Page 1: Security Architecture of qmail and Postfix

Authors: Munawar Hafiz, Ralph E. Johnson
Prepared by Geoffrey Foote
CSC 593 Secure Software Engineering Seminar, Spring Semester 2006
Instructors: Dr. James Walden, Dr. Charles Frank

Page 2: Overview

- Introduction
- Architecture of qmail as a set of design decisions
- Architecture of Postfix as a parallel to qmail
- Similarities
- Differences
- Conclusions/Comments

Page 3: Introduction

- qmail was designed as sendmail's replacement
  - Addressed security issues
  - Its architecture made the system easier to understand and maintain
- Postfix used qmail's architecture as a reference
  - Design built towards performance
  - Reduced redundancy
  - Still achieved a high level of security
- Both systems hold an unblemished security record
- Both use similar security patterns
- Both are evidence that security doesn't have to come at the cost of performance

Page 4: Introduction

- Architecture of the systems (qmail and Postfix)
- Key principle: Defense in Depth
  - The system does not depend on any single idea to achieve security
- Modularity
  - Decreases the damage caused by security break-ins
  - Ensures that many kinds of errors are not possible
  - Makes inspection easier

Page 5: qmail Architecture

- sendmail runs as one process; if it is compromised, an attacker gains access to all processes
  - TO AVOID: qmail follows the Compartmentalization security pattern
  - Security Pattern – Compartmentalization: separate the system into different security domains, so that when one part of the system is compromised the others remain secure
- sendmail runs as a super-user
  - Causes privilege issues
  - TO AVOID: qmail follows the Distributed Responsibility security pattern: partition responsibility across compartments

Page 6: qmail Architecture

- The mail queue must avoid race conditions
  - TO AVOID: qmail follows the Reliability Pattern – Unique Location for Each Request: ensure every write request goes to a different location
- Mailbox management: a system crash leaves a message in an unreliable state
  - TO AVOID: qmail follows the Reliability Pattern – Checkpointed System: design the system as a finite state machine and make the state information persistent
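The two reliability patterns on this slide in one routine, written as an added example for this summary rather than taken from qmail: a unique, exclusively created temporary name removes the write race, and fsync plus an atomic rename makes the queued message a persistent checkpoint. The tmp/ and new/ layout and the queue_commit name are assumptions, not qmail's real queue structure.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Write all of buf, retrying on short writes and EINTR. Returns 0 on success. */
static int write_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Commit one message into the queue rooted at `dir`, assumed to contain tmp/ and
 * new/ subdirectories (a constructed layout, not qmail's own queue layout).
 * Unique location: the name carries pid + a per-process counter, and O_EXCL makes
 * a collision fail instead of silently reusing another writer's file.
 * Checkpoint: the data is fsync'd, then rename() moves it atomically into new/,
 * so after a crash the message is either fully queued or absent, never partial.
 * Returns 0 on success and stores the final path in `out`. */
int queue_commit(const char *dir, const char *msg, size_t len, char *out, size_t outsz) {
    static unsigned seq = 0;
    char tmp[4096];
    for (int attempt = 0; attempt < 100; attempt++) {
        unsigned id = seq++;
        snprintf(tmp, sizeof tmp, "%s/tmp/%ld.%u", dir, (long)getpid(), id);
        int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
        /* EEXIST means a stale file from an earlier run: pick another name, never reuse it */
        if (fd < 0) { if (errno == EEXIST) continue; return -1; }
        /* On any write failure remove the file so no half-written message survives */
        if (write_all(fd, msg, len) < 0 || fsync(fd) < 0) { close(fd); unlink(tmp); return -1; }
        close(fd);
        if (snprintf(out, outsz, "%s/new/%ld.%u", dir, (long)getpid(), id) >= (int)outsz ||
            rename(tmp, out) < 0) {
            unlink(tmp);
            return -1;
        }
        return 0;
    }
    return -1;
}
```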

Page 7: qmail Architecture

- Multithreading can exhaust resources
  - TO AVOID: qmail follows the Small Processes performance pattern: make processes small and single-task, and limit memory
- Inherent problems using standards – the C library
  - TO AVOID: qmail follows the Safe Data Structure security pattern: represent strings with a data structure
- In sendmail, the program could execute the body of a message
  - TO AVOID: qmail follows the Content Dependent Processing security pattern: treat the received contents as a mail message only
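What "represent strings with a data structure" buys over the C library's NUL-terminated strings, as an added illustration in the spirit of qmail's stralloc (this is a reimplementation for the summary, not qmail's code, and the cstr names are assumptions): length is explicit, appends check capacity and length arithmetic, embedded NULs are just data, and copying out to a fixed buffer fails closed rather than truncating or overflowing.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A counted string in the spirit of qmail's stralloc (an illustrative
 * reimplementation, not qmail's code): the length is explicit, the bytes are
 * never scanned for a NUL terminator, and every append checks capacity. */
typedef struct {
    char *s;     /* bytes, not necessarily NUL-terminated */
    size_t len;  /* bytes in use */
    size_t a;    /* bytes allocated */
} cstr;

/* Ensure room for `need` bytes in total, growing geometrically. 1 = ok, 0 = failed. */
static int cstr_ready(cstr *x, size_t need) {
    if (need <= x->a) return 1;
    if (need > SIZE_MAX / 2) return 0;       /* refuse absurd sizes rather than wrap */
    size_t want = x->a ? x->a : 32;
    while (want < need) want *= 2;
    char *p = realloc(x->s, want);
    if (!p) return 0;
    x->s = p;
    x->a = want;
    return 1;
}

/* Append n raw bytes (embedded NULs are plain data). */
int cstr_catb(cstr *x, const char *buf, size_t n) {
    if (n > SIZE_MAX - x->len) return 0;     /* length arithmetic cannot overflow */
    if (!cstr_ready(x, x->len + n)) return 0;
    memcpy(x->s + x->len, buf, n);
    x->len += n;
    return 1;
}

int cstr_cats(cstr *x, const char *z) { return cstr_catb(x, z, strlen(z)); }

/* Hand the bytes to a fixed-size C buffer: never writes past outsz and always
 * terminates; if the data would not fit it fails closed instead of truncating. */
int cstr_copy_out(const cstr *x, char *out, size_t outsz) {
    if (outsz == 0 || x->len >= outsz) return 0;
    memcpy(out, x->s, x->len);
    out[x->len] = '\0';
    return 1;
}

void cstr_free(cstr *x) { free(x->s); x->s = NULL; x->len = x->a = 0; }
```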

Page 8: qmail Architecture

- Trust Partitioning – not trusting the communication payload
  - TO AVOID: qmail follows the Trust Partitioning security pattern: design the components not to trust inputs from other groups, and to validate inputs

Page 9: Postfix Architecture

Similarities between qmail and Postfix:
- Partitioning and responsibility distribution among processes
- Neither has a configuration language; this was one of the main problems with sendmail
- Postfix follows the qmail pattern Unique Location for Each Write Request
  - qmail implements the mail queue as a single directory, Postfix as a single directory
- Postfix follows the Checkpointed System pattern to ensure that the system can restart gracefully from a crash

Page 10: Postfix Architecture

Differences:
- Postfix uses lookup tables
- Mail queue: qmail uses one, Postfix has five
- Separate processes for sending mail using different protocols
- Postfix uses only one user to simplify configuration management; qmail uses multiple user and group ids
  - Creates a security risk, since everything is running under one id
  - Introduces Security Pattern – chroot Jail: run processes under separate least-privilege user ids in a controlled environment

Page 11: Postfix Architecture

- Postfix uses pre-forking; qmail forks on demand
  - Security Pattern – Secure Preforking
  - Consequences of daemon process compromises are especially bad because of their long life
  - Solution: limit the lifetime of daemon processes, fork them again after a configurable, short life, and run the daemons in a contained environment
- Postfix uses a softupdate file system, while qmail uses an async file system

Page 12: Postfix Architecture

- Postfix uses the Single-Threaded Facade security pattern
  - Problem: multithreaded processes communicating with the outside environment are more vulnerable; therefore they should be made simple in architecture. How can this be achieved?
  - Solution: processes on the perimeter should be single-threaded and perform single tasks, because multithreading involves complex resource management

Page 13: Postfix Architecture

- Postfix uses the Batch Transaction performance pattern
  - Batch transactions to eliminate overhead
  - Group related tasks to avoid task switching and process creation overhead
- Reliability Pattern – DoS Safety
  - Protect against Denial of Service attacks by setting resource limits
- Security Pattern – Policy Enforcement Point
  - Channel all outside communication through one point where security mechanisms can be applied by defining security policies
- Postfix has spam filters, qmail does not
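The DoS Safety pattern above (and the "limit memory" point under Small Processes on Page 7) in concrete form: a perimeter process caps its own CPU time, address space, descriptors and file size at startup, lowering both soft and hard limits so a later compromise cannot lift them. This is an added example in the spirit of qmail's softlimit wrapper and Postfix's per-daemon limits, not code from either project; the struct and function names are assumptions.

```c
#include <sys/resource.h>

/* Resource caps a perimeter process applies to itself at startup (constructed
 * example, not qmail's or Postfix's code). A value of 0 leaves that limit alone. */
struct proc_limits {
    rlim_t cpu_seconds;    /* RLIMIT_CPU: a runaway loop is killed by SIGXCPU */
    rlim_t address_space;  /* RLIMIT_AS: bounds memory, so a bloated message cannot exhaust RAM */
    rlim_t open_files;     /* RLIMIT_NOFILE: bounds descriptors one process can hold */
    rlim_t file_size;      /* RLIMIT_FSIZE: bounds any single file written, e.g. a queue file */
};

/* Lower one limit to `value`. Only ever lowers, and lowers the hard limit too,
 * so the capped (possibly later compromised) process cannot raise it back. */
static int cap(int which, rlim_t value) {
    struct rlimit r;
    if (value == 0) return 0;
    if (getrlimit(which, &r) < 0) return -1;
    if (value < r.rlim_cur) r.rlim_cur = value;
    if (value < r.rlim_max) r.rlim_max = value;
    return setrlimit(which, &r);
}

/* Apply every cap; returns how many could not be applied (0 = all in effect). */
int apply_proc_limits(const struct proc_limits *l) {
    int failed = 0;
    failed += cap(RLIMIT_CPU, l->cpu_seconds) < 0;
    failed += cap(RLIMIT_AS, l->address_space) < 0;
    failed += cap(RLIMIT_NOFILE, l->open_files) < 0;
    failed += cap(RLIMIT_FSIZE, l->file_size) < 0;
    return failed;
}

/* Verification helper: 1 if the soft limit for `which` is at most `value`. */
int limit_at_most(int which, rlim_t value) {
    struct rlimit r;
    if (getrlimit(which, &r) < 0) return 0;
    return r.rlim_cur <= value;
}
```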

Page 14: Conclusion/Questions

- While qmail's and Postfix's designs are not the same, they both use common security patterns
- Both were designed with security as an original requirement
- Both are evidence that security does not have to come at the cost of performance

Comments/Questions???