E-mail - Servers
Volin Karagiozov
- V.Karagiozov@mgu.bg
University of Mining and
Geology "St. Ivan Rilsky", Bulgaria
Terminology
(RFC 1711 - Classifications in E-mail Routing)
- Message Transfer Agent (MTA)
is used to describe a routing entity, which can be an X.400 MTA, a UNIX
mailer, or any other piece of software performing mail routing functions.
An MTA processes the so called envelope information of a message.
- User Agent (UA)
is used to describe a piece of software performing user-related mail functions.
It processes the content that the envelope carries, i.e., the header fields and
body parts, rather than the envelope itself.
- e-mail route -
a path between two leaves in a directed Message Transfer
System (MTS) graph that a message travels for one originator/recipient
pair.
(IMC - Internet Mail Consortium)
Internet mail standards and protocols fall into some broad categories.
Of course, some standards straddle more than one category, but they can
all fit into at least one of the following:
- Host-to-host mail transfer (SMTP) - RFC 821, Jonathan B. Postel (August 1982)
- Client-to-host communication (POP - RFC 1939, IMAP - RFC 2060)
- Basic message format and encoding (RFC 822)
- Multipurpose Internet Mail Extensions - MIME (RFC 2045, RFC 2046, RFC 2047, RFC 2048, RFC 2049)
- Message encryption and authentication:
  - Security Multiparts for MIME (RFC 1847)
  - PGP Message Exchange Formats (RFC 1991)
  - Privacy-Enhanced Mail (PEM) (RFC 1421 - RFC 1424)
  - MD5 Message-Digest Algorithm (RFC 1321), etc.
- Gateways to non-Internet mail (mostly X.400, UUCP, gateways to commercial mail systems)
- Directory access (LDAP, X.500, Whois++)
- Calendaring and Scheduling (none yet)
- Miscellaneous:
  - Administering large mailing lists - RFC 1211
  - Electronic mail vocabulary - RFC 1711
  - Etiquette on the Internet - RFC 1855
  - Architectural Principles of the Internet - RFC 1958
  - PNG (Portable Network Graphics) Specification Version 1.0 - RFC 2083
  - etc.
Sendmail
qmail
History
Beta testing for qmail began
in January 1996. Gamma
testing began in August 1996. The final
gamma release, 0.96, has been running at hundreds of sites since January
1997. There are no code changes between 0.96 and 1.00.
- 1996/11/29: There are approximately
793 SMTP servers running test versions of qmail. This estimate is based
on a survey of 500000 randomly selected hosts.
- 1997/01/12: There are approximately
1279 SMTP servers running test versions of qmail. This estimate is based
on a survey of 100000 randomly selected hosts.
- 1997/02/18: There are approximately
1534 SMTP servers running test versions of qmail. This estimate is based
on a survey of 100000 randomly selected hosts.
- 1997/03/28: There are approximately 1791 SMTP servers
running qmail. This estimate is based on a survey of 100000 randomly selected
hosts.
Background
qmail (original site
is http://www.qmail.org) is a
secure, reliable, efficient, simple
message transfer agent.
It is meant as a replacement for the entire sendmail-binmail system on
typical Internet-connected UNIX hosts.
- Secure:
Security isn't just a goal, but an absolute requirement.
Mail delivery is critical for users; it cannot be turned off, so it must
be completely secure. (This is why I started writing qmail: I was sick
of the security holes in sendmail and other MTAs. - D.J.Bernstein)
- Reliable:
qmail's straight-paper-path philosophy guarantees that
a message, once accepted into the system, will never be lost. qmail also
supports maildir, a new, super-reliable user mailbox format. Maildirs,
unlike mbox files and mh folders, won't be corrupted if the system crashes
during delivery. Even better, not only can a user safely read his mail
over NFS, but any number of NFS clients can deliver mail to him at the
same time.
- Efficient:
On a Pentium under BSD/OS, qmail can easily sustain 200000
local messages per day---that's separate messages injected and delivered
to mailboxes in a real test! Although remote deliveries are inherently
limited by the slowness of DNS and SMTP, qmail overlaps 20 simultaneous
deliveries by default, so it zooms quickly through mailing lists. (This
is why I finished qmail: I had to get a big mailing list set up.)
- Simple:
- Replacement for sendmail:
qmail supports:
- host and user masquerading,
- full host hiding,
- virtual domains,
- null clients,
- list-owner rewriting,
- relay control,
- double-bounce recording,
- arbitrary RFC 822 address lists,
- cross-host mailing list loop detection,
- per-recipient checkpointing,
- downed host backoffs,
- independent message retry schedules, etc.
Features:
Setup:
- automatic adaptation to your UNIX variant---no configuration
needed
- AIX, BSD/OS, FreeBSD, HP/UX, Irix, Linux, OSF/1, SunOS,
Solaris, and more
- automatic per-host configuration (qmail-config)
- quick installation---no big list of decisions to make
Security:
- clear separation between addresses, files, and programs
- minimization of setuid code (qmail-queue)
- minimization of root code (qmail-start, qmail-lspawn)
- five-way trust partitioning---security in depth
- optional logging of one-way hashes, entire contents,
etc. (QUEUE_EXTRA)
Message construction (qmail-inject):
- RFC 822, RFC 1123
- full support for address groups
- automatic conversion of old-style headers to RFC 822
format
- header line length limited only by memory
- host masquerading (control/defaulthost)
- user masquerading (MAILUSER, MAILHOST)
- sendmail hook for compatibility with current user agents
SMTP service (qmail-smtpd):
- RFC 821, RFC 1123, RFC 1651, RFC 1652, RFC 1854
- 8-bit clean
- 931/1413/ident/TAP callback (tcp-env)
- relay control---stop unauthorized relaying by outsiders
(control/rcpthosts)
- no interference between relay control and forwarding
- tcpd hook---reject SMTP connections from known abusers
- automatic recognition of local IP addresses
- per-buffer timeouts
- hop counting
Queue management (qmail-send):
- instant handling of messages added to queue
- parallelism limit (control/concurrencyremote, control/concurrencylocal)
- split queue directory---no slowdown when queue gets big
- quadratic retry schedule---old messages tried less often
- independent message retry schedules
- automatic safe queueing---no loss of mail if system crashes
- automatic per-recipient checkpointing
- automatic queue cleanups (qmail-clean)
- queue viewing (qmail-qread)
- detailed delivery statistics (qmailanalog, available
separately)
Bounces (qmail-send):
- QSBMF (qmail-send Bounce Message Format)
bounce messages---both machine-readable and human-readable
- HCMSSC (Hash Convention For Mail System Status
Codes) support --- language-independent RFC 1893 error
codes
- double bounces sent to postmaster
Routing by domain (qmail-send):
- any number of names for local host (control/locals)
- any number of virtual domains (control/virtualdomains)
- domain wildcards (control/virtualdomains)
- configurable percent hack support (control/percenthack)
- UUCP hook
SMTP delivery (qmail-remote):
- RFC 821, RFC 974, RFC 1123
- 8-bit clean
- automatic downed host backoffs
- artificial routing---smarthost, localnet, mailertable
(control/smtproutes)
- per-buffer timeouts
- passive SMTP queue---perfect for SLIP/PPP (serialmail,
available separately)
Forwarding and mailing lists (qmail-local):
- address wildcards (.qmail-default, .qmail-foo-default,
etc.)
- sendmail/smail /etc/aliases compatibility (qmsmac, available
separately)
- mailing list owners---automatically divert bounces and
vacation messages
- VERPs (Variable Envelope Return Paths)---automatic
recipient identification for mailing list bounces
- Delivered-To---automatic loop prevention, even across
hosts
- automatic subscription management (qlist)
Local delivery (qmail-local):
- user-controlled address hierarchy---fred controls fred-anything
- mbox delivery
- reliable NFS delivery (maildir)
- user-controlled program delivery: procmail etc. (qmail-command)
- optional new-mail notification (qbiff)
- optional NRUDT return receipts (qreceipt) (Notice-Requested-Upon-Delivery-To)
Return-Receipt-To (RRT) in sendmail lists the sender's address,
while NRUDT lists the recipient's address
- conditional filtering (condredirect)
POP3 service (qmail-popup, qmail-pop3d):
- RFC 1939
- UIDL support
- TOP support
- APOP hook
- modular password checking (checkpassword, available separately)
Qmail data flow
   qmail-smtpd ---+
                  +--- qmail-queue --- qmail-send ---+--- qmail-rspawn --- qmail-remote
   qmail-inject --+                        |         |
                                      qmail-clean    +--- qmail-lspawn --- qmail-local
Every message is added to a central queue directory by
qmail-queue. qmail-queue is invoked as needed, usually by qmail-inject
for locally generated messages, qmail-smtpd for messages received
through SMTP, qmail-local for forwarded messages, or qmail-send
for bounce messages.
Every message is then delivered by qmail-send,
in cooperation with qmail-lspawn and qmail-rspawn, and cleaned
up by qmail-clean. These four programs are long-running daemons.
Aliases
- qmail lets each user control all
addresses of the form user-anything. Addresses that don't start with a
username are controlled by a special user, alias. Delivery instructions
for foo go into ~alias/.qmail-foo; delivery instructions for user-foo go
into ~user/.qmail-foo.
- qmail doesn't have any built-in
support for /etc/aliases. If you have a big /etc/aliases and you'd like
to keep it, install the qmsmac package, available separately.
- Postmaster.
You're not an Internet citizen if this address doesn't work. Simply touch
(and chmod 644) ~alias/.qmail-postmaster; any mail for Postmaster will
be delivered to ~alias/Mailbox.
- MAILER-DAEMON.
Not required, but users sometimes respond to bounce messages. Touch (and
chmod 644) ~alias/.qmail-mailer-daemon.
- root.
Under qmail, root never receives mail. Set up an alias for root in ~alias/.qmail-root.
- Other non-user
accounts. Under qmail, non-user accounts don't
get mail; "user" means a non-root account that owns ~account. Set
up aliases for any non-user accounts that normally receive mail.
- Default.
If you want, you can touch ~alias/.qmail-default to catch everything else.
Beware: this will also catch typos and other addresses that should probably
be bounced instead. It won't catch addresses that start with a user name---the
user can set up his own ~/.qmail-default.
Mailing lists
- qmail lets each user handle his own mailing lists. The
delivery instructions for user-whatever go into ~user/.qmail-whatever.
- qmail makes it really easy to set up mailing list owners.
If the user touches ~user/.qmail-whatever-owner, all bounces will come
back to him.
- qmail automatically prevents mailing list loops, even
across hosts.
- qlist, included in the qmail package, deals with subscription
requests
safely and automatically.
Example: I'd like
me-sos@my.host.name to be forwarded
to a bunch of people.
Put a list of addresses into ~me/.qmail-sos,
one per line. Then incoming mail for me-sos will be forwarded to each of
those addresses. You should also touch ~me/.qmail-sos-owner
so that bounces come back to you rather than the original sender. If you
want subscriptions to be handled automatically, put |qlist2 sos my.host.name
into ~me/.qmail-sos-request.
Anyone who wants to subscribe can simply send a message to me-sos-request@my.host.name.
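The alias and mailing-list setups above all come down to the contents and permissions of .qmail files, so here is an added example (mine, not qmail's and not from these slides) that audits a directory of them: it flags files writable by anyone other than the owner, lists every program delivery, notes empty files (default delivery to Mailbox) and flags wildcard -default files that swallow typos. The line classification follows dot-qmail(5), which goes a little beyond what the slides show; the sample directory, addresses, host name and the deliberately loose mode on .qmail-sos-request are constructed for the demonstration.

```python
"""Audit the .qmail delivery files in a qmail home directory.

Added example, not code from qmail or from these slides. Line rules are
those of dot-qmail(5): "|" starts a program delivery, "/" or "." a mailbox
(a maildir if it ends in "/"), "#" a comment, anything else a forwarding
address ("&addr" or a bare address); an empty file means default delivery
to ./Mailbox, as the slides say for ~alias/.qmail-postmaster.
"""
import os
import shutil
import stat
import tempfile


def classify_line(line):
    """Map one .qmail line to its delivery kind."""
    s = line.strip()
    if not s or s.startswith("#"):
        return "comment"
    if s.startswith("|"):
        return "program"
    if s.startswith("/") or s.startswith("."):
        return "maildir" if s.endswith("/") else "mailbox"
    return "forward"


def audit_dotqmail_dir(home):
    """Return (address_suffix, finding) tuples for every .qmail* file in home."""
    findings = []
    for name in sorted(os.listdir(home)):
        if not name.startswith(".qmail"):
            continue
        path = os.path.join(home, name)
        suffix = name[len(".qmail"):]          # "" for a bare .qmail
        mode = os.stat(path).st_mode
        # Slides: "touch (and chmod 644)". Group/world write access lets another
        # local account redirect this address or insert a program delivery.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((suffix, "writable-by-others"))
        with open(path) as fh:
            lines = fh.read().splitlines()
        kinds = [classify_line(l) for l in lines]
        if all(k == "comment" for k in kinds):
            findings.append((suffix, "default-delivery"))   # empty => ./Mailbox
        for line, kind in zip(lines, kinds):
            if kind == "program":
                # Programs are not addresses: record every command mail can start.
                findings.append((suffix, "program:" + line.strip()[1:].strip()))
        if name.endswith("-default"):
            findings.append((suffix, "wildcard"))   # also catches typos that should bounce
    return findings


def build_demo_dir():
    """Constructed sample ~alias directory mirroring the slides' examples
    (addresses, host name and the loose mode are made up for the demo)."""
    home = tempfile.mkdtemp(prefix="qmail-alias-")

    def put(name, body, mode=0o644):
        path = os.path.join(home, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)

    put(".qmail-postmaster", "")                         # required; empty => Mailbox
    put(".qmail-mailer-daemon", "")
    put(".qmail-root", "&admin@my.host.name\n")          # root never receives mail directly
    put(".qmail-sos", "alice@my.host.name\nbob@my.host.name\n")
    put(".qmail-sos-owner", "")                          # bounces come back to the owner
    put(".qmail-sos-request", "|qlist2 sos my.host.name\n", 0o666)  # too open on purpose
    put(".qmail-default", "")                            # catch-all
    return home


def run_demo():
    """Build the sample directory, audit it, remove it, return the findings."""
    home = build_demo_dir()
    try:
        return audit_dotqmail_dir(home)
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for suffix, finding in run_demo():
        print(".qmail%s: %s" % (suffix, finding))
```

Run against a real ~alias or user home the same function reports which addresses can start a program, which ones another local user could rewrite, and whether a catch-all is in place; the forwarding lists (.qmail-root, .qmail-sos) produce no finding because forwarding to an address is exactly what a .qmail file is for.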
Masquerading
- host masquerading - All
the users on host zippy.af.mil are users on af.mil. When joe sends a message
to fred, the message should say "From: joe@af.mil" and "To:
fred@af.mil", without "zippy" anywhere (control/defaulthost).
- user masquerading - if you
like your own From lines to show boss@af.mil rather than god@heaven.af.mil
- Add MAILHOST=af.mil and MAILUSER=boss to your environment. To
override From lines supplied by your MUA, add QMAILINJECT=f to your environment.
Security considerations
- Programs and files are not addresses. Don't treat them
as addresses.
- Do as little as possible in setuid programs
(Of the twelve most recent sendmail security holes, six worked only
because the entire sendmail system is setuid. Only one qmail program is
setuid: qmail-queue. Its only purpose is to
add a new mail message to the outgoing queue.)
- Do as little as possible as root
(The entire sendmail system runs as root, so there's no way that
its mistakes can be caught by the operating system's built-in protections.
In contrast, only two qmail programs, qmail-start
and qmail-lspawn, run as root.)
- Move separate functions into mutually untrusting programs
- Don't parse
(The essence of user interfaces is _parsing_--- converting an unstructured
sequence of commands, in a format usually determined more by psychology
than by solid engineering, into structured data.)
- Keep it simple, stupid
- Write bug-free code
BUGS
Three qmail bugs have been reported
recently by Wietse Venema:
- Trivial denial
of service attack (1). By sending SMTP commands of unlimited length,
an attacker can make the machine run
out of memory, thus rendering it completely unusable.
- Denial
of service problem in qmail-smtpd (2). By sending an unlimited
number of recipient addresses, a malicious SMTP client can
run the qmail host out of memory, rendering the
system unusable.
- Trivial denial
of service attack (3). By sending SMTP commands of unlimited length,
an attacker can make the machine run
out of memory, thus rendering it completely unusable.
All of these bugs can be blocked by enforcing limits in qmail-smtpd:
an upper bound on the amount of data read per command closes (1) and (3),
and an upper bound on the number of RCPT commands accepted per message
closes (2).
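As an added example (not qmail code, and not from these slides) of the two limits just described, the following Python models the qmail-smtpd command loop with a cap on bytes buffered per command and a cap on RCPT commands per message; setting either cap to None reproduces the unbounded behaviour the reported attacks exploit. The limits (512 bytes, 100 recipients), the 64-byte read size, the reply texts and the constructed attack session are this example's own choices.

```python
"""Bounded SMTP command reading, as an added example (not qmail code).

Two limits from the slides: how much of one command line is buffered, and
how many RCPT commands a message may have. None means "no limit", which is
the behaviour the denial-of-service reports exploited. Limits, chunk size,
reply texts and the attack session are this example's choices.
"""
import io


class SmtpCommandReader:
    """Reads CRLF-terminated commands from a byte stream in small chunks."""

    def __init__(self, stream, max_line=512, chunk=64):
        self.stream, self.max_line, self.chunk = stream, max_line, chunk
        self.buf = b""
        self.peak = 0     # largest buffer ever held: memory the client controls

    def readline(self):
        """Return (line_without_crlf, overlong); (None, False) at EOF."""
        overlong = False
        while True:
            if self.max_line is not None and len(self.buf) > self.max_line:
                nl = self.buf.find(b"\n")
                if nl < 0 or nl > self.max_line:
                    # Hardened path: keep the first max_line bytes, drop the rest of
                    # this line, but keep any following line that was already read.
                    overlong = True
                    tail = self.buf[nl:] if nl >= 0 else b""
                    self.buf = self.buf[:self.max_line] + tail
            nl = self.buf.find(b"\n")
            if nl >= 0:
                line, self.buf = self.buf[:nl], self.buf[nl + 1:]
                return line.rstrip(b"\r"), overlong
            data = self.stream.read(self.chunk)
            if not data:
                line, self.buf = self.buf, b""
                return (line.rstrip(b"\r"), overlong) if line else (None, False)
            self.buf += data
            self.peak = max(self.peak, len(self.buf))   # unbounded => grows with the attack


class BoundedSmtpd:
    """Just enough of the SMTP command loop to show where the two limits bite."""

    def __init__(self, stream, max_line=512, max_rcpt=100):
        self.reader = SmtpCommandReader(stream, max_line)
        self.max_rcpt = max_rcpt
        self.sender, self.rcpts, self.replies = None, [], []

    def run(self):
        while True:
            line, overlong = self.reader.readline()
            if line is None:
                break
            if overlong:
                self.replies.append("500 line too long")   # discarded, never parsed
                continue
            verb, _, arg = line.partition(b" ")
            verb = verb.upper()
            if verb in (b"HELO", b"EHLO"):
                self.replies.append("250 ok")
            elif verb == b"MAIL":
                self.sender, self.rcpts = arg, []
                self.replies.append("250 ok")
            elif verb == b"RCPT":
                if self.sender is None:
                    self.replies.append("503 MAIL first")
                elif self.max_rcpt is not None and len(self.rcpts) >= self.max_rcpt:
                    # 452: RFC 2821 4.5.3.1 / RFC 1893 status 4.5.3, too many recipients
                    self.replies.append("452 too many recipients")
                else:
                    self.rcpts.append(arg)
                    self.replies.append("250 ok")
            elif verb == b"QUIT":
                self.replies.append("221 bye")
                break
            else:
                self.replies.append("502 unimplemented")
        return self.replies


def read_lines(data, max_line=512):
    """Read every command from a byte string with the reader alone."""
    r, out = SmtpCommandReader(io.BytesIO(data), max_line), []
    while True:
        line, overlong = r.readline()
        if line is None:
            return out
        out.append((line, overlong))


def constructed_attack_session():
    """A 20 kB HELO line followed by 300 RCPTs: both reported attacks in one stream."""
    long_cmd = b"HELO " + b"A" * 20000 + b"\r\n"
    rcpts = b"".join(b"RCPT TO:<u%d@example.org>\r\n" % i for i in range(300))
    return long_cmd + b"MAIL FROM:<attacker@example.net>\r\n" + rcpts + b"QUIT\r\n"


def run_session(data, max_line, max_rcpt):
    """Drive BoundedSmtpd over data; report memory held and recipients accepted."""
    s = BoundedSmtpd(io.BytesIO(data), max_line=max_line, max_rcpt=max_rcpt)
    replies = s.run()
    return {"peak_buffer": s.reader.peak, "accepted_rcpts": len(s.rcpts), "replies": replies}


if __name__ == "__main__":
    for label, ml, mr in (("unbounded", None, None), ("bounded", 512, 100)):
        r = run_session(constructed_attack_session(), ml, mr)
        print(label, "peak buffer:", r["peak_buffer"], "rcpts:", r["accepted_rcpts"])
```

Run directly, the unbounded session holds the whole 20 kB command in memory and accepts all 300 recipients, while the bounded session never holds more than one line limit plus one read chunk and stops at 100. The detail that matters is that an over-long line is drained chunk by chunk without being stored, so the client can keep sending but cannot make the server's memory grow with it.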
References and further readings:
Email References: links to RFCs and drafts about MIME, SMTP, Internet
security, and other related topics.