
Security Architecture of qmail and Postfix






Presentation Transcript


1. Security Architecture of qmail and Postfix
   Authors: Munawar Hafiz, Ralph E. Johnson
   Prepared by Geoffrey Foote
   CSC 593 Secure Software Engineering Seminar, Spring Semester 2006
   Instructors: Dr. James Walden, Dr. Charles Frank

2. Overview
   • Introduction
   • Architecture of qmail as a set of design decisions
   • Architecture of Postfix as a parallel to qmail
   • Similarities
   • Differences
   • Conclusions/Comments

3. Introduction
   • qmail was designed as sendmail's replacement
   • Addressed security issues
   • Architecture made the system easier to understand and maintain
   • Postfix used qmail's architecture as a reference
   • Design built towards performance
   • Reduced redundancy
   • Still achieved a high level of security
   • Both systems hold an unblemished security record
   • Both use similar security patterns
   • Both are evidence that security doesn't have to come at the cost of performance

4. Introduction
   • Architecture of the systems (qmail and Postfix)
   • Key principle: Defense in Depth
   • The system does not depend on any single idea to achieve security
   • Modularity
   • Decreases the damage caused by security break-ins
   • Ensures that many kinds of errors are not possible
   • Makes inspection easier

5. qmail Architecture
   • sendmail runs as one process; if it is compromised, an attacker gains access to all processes
   • TO AVOID: qmail follows Compartmentalization
   • Security Pattern – Compartmentalization
   • Separate the system into different security domains
   • Therefore, when one part of the system is compromised, the others remain secure
   • sendmail runs as a super-user
   • Causes privilege issues
   • TO AVOID: qmail follows the Distributed Responsibility security pattern
   • Partition responsibility across compartments

6. qmail Architecture
   • The mail queue must avoid race conditions
   • TO AVOID: qmail follows the Reliability Pattern – Unique Location for each Request
   • Ensure every write request is to a different location
   • Mailbox management
   • A system crash leaves a message in an unreliable state
   • TO AVOID: qmail follows the Reliability Pattern – Checkpointed System
   • Design the system as a finite state machine; make the state information persistent
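The two reliability patterns on this slide fit in a few dozen lines of C. The following is an added example written for this transcript, not code from qmail, Postfix or the paper: each queue write gets a filename no other writer can obtain (pid plus a per-process counter, created with O_EXCL), and a message sits in todo/ while being written and is moved to ready/ with an atomic rename only after fsync, so after a crash the directory a file is in is its persisted state. The directory names todo/ and ready/ and the functions queue_init, queue_enqueue and queue_count are this example's own choices.

```c
/* Added example (not qmail's or Postfix's own code): a minimal queue
 * writer for two reliability patterns.
 *  - Unique Location for each Request: every write gets a filename no
 *    other writer can obtain (pid + per-process counter, created with
 *    O_EXCL), so concurrent deliveries never race on one path.
 *  - Checkpointed System: a message lives in todo/ while being written
 *    and is moved to ready/ with rename() only once it is durably on
 *    disk, so after a crash the directory a file sits in is its state.
 * Directory names and function names are assumptions of this example. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static unsigned long seq;   /* per-process counter used in filenames */

/* Create root, root/todo and root/ready. Returns 0 on success, -1 on error. */
int queue_init(const char *root) {
    const char *sub[] = { "", "/todo", "/ready" };
    char path[4096];
    for (size_t i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s%s", root, sub[i]);
        if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    }
    return 0;
}

/* Write msg to a fresh file in root/todo and commit it to root/ready.
 * On success copies the final path into out and returns 0. */
int queue_enqueue(const char *root, const char *msg, char *out, size_t outsz) {
    char tmp[4096], fin[4096];
    int fd;

    /* Unique Location: O_EXCL makes the kernel refuse an existing name,
     * so a collision is detected and retried, never silently overwritten. */
    for (;;) {
        snprintf(tmp, sizeof tmp, "%s/todo/%ld.%lu", root, (long)getpid(), ++seq);
        fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0) break;
        if (errno != EEXIST) return -1;
    }

    /* Write everything, coping with short writes and EINTR. */
    size_t left = strlen(msg), done = 0;
    while (left > 0) {
        ssize_t n = write(fd, msg + done, left);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); unlink(tmp); return -1; }
        done += (size_t)n;
        left -= (size_t)n;
    }

    /* Checkpoint: the body must be durable before the state changes, or a
     * crash could leave a "ready" entry whose content never reached the
     * disk (a full implementation would also fsync the directories). */
    if (fsync(fd) != 0) { close(fd); unlink(tmp); return -1; }
    close(fd);

    /* rename() is atomic: the file is in todo/ or in ready/, never both
     * and never half-moved. */
    snprintf(fin, sizeof fin, "%s/ready/%ld.%lu", root, (long)getpid(), seq);
    if (rename(tmp, fin) != 0) { unlink(tmp); return -1; }
    snprintf(out, outsz, "%s", fin);
    return 0;
}

/* Recovery view: count entries in root/<state>. After a crash, todo/
 * holds uncommitted writes (safe to discard or redo) and ready/ holds
 * complete messages. Returns the count, or -1 if the directory is missing. */
int queue_count(const char *root, const char *state) {
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", root, state);
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) n++;
    closedir(d);
    return n;
}

int main(void) {
    char root[] = "/tmp/qdemo.XXXXXX", where[4096];
    if (!mkdtemp(root) || queue_init(root) != 0) return 1;
    if (queue_enqueue(root, "From: a@example.com\n\nhello\n", where, sizeof where) != 0) return 1;
    printf("committed %s (ready=%d todo=%d)\n", where,
           queue_count(root, "ready"), queue_count(root, "todo"));
    return 0;
}
```

The state machine here has only two states, "being written" and "committed", and each state is a directory; recovery code never has to parse a partially written file to learn what happened to it.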

7. qmail Architecture
   • Multithreading can exhaust resources
   • TO AVOID: qmail follows the Small Processes performance pattern
   • Make processes small and single-task, and limit memory
   • Inherent problems using standards – C library
   • TO AVOID: qmail follows the Safe Data Structure security pattern
   • Represent strings with a data structure
   • In sendmail, the program could execute the body of a message
   • TO AVOID: qmail follows the Content Dependent Processing security pattern
   • Treat the received contents as a mail message only
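The Safe Data Structure bullet refers to qmail replacing the C library's NUL-terminated strings with a string type that carries its own length. The following added example is my own code, not qmail's stralloc: a buffer that records length and capacity, so every append checks space and grows instead of relying on the caller to size a char array, and it is binary-safe because it never looks for a terminator. The type sbuf and its functions are assumptions of the example; the contrast is the fixed-buffer idiom it replaces, where a 64-byte header array and a hostile 300-byte "From:" value let strcpy() write past the end of the array.

```c
/* Added example (my own, not qmail's stralloc): a length-tracked string
 * buffer in the spirit of the Safe Data Structure pattern. Every write
 * goes through sbuf_cat*, which checks capacity and grows the buffer, so
 * the caller never has to get a size right the way strcpy/strcat demand. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *s;     /* bytes, not necessarily NUL-terminated */
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
} sbuf;

void sbuf_init(sbuf *b) { b->s = NULL; b->len = b->cap = 0; }
void sbuf_free(sbuf *b) { free(b->s); sbuf_init(b); }

/* Ensure room for `need` more bytes. Returns 0, or -1 on overflow/OOM. */
static int sbuf_reserve(sbuf *b, size_t need) {
    if (need > (size_t)-1 - b->len) return -1;      /* size_t overflow */
    size_t want = b->len + need;
    if (want <= b->cap) return 0;
    size_t ncap = b->cap ? b->cap : 16;
    while (ncap < want) {
        if (ncap > (size_t)-1 / 2) { ncap = want; break; }
        ncap *= 2;
    }
    char *p = realloc(b->s, ncap);
    if (!p) return -1;
    b->s = p;
    b->cap = ncap;
    return 0;
}

/* Append n raw bytes (binary-safe: embedded NULs are just bytes). */
int sbuf_catb(sbuf *b, const char *p, size_t n) {
    if (sbuf_reserve(b, n) != 0) return -1;
    memcpy(b->s + b->len, p, n);
    b->len += n;
    return 0;
}

/* Append a C string. */
int sbuf_cats(sbuf *b, const char *p) { return sbuf_catb(b, p, strlen(p)); }

/* Hand out a NUL-terminated view for C APIs; the terminator is stored
 * past len and not counted. Returns NULL on allocation failure. */
const char *sbuf_cstr(sbuf *b) {
    if (sbuf_reserve(b, 1) != 0) return NULL;
    b->s[b->len] = '\0';
    return b->s;
}

/* Build "From: <value>\r\n" for a value of any length, the case where a
 * fixed char line[64] plus strcpy() would overflow. Returns the header
 * length, or 0 on allocation failure (b is then released). */
size_t build_from_header(sbuf *b, const char *value) {
    sbuf_init(b);
    if (sbuf_cats(b, "From: ") != 0 || sbuf_cats(b, value) != 0 ||
        sbuf_cats(b, "\r\n") != 0) {
        sbuf_free(b);
        return 0;
    }
    return b->len;
}
```

The point is not the growth policy but the invariant: no function in the program writes into `s` without going through `sbuf_reserve`, so the size check cannot be forgotten at any individual call site.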

8. qmail Architecture
   • Trust Partitioning – not trusting the communication payload
   • TO AVOID: qmail follows the Trust Partitioning security pattern
   • Design the components to not trust inputs from other groups and to validate inputs

9. Postfix Architecture
   • Similarities between qmail and Postfix
   • Partitioning and responsibility distribution among processes
   • Neither has a configuration language; this was one of the main problems with sendmail
   • Postfix follows the qmail pattern Unique Location for Each Write Request
   • qmail implements the mail queue as a single directory
   • Postfix as a single directory
   • Postfix follows the Checkpointed System pattern to ensure that the system can restart gracefully from a crash

10. Postfix Architecture
   • Differences
   • Postfix uses lookup tables
   • Mail queue: qmail uses one, Postfix has five
   • Separate processes for sending mail using different protocols
   • Postfix uses only one user to simplify configuration management; qmail uses multiple user and group ids
   • Creates a security risk, since everything is running under one id
   • Introduces Security Pattern – chroot Jail
   • Run processes under separate least-privilege user ids in a controlled environment

11. Postfix Architecture
   • Postfix uses pre-forking, qmail forks on demand
   • Security Pattern – Secure Preforking
   • Consequences of daemon process compromises are especially bad because of their long life
   • Solution – limit the lifetime of daemon processes, fork them again after a configurable, short life, and run the daemons in a contained environment
   • Postfix uses a softupdate file system, while qmail uses an async file system
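The Secure Preforking solution on this slide, bounded daemon lifetime plus re-forking, can be shown as a small process pool. The following is an added example and not Postfix's own master/daemon code: a parent keeps a pool of worker children, each child serves at most a configurable number of requests (or seconds) and then exits, and the parent replaces it, so no worker lives long enough for a compromise or a slow resource leak to accumulate. Requests are simulated by a counter and reported back through the exit status; the names worker_should_retire, run_pool and the limits used are assumptions of the example.

```c
/* Added example (not Postfix's own code): the Secure Preforking pattern in
 * miniature. The parent keeps a small pool of worker children; each child
 * serves at most max_per_child requests or max_life_s seconds, then exits
 * and is replaced, so no daemon process lives long enough for a compromise
 * or a slow leak to accumulate. "Requests" are simulated by a counter and
 * the child reports its count through its exit status (8 bits, hence the
 * 255 cap). Names and limits are assumptions of this example. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define MAX_POOL 16

/* Retirement rule, kept pure so it can be checked without forking. */
int worker_should_retire(unsigned served, unsigned max_served,
                         time_t started, time_t now, unsigned max_life_s) {
    return served >= max_served || now - started >= (time_t)max_life_s;
}

/* Body of one worker: serve up to quota requests, then exit with the count. */
static void worker(unsigned quota, unsigned max_life_s) {
    /* A real daemon would contain itself here before reading any client
     * data: chroot(2) into an empty directory and setgid/setuid to an
     * unprivileged id (the chroot Jail pattern from slide 10). Omitted
     * because it needs root. */
    time_t started = time(NULL);
    unsigned served = 0;
    while (!worker_should_retire(served, quota, started, time(NULL), max_life_s)) {
        /* accept(), read the session, deliver ... */
        served++;
    }
    _exit((int)served);
}

/* Serve `total` requests with at most pool_size concurrent workers, each
 * retiring after max_per_child requests. Returns the number of worker
 * processes started, or -1 on a fork/wait error or bad arguments. */
int run_pool(unsigned total, unsigned pool_size, unsigned max_per_child,
             unsigned max_life_s) {
    struct { pid_t pid; unsigned quota; } slot[MAX_POOL];
    unsigned assigned = 0, served = 0, spawned = 0;

    if (pool_size == 0 || pool_size > MAX_POOL || max_per_child == 0 || max_per_child > 255)
        return -1;
    for (unsigned i = 0; i < pool_size; i++) slot[i].pid = 0;

    while (served < total) {
        /* Refill empty slots while work remains. */
        for (unsigned i = 0; i < pool_size && assigned < total; i++) {
            if (slot[i].pid != 0) continue;
            unsigned quota = total - assigned;
            if (quota > max_per_child) quota = max_per_child;
            pid_t pid = fork();
            if (pid < 0) return -1;
            if (pid == 0) worker(quota, max_life_s);   /* never returns */
            slot[i].pid = pid;
            slot[i].quota = quota;
            assigned += quota;
            spawned++;
        }
        /* Reap one retired worker; hand back any work it did not finish. */
        int status;
        pid_t pid = wait(&status);
        if (pid < 0) return -1;
        for (unsigned i = 0; i < pool_size; i++) {
            if (slot[i].pid != pid) continue;
            unsigned did = WIFEXITED(status) ? (unsigned)WEXITSTATUS(status) : 0;
            if (did > slot[i].quota) did = slot[i].quota;
            served += did;
            assigned -= slot[i].quota - did;
            slot[i].pid = 0;
        }
    }
    return (int)spawned;
}

int main(void) {
    int n = run_pool(10, 2, 3, 60);
    printf("10 requests served by %d short-lived workers\n", n);
    return n < 0;
}
```

With ten requests and a cap of three per worker the parent starts four workers in total; the cap and the lifetime are the knobs the slide calls "a configurable, short life".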

12. Postfix Architecture
   • Postfix uses a Single-Threaded Facade security pattern
   • Problem: multithreaded processes communicating with the outside environment are more vulnerable. Therefore they should be made simple in architecture; how can this be achieved?
   • Solution: processes on the perimeter should be single-threaded and perform single tasks, because multithreading involves complex resource management

13. Postfix Architecture
   • Postfix uses a Batch Transaction performance pattern
   • Batch transactions to eliminate overhead
   • Group related tasks to avoid task switching and process creation overhead
   • Reliability Pattern – DoS Safety
   • Protecting against denial of service attacks by setting resource limits
   • Security Pattern – Policy Enforcement Point
   • Channel all outside communication through one point where security mechanisms can be applied by defining security policies
   • Postfix has spam filters, qmail does not
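The DoS Safety bullet, resource limits as a defence, is easiest to see at the kernel level. The following added example is not Postfix's own code: a worker lowers its own descriptor and CPU-time limits with setrlimit before it reads any client data, so a session that tries to open files without end or spin the CPU hits a ceiling the kernel enforces rather than starving the host. The limits are applied inside a forked child so the calling process is unaffected; the numbers and the names lower_limit, apply_worker_limits and opens_allowed_under_limit are this example's own.

```c
/* Added example (not Postfix's own code) for the DoS Safety pattern: a
 * worker lowers its own kernel resource limits before it touches client
 * data, so a hostile session that tries to open files without end or to
 * spin the CPU hits a ceiling enforced by the kernel rather than starving
 * the host. The limits are applied in a forked child so the caller is
 * unaffected; the numbers and function names are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower one limit to at most v. It never raises anything, so it cannot
 * fail for lack of privilege. Returns 0 on success. */
static int lower_limit(int resource, rlim_t v) {
    struct rlimit r;
    if (getrlimit(resource, &r) != 0) return -1;
    if (v < r.rlim_cur) r.rlim_cur = v;
    if (v < r.rlim_max) r.rlim_max = v;
    return setrlimit(resource, &r);
}

/* Per-worker ceilings: open descriptors and CPU seconds (exceeding the
 * CPU limit delivers SIGXCPU, which ends a runaway loop). */
int apply_worker_limits(rlim_t max_fds, rlim_t max_cpu_seconds) {
    if (lower_limit(RLIMIT_NOFILE, max_fds) != 0) return -1;
    if (lower_limit(RLIMIT_CPU, max_cpu_seconds) != 0) return -1;
    return 0;
}

/* Simulate a session that keeps opening files, inside a child that has
 * applied the limits. Returns how many of `attempts` opens succeeded
 * (capped at 254 for the 8-bit exit status), or -1 on error. */
int opens_allowed_under_limit(rlim_t max_fds, int attempts) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (apply_worker_limits(max_fds, 5) != 0) _exit(255);
        int ok = 0;
        for (int i = 0; i < attempts; i++) {
            if (open("/dev/null", O_RDONLY) < 0) break;   /* EMFILE: the ceiling held */
            ok++;
        }
        _exit(ok > 254 ? 254 : ok);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void) {
    printf("with 8 fds allowed, %d of 20 opens succeeded\n",
           opens_allowed_under_limit(8, 20));
    printf("with 256 fds allowed, %d of 20 opens succeeded\n",
           opens_allowed_under_limit(256, 20));
    return 0;
}
```

With the descriptor ceiling at 8 and stdin, stdout and stderr already open, at most five further opens can succeed no matter how many the session attempts; with a generous ceiling all twenty succeed. Only lowering limits keeps the call unprivileged, which is what lets an already de-privileged worker apply it to itself.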

14. Conclusion/Questions
   • While qmail's and Postfix's designs are not the same, they both use common security patterns
   • Both were designed with security as an original requirement
   • Both are evidence that security does not have to come at the cost of performance
   • Comments/Questions???
