts are likely to appear (see section~\ref{sec:email-trends}). As other protocols are not required today, \masqmail\ is regarded to fulfill \RF\,1. Without any support in \masqmail\ for adding further protocols, the best strategy is to delaying such work until the functionality is essential, anyway. -%fixme: << smtp submission >> %fixme +%fixme: << smtp submission >> \paragraph{\RF\,2: Queuing} \index{mail queue} @@ -446,13 +436,11 @@ \hfill\citeweb{masqmail:homepage2} \end{quote} -In summary: Current reliability needs to be improved. -%fixme: state machine +In summary: Current reliability needs to be improved. Implementing a state machine can help here. \paragraph{\RG\,3: Robustness} \index{robustness} The logging behavior of \masqmail\ is good, although it does not cover the whole code. For example, if the queue directory is world writeable by accident (or as action of an intruder), any user can remove messages from the queue or replace them with own ones. \masqmail\ does not even write a debug message in this case. The origin of this problem, however, is \masqmail's trust in its environment. -%fixme: rule of robustness, rule of repair \paragraph{\RG\,4: Extendability} \index{extendability} @@ -471,7 +459,6 @@ Two additional scripts exist to send a set of mails to differend kinds of recipients. They can be used for automated testing, but both check only the function of the whole system, not its parts. \index{test program} -%fixme: think about clean-room testing \paragraph{\RG\,7: Performance} \index{performance} 
@@ -679,7 +666,7 @@ Adding new functionality to an existing code base seems to be a secure and cheap strategy. The existing code is known to work and features can often be added in small increments. Risks like wasted effort if a new design fails are hardly existent, and the faults in the current design are already made and most probably fixed. -Functionality that is hard to add incrementally into the application, like support for new protocols, may be addable to the outside. \masqmail\ can be secured to a huge amount by guarding it with wrappers that block attackers. Spam and malware scanners can be included by running two instances of \masqmail. All those methods base on the current code which they can indirectly improve. +Functionality that is hard to add incrementally into the application, like support for new protocols, may be addable to the outside. \masqmail\ can be secured to a huge amount by guarding it with wrappers that block attackers \cite[page~71]{graff03}. Spam and malware scanners can be included by running two instances of \masqmail. All those methods base on the current code which they can indirectly improve. \index{wrapper} \index{extendability} 
@@ -717,7 +704,7 @@ Changing requirements are one possible dead end if the software does not evolve with them. A famous example is \sendmail, which had an almost monopoly for a long time. But when security became important, \sendmail\ was only repaired instead of the problem sources---its insecure design---would have been removed. Thus security problems reappeared and over the years \sendmail's market share shrank as more secure \MTA{}s became available. \sendmail's reaction to the new requirements, in form of \name{sendmail~X} and \name{MeTA1}, came much to late---the users already switched to other \MTA{}s. \index{sendmail} -Redesigning a software as requirements change helps keeping it alive. % fixme: add quote: ``one thing surely remains: change'' (something like that) +Redesigning a software as requirements change helps keeping it alive. The knowledge of the Greek philosopher \person{Heraclitus} shall be an inspriation: ``Nothing endures but change.'' \index{redesign} Another danger is the dead end of complexity which is likely to appear by constant work on the same code base. It is even more likely if the code base has a monolithic architecture. A good example for simplicity is \qmail\ which consists of small independent modules, each with only about one thousand lines of code. Such simple code makes it obvious to understand what it does. The \name{suckless} project \citeweb{suckless.org} for example advertises such a philosophy of small and simple software by following the thoughts of the Unix inventors \cite{kernighan84} \cite{kernighan99}. Simple, small, and clear code avoids complexity and is thus also a strong prerequisite for security. 
@@ -759,7 +746,7 @@ \subsubsection*{Break Even} \index{Break Even} -It is important to keep the time dimension in mind. This includes the separation into a short-time and a long-time view. The short-time view shall cover between two and four years, here. The long-time view is the following time. % fixme: find sources! +It is important to keep the time dimension in mind. This includes the separation into a short-time and a long-time view. The short-time view shall cover between two and four years, here. The long-time view is the following time. In the short-time view, the effort for improving the existing code is much smaller than the effort for a new design plus improvements. But to have similar quality properties at the end of the short-time frame, a version that is based on current code will probably require nearly as much effort as a new designed version will take. For all further development afterwards, the new design will scale well while the old code will require exponential more work. \index{existing code} 
@@ -778,12 +765,11 @@ Quality improvement is no popular work, but it is required to avoid dead ends. As more code increases the work that needs to be done for quality and modularity improvements, it is better to do these improvements early. Afterwards, all further development will profit from it. \index{quality improvement} -Also, if some design is bad one should never hesitate to erase it and rebuild it in a sane way. -%fixme: doubled speech! +If some design is bad, it should get replaced by a sane solution. -Again \person{Doug McIlroy} gives valuable advice: ``Don't hesitate to throw away the clumsy parts and rebuild them.'' \cite{mcilroy78}. +\person{Doug McIlroy} gives valuable advice for these situations: ``Don't hesitate to throw away the clumsy parts and rebuild them.'' \cite{mcilroy78}. -However, making such a cut is hard, especially if the bad design is still \dots\ ``good enough''. +Though, making such a cut is hard, especially if the bad design is still \dots\ ``good enough''. diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/5-Improvements.tex --- a/thesis/tex/5-Improvements.tex Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/tex/5-Improvements.tex Sat Feb 07 19:00:25 2009 +0100 
@@ -75,7 +75,6 @@ \index{sasl} \begin{quote} -%None of these add-ons is an ideal solution. They require additional code compiled into your existing daemons that may then require special write accesss to system files. They also require additional work for busy system administrators. If you cannot use any of the nonauthenticating alternatives mentioned earlier, or your business requirements demand that all of your users' mail pass through your system no matter where they are on the Internet, SASL is probably the solution that offers the most reliable and scalable method to authenticate users. None of these [authentication methods] is an ideal solution. They require additional code compiled into your existing daemons that may then require special write access to system files. They also require additional work for busy system administrators. If you cannot use any of the nonauthenticating alternatives mentioned earlier, or your business requirements demand that all of your users' mail pass through your system no matter where they are on the Internet, \NAME{SASL} is probably the solution that offers the most reliable and scalable method to authenticate users. \hfill\cite[page~44]{dent04} \end{quote} @@ -106,7 +105,6 @@ For a small \MTA\ like \masqmail, it seems preferable to store the login data in a text file under \masqmail's control. This is the most simple choice for many usage scenarios. But using a central authentication facility has advantages in larger setups, too. \name{Cyrus} \NAME{SASL} supports both, so there is no problem. If \name{gsasl} is chosen, it seems best to start with an authentication file under \masqmail's control. -%fixme: << how could this be covered by architecture (e.g. smtp submission). >> @@ -204,7 +202,6 @@ \end{enumerate} \index{compartmentalization} -%fixme: << conditional compilation >> \subsubsection*{Incoming channels} 
@@ -213,8 +210,7 @@ The functional requirements for incoming channels were already discussed as \RF\,1 on page~\pageref{rf1}. Two required incoming channels were identified: the \path{sendmail} command for local mail submission and the \SMTP\ daemon for remote connections. \index{sendmail!command} -A bit different is the structure of \name{sendmail~X} at that point: Locally submitted messages go also to the \SMTP\ daemon, which is the only connection to the mail queue. %fixme: is it a smtp dialog? or a back door? -\person{Finch} proposes a similar approach \cite{finch-sendmail}: He wants the \path{sendmail} command to be a simple \SMTP\ client that contacts the \SMTP\ daemon of the \MTA, like it is done by connections from remote. The advantage here is to have one single module where all \SMTP\ dialog with submitters is done. Hence one single point to accept or refuse incoming mail. Additionally does the module which puts mail into the queue not need to be \name{setuid} or \name{setgid}, because it is only invoked from the \SMTP\ daemon. The \MTA's architecture would become simpler and common tasks are not duplicated in modules that do similar jobs. +A bit different is the structure of \name{sendmail~X} at that point: Locally submitted messages go also to the \SMTP\ daemon, which is the only connection to the mail queue. \person{Finch} proposes a similar approach \cite{finch-sendmail}: He wants the \path{sendmail} command to be a simple \SMTP\ client that contacts the \SMTP\ daemon of the \MTA, like it is done by connections from remote. The advantage here is to have one single module where all \SMTP\ dialog with submitters is done. Hence one single point to accept or refuse incoming mail. Additionally does the module which puts mail into the queue not need to be \name{setuid} or \name{setgid}, because it is only invoked from the \SMTP\ daemon. The \MTA's architecture would become simpler and common tasks are not duplicated in modules that do similar jobs. 
\index{sendmailx} \index{smtp} \index{setuid} 
@@ -282,8 +278,7 @@ \qmail\ has the principle of ``don't parse'' which propagates the avoidance of parsing as much as possible. The reason is that parsing is a highly complex task which likely makes code exploitable. \index{qmail} -In \masqmail's new design, mail should be stored into the queue without parsing. A scanning module should then parse the message with high care. It seems best to use a \name{parser generator}\footnote{\person{Stephen~C.\ Johnson}'s paper about \name{yacc} is a good introduction into \name{parser generators} \cite{johnson79}.} for this work. The parsed data should then get modified if needed and written into a second queue. This approach has several advantages. First, the receiving parts of the system are independent from content, they simply store it into the queue. Second, one single module does the parsing and generates new messages that contain only valid data. Third, the sending parts of the system will thus only work on messages that consist of valid data. Of course, it must be ensured that each message passes through the \name{scanning} module, but this is already required for spam and malware scanning. -%fixme: ref for parser generator +In \masqmail's new design, mail should be stored into the queue without parsing. A scanning module should then parse the message with high care. \person{Spinellis} proposes reliable approaches to do this work \cite[pages~17--18]{spinellis06}; using a \name{parser generator}\footnote{\person{Stephen~C.\ Johnson}'s paper about \name{yacc} is a good introduction into \name{parser generators} \cite{johnson79}.} is the best solution here. The parsed data should then get modified if needed and written into a second queue. This approach has several advantages. First, the receiving parts of the system are independent from content, they simply store it into the queue. Second, one single module does the parsing and generates new messages that contain only valid data. 
Third, the sending parts of the system will thus only work on messages that consist of valid data. Of course, it must be ensured that each message passes through the \name{scanning} module, but this is already required for spam and malware scanning. \index{parser generator} The mail body will never get modified, except for removing and adding transfer protocol specific requirements like dot stuffing or special line ending characters. These translations are only done in receiving and sending modules. @@ -310,8 +305,7 @@ \subsubsection*{Route management} \index{online routes} -The online state is only important for the sending modules of the system, thus it should be queried in the \name{queue-out} module which selects ready messages from the \name{outgoing} queue and transfers them to the appropriate sending module. Route-based aliasing, which was described in the last section, %fixme: is this still true? -should be done in the same go. +The online state is only important for the sending modules of the system, thus it should be queried in the \name{queue-out} module which selects ready messages from the \name{outgoing} queue and transfers them to the appropriate sending module. Route-based aliasing, which was described in the last section, should be done in the same go. 
@@ -431,6 +425,7 @@ \paragraph{Receiver modules} \index{incoming channels} They are the communication interface between external senders and the \name{queue-in} module. Each protocol needs a corresponding \name{receiver module} to be supported. Most popular is the \name{sendmail} module, which is a command to be called from the local host, and the \name{smtpd} module which usually listens on port 25. Other modules to support other protocols may be added as needed. Receiving modules that need to listen on ports should get invoked by \name{inetd}, or by \person{Bernstein}'s more secure \name{ucspi-tcp}. This makes it possible to run them with least privilege. +\index{least privilege} \paragraph{The \name{queue-in} module} 
@@ -534,7 +529,7 @@ Another possibility is to run a master process as daemon which starts and restarts the system parts. \postfix\ has such a master process, \qmail\ lacks it. The jobs of a master process can be done by other tools of the operating system too, thus making a master process abdicable. \masqmail\ does probably better go without a master process, because it aims to save resources, not to get the best performance. \index{master process} -A sane permission management is very important for secure software in general. The \name{principle of least privilege}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root and let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd}, or one of its substitutes, listens on the port instead of the \name{smtpd} module. \name{inetd} will then launch the \name{smtpd} module to handle the connection whenever a connection attempt to the port is made. The \name{smtpd} module needs no privilege at all this way. +A sane permission management is very important for secure software in general. The \name{principle of least privilege} \cite[section~I.A.3.f]{saltzer75}, as it is often called, should be respected. If it is possible to use lower privilege then it should be done. An example for doing so is the \name{smtpd} module. It is a server module which listens on a port. One way is to start it as root and let it bind to the port and drop all privilege before it does any other work. But root privilege is avoidable completely if \name{inetd}, or one of its substitutes, listens on the port instead of the \name{smtpd} module. \name{inetd} will then launch the \name{smtpd} module to handle the connection whenever a connection attempt to the port is made. 
The \name{smtpd} module needs no privilege at all this way. diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/abstract.tex --- a/thesis/tex/abstract.tex Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/tex/abstract.tex Sat Feb 07 19:00:25 2009 +0100 @@ -34,7 +34,6 @@ \vspace{1ex} This document was typeset in Palatino and Computer Modern font, using the LaTeX document preparation system on machines running the Debian GNU/Linux operating system. Text editing was done with Vim. The PIC language and troff were used to generate the diagrams, in exception of figure \ref{fig:masqmail-arch} which was produced with Egypt and GraphVis. Mercurial was chosen for version control. Further programs and scripts were used for minor tasks---it was all Free Software, though. -%FIXME: check programs used \vspace{1ex} The final version of this thesis, in Portable Document Format and PostScript as well as the complete source code, can be retrieved from my website: http://marmaro.de/docs\,. diff -r 0d78755132b7 -r 8ef85e22ff7d thesis/tex/official.tex --- a/thesis/tex/official.tex Sat Feb 07 14:47:27 2009 +0100 +++ b/thesis/tex/official.tex Sat Feb 07 19:00:25 2009 +0100 @@ -17,4 +17,3 @@ \vspace{36ex} Breitingen, 2009-02-09 \hfill \person{Markus Schnalke} -%FIXME: insert correct date
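Review bot: In the @@ -106 hunk of 4-MasqmailsFuture.tex the fixme asking how authentication "could be covered by architecture (e.g. smtp submission)" is deleted without the surrounding paragraph answering it: the text still says only that login data should be kept "in a text file under masqmail's control" and that gsasl should "start with an authentication file", but not which module performs the authentication (the smtpd receiver, queue-in, or a separate one) nor how that file is protected. Either add a cross-reference to the architecture section where the submission path is described, or keep the note until that is written.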
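Review bot: In the @@ -213 hunk the removed fixme ("is it a smtp dialog? or a back door?") was a real open question, and the merged sentence "Locally submitted messages go also to the SMTP daemon, which is the only connection to the mail queue" still does not say whether sendmail X feeds local submissions through the SMTP dialog or through a private channel. That distinction carries the later claim that there is "one single point to accept or refuse incoming mail", so it should be settled with a citation or qualified. Two smaller points in the same lines: "Additionally does the module which puts mail into the queue not need to be setuid" reads better as "Additionally, the module which puts mail into the queue does not need to be setuid"; and the argument that the module need not be setuid/setgid "because it is only invoked from the SMTP daemon" holds only if the queue directory is writable solely by the uid the daemon runs under, which is worth stating.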
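Review bot: In the @@ -282 hunk the wording is strengthened from "It seems best to use a parser generator" to "using a parser generator ... is the best solution here", while the newly cited Spinellis pages are introduced as proposing "reliable approaches" (plural). Unless the cited pages actually single out parser generators, keep the hedged form or add a sentence saying why a generated parser is preferred over a hand-written one for this task (for example, that the grammar is checked mechanically and the generated code is not written by hand for each header field).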
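Review bot: In the @@ -310 hunk the fixme "is this still true?" next to "Route-based aliasing, which was described in the last section" is removed without replacing the wording it questioned. "The last section" is a positional reference that silently breaks when sections are reordered; use a label and \ref{} (or \pageref{}, as the file already does for rf1) so the statement stays verifiable.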
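Review bot: In the @@ -431 and @@ -534 hunks the index entry \index{least privilege} is added only after the receiver-modules paragraph, but the paragraph that actually defines the term and now cites \cite[section~I.A.3.f]{saltzer75} gets no index entry; add \index{least privilege} there as well so the index points to the definition. In the same @@ -534 paragraph, "The smtpd module needs no privilege at all this way" overstates the inetd approach: the module still needs whatever privilege is required to hand the message to the queue-in module, so "needs no root privilege at all" is the accurate claim.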
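Review bot: In the abstract.tex hunk the line "%FIXME: check programs used" is removed, but the sentence it annotated still names "GraphVis", which should be "Graphviz", and "in exception of figure" should read "except for figure". Apply those corrections in the same commit that drops the reminder.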
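Review bot: In the official.tex hunk "%FIXME: insert correct date" is dropped while the line above keeps "Breitingen, 2009-02-09", two days after the Sat Feb 07 2009 timestamp in the file header. If that is the intended submission date this is fine, but since the reminder existed precisely to double-check it, confirm the date before removing the note.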