Postfix retrospective Wietse Venema IBM T. J. Watson Research Center Hawthorne, NY, USA
Postfix expectations before the first release • [Postfix]: No experience yet, but I’d guess something like a wizened old man sitting on the porch outside the postoffice. Looks at everyone who passes by with deep suspicion, but turns out to be friendly and helpful once he realises you’re not there to rob the place. Article in alt.sysadmin.recovery, 1997 • See http://home.xnet.com/~raven/Sysadmin/ASR.Quotes.html for contemporary comments on other mail systems. Postfix retrospective - Wietse Venema - CEAS 2007
Overview • Good PR can have unanticipated impact. • Why write yet another UNIX mail system? • Postfix architecture and inspiration. • Adding antispam/virus support. • Mission accomplished. • Market share. • Lessons learned.
Good PR can have unanticipated impact
New York Times, December 1998 • SHARING SOFTWARE, IBM TO RELEASE MAIL PROGRAM BLUEPRINT • By JOHN MARKOFF • - - - • The program, Secure Mailer, serves as an electronic post office for server computers connected to the Internet. It was developed by Wietse Venema, an IBM researcher and computer security specialist. • - - - • Currently about 70 percent of all e-mail worldwide is handled by Sendmail, a program that has been developed over more. . .
Postfix (Secure Mailer) project • Business model: if it’s good for the Internet, then it’s good for e-business, and therefore it’s good for IBM. • One year after the first public release, several news articles began to mention Postfix as the project that triggered IBM’s adoption of open source. • Reportedly, this started when IBM’s top management saw the NY Times article.
How Postfix (Secure Mailer) helped IBM to embrace Open Source + Linux
Building up momentum • June 1998 IBM joins the open source Apache project. • Sept 1998 JIKES Java compiler open source release. • Sept 1998 PKIX public key infrastructure software open source release under the name “Jonah”. • Dec 1998 Secure Mailer open source release under the name “Postfix”. IBM’s CEO starts asking questions. • 1999 IBM develops an open source license (now CPL), and announces support for Linux on all platforms.
Why (not) write yet another UNIX mail system
New code, new opportunities for bugs (creating bugs faster than they can be found and eliminated) Source code line counts for contemporary software: • Windows/XP: 40 million; Vista 50+ million • Debian 2.2: 56 million; 3.1: 200+ million • Wietse’s pre-Postfix average: 1 bug / 1000 lines [1]. • Postfix initial release: 30k lines of opportunity [1,2]. [1] Not included: comment lines, or bugs found in development. [2] Today: 97k lines of code (194k with comments + documentation).
CERT/CC UNIX mail advisories (it’s not just about Sendmail)
CERT/CC UNIX mail advisories
Postfix primary goals (It’s not just about security) • Compatibility: make transition easy. • Wide deployment by giving it away. • Performance: faster than the competition. • Security: no root shells for random strangers. • Flexibility: C is not an acceptable scripting language. • Reliability: behave rationally under stress. • Easy to configure: simple things should be easy.
Postfix architecture and inspiration
Traditional BSD UNIX mail delivery architecture (impersonation requires privileges; monolithic model hinders damage control) [Diagram labels: Sendmail*; to network; from network; to |command**; to /file/name**; /bin/mail*; local submission; executed as recipient; local delivery; mailbox file owned by recipient] * uses root privileges ** in per-user .forward files and in per-system aliases database
Postfix client-server service-oriented architecture (omitted: non-daemon programs for submission and queue management) [Diagram labels: input interfaces (smtp server, local pickup); core (mail queue, other daemons); output interfaces (smtp client, smtp/lmtp client, local delivery, external transports); endpoints: internet, mail store, mailbox, |command, /file/name, local submission, uucp, fax, pager. Legend: root privilege, postfix privilege; components are marked privileged or unprivileged.]
Major influences on Postfix architecture • TIS Firewall smap/smapd: least privilege, chroot jail, “air gap” between receiving and delivering processes. • qmail: parallel deliveries; the maildir format (the MH mail handling system introduced a “one file per message” mailbox store 20 years before qmail). • Apache: reuse processes multiple times. • Sendmail: user interface; lookup table interface. • Traditional routers: multiple interfaces/encapsulations, central core, but alas no queue-skipping fast path :-(
Adding anti-spam/virus support, part 1: Use standard protocols whenever you can. • “Junk mail is war. RFCs do not apply.” • Wietse on Postfix mailing list, 2001
1999 - Melissa ravages the Internet • You can run from Windows but you can’t hide: Postfix becomes deeply involved with malware distribution. • Short term: block “known to be bad” strings in message header text (body strings come later). • Long-term: delegate deep inspection to third-party software. • Emergence of specialized protocols: CVP, Milter, etc. • We already use SMTP for email distribution. Why can’t we also use SMTP to plug in anti-{spam,virus}?
Postfix content inspection via SMTP (post queue) • Red = dirty, green = clean. • But it can’t be that simple, right? • Using two MTAs must be wasteful! [Diagram: in → MTA 1 → smtp → Filter → smtp → MTA 2 → out]
Postfix content inspection via SMTP (post queue) • Folding the two MTAs on top of each other saves some resources, but also increases complexity. [Diagram labels: MTA 1 = MTA 2; network, smtp server, smtp client; local submit, local pickup; mail queue; local delivery, mailbox, command, file; content filter, attached through a second smtp server and smtp client]
Postfix post-queue anti-spam/virus support • The advantages of post-queue SMTP-based anti-spam/virus filters outweigh the disadvantages: • Compatibility: many products are SMTP enabled. SMTP is well understood, as are the workarounds for common implementation errors. • Performance: decoupling the remote network latencies from local filter concurrencies allows for better resource management than possible with e.g. Milters. • Workarounds for loss of original SMTP client context: • Xforward, etc.
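The post-queue arrangement described above, written out as Postfix configuration. This is an added example, not taken from the slides: the transport name scan and the ports 10025/10026 are assumptions, and the filter is assumed to be any SMTP-speaking product that listens on 127.0.0.1:10025 and re-injects to 127.0.0.1:10026.

```conf
# ---- /etc/postfix/main.cf ----
# Hand all queued mail to the "scan" transport defined in master.cf.
# The [brackets] suppress MX lookups for the next-hop address.
content_filter = scan:[127.0.0.1]:10025
# Postpone address rewriting until after the filter, so the filter
# sees the original recipient addresses.
receive_override_options = no_address_mappings

# ---- /etc/postfix/master.cf ----
# service type  private unpriv  chroot  wakeup  maxproc command
#
# "MTA 1" side: SMTP client that delivers queued mail to the filter.
# maxproc (10) caps filter concurrency independently of the number of
# remote SMTP sessions: the decoupling the slide refers to.
scan      unix  -       -       n       -       10      smtp
    # Pass the original client name/address/HELO to the filter.
    -o smtp_send_xforward_command=yes
    # Do not alter MIME encoding on the way to the filter.
    -o disable_mime_output_conversion=yes

# "MTA 2" side: SMTP server that takes filtered mail back in.
# Bound to loopback only, so remote clients cannot bypass the filter.
127.0.0.1:10026 inet n  -       n       -       10      smtpd
    # Empty content_filter: filtered mail must not be filtered again,
    # otherwise it loops.
    -o content_filter=
    # Checks already done by the Internet-facing smtpd are skipped here.
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    # Postfix 2.10 and later also need an empty smtpd_relay_restrictions.
    -o smtpd_relay_restrictions=
    # Accept mail from the local filter only.
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    # XFORWARD lets the sender assert any client identity, so only
    # loopback may use it.
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```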
Adding anti-spam/virus support part 2: Embrace de-facto standards. • “It's not the spammers who destroy [email], it's those who insist on broken anti-spam measures.” • Wietse on Postfix mailing list, 2003
2005 - Proliferation of authentication technologies • SenderID, Domainkeys, DKIM, SPF, BATV, SRS, and the end is not in sight. • Problem: using SMTP-based filters just to “stamp” or “verify” can be clumsy (e.g., missing original SMTP client context). Tighter coupling to MTA is desirable. • Building into the MTA is not practical; besides, many (Linux) distributions are two years behind on Postfix. • Solution: adopt Sendmail Milter protocol and open up access to a large collection of available applications.
Retrofitting Milter support into a distributed MTA • Red = dirty, green = clean. • The effort was heroic, but the reward was sweet. [Diagram, Postfix (subset), labels: network, smtp server; local submit, local pickup; queue inject; mail queue; smtp events, header, body...; milter application(s)]
Postfix author receives Sendmail innovation award MOUNTAIN VIEW, Calif. October 25th, 2006 Today at its 25 Years of Internet Mail celebration event, taking place at the Computer History Museum in Mountain View, California, Sendmail, Inc., the leading global provider of trusted messaging, announced the recipients of its inaugural Innovation Awards. . . . Wietse Venema, author, for his contribution of extending Milter functionality to the Postfix MTA. http://www.sendmail.com/pdfs/pressreleases/Sendmail%20Innovation%20Awards_10%2025%2006_FINAL.pdf
Mission accomplished
Catching up on Sendmail • Initial trigger: the Postfix 2.2 source tar/zip file was larger than the Sendmail 8.13 source tar/zip file. • Analyze eight years of Sendmail, Postfix, and qmail source code: • Strip comments (shrinking Postfix by 45% :-). • Format into the “Kernighan and Ritchie C” coding style (expanding qmail by 25% :-). • Delete repeating (empty) lines.
MTA Source lines versus time
Benefits of Postfix partitioned security architecture • Normally, adding code to an already complex system makes it even more complex. • New code has unexpected interactions with already existing code, thus reducing over-all system integrity. • The Postfix architecture encourages separation of functions into different, untrusting, processes. • Each new major Postfix feature is implemented as a separate server with its own simple protocol. • This separation minimizes interactions with already existing code, thus preserving system integrity.
Mission accomplished • Postfix 2.3 (now 2.4) is complete enough that I am no longer embarrassed to recommend it to other people. • Built-in: TLS, SASL, MIME, IPv6, LDAP, SQL, DSN. • Further extension via plug-in interfaces: • DomainKeys, DKIM, SenderID, SPF. • Non-Cyrus SASL authentication, content inspection. • Sendmail Milter applications, SMTP server access policy. • Todo: clean up internals, hard-coded behavior, etc.
Market share (lies, d*mned lies, and ...)
Interesting result, but what does it mean? [Chart: relative search volume. Query = sendmail, postfix, exim, qmail]
Introducing Google trends • Website: trends.google.com. • Search for RELATIVE popularity of search terms in Google queries (recursive Google?). • Result is a time distribution, with each popularity displayed in its own color. • Peaks are correlated with on-line news articles.
Pollution by common words and name collisions [Chart: relative search volume. Query = postfix, prefix, infix]
Tweaking the query to avoid bias [Chart: relative search volume. Query = sendmail server, postfix server]
Google trends caveats • As always, the answer you get is only as good as the question you ask. Beware of name collisions, common words, and other forms of pollution. • Regardless, one thing is clear: only a minority of Google search users are interested in mail server technology, and their proportion is steadily declining.
Fingerprinting 400,000 company domains remotely [Chart; surviving labels: unknown: 15%, other: 20%] After: Ken Simpson and Stas Bekman, O’Reilly SysAdmin, January 2007. http://www.oreillynet.com/pub/a/sysadmin/2007/01/05/fingerprinting-mail-servers.html
Postfix lessons learned • Good PR does make a difference. It’s easy to under-estimate how swiftly a large company can move. • Don’t re-invent mechanisms that already work (e.g., SMTP, Milter, maildir, lookup tables). Invent sparingly. • Build the basic stable protocols into the MTA: SMTP, LMTP, TLS, SASL, IPv6, DSN, MIME, LDAP, SQL. • Use plug-ins for future proofing: Anti-Spam, Anti-Virus, DKIM, SenderID, SPF, greylist, etc. • Know when to stop, at least for a while.
Postfix Pointers • The Postfix website at http://www.postfix.org/ • Books by other people: • Ralf Hildebrandt, Patrick Koetter, The Book of Postfix (2005). • Kyle Dent, Postfix The Definitive Guide (2003). • Richard Blum, Postfix (2001). • Original books and translations in German, Japanese, Chinese, Czech, and other languages.
Backup
Where did all that code go? (from Postfix alpha to Postfix 2.3) • 4x Growth in size, 8400 lines/year, mostly same author. • Small increase: • 1.3x Average program size (800 to 1100 lines). • Medium increase: • 2.5x Program count (from 15 to 36). • Large increase: • 4x Library code (from 13000 to 52000 lines). • No increase: number of privileged programs.
Postfix content inspection via SMTP (pre-queue) • SMTP “pass-through” hack built into SMTP server. • No decoupling of remote network latencies from local filter concurrencies. • Less scalable, due to poorer resource management. • But the user wanted pre-queue spam/virus filtering. [Diagram, Postfix (subset), labels: smtp server, content filter, smtp server, mail queue]
Postfix RFC lines versus time