I have been thinking long and hard about the design of a secure MTA, preferably one that does SMTP and local (to the spool) as well as remote (SMTP) delivery. Now please, I know all about qmail and I am using it at a site I admin; I am not looking for suggestions on what to use. What I am looking for are some links and papers that deal with things like safely binding to a high port (25) and dropping privileges, safe email address parsing so as to exclude characters which might be used to redirect the mail or even launch programs on the machine running the MTA, etc. Also, input and opinions about currently operating MTAs and their strengths and weaknesses would be appreciated.

Let me give you an idea of some of the thoughts that have been going through my head regarding MTAs.

1) I don't want to write a monolithic single binary server that forks off parts of itself at different privilege levels to do different tasks. I don't know if it is even possible to exploit, but having ALL the functions for ALL the different tasks of the MTA in the same address space as the instance that accepts user input makes me uneasy.

2) I don't want to rewrite major, well-known, used-everywhere Unix system components to run my mail server, like DJB did with his inetd replacement.

3) I don't want to put the MTA binaries and configuration files in non-traditional Unix directories (once again like qmail). Configurations go in /etc and binaries go into either /usr/local, /usr or /bin depending on the distro / flavour of Unix you prefer.

4) I don't want to modify the directory structure or other misc. bits of metadata like directory ownership and permissions of the traditional Unix mail spools, e.g. /var/spool/mqueue, /var/mail (on OpenBSD).

Please share your opinions about this idea before I head off on a tangent and start a big project that might or might not be fundamentally broken due to bad design.

Thanks
Wynand van Dyk
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 08:26:37 PST