Well, in terms of sharing our ideas before you go off on a tangent and start a badly designed project, I think in some ways you're already accepting certain limitations in your design. DJB designed qmail the way he did (unusual dir structure and all) precisely because the alternatives are less secure or more prone to misconfiguration.

That aside, my only useful suggestion (I'm not versed in SMTP) is to consider the Secure Linux/UNIX coding HOWTO in general: http://www.linuxdoc.org/HOWTO/Secure-Programs-HOWTO/

Another suggestion ... completely off the top of my head (again, I have no experience with this) is you might have the SMTP server not only bind then setuid to an insecure user, but also run in a chroot jail. It can deliver to a queue in the jail and the dequeuing program (an entirely separate process) can read messages out of the jail and into the mail spool (since it is not chrooted).

I'd be interested to watch this develop and maybe even participate if you're looking for help.

Regards,
Sheer

On Thu, 28 Feb 2002, dalek wrote:

> I have been thinking long and hard about the design of a secure MTA,
> preferably one that does SMTP and local (to the spool) as well as
> remote (SMTP) delivery.
>
> Now please, I know all about qmail and I am using it at a site I admin,
> I am not looking for suggestions on what to use, what I am looking for
> are some links and papers that deal with things like safely binding to
> a high port (25) and dropping privileges, safe email address parsing so
> as to exclude characters which might be used to redirect the mail or
> even launch programs on the machine running the MTA, etc...
>
> Also, input and opinions about currently operating MTAs and their
> strengths and weaknesses would be appreciated.
>
> Let me give you an idea on some of the thoughts that have been going
> through my head regarding MTAs.
>
> 1) I don't want to write a monolithic single binary server that forks off
> parts of itself at different privilege levels to do different tasks. I don't
> know if it is even possible to exploit, but having ALL the functions to ALL
> the different tasks of the MTA in the same address space as the instance
> that accepts user input makes me uneasy.
>
> 2) I don't want to rewrite major, well known, used everywhere unix system
> components to run my mailserver, like DJB did with his inetd replacement.
>
> 3) I don't want to put the MTA binaries and configuration files in
> non-traditional unix directories (once again like qmail). Configurations go
> in /etc and binaries go into either /usr/local, /usr or /bin depending on
> the distro / flavour of unix you prefer.
>
> 4) I don't want to modify the directory structure or other misc. bits of
> metadata like directory ownership and permissions of the traditional
> unix mail spools, eg: /var/spool/mqueue, /var/mail (on OpenBSD)
>
> Please share your opinions about this idea before I head off on a tangent
> and start a big project that might or might not be fundamentally broken
> due to bad design.
>
> Thanks
>
> Wynand van Dyk
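The bind-then-chroot-then-setuid sequence Sheer sketches, together with a conservative address check of the kind dalek asks about, as an added C example that is not part of this thread or of any MTA it mentions. It assumes Linux with glibc; the jail path, uid and gid taken from the command line are placeholders for a dedicated, otherwise unused account, and the function names `open_listener`, `jail_and_drop`, `privileges_dropped` and `local_part_ok` are chosen here.

```c
/* Added example (not from the thread). Listener is bound while still root,
 * then the process is confined to a jail and becomes an unprivileged identity.
 * Assumes Linux/glibc; jail, uid and gid on the command line are placeholders. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a listening TCP socket on addr:port (port 0 = any free port, handy for
 * tests). Must be called BEFORE privileges are dropped when port < 1024.
 * Returns the listening fd or -1. */
int open_listener(const char *addr, uint16_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Verify the process really holds the expected unprivileged identity and that
 * root cannot be regained: a correct setuid()/setgid() as root also replaces
 * the saved ids, so switching back to 0 must fail with EPERM. Returns 1 if
 * everything checks out, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (gid != 0 && setgid(0) != -1) return 0;   /* could become gid 0 again */
    if (uid != 0 && setuid(0) != -1) return 0;   /* could become root again  */
    return 1;
}

/* Confine the process to `jail` and become uid/gid. The order matters:
 * chroot while still root, chdir into the new root, clear supplementary
 * groups, set the gid BEFORE the uid (once the uid is dropped, setgid fails).
 * Returns 0 on success, -1 on failure; the caller must abort, never serve. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* refuse to "drop" to root */
    if (chroot(jail) < 0 || chdir("/") < 0) return -1;
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

/* Conservative local-part check: whitelist of characters only, no leading
 * '-' (so the address can never be taken for a command-line option by a
 * delivery agent), no '/' or '|' (no paths, no pipes), bounded length.
 * Deliberately stricter than the SMTP RFCs permit: a security-minded MTA
 * would rather bounce unusual mail than hand odd strings to other programs.
 * Returns 1 if acceptable, 0 otherwise. */
int local_part_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    if (s[0] == '-' || s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+') continue;
        return 0;
    }
    return 1;
}

int main(int argc, char **argv) {
    /* Usage (as root): ./smtpd-skel /var/spool/mta-jail 25 UID GID
     * (all values placeholders; use a dedicated account for UID/GID). */
    if (argc != 5) { fprintf(stderr, "usage: %s jail port uid gid\n", argv[0]); return 2; }
    int fd = open_listener("0.0.0.0", (uint16_t)atoi(argv[2]));   /* while still root */
    if (fd < 0) { perror("listen"); return 1; }
    if (jail_and_drop(argv[1], (uid_t)atoi(argv[3]), (gid_t)atoi(argv[4])) < 0) {
        perror("drop privileges");
        return 1;   /* abort rather than serve clients with root still reachable */
    }
    printf("listening as uid %u inside %s\n", (unsigned)getuid(), argv[1]);
    close(fd);      /* a real server would accept() here; the queue lives inside the jail */
    return 0;
}
```

Two design choices carry the security weight: the drop is verified afterwards rather than trusted (a setuid that leaves the saved uid at 0 is the classic mistake), and any failure in the sequence is fatal, because a server that keeps running as root after a failed chroot is worse than one that does not start. The dequeuing process Sheer describes would be a separate, non-chrooted program that reads the jail's queue directory and writes to the traditional spool.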
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 09:22:03 PST