In-depth analysis: Security Analysis and Improvement of the Qmail mail system (1)

Source: Internet
Author: User
Tags: mail, asymmetric encryption, qmail

This article first identifies the security weaknesses of the well-known open-source email system Qmail and then uses existing security tools on UNIX systems to address them. Next, it introduces Base91, an encoding technique more efficient than Base64, to improve mail encoding. Finally, a fast, concise and secure email system is implemented on the laboratory platform.

Introduction

The mail service is second only to the WWW in Internet usage. A mail server has three main functional components: the Mail Transport Agent (MTA), the Mail Delivery Agent (MDA) and the Mail User Agent (MUA). The first two are the core modules, responsible for sending, receiving and processing mail.

Qmail is an alternative to Sendmail, the mail server software installed by default on Linux/Unix. To date, Qmail's MTA is still the fastest mail transfer agent in the world [1], and Qmail runs on almost all Linux/Unix operating systems. Because Sendmail is installed by default on Linux/Unix, its usage ranks first in this field, but its configuration is cumbersome, and it stores all of a user's mail in a single file (/var/spool/mail/$USER). As a result, sending and receiving mail can only be processed serially, which is inefficient, and a single error while accessing the file loses all of the user's mail. Qmail manages each user's mail as a directory [3] ($HOME/Maildir), which has clear advantages over the former in both data safety and access speed. Qmail's overall structure (Figure 1) [2] consists mainly of three parts: the MTA, the MDA and the MUA.

Because its architecture is simpler than the X.400 MHS (Message Handling System) and it is built on TCP/IP, SMTP (Simple Mail Transfer Protocol) has become the de facto standard mail protocol. However, because the protocol is so simply designed, its packets travel across the network in plain text, which is a great convenience to anyone eavesdropping on the network. Since Qmail's MTA uses SMTP, mail is easily intercepted in transit.

Currently, spam, reactionary mail and virus-infected mail are rampant on the Internet. The design of Qmail gives insufficient consideration to security in these three areas.

Based on a new encoding technique and some existing UNIX security tools, this paper studies and improves upon the above problems.

1. Problem statement

Spam, reactionary mail and virus mail are currently the greatest threats to all mail users. As the framework diagram shows, Qmail's MTA and MDA have no measures for detecting and filtering mail, and so offer no protection against the security issues above.

1.1 Spam

By default, Qmail does not support SMTP user authentication. This means that anyone who can reach the Qmail server can use it to send mail to any address, so whoever wants to push advertisements through a mailing list, or to use someone else's host to send large volumes of attack mail, can do so easily and directly. In fact, 90% of spam is sent from servers that permit open relay.

1.2 Illegal mail such as reactionary and pornographic mail

Reactionary and pornographic mail refers to mail whose content contains reactionary or pornographic information that violates national law. Such information is usually distributed through mailing lists; it is worse than commercial spam and has a strongly negative effect on society. Qmail has no content-based filtering module and cannot intercept such mail.

1.3 Virus mail

Virus mail refers to a mail message carrying a virus body, generally as an attached file. To filter this kind of malicious mail, at least one of the MTA, MDA and MUA modules must contain a virus detection and removal module. This is not considered in the Qmail design, which is another major security problem in the Qmail system.

1.4 Plaintext transmission of packets

Qmail sends and receives mail directly over SMTP. The packets are only simply encoded, and the message body is not encoded at all, so a network sniffer can easily obtain the mail content. Figure 2 shows a mail message captured with Ethereal, a well-known network sniffer: from it we learn the recipient's email address, the MDA used to send it, the encoding method, the content type of the body, and the entire content of the message. If there is an attachment, the known encoding can be used to decode it and recover the original file, so there is no confidentiality at all.
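To make the exposure shown in Figure 2 concrete, the following added example (not part of the original article) parses a constructed plaintext SMTP session of the kind a sniffer such as Ethereal would record and lists what it reveals: envelope sender and recipients, the subject, each body part's content type and transfer encoding, and the decoded attachment. All addresses, host names and the attachment content are invented for the example. A defender can run the same parser over a capture of their own server's traffic to confirm that nothing in the exchange is protected until TLS is deployed.

```python
import re
from email import message_from_string, policy

# Constructed sample: a plaintext SMTP session exactly as a sniffer on the
# path would see it. Hosts, addresses and the attachment are invented.
CAPTURED_SESSION = """220 mail.example.test ESMTP
EHLO client.example.test
250 mail.example.test
MAIL FROM:<alice@example.test>
250 ok
RCPT TO:<bob@example.test>
250 ok
DATA
354 go ahead
From: alice@example.test
To: bob@example.test
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

The body travels in the clear.
--XYZ
Content-Type: text/plain; name="numbers.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="numbers.txt"

UTEgcmV2ZW51ZTogNDIwMDA=
--XYZ--
.
250 ok queued
QUIT
221 bye
"""


def parse_captured_session(capture: str) -> dict:
    """Walk a captured plaintext SMTP session and return what it exposes."""
    envelope_from = None
    recipients = []
    data_lines = []
    in_data = False
    for line in capture.splitlines():
        if in_data:
            if line == ".":          # end of DATA
                in_data = False
            else:
                # SMTP dot-stuffing: a leading ".." inside DATA is a literal "."
                data_lines.append(line[1:] if line.startswith("..") else line)
            continue
        m = re.match(r"MAIL FROM:<([^>]*)>", line, re.I)
        if m:
            envelope_from = m.group(1)
            continue
        m = re.match(r"RCPT TO:<([^>]*)>", line, re.I)
        if m:
            recipients.append(m.group(1))
            continue
        if line.startswith("354"):   # server accepted DATA; message follows
            in_data = True

    msg = message_from_string("\n".join(data_lines), policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        parts.append({
            "content_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "7bit")),
            "filename": part.get_filename(),
            # decode=True undoes base64 / quoted-printable, i.e. exactly the
            # "known encoding method" step described in the text
            "content": part.get_payload(decode=True).decode("ascii", "replace"),
        })
    return {
        "envelope_from": envelope_from,
        "recipients": recipients,
        "subject": str(msg["Subject"]),
        "parts": parts,
    }


if __name__ == "__main__":
    for key, value in parse_captured_session(CAPTURED_SESSION).items():
        print(f"{key}: {value}")
```

Nothing in the parser needs a key or a guess: the transfer encoding is declared in the message itself, so "encoded" and "encrypted" must not be confused when assessing what a capture exposes.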

1.5 User management

Qmail is designed to share its users with the operating system. The user database of a UNIX operating system is a file, by default /etc/passwd. The problem this creates is that adding a mail user means adding a system user at the same time. Every additional system user is one more account that can be used to break into the server, and one more set of user configuration files consuming storage, which leads to security risks and wasted system resources.

1.6 Access control

Inetd is a special daemon that UNIX operating systems use to launch basic services such as FTP and Telnet; it can also be used to start the SMTP and POP (Post Office Protocol) services. Without third-party tools, Qmail can only be started through Inetd. The problem with Inetd is that it cannot restrict the range of IP addresses allowed to reach the mail service: even when the IP addresses of illegitimate users or attackers are known, it cannot refuse them service, which is bad for server security.

2. Existing UNIX-based security tools

There are many open-source software packages for UNIX systems, generally developed by large numbers of programmers. In the security field, several popular packages can solve most of Qmail's security problems.

2.1 Password authentication tools

2.1.1 checkpassword

checkpassword is a tool for authentication against /etc/passwd. A third-party program can use it as a proxy for interacting with the system user database in order to authenticate system users.

2.1.2 cmd5checkpw [4]

cmd5checkpw is a checkpassword-compatible tool that supports CRAM-MD5 authentication. Any program that uses checkpassword to authenticate system users can use cmd5checkpw instead to support CRAM-MD5, which transmits a digest of the password rather than the password itself and so prevents password theft on the wire.

2.1.3 vchkpw

vchkpw is the authentication tool included in the vpopmail toolkit.

2.1.4 qmail-smtp-auth [5]

qmail-smtp-auth is an upgraded version of Mrs. Brisby's patch that enables Qmail to support SMTP authentication. The latter only supports LOGIN authentication; the former adds the PLAIN and CRAM-MD5 mechanisms and also allows further authentication methods to be added later.
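As an added illustration of the difference between the mechanisms named in 2.1.2 and 2.1.4 (example code written for this page, not the patch's or cmd5checkpw's own implementation): the PLAIN mechanism only base64-encodes the user name and password, so anyone sniffing the session recovers the password directly, whereas CRAM-MD5 (RFC 2195) sends only an HMAC-MD5 digest of a server challenge keyed with the password. The server side assumes a checkpassword-style lookup that returns the user's stored password; here that is a constructed in-memory table holding the user and password from the worked example in RFC 2195, whose published challenge and response are used to check the implementation.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store standing in for a checkpassword-style lookup.
# User name and password are the ones used in the RFC 2195 example.
USERS = {"tim": "tanstaaftanstaaf"}

# Base64 of "<1896.697170952@postoffice.reston.mci.net>", the RFC 2195 challenge.
RFC2195_CHALLENGE_B64 = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"


def plain_client_response(username: str, password: str) -> str:
    """SASL PLAIN (RFC 4616): "\\0user\\0password", base64-encoded and nothing more."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def plain_password_from_capture(response_b64: str) -> str:
    """What a sniffer learns from a captured PLAIN exchange: the password itself."""
    return base64.b64decode(response_b64).decode().split("\0")[2]


def cram_md5_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form."""
    nonce = secrets.token_hex(8)
    return base64.b64encode(f"<{nonce}@{hostname}>".encode()).decode()


def cram_md5_digest(password: str, challenge: bytes) -> str:
    # Keyed MD5 as specified by RFC 2195 (HMAC-MD5 keyed with the password)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_client_response(username: str, password: str, challenge_b64: str) -> str:
    challenge = base64.b64decode(challenge_b64)
    digest = cram_md5_digest(password, challenge)
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_server_verify(response_b64: str, challenge_b64: str, users=USERS) -> bool:
    """Server side: recompute the digest from the stored password and compare."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = users.get(user)
    if password is None:
        return False
    expected = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return hmac.compare_digest(expected, digest)   # constant-time comparison


def exchange(username: str, password: str, hostname: str = "mail.example.test",
             challenge_b64: str = None) -> dict:
    """One CRAM-MD5 round trip: what crossed the wire, and the server's verdict."""
    challenge_b64 = challenge_b64 or cram_md5_challenge(hostname)
    response_b64 = cram_md5_client_response(username, password, challenge_b64)
    return {
        "server_challenge": challenge_b64,
        "client_response": response_b64,
        "authenticated": cram_md5_server_verify(response_b64, challenge_b64),
    }


if __name__ == "__main__":
    print("PLAIN on the wire :", plain_client_response("tim", "tanstaaftanstaaf"))
    print("CRAM-MD5 exchange :", exchange("tim", "tanstaaftanstaaf"))
```

The price of CRAM-MD5 is visible in cram_md5_server_verify: the server must keep the password in a recoverable form to recompute the digest, which is why cmd5checkpw needs its own password file rather than the hashed /etc/passwd entries. A captured challenge/response pair can also be tested offline against password guesses, so the mechanism protects a strong password from sniffing but does not make a weak one safe.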

2.2 Transmission encryption tools

2.2.1 OpenSSL [6]

OpenSSL is an open-source implementation of the SSL (Secure Sockets Layer) protocol developed by volunteers all over the world. It supports SSL v2/v3 and TLS v1 (Transport Layer Security) and has a very powerful cryptographic library.

SSL [7] is a protocol for secure transmission over the Internet that encrypts user data with the help of asymmetric encryption; it can be used to prevent eavesdroppers from capturing plaintext with a sniffer.
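An added example (written for this page, not taken from the article or from OpenSSL) of the client-side half of 2.2: submitting mail over SMTP with STARTTLS using Python's smtplib and ssl modules. The point it adds to the text is that protection against an eavesdropper only holds when the client verifies the server's certificate; the weak context below still encrypts the session but accepts any certificate, so an interceptor presenting its own certificate could still read the mail. The host, port and addresses in send_with_starttls are placeholders, and the test only inspects the two contexts.

```python
import smtplib
import ssl
from email.message import EmailMessage


def weak_context() -> ssl.SSLContext:
    """Encrypts the session but trusts any certificate: stops passive sniffing only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def strict_context(cafile: str = None) -> ssl.SSLContext:
    """Verifies the server certificate and host name, and refuses TLS older than 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # SSL v2/v3 and TLS 1.0/1.1 are out
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """The check a deployment review would apply to any SMTP client context."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def send_with_starttls(host: str, port: int, sender: str, recipient: str,
                       subject: str, body: str, ctx: ssl.SSLContext = None) -> None:
    """Submit one message, refusing to fall back to cleartext if STARTTLS is absent."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    ctx = ctx or strict_context()
    if not context_is_strict(ctx):
        raise ValueError("refusing to send with a context that skips certificate checks")
    with smtplib.SMTP(host, port) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; not sending in the clear")
        smtp.starttls(context=ctx)      # handshake; a bad certificate raises here
        smtp.ehlo()                     # re-identify over the encrypted channel
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder endpoint; replace with a real submission server to actually send.
    send_with_starttls("mail.example.test", 587, "alice@example.test",
                       "bob@example.test", "hello", "sent over TLS only")
```

Server-side, the equivalent requirement is that qmail-smtpd be offered only behind a TLS wrapper and that the certificate it presents be one clients can verify; a self-signed certificate that clients are told to ignore buys only the protection of weak_context.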

2.3 Access control tools

2.3.1 ucspi-tcp [8]

ucspi-tcp is a UNIX program suite that provides secure TCP connections for network applications. It consists of two parts, a server module (tcpserver) and a client module (tcpclient). The access control feature lives in the server module and allows you to restrict which clients may connect.
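The following added example (not ucspi-tcp's own code) shows how tcpserver's rules address both the open relay of 1.1 and the access control gap of 2.3. The rules are written in tcprules syntax and on a real system would be compiled with tcprules tcp.smtp.cdb tcp.smtp.tmp < tcp.smtp and passed to tcpserver with -x; the Python functions are a simplified re-implementation of the lookup order tcpserver applies (exact address, then successively shorter dotted prefixes, then the empty default rule), written here only to make that order visible. qmail-smtpd relays for a connection only when the RELAYCLIENT environment variable is set, so granting it to trusted networks alone closes the open relay while inbound mail for local users is still accepted from everyone else. The IP addresses are constructed.

```python
# Constructed rule set in tcprules syntax. Comment lines start with "#".
SAMPLE_RULES = """\
# local networks may relay: RELAYCLIENT is set for them
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
# a known abusive host is refused outright
203.0.113.7:deny
# everyone else may connect but only deliver to local users
:allow
"""


def parse_rules(text: str) -> dict:
    """Map each address pattern to (action, environment) as tcprules would compile it."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, spec = line.partition(":")
        action, *env_items = spec.split(",")
        env = {}
        for item in env_items:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[pattern] = (action, env)
    return rules


def lookup_keys(ip: str) -> list:
    """Order in which the address is tried: exact, then each shorter dotted prefix, then "".

    Simplified: real tcpserver also tries =hostname and @info forms.
    """
    keys = [ip]
    parts = ip.split(".")
    for i in range(len(parts) - 1, 0, -1):
        keys.append(".".join(parts[:i]) + ".")
    keys.append("")
    return keys


def decide(rules: dict, ip: str) -> tuple:
    """Return (action, env, matched_pattern) for a connecting address."""
    for key in lookup_keys(ip):
        if key in rules:
            action, env = rules[key]
            return action, env, key
    return "allow", {}, None      # tcpserver allows an address that matches no rule


def may_relay(rules: dict, ip: str) -> bool:
    """Relaying is permitted only when the connection is allowed AND RELAYCLIENT is set."""
    action, env, _ = decide(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("192.168.1.20", "203.0.113.7", "198.51.100.9"):
        print(ip, decide(rules, ip), "relay:", may_relay(rules, ip))
```

Two consequences follow from the lookup order. A deny rule for a single host wins over an allow rule for its network, so abusive addresses can be blocked without touching the network-wide entry; and the final ":allow" line is what keeps the server reachable for inbound mail, so it must not carry RELAYCLIENT, or the server becomes an open relay again.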

2.4 User management tools

2.4.1 vpopmail

vpopmail is a toolkit for creating and managing virtual domains on UNIX. It includes tools for virtual domain management, user management and password authentication; it lets a single mail server offer users a choice of several "@domain" addresses, and it supports database storage of users and user authentication.

2.4.2 MySQL database [9]

MySQL is the most widely used open-source database software in the world. It runs in a server-client mode and is currently supported by large UNIX-based applications, including the vpopmail toolkit mentioned above.
