Postfix Overview - Introduction - SCN Research

More documents

Recommendations

Info

Postfix Overview - Queue Management attempt, the queue manager gives the queue file a time stamp that is offset into the future by some configurable amount of time. Queue files with future time stamps are normally ignored by the queue manager. Whenever a repeat delivery attempt fails, the queue file time stamp is moved into the future by an amount of time equal to the age of the message. Thus, the time between delivery attempts doubles each time. This strategy effectively implements exponential backoff. Destination status cache The Postfix queue manager maintains a limited, short-term list of unreachable destinations. This list helps it to avoid unnecessary delivery attempts, especially with destinations that have a large mail backlog. Up one level | Introduction | Goals and features | Global architecture | Queue Management | Security Page 2 of 2 http://www.porcupine.org/postfix-mirror/queuing.html 6/26/01
Postfix Overview - Security Page 1 of 2 Postfix Overview - Security Up one level | Introduction | Goals and features | Global architecture | Queue Management | Security Introduction By definition, mail software processes information from potentially untrusted sources. Therefore, mail software must be written with great care, even when it runs with user privileges, and even when it does not talk directly to a network. Postfix is a complex system. The initial release has about 30,000 lines of code (after deleting the comments). With a system that complex, the security of the system should not depend on a single mechanism. If it did, one single error would be sufficient to compromise the entire mail system. Therefore, Postfix uses multiple layers of defense to control the damage from software and other errors. Least privilege Most Postfix daemon programs can be run at fixed low privilege in a chrooted environment. This is especially true for the programs that are exposed to the network: the SMTP server and SMTP client. Although chroot(2), even when combined with low privilege, is no guarantee against system compromise it does add a considerable hurdle. And we all know that every little bit helps. Insulation Postfix uses separate processes to insulate activities from each other. In particular, there is no direct path from the network to the security-sensitive local delivery programs. An intruder first has to break through multiple programs. Some parts of the Postfix system are multi-threaded. However, all programs that interact with the outside world are single-threaded. Separate processes give better insulation than multiple threads within a shared address space. Controlled environment No Postfix mail delivery program runs under control of a user process. Instead, most Postfix programs run under control of a resident master daemon that runs in a controlled environment, without any parent-child relationship to user processes. This approach eliminates exploits that involve signals, open files, environment variables, and other process attributes that the UNIX system passes on from a possibly-malicious parent to a child. Set-uid No Postfix program is set-uid. Introducing the concept was the biggest mistake made in UNIX history. Set-uid (and its weaker cousin, set-gid) causes more trouble than it is worth. Each time a new feature is added to the UNIX system, set-uid causes a security problem: shared libraries, the /proc file system, multi-language support, to mention just a few examples. Set-uid makes it impossible to introduce some of the features that make UNIX successors such as plan9 so attractive, for example, per-process file system name spaces. By default, the maildrop queue directory is world-writable, so that local processes can submit mail without http://www.porcupine.org/postfix-mirror/security.html 6/26/01
Page 1: Postfix Overview - Introduction Pag
Page 4 and 5: Postfix Overview - Goals and Featur
Page 6 and 7: Postfix Overview - Global Architect
Page 10 and 11: Postfix Overview - Security assista
Page 12 and 13: Postfix Anatomy - Receiving Mail Pa
Page 14 and 15: Postfix Anatomy - Delivering Mail p
Page 16 and 17: Postfix Anatomy - Command-line Util
Page 18 and 19: Postfix Configuration - Basics What
Page 20 and 21: Postfix Configuration - Basics My o
Page 23 and 24: Postfix Configuration - UCE Control
Page 33 and 34: Postfix Rate Controls Page 1 of 4 P
Page 35 and 36: Postfix Rate Controls The defer_tra
Page 37 and 38: Postfix Configuration - Resource Co
Page 39: Postfix Configuration - Resource Co
Page 42 and 43: Postfix Configuration - Address Man
Page 44 and 45: Postfix Configuration - Address Man
Page 47 and 48: ACCESS(5) ACCESS(5) Page 1 of 3 NAM
Page 49: 1 Page 3 of 3 http://www.porcupine.
Page 52 and 53: ited to regular files. For example,
Page 54 and 55: BOUNCE(8) BOUNCE(8) Page 1 of 2 NAM
Page 56 and 57: CANONICAL(5) CANONICAL(5) Page 1 of
Page 58 and 59:
canonical_maps List of canonical ma
Page 60 and 61:
CONFIGURATION PARAMETERS The follow
Page 62 and 63:
BOUNCE(8) BOUNCE(8) Page 1 of 2 NAM
Page 64 and 65:
FLUSH(8) FLUSH(8) Page 1 of 3 NAME
Page 66 and 67:
fast_flush_purge_time Remove an emp
Page 68 and 69:
Problems and transactions are logge
Page 70 and 71:
parameter. Page 4 of 5 Timeout cont
Page 72 and 73:
LOCAL(8) LOCAL(8) Page 1 of 7 NAME
Page 74 and 75:
estricts delivery to external comma
Page 76 and 77:
details and for default values. Use
Page 78 and 79:
that is written to upon delivery).
Page 80 and 81:
Page 2 of 3 SIGTERM Upon receipt of
Page 82 and 83:
PCRE_TABLE(5) PCRE_TABLE(5) Page 1
Page 84 and 85:
PICKUP(8) PICKUP(8) Page 1 of 2 NAM
Page 86 and 87:
PIPE(8) PIPE(8) Page 1 of 5 NAME pi
Page 88 and 89:
This macro expands to the extension
Page 90 and 91:
ounce(8) non-delivery status report
Page 92 and 93:
-r When updating a table, do not wa
Page 94 and 95:
POSTCAT(1) POSTCAT(1) Page 1 of 1 N
Page 96 and 97:
POSTDROP(1) POSTDROP(1) Page 1 of 2
Page 98 and 99:
POSTFIX(1) POSTFIX(1) Page 1 of 2 N
Page 100 and 101:
POSTKICK(1) POSTKICK(1) Page 1 of 2
Page 102 and 103:
POSTLOCK(1) POSTLOCK(1) Page 1 of 2
Page 104 and 105:
POSTLOG(1) POSTLOG(1) Page 1 of 1 N
Page 106 and 107:
default, postmap creates a new data
Page 108 and 109:
POSTSUPER(1) POSTSUPER(1) Page 1 of
Page 110 and 111:
LICENSE The Secure Mailer license m
Page 112 and 113:
The queue manager implements a vari
Page 114 and 115:
This parameter also limits the size
Page 116 and 117:
REGEXP_TABLE(5) REGEXP_TABLE(5) Pag
Page 118 and 119:
RELOCATED(5) RELOCATED(5) Page 1 of
Page 120 and 121:
Yorktown Heights, NY 10598, USA Pag
Page 122 and 123:
Page 2 of 5 -C config_file (ignored
Page 124 and 125:
Page 4 of 5 DIAGNOSTICS Problems ar
Page 126 and 127:
SHOWQ(8) SHOWQ(8) Page 1 of 1 NAME
Page 128 and 129:
command after a configuration chang
Page 130 and 131:
Page 4 of 4 smtp_helo_timeout Timeo
Page 132 and 133:
Support older Microsoft clients tha
Page 134 and 135:
Page 4 of 5 smtpd_hard_error_limit
Page 136 and 137:
SPAWN(8) SPAWN(8) Page 1 of 2 NAME
Page 138 and 139:
TRANSPORT(5) TRANSPORT(5) Page 1 of
Page 140 and 141:
the entire domain being looked up.
Page 142 and 143:
details and for default values. Use
Page 144 and 145:
VIRTUAL(5) VIRTUAL(5) Page 1 of 4 N
Page 146 and 147:
site is equal to $myorigin, when si
Page 148 and 149:
VIRTUAL(8) VIRTUAL(8) Page 1 of 4 N
Page 150 and 151:
Specifies a minimum uid that will b
show all

Postfix Overview - Introduction - SCN Research

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?