Postfix Overview - Introduction - SCN Research
Postfix Overview - Introduction - SCN Research
Postfix Overview - Introduction - SCN Research
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Postfix</strong> <strong>Overview</strong> - Security<br />
Page 1 of 2<br />
<strong>Postfix</strong> <strong>Overview</strong> - Security<br />
Up one level | <strong>Introduction</strong> | Goals and features | Global architecture | Queue Management | Security<br />
<strong>Introduction</strong><br />
By definition, mail software processes information from potentially untrusted sources. Therefore, mail software<br />
must be written with great care, even when it runs with user privileges, and even when it does not talk directly<br />
to a network.<br />
<strong>Postfix</strong> is a complex system. The initial release has about 30,000 lines of code (after deleting the comments).<br />
With a system that complex, the security of the system should not depend on a single mechanism. If it did, one<br />
single error would be sufficient to compromise the entire mail system. Therefore, <strong>Postfix</strong> uses multiple layers of<br />
defense to control the damage from software and other errors.<br />
Least privilege<br />
Most <strong>Postfix</strong> daemon programs can be run at fixed low privilege in a chrooted environment. This is especially<br />
true for the programs that are exposed to the network: the SMTP server and SMTP client. Although chroot(2),<br />
even when combined with low privilege, is no guarantee against system compromise it does add a considerable<br />
hurdle. And we all know that every little bit helps.<br />
Insulation<br />
<strong>Postfix</strong> uses separate processes to insulate activities from each other. In particular, there is no direct path from<br />
the network to the security-sensitive local delivery programs. An intruder first has to break through multiple<br />
programs. Some parts of the <strong>Postfix</strong> system are multi-threaded. However, all programs that interact with the<br />
outside world are single-threaded. Separate processes give better insulation than multiple threads within a<br />
shared address space.<br />
Controlled environment<br />
No <strong>Postfix</strong> mail delivery program runs under control of a user process. Instead, most <strong>Postfix</strong> programs run<br />
under control of a resident master daemon that runs in a controlled environment, without any parent-child<br />
relationship to user processes. This approach eliminates exploits that involve signals, open files, environment<br />
variables, and other process attributes that the UNIX system passes on from a possibly-malicious parent to a<br />
child.<br />
Set-uid<br />
No <strong>Postfix</strong> program is set-uid. Introducing the concept was the biggest mistake made in UNIX history. Set-uid<br />
(and its weaker cousin, set-gid) causes more trouble than it is worth. Each time a new feature is added to the<br />
UNIX system, set-uid causes a security problem: shared libraries, the /proc file system, multi-language support,<br />
to mention just a few examples. Set-uid makes it impossible to introduce some of the features that make UNIX<br />
successors such as plan9 so attractive, for example, per-process file system name spaces.<br />
By default, the maildrop queue directory is world-writable, so that local processes can submit mail without<br />
http://www.porcupine.org/postfix-mirror/security.html<br />
6/26/01