Postfix Overview - Introduction - SCN Research
Postfix Overview - Introduction - SCN Research
Postfix Overview - Introduction - SCN Research
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Postfix</strong> <strong>Overview</strong> - Security<br />
assistance from a set-uid or set-gid command or from a mail daemon process. The maildrop directory is not<br />
used for mail coming in via the network, and queue files are not readable for other users.<br />
A writable directory opens up opportunities for annoyance: a local user can make hard links to someone else's<br />
maildrop files so they don't go away and/or are delivered multiple times; a local user can fill the maildrop<br />
directory with garbage and try to make the mail system crash; and a local user can hard link someone else's files<br />
into the maildrop directory and try to have them delivered as mail. However, <strong>Postfix</strong> queue files have a specific<br />
format; less than one in 10^12 non-<strong>Postfix</strong> files would be recognized as a valid <strong>Postfix</strong> queue file.<br />
If a world-writable maildrop directory is not acceptable, sites can revoke world write permission, and enable<br />
set-gid privileges for a small helper program that is provided for this purpose.<br />
Trust<br />
As mentioned elsewhere in the overview, <strong>Postfix</strong> programs do not trust the contents of queue files or of the<br />
<strong>Postfix</strong> internal IPC messages. Queue files have no on-disk record for deliveries to sensitive destinations such<br />
as files or commands. Instead, programs such as the local delivery agent attempt to make security-sensitive<br />
decisions on the basis of first-hand information.<br />
Of course, <strong>Postfix</strong> programs do not trust data received from the network, either. In particular, <strong>Postfix</strong> filters<br />
sender-provided data before exporting it via environment variables. If there is one lesson that people have<br />
learned from Web site security disasters it is this one: don't let any data from the network near a shell. Filtering<br />
is the best we can do.<br />
Large inputs<br />
• Memory for strings and buffers is allocated dynamically, in order to prevent buffer overrun problems.<br />
• Long lines in message input are broken up into sequences of reasonably-sized chunks, and are<br />
reconstructed upon delivery.<br />
• Diagnostics are truncated (in one single place!) before they are passed to the syslog(3) interface, in order<br />
to prevent buffer overruns on older platforms. However, no general attempt is made to truncate data<br />
before it is passed to system calls or to library routines. On some platforms, the software may still exhibit<br />
buffer overrun problems, due to vulnerabilities in the underlying software.<br />
• No specific attempt is made to defend against unreasonably-long command-line arguments. UNIX<br />
kernels impose their own limits, which should be sufficient to deal with runaway programs or with<br />
malicious users.<br />
Other defenses<br />
• The number of in-memory instances of any object type is limited, to prevent the mail system from<br />
becoming wedged under heavy load.<br />
Page 2 of 2<br />
• In case of problems, the software pauses before sending an error response to a client, before terminating<br />
with a fatal error, or before attempting to restart a failed program. The purpose is to prevent runaway<br />
conditions that only make problems worse.<br />
Up one level | <strong>Introduction</strong> | Goals and features | Global architecture | Queue Management | Security<br />
http://www.porcupine.org/postfix-mirror/security.html<br />
6/26/01