annotate doc/design.txt @ 4343:407e6c620d70 HEAD

dovecot-config now contains module_dir
author Timo Sirainen <tss@iki.fi>
date Fri, 16 Jun 2006 12:25:19 +0300
parents 6e893f3f9837
children
Design
------

Security is the major goal of this project, with reliability coming second.
I also try to keep things fast, extensible and portable.

Things are broken into multiple processes running with the minimal required
privileges. Communication between processes is trusted as little as
possible. Processes running as root are kept as simple as possible, even if
it means minor performance hits.


imap-master
-----------

Runs as root. Executes new processes, some by itself and some at the request
of another process. The requested processes can never be started as root, and
the allowed UID range can also be limited.

It's also possible to configure everything to be run under a single UID.
This is useful only if you wish to use imap somewhere you don't have root
access.


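As an added example (not Dovecot code), this is the shape of the check a root master process makes on a request from a less trusted process before it starts the requested process, followed by the privilege drop itself. The policy struct, its demo values (UIDs 1000 to 60000, chroots only under /home), the rule that a chroot must be a subdirectory of the prefix, and the function names are assumptions for this example; the same UID and chroot check reappears as a step in the imap-master part of the imap-auth flow below.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy the root master enforces on every exec request. The values are
 * assumptions for this example, not Dovecot's defaults. */
struct exec_policy {
    uid_t first_valid_uid;      /* lowest UID a requested process may run as */
    uid_t last_valid_uid;       /* highest UID a requested process may run as */
    const char *chroot_prefix;  /* requested chroots must live under this */
};

static const struct exec_policy demo_policy = { 1000, 60000, "/home" };

/* True if any path component is "..", which would let a request escape
 * the permitted chroot prefix. */
static int has_dotdot_component(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (end == NULL)
            return 0;
        p = end + 1;
    }
}

/* Returns 0 if the request is acceptable, -1 otherwise. Root is refused
 * unconditionally; the UID must fall in the configured range; a chroot, if
 * requested, must be an absolute subdirectory of the configured prefix. */
int request_allowed(const struct exec_policy *p, uid_t uid, gid_t gid,
                    const char *chroot_dir)
{
    if (uid == 0 || gid == 0)
        return -1;
    if (uid < p->first_valid_uid || uid > p->last_valid_uid)
        return -1;
    if (chroot_dir != NULL && *chroot_dir != '\0') {
        size_t plen = strlen(p->chroot_prefix);
        if (chroot_dir[0] != '/')
            return -1;
        if (strncmp(chroot_dir, p->chroot_prefix, plen) != 0 ||
            chroot_dir[plen] != '/')
            return -1;
        if (has_dotdot_component(chroot_dir))
            return -1;
    }
    return 0;
}

/* Permanently gives up root in the child after a successful check:
 * chroot while still root, then supplementary groups, GID, UID, and
 * finally verify the drop cannot be undone. Returns 0, or -1 with errno. */
int drop_privileges(uid_t uid, gid_t gid, const char *chroot_dir)
{
    if (chroot_dir != NULL && *chroot_dir != '\0') {
        if (chroot(chroot_dir) < 0 || chdir("/") < 0)
            return -1;
    }
    if (setgroups(1, &gid) < 0)     /* drop root's supplementary groups */
        return -1;
    if (setgid(gid) < 0)            /* GID before UID, or setgid would fail */
        return -1;
    if (setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) {   /* must be irreversible */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed requests: the second is refused by the policy. */
    printf("uid 1000 in /home/alice: %s\n",
           request_allowed(&demo_policy, 1000, 1000, "/home/alice") == 0
           ? "allowed" : "refused");
    printf("uid 0 in /etc: %s\n",
           request_allowed(&demo_policy, 0, 0, "/etc") == 0
           ? "allowed" : "refused");
    return 0;
}
```

The check is deliberately done on the master's side from its own configuration, not from anything the requesting process says about itself; the final setuid(0) probe is cheap and catches a drop that silently left a saved root UID behind.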
imap-login
----------

Runs as a non-privileged user (imapd). Handles accepting new client
connections and parsing commands until the client is authenticated. There
can be either a few of them, each handling multiple connections, or one
process per connection. One per connection is much more secure in case it's
ever found to be exploitable, but it's also less efficient.

SSL and TLS connections are also fully handled by the login process.
Instead of passing the connection's fd to the imap process, login creates a
new anonymous UNIX socket and uses it to relay communication between the
imap process and the client. If you're using one login process per
connection, this also means that you actually have two processes all the
time for an active SSL IMAP connection.

Since the SSL protocol is quite complex and I'm using gnutls, which is still
in beta, it shouldn't be trusted to be fully secure. Using one login process
per connection should however make it quite safe to use, as the login
process is running in a chrooted environment without any privileges.
However, the attacker could still get your private SSL key.

Note that if you let a single login process handle multiple connections, a
security flaw would allow the attacker to see all the other user
connections connecting to it, possibly hijacking them or stealing their
passwords if plaintext authentication was used.


imap-auth
---------

Runs under the minimal privileges required to be able to authenticate users.
In the case of shadow passwords or PAM, that's root. Communicates with
imap-login and imap-master to authenticate users.

* imap-login
  - Receives LOGIN or AUTHENTICATE command
  - Begins authentication with the imap-auth process; with AUTHENTICATE,
    continues passing data between client and imap-auth until done
  - If successful, we've received a cookie which we send to imap-master
* imap-master
  - Requests data from imap-auth for the cookie. Data includes
    UID, GID, mail format and mail format specific data (eg.
    mail directory). Optionally also receives chroot directory.
  - Checks that the UID is in the valid range, and that it's allowed
    to be chrooted under the given directory
  - If everything is valid, passes the connection to the imap process
  - Replies to imap-login whether everything was valid
  - If successful, stops processing the connection; the imap process takes
    care of the rest

* imap-auth
  a) Receives authentication request with given protocol
     - Initialize the request in protocol-specific manner
     - If failed, send a failure-reply to client
     - Otherwise send a cookie to client
  b) Receives continued authentication request for given cookie
     - Verifies that the cookie is valid, replying if not
     - Handle the data in protocol-specific manner
     - Reply to client with information whether the authentication
       is finished
     - Reset cookie expiration time
  c) Receives a request to fetch the data associated with a cookie
     - Verifies that the cookie is valid, replying if not
     - Reply with the data

Cookies are associated with a specific imap-login process, so one process
cannot steal another one's authentication request by pretending to be it.


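The cookie handshake above, as an added example that is not Dovecot's auth code: a small request table on the imap-auth side implementing steps a), b) and c), with each cookie bound to the login connection that opened it, refreshed on every step, and consumed when the master fetches it. The cookie size, timeout, table size, the function names, and the login_id notion (an identifier imap-auth assigns to each login connection when it accepts it, so the request payload cannot spoof it; 0 is used for the master's own trusted connection) are all assumptions; the mechanism-specific processing is represented by a verdict the caller passes in.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

#define COOKIE_LEN   16   /* assumed: 128 random bits per cookie */
#define COOKIE_TTL   60   /* assumed: idle timeout in seconds */
#define MAX_REQUESTS 64   /* assumed: table size for the example */

struct auth_request {
    int used, finished;
    unsigned char cookie[COOKIE_LEN];
    unsigned login_id;   /* login connection that owns the request; set by
                            imap-auth at accept time, never from the message */
    time_t expires;
    uid_t uid;           /* data handed to imap-master once finished */
    gid_t gid;
    char mail_dir[128];
};

static struct auth_request table[MAX_REQUESTS];

static int fill_random(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Constant-time compare so lookup timing does not leak cookie bytes. */
static int cookie_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Step a): start a request for login_id and return its fresh cookie.
 * Returns 0, or -1 if the table is full or no randomness is available. */
int auth_request_new(unsigned login_id, time_t now, unsigned char *cookie_out)
{
    for (size_t i = 0; i < MAX_REQUESTS; i++) {
        struct auth_request *r = &table[i];
        if (r->used && r->expires > now) continue;      /* slot still live */
        memset(r, 0, sizeof(*r));
        if (fill_random(r->cookie, COOKIE_LEN) < 0) return -1;
        r->used = 1;
        r->login_id = login_id;
        r->expires = now + COOKIE_TTL;
        memcpy(cookie_out, r->cookie, COOKIE_LEN);
        return 0;
    }
    return -1;
}

/* Unknown and expired cookies yield NULL. A non-zero login_id must also
 * match the owner: that binding is what stops one login process from
 * continuing or finishing another one's request. */
static struct auth_request *lookup(const unsigned char *cookie,
                                   unsigned login_id, time_t now)
{
    for (size_t i = 0; i < MAX_REQUESTS; i++) {
        struct auth_request *r = &table[i];
        if (!r->used || !cookie_equal(r->cookie, cookie)) continue;
        if (r->expires <= now) { r->used = 0; return NULL; }
        if (login_id != 0 && r->login_id != login_id) return NULL;
        return r;
    }
    return NULL;
}

/* Step b): continuation from imap-login. The mechanism-specific handling is
 * outside this example, so its verdict (mech_ok) and resulting user data are
 * passed in. Returns 1 when finished, 0 when more data is needed, -1 when
 * the cookie is not valid for this login connection. */
int auth_request_continue(const unsigned char *cookie, unsigned login_id,
                          time_t now, int mech_ok, uid_t uid, gid_t gid,
                          const char *mail_dir)
{
    struct auth_request *r = lookup(cookie, login_id, now);
    if (r == NULL) return -1;
    r->expires = now + COOKIE_TTL;          /* reset expiration on each step */
    if (!mech_ok) return 0;
    r->finished = 1;
    r->uid = uid; r->gid = gid;
    snprintf(r->mail_dir, sizeof(r->mail_dir), "%s", mail_dir);
    return 1;
}

/* Step c): imap-master fetches the data for a finished cookie. The master is
 * recognised by its own trusted connection (login_id 0), and the entry is
 * consumed so the same cookie cannot be presented twice. */
int auth_request_fetch(const unsigned char *cookie, time_t now, uid_t *uid,
                       gid_t *gid, char *mail_dir, size_t mail_dir_size)
{
    struct auth_request *r = lookup(cookie, 0, now);
    if (r == NULL || !r->finished) return -1;
    *uid = r->uid; *gid = r->gid;
    snprintf(mail_dir, mail_dir_size, "%s", r->mail_dir);
    r->used = 0;
    return 0;
}
```

The point to notice is that the ownership check never consults anything the requester sent: the cookie proves knowledge of a secret, the login_id comes from the socket the request arrived on, and both must agree before any state is touched.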
imap
----

Runs non-privileged and optionally chrooted (when it's safe). Since this is
the largest part of the imapd, this is where most of the potential security
flaws are.

Maildir and mbox formats use a few index files to look up data fast; the
actual mail files aren't opened unless they're really needed. The index
files are accessed using shared memory maps and locked using fcntl().

Using memory maps creates a security problem if the file isn't trusted. It
might well be possible to create a buffer overflow in some function by
modifying the file while it's being used. Currently this should not be a
problem: the imap process itself requires write access to the index files,
so anyone able to modify them already has the same privileges and shouldn't
be able to gain any extra ones by exploiting the imap process.

Other than the memory mapping problem, index files are not trusted to
contain valid data. Everything in them is validated before being used.

Supporting shared mailboxes will be a small problem. We probably shouldn't
even try to support using non-trusted index files, but rather create trusted
indexes separately for each user. If however the users don't have direct
access to the index files, they could optionally be shared.


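As an added example of the validate-before-use rule (not Dovecot's index code; the on-disk layout is an invented toy format): map an index file shared and read-only, snapshot the header out of the mapping, and check every size and offset against the mapped length before any record is read. INDEX_MAGIC, the struct layouts, the function names and the sample-builder are assumptions for this example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define INDEX_MAGIC   0x58444e49u   /* "INDX" as a little-endian word, assumed */
#define INDEX_VERSION 1

/* Assumed toy layout: header, then record_count fixed-size records, then
 * the data bytes the records point at. */
struct index_header {
    uint32_t magic, version, header_size, record_size, record_count;
};
struct index_record {
    uint32_t uid, data_offset;
};
/* Validated, trusted copy of the header fields needed later. */
struct index_view {
    uint32_t header_size, record_size, record_count;
};

/* Maps a file read-only and shared, as the text describes. The caller must
 * run index_validate() before using anything in the map. */
int index_map_file(const char *path, unsigned char **map, size_t *size)
{
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) { close(fd); return -1; }
    *size = (size_t)st.st_size;
    *map = mmap(NULL, *size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    return *map == MAP_FAILED ? -1 : 0;
}

/* Returns 0 and fills *view if the mapped bytes describe a consistent file,
 * -1 otherwise. The header is copied out first so every check, and every
 * later use, sees the same values even if the file changes under the map. */
int index_validate(const unsigned char *map, size_t map_size,
                   struct index_view *view)
{
    struct index_header hdr;
    uint64_t records_end;
    if (map_size < sizeof(hdr)) return -1;
    memcpy(&hdr, map, sizeof(hdr));             /* snapshot, never re-read */
    if (hdr.magic != INDEX_MAGIC || hdr.version != INDEX_VERSION) return -1;
    if (hdr.header_size < sizeof(hdr) || hdr.header_size > map_size) return -1;
    if (hdr.record_size < sizeof(struct index_record)) return -1;
    /* 64-bit arithmetic: count * size must not wrap around on 32-bit hosts */
    records_end = (uint64_t)hdr.header_size +
                  (uint64_t)hdr.record_count * hdr.record_size;
    if (records_end > map_size) return -1;
    view->header_size = hdr.header_size;
    view->record_size = hdr.record_size;
    view->record_count = hdr.record_count;
    return 0;
}

/* Copies record n out of the map and checks that its data offset lies inside
 * the file. Returns 0, or -1 if n or the record's contents are out of range. */
int index_get_record(const unsigned char *map, size_t map_size,
                     const struct index_view *view, uint32_t n,
                     struct index_record *out)
{
    if (n >= view->record_count) return -1;
    size_t off = view->header_size + (size_t)n * view->record_size;
    memcpy(out, map + off, sizeof(*out));       /* range proven by validate */
    return out->data_offset < map_size ? 0 : -1;
}

/* Builds a constructed, well-formed index image in buf for experiments.
 * Each record points at one data byte after the record array.
 * Returns the image length, or 0 if cap is too small. */
size_t make_sample_index(unsigned char *buf, size_t cap, uint32_t count)
{
    struct index_header hdr = { INDEX_MAGIC, INDEX_VERSION,
                                (uint32_t)sizeof(struct index_header),
                                (uint32_t)sizeof(struct index_record), count };
    size_t data_start = sizeof(hdr) + (size_t)count * sizeof(struct index_record);
    size_t total = data_start + count;
    if (total > cap) return 0;
    memcpy(buf, &hdr, sizeof(hdr));
    for (uint32_t i = 0; i < count; i++) {
        struct index_record r = { i + 1, (uint32_t)(data_start + i) };
        memcpy(buf + sizeof(hdr) + i * sizeof(r), &r, sizeof(r));
        buf[data_start + i] = 'x';
    }
    return total;
}
```

Copying values out of the mapping closes the check-then-use window for the header fields, but it does not cover a file that shrinks after mapping: touching a mapped page past the new end of file raises SIGBUS, which is exactly why the text's argument rests on nobody but the process itself having write access to the index.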
indexer
-------

The indexer may be started by the master process when it thinks there's some
spare time to be used. It goes through users' mailboxes and compresses or
rebuilds indexes when it sees a need for it. The actual indexing is done
after dropping root privileges, just as with the imap process.

Well, this is the plan anyway. The indexer doesn't exist yet.