Network Security, July 1999

Postfix - a secure alternative to Sendmail
A new frontier in the realm of free mailers
Dario Forte

It is now widely recognized that Sendmail, the most widely used UNIX mailer, has certain security gaps, many of which are discovered and reported on a daily basis by researchers and users. One such researcher is Wietse Venema. Venema is a programmer and inventor of numerous irreplaceable tools for UNIX administrators. Examples include SATAN (created together with the equally well known researcher, Dan Farmer) and TCPWrappers, of note recently for allegedly having been illicitly distributed with a Trojan horse inside by a group of malicious hackers. For some time now, Venema has been pointing out to the scientific community just why Sendmail will never be completely secure. Naturally, criticism of a product should be accompanied by suggestions or, better yet, alternatives. Thus, Venema, during his time with the T.J. Watson research laboratories, was driven to launch the Postfix project (a.k.a. Vmailer or Secure Mailer) under the auspices of IBM. As Venema says, there is a dual objective: to give the user an alternate Mail Transfer Agent (MTA) to Sendmail while creating a secure mailer like the well-known Qmail, another program in this category, created by Dan Bernstein.
Replacement for Sendmail

As we will repeat below regarding the security model, Postfix can be defined as a set of modules, each with a specific function. This places a hurdle before anyone attempting to interfere with the overall infrastructure in irregular ways. The architecture is extremely 'granular': for example, two different modules are used for sending and receiving messages via SMTP, and so on. The granularity of the setup means that unneeded modules can be replaced or disabled. This characteristic is useful, for example, for reducing the firewall rule loading or putting security policies into practice more directly. Two main questions are raised in this regard, which address the possible impact on system performance and the possibility of interaction between the mailer and frameworks such as CA Unicenter, Tivoli, Solstice and so forth. The first can be answered in the negative, since the product's speed has been demonstrated right from the start. As for the second, there are no official statements from vendors. However, during a recent trip I took to the IBM laboratory in Raleigh (location of Tivoli as well), researchers did not exclude this possibility with regard to Tivoli itself. Postfix has multiple objectives. The fact that it is a completely open-source project (hence, free) and that its compatibility with Sendmail is established means it can be distributed similarly to Sendmail.
Security and reliability

Experience evidently counselled Venema to keep mailer resistance to stress or overload as a goal. It is thus important to recognize that Postfix modules control all processes in their purview, acting as a sort of governor. Another important characteristic is the possibility of handling several message protocols. Here too, Venema's experience has borne fruit. The official documentation of the project identifies the alternative scenarios of this MTA in interaction with Internet, DECnet, X400 and naturally UUCP. Although this inter-operability will soon be a reality, as I write this, the support is limited to SMTP. And what about handling virtual domains? Those who use mailers in Windows NT have none of these problems; a few hours spent studying the manuals, a nice graphic interface, a pair of wizards and the cat is in the bag. The UNIX postmaster finds himself in a different fix. He has to put in several work sessions to organize redirection and correlated activities (for example: aliasing) to achieve the same result. Postfix gets around the problem via simple table lookup, where only one table is necessary.
Security characteristics

In the section titled "Replacement for Sendmail", we indicated the principal features of Postfix, its differences and the principles of compatibility. These principles are naturally necessary to allow simple and painless migration. We are also going to talk about the security characteristics that Venema has incorporated into his creature, comprising over 30 000 lines of code, excluding comments.

© 1999 Elsevier Science Ltd
In dealing with the analysis model, the creator of Postfix started from the general principle that E-mail services (and the corresponding software) are exposed to information from unknown (and untrusted) sources, both internal and external. Moreover, the software, even when its use is privileged and it does not talk directly with the rest of the network (an example is given by mailers incorporated into the DMZ of a firewall), is potentially at risk from malfunctions and attacks. Often, the second threat exploits the first; think of denial of service (DoS) attacks. To address this problem, Venema set up a multilevel model of defence, based essentially on minimum allocation and granulation of privileges. In distinguishing Postfix from Sendmail, many analysts point out that since the latter incorporates many of its functions into a single executable block, it requires superuser privileges in order to work, something which exposes the entire structure to obvious security risks. Venema identifies the activities at security risk principally in SMTP operations. The Postfix analysis model keeps operations (even multi-thread) insulated from one another and without a direct path to mail delivery programs (SMTP client and servers). Thus an attack has to be carried out on several processes in parallel in order to achieve a result, and is consequently much more difficult to carry out.

A further application of the above principle regards the complete lack of connection between Postfix's mail delivery components and user processes. The mail delivery programs are handled by a master daemon operating in an autonomous and controlled way, without any relation to user processes. When such a parent-child relationship is excluded, all threats of exploits via heredity phenomena are nipped in the bud. Attention was also dedicated to insulating the Postfix "modules" from any Set-uid or Set-gid processes. These are UNIX functions that create new users and new groups, respectively, also when new components are added. Venema pointed out that each time any sort of feature is added to the operating system, Set-uid causes security problems such as those relative to forced (or arbitrary) sharing of libraries. In order to handle outgoing mail, for example, Postfix gets around the Set-uid problem with the use of a world-writable queue directory called maildrop, which has the task of handling outgoing mail for all users. Practically speaking, queue files will be in a proprietary format and not readable by other users. Hence, interaction between the mail delivery module and Set-uid/Set-gid processes is not required. Whenever it is considered inopportune, for questions of policy, to use open write-only directories, it is possible to opt for privilege enablement via Set-gid.

In observance of the general rule that "interaction with security-sensitive processes is forbidden unless necessary", Postfix does not allow any type of data coming from within the network to interact with the system shell. During our brief exchange of viewpoints, Venema restated one of the fundamental rules: do not allow any data coming from the network to interact with the shell. Keep these two as far away from each other as possible. Many Postfix daemon programs can run in a low privilege regime in an environment called a "chrooted jail" - a sort of security cell. For those who are not extremely familiar with UNIX: this is one of the UNIX security precautions. The chroot command is used to call up the root directory in a different position from the actual one. For example, using the chroot command to change the original root to /dario/jail, the current lamer who types cd /bin will find himself in /dario/jail/bin and not in the original root.
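The "world-writable maildrop" pattern described above, as an added illustration that is not Postfix's own code: a drop-box directory any user can write into, with each dropped file kept private. The directory layout, file naming and the 1733/0600 modes are assumptions chosen to make the point checkable.

```python
import os
import secrets
import stat
import tempfile

# Added illustration of a drop-box queue directory (assumption: layout and
# modes are ours, not the real Postfix queue). The directory is world-writable
# so unprivileged users need no Set-uid helper to hand in mail, but the
# sticky bit and the private file mode keep users from touching or reading
# each other's submissions.

def make_maildrop(path):
    """Create the drop-box: writable and searchable by everyone, not listable,
    sticky so users cannot delete or rename each other's files.
    Returns the resulting permission bits."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o1733)  # sticky + rwx for owner, -wx for group and others
    return stat.S_IMODE(os.stat(path).st_mode)

def submit(path, sender, body):
    """Drop one message into the maildrop as a private file.
    O_EXCL makes the create fail instead of reusing a name somebody else
    planted; the explicit chmod keeps the file unreadable to other users
    regardless of the submitter's umask."""
    name = os.path.join(path, f"{os.getpid()}.{secrets.token_hex(6)}")
    fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, f"Sender: {sender}\n\n{body}\n".encode())
    finally:
        os.close(fd)
    os.chmod(name, 0o600)
    return name

def file_mode(name):
    """Permission bits of a queue file, for checking."""
    return stat.S_IMODE(os.stat(name).st_mode)

def demo():
    """Build a throwaway maildrop, drop a constructed message, report the modes."""
    drop = os.path.join(tempfile.mkdtemp(), "maildrop")
    dir_mode = make_maildrop(drop)
    queued = submit(drop, "dario@example.org", "constructed test message")
    return dir_mode, file_mode(queued), os.path.dirname(queued) == drop

if __name__ == "__main__":
    d, f, same_dir = demo()
    print(oct(d), oct(f), same_dir)
```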
Limiting spam

Another problem that drives Sendmail administrators crazy (especially if ISPs) is the fact that one's own mail server can be used as a relay by non-authorized users, even if they are outside of the structure. This means that it can be used as a beachhead for spamming, or worse yet, as has happened, to use E-mail for illicit purposes such as mail bombing, exchange of banned pornographic material and so on. In the first event, the best case scenario might be the inclusion of one's mail domains in the blacklists kept by the anti-spam associations. In the other cases undetermined legal troubles may result, since the laws are not yet well defined in this regard. Getting back to the technical stuff, what was just described is a vexation for Sendmail users. However, if the truth be told, I have often found myself sharing experiences of this problem with administrators of other mail servers (for instance, Eudora WorldMail, at least up until last year). In that case, operating with a filter was simpler, for obvious reasons. Postfix deals with this problem with a sort of Access Control List, while waiting for the upcoming implementation of content filtering.

Regarding the DoS vulnerability to which such a mailer may be exposed, Venema responded with particular care in the dynamic allocation of memory and the breaking up of messages that are too long for subsequent reassembly upon delivery. Venema delegated the management of commands made up of overly long strings to the various UNIX kernels, considering the setup at the SystemV level to be sufficiently safe. Error management merits particular mention. Before returning any error message to the mail client, Postfix pauses. This behaviour is followed in the event of a termination due to a fatal error or of restarting an application that generated an error.
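The relay-control decision behind the Access Control List approach mentioned above, as an added example (not Postfix's own code): for each recipient the server checks whether the client is one of ours or the destination is one we host or forward for, and refuses to relay otherwise. MYNETWORKS, MYDESTINATION and RELAY_DOMAINS are constructed values whose names merely mirror the Postfix settings they imitate.

```python
import ipaddress

# Added model of an open-relay check (assumption: simplified stand-in for the
# MTA's access-control policy; the three settings below are constructed).

MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]   # clients we relay for
MYDESTINATION = {"example.org", "mail.example.org"}      # domains delivered locally
RELAY_DOMAINS = {"partner.example"}                      # domains we forward for

def domain_of(recipient):
    """Return the lower-cased domain of 'local@domain', or None when the
    address is malformed or carries sender-specified routing ('%', '!',
    or more than one '@'), which a relay check must not honour."""
    if recipient.count("@") != 1 or any(c in recipient for c in "%!"):
        return None
    local, _, domain = recipient.partition("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")

def is_relay_domain(domain):
    """A relay domain matches itself and every subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in RELAY_DOMAINS)

def check_recipient(client_ip, recipient):
    """Policy: permit our own networks; permit mail for domains we host or
    agree to relay for; reject everything else so that strangers cannot
    use the server as a spam relay. Returns an SMTP-style verdict."""
    domain = domain_of(recipient)
    if domain is None:
        return "REJECT 501 malformed recipient address"
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "OK (client is in mynetworks)"
    if domain in MYDESTINATION or is_relay_domain(domain):
        return "OK (destination is ours)"
    return "REJECT 554 relay access denied"

if __name__ == "__main__":
    # constructed sample: one internal client, one stranger on the Internet
    for ip, rcpt in [("192.168.1.20", "friend@anywhere.test"),
                     ("203.0.113.5", "bob@example.org"),
                     ("203.0.113.5", "victim@anywhere.test")]:
        print(ip, rcpt, "->", check_recipient(ip, rcpt))
```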
An opening to concurrent engineering

Recently I had the chance to exchange a few comments with Venema about this project and other things. We dedicated a bit of attention to the attack suffered by the FTP site that hosted TCPWrappers, carried out by malicious hackers who replaced some versions of the tool with others containing Trojan horses. Venema said that it was not possible to quantify the user downloads carried out before the attack was discovered, for obvious reasons: being open-source projects, the practice of shared downloads is very widespread, which means that for one download there may be as many as 50 subsequent disseminations. He went on to say that, besides luck, the saving grace had been the almost immediate discovery of the problem, which allowed the damage to be contained. Venema dealt with the problem by physically (or rather, geographically) moving the FTP dissemination site.
With regard to 'concurrent engineering' (meaning that, if someone sends some criticism or feedback about secure mailer, what consideration would it get?) Venema's answer was very clear. "If someone has a useful contribution to Postfix, it will be merged into the software. In the short time since the first public release, several useful contributions were adopted. Discussion of these here is probably not appropriate. Interested people can visit the Web site at http://www.postfix.org/. If one experiences a problem, either with the software itself or with its documentation, the problem is addressed by adding additional tests and warnings, by replacing a confusing error message, or by changing the software if it behaves in a nonintuitive manner."

Regarding mailer security in general, Venema does not believe this can be undermined by any attacks in particular.

In addition to the previous questions, I asked Venema his opinion on which kind of attacks are the most dangerous for an MTA and how Postfix approaches these problems. "A mail transfer agent can be attacked in a variety of ways", Venema said. "One can try to attack the software itself, or one can try to attack the machine and/or the network infrastructure that Postfix runs on. A direct attack tries to exploit a weakness in the MTA software. For example, the 1988 Internet worm exploited a weakness in Sendmail that allowed an intruder to execute arbitrary programs on the target machine. Postfix is not only written to avoid weaknesses, it uses multiple layers of protection that make weaknesses hard to exploit, should any exist at all. Attacks on the machine and/or network can indirectly affect operation of the MTA: flooding the network with garbage, crashing the network software on the target machine, and so on. A system is only as strong as its weakest link. Postfix is written to be a strong link. For best results, it should be used in combination with quality components that are maintained by knowledgeable people."
Postfix administration

According to Venema, Postfix is being used in the real world. Several thousand copies were downloaded in the first 24 hours after its first public release. However, there is no exact total of the number of Postfix installations. Postfix is being used by Internet service providers on their mail servers, run on departmental mail servers, and run on desktop systems for personal use. After having introduced the Postfix project, it is worthwhile going into further detail, with particular attention as to how this software is presented to the administrator. The electronically signed product source code (the same method was adopted as a countermeasure after the modification of the TCPWrapper source code) can be downloaded at www.postfix.org. The source code amounts to approximately 1 Mb. Once compiled, expanded and constructed, the package is about 50 Mb, depending on the operating system used. Installation can be effectuated in different ways:

- Simple delivery of mail without modifying the configuration of Sendmail. This is the recommended option for those who need greater performance and need to keep the configuration unchanged;
- Mail handling via a virtual host. This also leaves the option of an unaltered Sendmail configuration;
- The definitive migration from Sendmail to secure mailer.