
Security Architecture of qmail and Postfix Authors: Munawar Hafiz Ralph E. Johnson Prepared by Geoffrey Foote CSC 593 Secure Software Engineering Seminar.




1 Security Architecture of qmail and Postfix
Authors: Munawar Hafiz, Ralph E. Johnson
Prepared by Geoffrey Foote
CSC 593 Secure Software Engineering Seminar, Spring Semester 2006
Instructors: Dr. James Walden, Dr. Charles Frank

2 Overview
- Introduction
- Architecture of qmail as a set of design decisions
- Architecture of Postfix as a parallel to qmail
- Similarities
- Differences
- Conclusions/Comments

3 Introduction
- qmail was designed as sendmail's replacement
  - Addressed security issues
  - Architecture made the system easier to understand and maintain
- Postfix used qmail's architecture as a reference
  - Design built towards performance
  - Reduced redundancy
  - Still achieved a high level of security
- Both systems hold an unblemished security record
- Both use similar security patterns
- Both are evidence that security doesn't have to come at the cost of performance

4 Introduction
- Architecture of the systems (qmail and Postfix)
- Key principle: Defense in Depth
  - The system does not depend on any single idea to achieve security
- Modularity
  - Decreases the damage caused by security break-ins
  - Ensures that many kinds of errors are not possible
  - Makes inspection easier

5 qmail Architecture
- sendmail runs as one process; if it is compromised, an attacker gains access to all processes
  - TO AVOID: qmail follows the Compartmentalization Security Pattern
    - Separate the system into different security domains
    - Therefore, when one part of the system is compromised the others remain secure
- sendmail runs as a super-user
  - Causes privilege issues
  - TO AVOID: qmail follows the Distributed Responsibility Security Pattern
    - Partition responsibility across compartments

6 qmail Architecture
- The mail queue must avoid race conditions
  - TO AVOID: qmail follows the Reliability Pattern – Unique Location for Each Request
    - Ensure every write request is to a different location
- Mailbox management: a system crash leaves the message in an unreliable state
  - TO AVOID: qmail follows the Reliability Pattern – Checkpointed System
    - Design the system as a finite state machine
    - Make the state information persistent
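The two reliability patterns on this slide are easiest to see in code. The following C program is an added example written for this transcript; it is not code from the paper, from qmail or from Postfix. It assumes a POSIX file system and models the queue as three directories (incoming, todo, done), each of which is one state of the finite state machine: a write request gets a location nobody else can claim (pid plus counter, opened with O_EXCL), and a state transition is a single rename, which is atomic on POSIX, so after a crash every message is found in exactly one state.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Each queue state is a directory; a message lives in exactly one of them. */
static const char *const QUEUE_STATES[] = { "incoming", "todo", "done" };
enum { Q_INCOMING = 0, Q_TODO = 1, Q_DONE = 2, Q_MISSING = -1 };

static int make_dir(const char *path) {
    return (mkdir(path, 0700) == 0 || errno == EEXIST) ? 0 : -1;
}

/* Create qdir and its state directories (idempotent). */
int queue_init(const char *qdir) {
    char path[512];
    if (make_dir(qdir) != 0) return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", qdir, QUEUE_STATES[i]);
        if (make_dir(path) != 0) return -1;
    }
    return 0;
}

/* Unique Location for Each Write Request: the name combines the writer's pid
 * with a per-process counter, and O_EXCL makes the kernel refuse a second
 * creator, so two writers can never race on one path. The bytes are written
 * and fsync'ed under "incoming" and only then renamed into "todo", so a
 * reader never sees a half-written message. */
int queue_enqueue(const char *qdir, const char *msg, size_t len,
                  char *name, size_t name_sz) {
    static unsigned long seq = 0;
    char tmp[512], dst[512];
    snprintf(name, name_sz, "%ld.%lu", (long)getpid(), seq++);
    snprintf(tmp, sizeof tmp, "%s/incoming/%s", qdir, name);
    snprintf(dst, sizeof dst, "%s/todo/%s", qdir, name);
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    for (size_t off = 0; off < len;) {
        ssize_t n = write(fd, msg + off, len - off);
        if (n <= 0) { close(fd); unlink(tmp); return -1; }
        off += (size_t)n;
    }
    if (fsync(fd) != 0) { close(fd); unlink(tmp); return -1; }
    close(fd);
    if (rename(tmp, dst) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Checkpointed System: each state transition is one atomic rename. A crash
 * before it leaves the message in the old state, a crash after it in the new
 * one; there is no in-between state for a restart to misread. */
int queue_advance(const char *qdir, const char *name, int from, int to) {
    char src[512], dst[512];
    snprintf(src, sizeof src, "%s/%s/%s", qdir, QUEUE_STATES[from], name);
    snprintf(dst, sizeof dst, "%s/%s/%s", qdir, QUEUE_STATES[to], name);
    return rename(src, dst);
}

/* Recovery after a restart: the directory a message sits in is its state. */
int queue_state(const char *qdir, const char *name) {
    char path[512];
    struct stat st;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s/%s", qdir, QUEUE_STATES[i], name);
        if (stat(path, &st) == 0) return i;
    }
    return Q_MISSING;
}

/* Self-test on a throwaway directory: 0 on success, else the failing step. */
int queue_selftest(void) {
    char qdir[] = "/tmp/qexample.XXXXXX", a[64], b[64];
    const char *m1 = "From: alice@example.org\r\n\r\nhello\r\n";  /* constructed */
    const char *m2 = "From: bob@example.org\r\n\r\nworld\r\n";    /* constructed */
    if (mkdtemp(qdir) == NULL) return 1;
    if (queue_init(qdir) != 0) return 2;
    if (queue_enqueue(qdir, m1, strlen(m1), a, sizeof a) != 0) return 3;
    if (queue_enqueue(qdir, m2, strlen(m2), b, sizeof b) != 0) return 4;
    if (strcmp(a, b) == 0) return 5;                     /* distinct locations */
    if (queue_state(qdir, a) != Q_TODO) return 6;
    if (queue_advance(qdir, a, Q_TODO, Q_DONE) != 0) return 7;
    if (queue_state(qdir, a) != Q_DONE) return 8;        /* checkpoint persisted */
    if (queue_state(qdir, b) != Q_TODO) return 9;        /* other message untouched */
    if (queue_advance(qdir, a, Q_TODO, Q_DONE) == 0) return 10; /* stale move fails */
    return 0;
}

int main(void) {
    int rc = queue_selftest();
    printf("queue self-test: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point to take from the self-test is step 10: once a message has moved on, a second worker that still believes it is in "todo" cannot move it again, because the rename fails instead of silently duplicating or losing the message. A real queue also has to survive a crash between the write and the fsync, which is why the temporary lives in its own directory that a restart can simply sweep.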

7 qmail Architecture
- Multithreading can exhaust resources
  - TO AVOID: qmail follows the Small Processes Performance Pattern
    - Make processes small and single-task; limit memory
- Inherent problems using standards – the C library
  - TO AVOID: qmail follows the Safe Data Structure Security Pattern
    - Represent strings with a data structure
- In sendmail, the program could execute the body of a message
  - TO AVOID: qmail follows the Content-Dependent Processing Security Pattern
    - Treat the received contents as a mail message only
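"Represent strings with a data structure" is the Safe Data Structure pattern; the C code below is an added example for this transcript, not qmail's own string library, and it assumes nothing beyond the C standard library. It pairs a length-counted growable string (the byte count and capacity travel with the bytes, and every size computation is overflow-checked) with the fixed-buffer idiom it replaces, then builds a trace header from a client-supplied HELO name of arbitrary length with each approach.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Length-counted, growable string: the byte count travels with the bytes, so
 * no callee has to guess a buffer size and no NUL terminator is trusted. */
typedef struct { char *s; size_t len; size_t cap; } sstr;

/* Make room for at least `need` bytes; the size arithmetic is overflow-checked. */
int sstr_ready(sstr *x, size_t need) {
    if (need <= x->cap) return 0;
    if (need > SIZE_MAX / 2) return -1;            /* doubling would wrap */
    size_t cap = x->cap ? x->cap : 64;
    while (cap < need) cap *= 2;
    char *p = realloc(x->s, cap);
    if (p == NULL) return -1;
    x->s = p;
    x->cap = cap;
    return 0;
}

/* Append n bytes: 0 on success, -1 if the request cannot be honoured. The
 * caller never passes a destination size, so it cannot get one wrong. */
int sstr_catb(sstr *x, const char *buf, size_t n) {
    if (n > SIZE_MAX - x->len) return -1;          /* len + n would wrap */
    if (sstr_ready(x, x->len + n) != 0) return -1;
    memcpy(x->s + x->len, buf, n);
    x->len += n;
    return 0;
}

int sstr_cats(sstr *x, const char *cstr) { return sstr_catb(x, cstr, strlen(cstr)); }

void sstr_free(sstr *x) { free(x->s); x->s = NULL; x->len = x->cap = 0; }

/* The C-library idiom the pattern replaces: a fixed buffer whose size the
 * callee must be told. Written with an explicit check here; the plain
 * strcpy() form overruns the buffer instead of returning -1. */
int fixed_copy(char *dst, size_t dstsz, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > dstsz) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build a trace header from a client-supplied HELO name of any length
 * (constructed here as 'a' repeated hostlen times). Returns the header
 * length, or 0 if memory ran out. */
size_t received_line_len(size_t hostlen) {
    char *host = malloc(hostlen + 1);
    if (host == NULL) return 0;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    sstr line = { NULL, 0, 0 };
    int rc = sstr_cats(&line, "Received: from ")
          || sstr_cats(&line, host)
          || sstr_cats(&line, " (")
          || sstr_cats(&line, "192.0.2.1")           /* constructed client address */
          || sstr_cats(&line, ")");
    size_t len = rc == 0 ? line.len : 0;
    sstr_free(&line);
    free(host);
    return len;
}

/* The same name into a 64-byte stack buffer: 0 if it fit, -1 if refused. */
int fixed_received_line(size_t hostlen) {
    char host[4096], buf[64];
    if (hostlen >= sizeof host) return -1;
    memset(host, 'a', hostlen);
    host[hostlen] = '\0';
    return fixed_copy(buf, sizeof buf, host);
}

/* A request no allocator could satisfy is refused before any copy happens. */
int sstr_huge_request(void) {
    sstr x = { NULL, 0, 0 };
    int rc = sstr_catb(&x, "", SIZE_MAX);
    sstr_free(&x);
    return rc;
}
```

The difference the slide is pointing at is where the size knowledge lives: with `fixed_copy` every caller must pass the right `dstsz`, and one wrong constant anywhere is a memory corruption bug; with `sstr` the only place that touches sizes is `sstr_ready`, so it is the one function that needs to be right. The memory limit the slide pairs this with (Small Processes) belongs outside the data structure, as a per-process resource limit that makes a failed `realloc` the worst case.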

8 qmail Architecture
- Trust Partitioning – not trusting the communication payload
  - TO AVOID: qmail follows the Trust Partitioning Security Pattern
    - Design the components to not trust inputs from other groups and to validate inputs

9 Postfix Architecture
- Similarities between qmail and Postfix
  - Partitioning and responsibility distribution among processes
  - Neither has a configuration language; this was one of the main problems with sendmail
  - Postfix follows the qmail pattern Unique Location for Each Write Request
    - qmail implements the mail queue as a single directory; Postfix as a single directory
  - Postfix follows the Checkpointed System pattern to ensure that the system can restart gracefully from a crash

10 Postfix Architecture
- Differences
  - Postfix uses lookup tables
  - Mail queue: qmail uses one, Postfix has five
  - Separate processes for sending mail using different protocols
  - Postfix uses only one user to simplify configuration management; qmail uses multiple user and group ids
    - Creates a security risk, since everything is running under one id
    - Introduces Security Pattern – chroot Jail
      - Run processes under separate least-privilege user ids in a controlled environment

11 Postfix Architecture
- Postfix uses pre-forking, qmail forks on demand
  - Security Pattern – Secure Preforking
    - Consequences of daemon process compromises are especially bad because of their long life
    - Solution: limit the lifetime of daemon processes, fork them again after a configurable, short life, and run the daemons in a contained environment
- Postfix uses a soft-update file system, while qmail uses an async file system.

12 Postfix Architecture
- Postfix uses a Single-Threaded Facade Security Pattern
  - Problem: multithreaded processes communicating with the outside environment are more vulnerable. Therefore they should be made simple in architecture; how can this be achieved?
  - Solution: processes on the perimeter should be single-threaded and perform single tasks, because multithreading involves complex resource management.

13 Postfix Architecture
- Postfix uses a Batch Transaction Performance Pattern
  - Batch transactions to eliminate overhead
  - Group related tasks to avoid task switching and process creation overhead
- Reliability Pattern – DoS Safety
  - Protect against denial of service attacks by setting resource limits
- Security Pattern – Policy Enforcement Point
  - Channel all outside communication through one point where security mechanisms can be applied by defining security policies
  - Postfix has spam filters, qmail does not
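The Policy Enforcement Point and DoS Safety items on this slide combine naturally: one function that every recipient from the outside world passes through, which checks syntax, a per-session limit, and a relay policy in that order. The C below is an added example for this transcript, not Postfix or qmail code; the local domains, trusted network prefixes and recipient limit are constructed values, and the network check is a string prefix match for brevity (a real implementation would parse CIDR ranges).

```c
#include <ctype.h>
#include <string.h>

/* Decisions handed back to the perimeter process, which turns them into SMTP replies. */
enum { POLICY_ACCEPT = 0, POLICY_REJECT_SYNTAX, POLICY_REJECT_RELAY, POLICY_REJECT_LIMIT };

/* Constructed policy data for the example, not real Postfix or qmail configuration. */
static const char *const LOCAL_DOMAINS[] = { "example.org", "lists.example.org", NULL };
static const char *const TRUSTED_NET_PREFIXES[] = { "192.0.2.", "10.0.0.", NULL };
#define MAX_RCPT_PER_SESSION 100   /* DoS Safety: bound work one client can cause */

static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* A syntactically sane address: bounded length, exactly one '@', printable
 * non-space ASCII only. Deliberately stricter than RFC 5321 (no quoted local
 * parts), so that nothing downstream has to cope with CR, LF or 8-bit bytes. */
static int address_ok(const char *addr) {
    size_t n = strlen(addr);
    int ats = 0;
    if (n == 0 || n > 254) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c <= ' ' || c >= 0x7f) return 0;
        if (c == '@' && ++ats > 1) return 0;
    }
    return ats == 1 && addr[0] != '@' && addr[n - 1] != '@';
}

static int domain_is_local(const char *addr) {
    const char *dom = strrchr(addr, '@') + 1;   /* address_ok guarantees one '@' */
    for (int i = 0; LOCAL_DOMAINS[i]; i++)
        if (ci_equal(dom, LOCAL_DOMAINS[i])) return 1;
    return 0;
}

static int client_is_trusted(const char *ip) {
    for (int i = 0; TRUSTED_NET_PREFIXES[i]; i++)
        if (strncmp(ip, TRUSTED_NET_PREFIXES[i], strlen(TRUSTED_NET_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* The single choke point: every RCPT from the outside is judged here, cheapest
 * check first. rcpt_so_far is the number already accepted in this session;
 * an empty sender is the null reverse path used by bounces and is allowed. */
int pep_decide(const char *client_ip, const char *sender, const char *rcpt, int rcpt_so_far) {
    if (!address_ok(rcpt)) return POLICY_REJECT_SYNTAX;
    if (sender[0] != '\0' && !address_ok(sender)) return POLICY_REJECT_SYNTAX;
    if (rcpt_so_far >= MAX_RCPT_PER_SESSION) return POLICY_REJECT_LIMIT;
    if (!domain_is_local(rcpt) && !client_is_trusted(client_ip)) return POLICY_REJECT_RELAY;
    return POLICY_ACCEPT;
}
```

Because the perimeter process calls nothing but `pep_decide`, a new rule (a blocklist lookup, a spam-filter verdict, a rate limit) is added in one place and applies to every path in, which is the property the slide describes; the same single entry point is also the natural place to log each rejection with its reason code.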

14 Conclusion/Questions
- While qmail's and Postfix's designs are not the same, they both use common security patterns
- Both were designed with security as an original requirement
- Both are evidence that security does not have to come at the cost of performance
- Comments/Questions???




