Enterprise open-source e-mail system security (1): principles, and hands-on security hardening of Sendmail and Qmail

Source: Internet
Author: User
Tags: imap, ldap, qmail, linux

Introduction to enterprise open-source e-mail systems

An enterprise open-source e-mail system can be divided into three modules: the mail transfer agent (MTA), the mail storage and access agent (MSA), and the mail user agent (MUA). Each component of the mail system is introduced below.

Mail Transfer Agent (MTA)

The mail transfer agent (MTA) on an enterprise Linux open-source system is usually Sendmail, which has a corresponding version on almost every UNIX platform. Alternatives include D. J. Bernstein's Qmail and Wietse Venema's Postfix. The MTA is responsible for receiving and forwarding mail. While this may sound simple, the configuration can be quite complex: message policy management requires a series of routing and masquerading options, and many features are implemented by programming rules that filter or rewrite the header information of relayed messages. In addition, routing a message and locating the mailbox it is to be stored in involves complex interactions with various directory services, which may include DNS, password files, NIS, LDAP, alias and database management files, and a variety of general-purpose database systems.

Today's MTAs also implement anti-spam features that control the format of the To and From header addresses, allowing or restricting specific domain names or address ranges, mainly by modifying access control tables and rules. This process typically involves querying a data table or a directory service, such as Paul Vixie's Real-time Blackhole List (RBL), the Mail Abuse Prevention System (MAPS), and similar systems such as Dorkslayers and ORBS. MTAs continue to grow, adding enhanced policy control as well as anti-virus and anti-worm capabilities.
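The access-table and RBL checks described above, as an added example that is not from the original article: local policy comes from a sendmail-style access table, and an unmatched client IP falls back to a DNSBL-style lookup. The table contents, the zone name `rbl.example.invalid` and the in-memory resolver that stands in for DNS are all constructed so the code runs offline.

```python
# Added example, not from the original article: a simplified model of an MTA's
# anti-spam decision. Local policy is a sendmail-style access table (domain
# keys match the domain and its subdomains, IPv4 keys match by leading octets).
# With no local rule, the client IP is checked against a real-time block list
# using the DNSBL convention: query <reversed octets>.<zone> and treat an
# answer in 127.0.0.0/8 as "listed". Every entry below is constructed.

ACCESS_TABLE = {               # constructed sample policy, not a real one
    "example.com": "RELAY",    # our own domain may relay through this host
    "spam.example": "REJECT",  # reject the domain and all its subdomains
    "10.0.0": "OK",            # internal 10.0.0.0/24 is always accepted
    "192.0.2": "REJECT",       # a whole network prefix can be rejected too
}
RBL_ZONE = "rbl.example.invalid"                        # assumed block-list zone
RBL_RECORDS = {"4.3.2.198." + RBL_ZONE: "127.0.0.2"}   # constructed: 198.2.3.4 listed


def lookup_access(key):
    """Return the most specific ACCESS_TABLE verdict for a domain or IPv4, or None.

    Domains shrink from the left (a.b.c, b.c, c); IPs shrink from the right
    (a.b.c.d, a.b.c, a.b, a), mirroring how the sendmail access map is probed.
    """
    parts = key.lower().split(".")
    if all(p.isdigit() for p in parts):                 # IPv4 address
        candidates = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    else:                                               # domain name
        candidates = [".".join(parts[i:]) for i in range(len(parts))]
    for candidate in candidates:
        if candidate in ACCESS_TABLE:
            return ACCESS_TABLE[candidate]
    return None


def rbl_listed(ip, resolve=RBL_RECORDS.get):
    """Query <reversed ip>.<RBL_ZONE>; any 127.x.x.x answer means listed."""
    name = ".".join(reversed(ip.split("."))) + "." + RBL_ZONE
    answer = resolve(name)
    return answer is not None and answer.startswith("127.")


def connection_policy(client_ip, sender_domain):
    """Decide RELAY / OK / REJECT: explicit local rules first, then the RBL."""
    # A RELAY granted on the sender domain is spoofable; the client-IP rule
    # is checked first because it is the stronger of the two keys.
    verdict = lookup_access(client_ip) or lookup_access(sender_domain)
    if verdict:
        return verdict
    if rbl_listed(client_ip):
        return "REJECT"
    return "OK"                                         # accept, but never relay
```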

In most cases, installing and setting up an MTA is easy, but powerful functionality comes at the expense of high complexity. If an organization customizes its MTA to meet specific routing, system, security and anti-spam requirements, more complex configuration is needed, including designing and handling the intricate relationships between the MTA and subsystems such as LDAP and DNS servers.

Of the many MTA packages, the most influential are Sendmail, Qmail and Postfix. Sendmail is one of the oldest MTAs and has a loyal user base; Qmail represents a new generation of MTAs, characterized by speed, small size, and easy configuration and installation. Postfix originated in 1996; it uses a modular design and many excellent techniques to achieve security and efficiency, and has become an outstanding MTA with very rich, scalable and secure features.

First, Sendmail. Many of the advanced features of MTA software were first implemented in Sendmail. But Sendmail also carries historical baggage: the program as a whole is not well modularized, it runs with set-UID (SUID) privileges, and its configuration files are complex and hard to understand. These objective problems hinder wider use of Sendmail.

Next, Qmail. Qmail represents a new generation of MTAs: it has a modular design, avoids the SUID problem, is functionally complete, is simpler to configure than Sendmail, and is very widely used. However, Qmail development has largely stopped in recent years and its patches have become rather messy, which is a serious concern for users and mail service providers who have long relied on Qmail. In addition, Qmail's extensibility is not very good, and extending its functionality often requires patches.

Finally, Postfix. Postfix is also a new-generation MTA, known for its speed, small size, and easy configuration and installation. Postfix can be said to have the most elegant design: it achieves good modularity, and mail processing is carried out by invoking the various functional modules, with efficiency, functionality, availability, extensibility and security all considered thoroughly. Postfix is intended to replace Sendmail and provides a more secure, high-performance and flexible system. It also uses a modular design and many excellent techniques to achieve its security goals. Thanks to its author's distinctive design philosophy, after seven or eight years Postfix has grown into an excellent MTA with very rich, scalable and secure features.

Mail Storage and Access Agent (MSA)

Once the MTA is installed and configured, the same configuration process is done for the MSA. Most organizations today do not deliver mail directly to desktop client systems; instead they store messages on a server and let users read them via POP or IMAP.

There are many protocols for managing mail storage, but POP3 and IMAP4 are the most commonly used today. The service for each protocol is implemented by a program, called a daemon, that sits alongside the MTA. Most MSA implementations can interoperate with common MTAs, and these systems also include locking or other safety mechanisms that allow multiple MSAs to work in parallel without conflict.

This means that some users can retrieve mail over POP while others use IMAP, and still others can log on to the system and process messages with a local mail user agent such as Pine, Mutt or ELM. Individual users can also switch from one access protocol to another without system administrator intervention. Setting up a POP service on an already-installed Linux system is very easy and may not require any action at all: the POP daemon is typically set up during the initial Linux installation, as is IMAP. POP forwards each message to the client and removes it from the server. IMAP lets users keep messages in server-side folders while the client holds only a cache or working copy; this requires more server storage, but allows the IT department to centralize backup and recovery on the server while the client retains considerable flexibility and security. IMAP can also be configured to mimic POP by deleting server-side mail after the client reads it, in which case it behaves no differently from POP.

Mail User Agent (MUA)

Mail user agents (MUAs) come in an endless variety. Most of them support the POP and IMAP protocols, including Microsoft's Outlook family, Foxmail and so on. Under Linux, many people use Fetchmail to retrieve messages and save them in a local mailbox, then process them with any MUA, such as ELM, Pine, Mutt, MH/EXMH, Emacs rmail, vmail, Mh-e, Gnus, or one of the many GUI clients such as Balsa and Mahogany. A number of Linux users also choose the mail client built into Netscape Communicator.
