Postfix Overview - Introduction - SCN Research

More documents

Recommendations

Info

Postfix Overview - Security assistance from a set-uid or set-gid command or from a mail daemon process. The maildrop directory is not used for mail coming in via the network, and queue files are not readable for other users. A writable directory opens up opportunities for annoyance: a local user can make hard links to someone else's maildrop files so they don't go away and/or are delivered multiple times; a local user can fill the maildrop directory with garbage and try to make the mail system crash; and a local user can hard link someone else's files into the maildrop directory and try to have them delivered as mail. However, Postfix queue files have a specific format; less than one in 10^12 non-Postfix files would be recognized as a valid Postfix queue file. If a world-writable maildrop directory is not acceptable, sites can revoke world write permission, and enable set-gid privileges for a small helper program that is provided for this purpose. Trust As mentioned elsewhere in the overview, Postfix programs do not trust the contents of queue files or of the Postfix internal IPC messages. Queue files have no on-disk record for deliveries to sensitive destinations such as files or commands. Instead, programs such as the local delivery agent attempt to make security-sensitive decisions on the basis of first-hand information. Of course, Postfix programs do not trust data received from the network, either. In particular, Postfix filters sender-provided data before exporting it via environment variables. If there is one lesson that people have learned from Web site security disasters it is this one: don't let any data from the network near a shell. Filtering is the best we can do. Large inputs • Memory for strings and buffers is allocated dynamically, in order to prevent buffer overrun problems. • Long lines in message input are broken up into sequences of reasonably-sized chunks, and are reconstructed upon delivery. • Diagnostics are truncated (in one single place!) before they are passed to the syslog(3) interface, in order to prevent buffer overruns on older platforms. However, no general attempt is made to truncate data before it is passed to system calls or to library routines. On some platforms, the software may still exhibit buffer overrun problems, due to vulnerabilities in the underlying software. • No specific attempt is made to defend against unreasonably-long command-line arguments. UNIX kernels impose their own limits, which should be sufficient to deal with runaway programs or with malicious users. Other defenses • The number of in-memory instances of any object type is limited, to prevent the mail system from becoming wedged under heavy load. Page 2 of 2 • In case of problems, the software pauses before sending an error response to a client, before terminating with a fatal error, or before attempting to restart a failed program. The purpose is to prevent runaway conditions that only make problems worse. Up one level | Introduction | Goals and features | Global architecture | Queue Management | Security http://www.porcupine.org/postfix-mirror/security.html 6/26/01
Postfix Anatomy - Receiving Mail Page 1 of 2 Postfix Anatomy - Receiving Mail Up one level | Receiving Mail | Delivering Mail | Behind the Scenes | Command-line Utilities When a message enters the Postfix mail system, the first stop on the inside is the incoming queue. The figure below shows the main components that are involved with new mail. For an explanation of the symbols used, click on the icon in the upper left-hand corner of this page. • Mail is posted locally. The Postfix sendmail program deposits the message into the world-writable maildrop directory, where the message is picked up by the pickup daemon. This daemon does some sanity checks, in order to protect the rest of the Postfix system. In order to avoid accidents, the directory permissions on the maildrop directory must be such that a user cannot delete someone elses mail. • Mail comes in via the network. The Postfix SMTP server receives the message and does some sanity checks, in order to protect the rest of the Postfix system. The SMTP server can be configured to implement UCE controls on the basis of local or network-based black lists, DNS lookups, and other client request information. • Mail is generated internally by the Postfix system itself, in order to return undeliverable mail to the sender. The bounce or defer daemon brings the bad news. • Mail is forwarded by the local delivery agent, either via an entry in the system-wide alias database, or via an entry in a per-user .forward file. This is indicated with the unlabeled arrow. • Mail is generated internally by the Postfix system itself, in order to notify the postmaster of a problem (this path is also indicated with the unlabeled arrow). The Postfix system can be configured to notify the postmaster of SMTP protocol problems, UCE policy violations, and so on. • The cleanup daemon implements the final processing stage for new mail. It adds missing From: and other message headers, arranges for address rewriting to the standard user@fully.qualified.domain form, and optionally extracts recipient addresses from message headers. The cleanup daemon inserts the result as a single queue file into the incoming queue, and notifies the queue manager of the arrival of new mail. The cleanup daemon can be configured to transform addresses on the basis of canonical and virtual table lookups. • On request by the cleanup daemon, the trivial-rewrite daemon rewrites addresses to the standard http://www.porcupine.org/postfix-mirror/receiving.html 6/26/01
Page 1: Postfix Overview - Introduction Pag
Page 4 and 5: Postfix Overview - Goals and Featur
Page 6 and 7: Postfix Overview - Global Architect
Page 8 and 9: Postfix Overview - Queue Management
Page 12 and 13: Postfix Anatomy - Receiving Mail Pa
Page 14 and 15: Postfix Anatomy - Delivering Mail p
Page 16 and 17: Postfix Anatomy - Command-line Util
Page 18 and 19: Postfix Configuration - Basics What
Page 20 and 21: Postfix Configuration - Basics My o
Page 23 and 24: Postfix Configuration - UCE Control
Page 33 and 34: Postfix Rate Controls Page 1 of 4 P
Page 35 and 36: Postfix Rate Controls The defer_tra
Page 37 and 38: Postfix Configuration - Resource Co
Page 39: Postfix Configuration - Resource Co
Page 42 and 43: Postfix Configuration - Address Man
Page 44 and 45: Postfix Configuration - Address Man
Page 47 and 48: ACCESS(5) ACCESS(5) Page 1 of 3 NAM
Page 49: 1 Page 3 of 3 http://www.porcupine.
Page 52 and 53: ited to regular files. For example,
Page 54 and 55: BOUNCE(8) BOUNCE(8) Page 1 of 2 NAM
Page 56 and 57: CANONICAL(5) CANONICAL(5) Page 1 of
Page 58 and 59: canonical_maps List of canonical ma
Page 60 and 61:
CONFIGURATION PARAMETERS The follow
Page 62 and 63:
BOUNCE(8) BOUNCE(8) Page 1 of 2 NAM
Page 64 and 65:
FLUSH(8) FLUSH(8) Page 1 of 3 NAME
Page 66 and 67:
fast_flush_purge_time Remove an emp
Page 68 and 69:
Problems and transactions are logge
Page 70 and 71:
parameter. Page 4 of 5 Timeout cont
Page 72 and 73:
LOCAL(8) LOCAL(8) Page 1 of 7 NAME
Page 74 and 75:
estricts delivery to external comma
Page 76 and 77:
details and for default values. Use
Page 78 and 79:
that is written to upon delivery).
Page 80 and 81:
Page 2 of 3 SIGTERM Upon receipt of
Page 82 and 83:
PCRE_TABLE(5) PCRE_TABLE(5) Page 1
Page 84 and 85:
PICKUP(8) PICKUP(8) Page 1 of 2 NAM
Page 86 and 87:
PIPE(8) PIPE(8) Page 1 of 5 NAME pi
Page 88 and 89:
This macro expands to the extension
Page 90 and 91:
ounce(8) non-delivery status report
Page 92 and 93:
-r When updating a table, do not wa
Page 94 and 95:
POSTCAT(1) POSTCAT(1) Page 1 of 1 N
Page 96 and 97:
POSTDROP(1) POSTDROP(1) Page 1 of 2
Page 98 and 99:
POSTFIX(1) POSTFIX(1) Page 1 of 2 N
Page 100 and 101:
POSTKICK(1) POSTKICK(1) Page 1 of 2
Page 102 and 103:
POSTLOCK(1) POSTLOCK(1) Page 1 of 2
Page 104 and 105:
POSTLOG(1) POSTLOG(1) Page 1 of 1 N
Page 106 and 107:
default, postmap creates a new data
Page 108 and 109:
POSTSUPER(1) POSTSUPER(1) Page 1 of
Page 110 and 111:
LICENSE The Secure Mailer license m
Page 112 and 113:
The queue manager implements a vari
Page 114 and 115:
This parameter also limits the size
Page 116 and 117:
REGEXP_TABLE(5) REGEXP_TABLE(5) Pag
Page 118 and 119:
RELOCATED(5) RELOCATED(5) Page 1 of
Page 120 and 121:
Yorktown Heights, NY 10598, USA Pag
Page 122 and 123:
Page 2 of 5 -C config_file (ignored
Page 124 and 125:
Page 4 of 5 DIAGNOSTICS Problems ar
Page 126 and 127:
SHOWQ(8) SHOWQ(8) Page 1 of 1 NAME
Page 128 and 129:
command after a configuration chang
Page 130 and 131:
Page 4 of 4 smtp_helo_timeout Timeo
Page 132 and 133:
Support older Microsoft clients tha
Page 134 and 135:
Page 4 of 5 smtpd_hard_error_limit
Page 136 and 137:
SPAWN(8) SPAWN(8) Page 1 of 2 NAME
Page 138 and 139:
TRANSPORT(5) TRANSPORT(5) Page 1 of
Page 140 and 141:
the entire domain being looked up.
Page 142 and 143:
details and for default values. Use
Page 144 and 145:
VIRTUAL(5) VIRTUAL(5) Page 1 of 4 N
Page 146 and 147:
site is equal to $myorigin, when si
Page 148 and 149:
VIRTUAL(8) VIRTUAL(8) Page 1 of 4 N
Page 150 and 151:
Specifies a minimum uid that will b
show all

Postfix Overview - Introduction - SCN Research

Create successful ePaper yourself

Delete template?

Save as template?