Security Architecture of qmail and Postfix
Authors: Munawar Hafiz, Ralph E. Johnson
Prepared by Geoffrey Foote
CSC 593 Secure Software Engineering Seminar, Spring Semester 2006
Instructors: Dr. James Walden, Dr. Charles Frank
Overview
• Introduction
• Architecture of qmail as a set of Design Decisions
• Architecture of Postfix as a parallel to qmail
• Similarities
• Differences
• Conclusions/Comments
Introduction
• qmail was designed as sendmail’s replacement
  • Addressed security issues
  • Architecture made the system easier to understand and maintain
• Postfix used qmail’s architecture as a reference
  • Design built towards performance
  • Reduced redundancy
  • Still achieved a high level of security
• Both systems hold an unblemished security record
• Both use similar security patterns
• Both are evidence that security doesn’t have to come at the cost of performance
Introduction
• Architecture of Systems (qmail and Postfix)
• Key Principle: Defense in Depth
  • The system does not depend on any single idea to achieve security
• Modularity
  • Decreases the damage caused by security break-ins
  • Ensures that many kinds of errors are not possible
  • Makes inspection easier
qmail Architecture
• sendmail runs as one process; if it is compromised, an attacker gains access to all processes
  • TO AVOID: qmail follows Compartmentalization
• Security Pattern – Compartmentalization
  • Separate the system into different security domains
  • Therefore, when one part of the system is compromised, the others remain secure
• sendmail runs as a super-user
  • Causes privilege issues
  • TO AVOID: qmail follows the Distributed Responsibility Security Pattern
    • Partition responsibility across compartments
qmail Architecture
• Mail queue must avoid Race Conditions
  • TO AVOID: qmail follows the Reliability Pattern – Unique Location for Each Request
    • Ensure every write request is to a different location
• Mailbox Management
  • A system crash leaves a message in an unreliable state
  • TO AVOID: qmail follows the Reliability Pattern – Checkpointed System
    • Design the system as a finite state machine. Make the state information persistent
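An added example (not code from qmail or from the paper) showing the two reliability patterns on this slide in a toy spool: each message is written to a file that only the writing process can have created and is then named by its inode number, so no two write requests share a location, and delivery state is checkpointed by a full write followed by rename(), so a crash never leaves a torn state file. The spool layout, file names and the /tmp location are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fresh toy spool directory under /tmp (constructed for the example); NULL on failure. */
char *queue_create(void)
{
    char *base = strdup("/tmp/spoolXXXXXX");
    return (base && mkdtemp(base)) ? base : NULL;
}

/* Unique location: the message goes into a file only this process can have created
   (O_EXCL refuses an existing name), then gets its name from its inode number, which
   the kernel keeps unique on the filesystem, so concurrent injections never target
   the same path. Returns the inode-based id, or 0 on failure. */
unsigned long queue_inject(const char *spool, const char *msg)
{
    char tmp[4096], final[4096];
    struct stat st;
    snprintf(tmp, sizeof tmp, "%s/pid.%ld", spool, (long)getpid());
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    size_t n = strlen(msg);
    int ok = write(fd, msg, n) == (ssize_t)n && fsync(fd) == 0 && fstat(fd, &st) == 0;
    close(fd);
    if (ok) {
        snprintf(final, sizeof final, "%s/mess.%lu", spool, (unsigned long)st.st_ino);
        ok = link(tmp, final) == 0;   /* link(), not rename(): fails loudly if the name exists */
    }
    unlink(tmp);
    return ok ? (unsigned long)st.st_ino : 0;
}

/* Checkpoint: the delivery state is written in full to a temp name and rename()d into
   place. rename() is atomic, so a crash at any instant leaves either the previous
   state or the new one on disk, never a half-written file; a restarted scheduler
   reads info.<id> and resumes from there. Returns 1 on success. */
int queue_checkpoint(const char *spool, unsigned long id, const char *state)
{
    char tmp[4096], final[4096];
    snprintf(tmp, sizeof tmp, "%s/info.%lu.tmp", spool, id);
    snprintf(final, sizeof final, "%s/info.%lu", spool, id);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    size_t n = strlen(state);
    int ok = write(fd, state, n) == (ssize_t)n && fsync(fd) == 0;
    close(fd);
    return ok && rename(tmp, final) == 0;
}
```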
qmail Architecture
• Multithreading can exhaust resources
  • TO AVOID: qmail follows the Small Processes Performance Pattern
    • Make processes small and single-task; limit memory
• Inherent problems using standards – the C library
  • TO AVOID: qmail follows the Safe Data Structure Security Pattern
    • Represent strings with a data structure
• In sendmail, the program could execute the body of a message
  • TO AVOID: qmail follows the Content Dependent Processing Security Pattern
    • Treat the received contents as a mail message only
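The Safe Data Structure pattern above, as an added example written in the spirit of qmail's stralloc (this is not qmail's own code): the string carries its own length and capacity, so appending can never overrun the buffer and every failure is a return value rather than memory corruption. A stralloc is assumed to start zero-initialised; the header-building function at the end is a constructed illustration.

```c
#include <stdlib.h>
#include <string.h>

/* A length-tracked string in the spirit of qmail's stralloc (added example, not
   qmail's code). The buffer knows its own length and capacity, so appends grow it
   instead of overrunning it, and failure is reported by return value. */
typedef struct {
    char *s;      /* bytes; a stralloc is not NUL-terminated unless you append one */
    size_t len;   /* bytes in use */
    size_t a;     /* bytes allocated */
} stralloc;

/* Make room for at least n bytes. 1 on success, 0 on allocation failure or overflow. */
int stralloc_ready(stralloc *sa, size_t n)
{
    if (sa->a >= n) return 1;
    size_t want = n + (n >> 3) + 30;      /* grow geometrically, as qmail's does */
    if (want < n) return 0;               /* size_t overflow */
    char *p = realloc(sa->s, want);
    if (!p) return 0;
    sa->s = p;
    sa->a = want;
    return 1;
}

/* Append n bytes. 1 on success; 0 on failure, leaving sa unchanged. */
int stralloc_catb(stralloc *sa, const char *buf, size_t n)
{
    if (sa->len + n < sa->len) return 0;  /* length overflow: refuse, do not wrap */
    if (!stralloc_ready(sa, sa->len + n)) return 0;
    memcpy(sa->s + sa->len, buf, n);
    sa->len += n;
    return 1;
}

int stralloc_cats(stralloc *sa, const char *str)  { return stralloc_catb(sa, str, strlen(str)); }
int stralloc_copys(stralloc *sa, const char *str) { sa->len = 0; return stralloc_cats(sa, str); }

/* Build a header line from an address of any length. The same code path handles a
   10-byte address and a 10-kilobyte one; with a fixed char[] the caller would have
   to enforce a bound at every call site, which is the mistake the pattern removes. */
int return_path_line(stralloc *out, const char *addr)
{
    return stralloc_copys(out, "Return-Path: <")
        && stralloc_cats(out, addr)
        && stralloc_cats(out, ">\n");
}
```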
qmail Architecture
• Trust Partitioning – not trusting the communication payload
  • TO AVOID: qmail follows the Trust Partitioning Security Pattern
    • Design the components to not trust inputs from other groups and to validate inputs
Postfix Architecture
• Similarities between qmail and Postfix
  • Partitioning and responsibility distribution among processes
  • Neither has a configuration language; this was one of the main problems with sendmail
  • Postfix follows the qmail pattern Unique Location for Each Write Request
    • qmail implements the mail queue as a single dir
    • Postfix as a single dir
  • Postfix follows the Checkpointed System pattern to ensure that the system can restart gracefully from a crash
Postfix Architecture
• Differences
  • Postfix uses lookup tables
  • Mail Queue
    • qmail uses one, Postfix has five
  • Separate processes for sending mail using different protocols
  • Postfix uses only one user to simplify configuration management. qmail uses multiple user and group ids
    • Creates a security risk, since everything is running under one id
    • Introduces Security Pattern – chroot Jail
      • Run processes under separate least-privilege user ids in a controlled environment
Postfix Architecture
• Postfix uses pre-forking, qmail forks on demand
• Security Pattern – Secure Preforking
  • Consequences of daemon process compromises are especially bad because of their long life
  • Solution – limit the lifetime of daemon processes, fork them again after a configurable, short life, and run the daemons in a contained environment
• Postfix uses a softupdate file system, while qmail uses an async file system.
Postfix Architecture
• Postfix uses a Single-Threaded Facade Security Pattern
  • Problem: multithreaded processes communicating with the outside environment are more vulnerable. Therefore they should be made simple in architecture; how can this be achieved?
  • Solution: Processes on the perimeter should be single threaded and perform single tasks, because multithreading involves complex resource management.
Postfix Architecture
• Postfix uses a Batch Transaction Performance Pattern
  • Batch transactions to eliminate overhead
  • Group related tasks to avoid task switching and process creation overhead
• Reliability Pattern – DoS Safety
  • Protect against Denial of Service attacks by setting resource limits
• Security Pattern – Policy Enforcement Point
  • Channel all outside communication through one point where security mechanisms can be applied by defining security policies
• Postfix has spam filters, qmail does not
Conclusion/Questions
• While qmail’s and Postfix’s designs are not the same, they both use common security patterns
• Both were designed with security as an original requirement
• Both are evidence that security does not have to come at the cost of performance
• Comments/Questions???