1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
|
Dovecot processes
=================
Dovecot is split into multiple processes where each process does only one
thing. This is partially because it makes the code cleaner, but alsobecause it
allows setting up different privileges for each process. Themost important
processes are:
* Master process (dovecot)
* Login processes (imap-login, pop3-login)
* Authentication process (dovecot-auth)
* Mail processes (imap, pop3)
Master process
--------------
This process keeps all the other processes running. If a child process dies,
another one is restarted automatically. It always runs as root,unless you're
specifically running everything under a single normal UID.
The master process reads the configuration file and exports the settings to
other processes via environment variables.
All logging also goes through master process. This avoids problems with
rotating log files, as there's only a single process to send a signal toreopen
the log file. Also writing to the same log file (if not using syslog)isn't
necessarily safe to do in multiple processes concurrently.
Making the logging go through master process also gives a couple of advantages
from security and reliability point of view: All log lines canbe prefixed with
the process's name and the username of the user who was logged in, withoutthe
possibility for the process itself to forge them. Flooding logs canalso be
prevented. By default Dovecot allows non-privileged processes towrite 10 lines
per second before it begins to delay reading their input,which finally causes
the badly behaving process to start blocking onwriting to stderr instead of
eating all the CPU and disk space.
In the Dovecot 2.0 design, the master process is split to three parts: the
Masterprocess which does nothing more than keep the processes running, the
configprocess which handles reading the configuration file (supporting also eg.
SQL storages!) and the log process which handles the logging.
Login processes
---------------
The login processes implement the required minimum of the IMAP and POP3
protocolsbefore a user logs in successfully. There are separate processes (and
binaries) to handle IMAP and POP3 protocols.
These processes are run with least possible privileges. Unfortunately the
default UNIX security model still allows them to do much more than theywould
have to: Accept new connections on a socket, connect to new UNIXsockets and
read and write to existing file descriptors. Still, the loginprocess is by
default run under a user account that has no special accessto anything, and
inside a non-writable chroot where only a couple of filesexist. Doing any
damage inside there should be difficult.
When a new connection comes, one of the login processes accept()s it. After
that the client typically does nothing more than ask the server'scapability
list and then log in. The client may also start TLS sessionbefore logging in.
Authentication is done by talking to the authentication process. The login
process is completely untrusted by the authentication process, so even if
anattacker is able to execute arbitrary code inside a login process, they won't
be able tolog in without a valid username and password.
After receiving a successful authentication reply from the authentication
process, the login process sends the file descriptor to the master processwhich
creates a new mail process and transfers the fd into it. Before doingthat, the
master process verifies from the authentication process that theauthentication
really was successful.
By default each login process will handle only a single connection and
afterwards kill itself (but see SSL proxying below). This way attacker can't
see other people'sconnections. This can however be disabled
('login_process_per_connection=no'), in which case the security of the design
suffers greatly.
The login processes handle SSL/TLS connections themselves completely. They keep
proxying the connection to mail processes for the entire lifetime ofthe
connection. This way if a security hole is found from the SSL library,an
authenticated user still can't execute code outside the login process.
See <LoginProcess.txt> for more information about different settings related to
login processes.
Authentication process
----------------------
The authentication process handles everything related to the actual
authentication: SASL authentication mechanisms, looking up and verifyingthe
passwords and looking up user information.
It listens for two different kinds of connections: untrusted authentication
client connections (from login processes) and master connections (frommaster
process, but also from Dovecot LDA). The client connections are onlyallowed to
try to authenticate. The master connections are allowed to askif an
authentication request with a given ID was successful, and also to lookup user
information based on a username. This user lookup feature is usedby Dovecot
LDA.
Each client connection tells their process ID to the authentication process in
a handshake. If a connection with the same PID already exists, an erroris
logged and the new connection is refused. Although this makes DoSattacks
possible, it won't go unnoticed for long and I don't see this as areal issue
for now.
Having the authentication process know the PID of the client connection allows
all authentication requests to be mapped to one specific client
connection.Since the master process knows the login process's real PID, it's
used whenasking from authentication process if the request was successful. This
makes it impossible for a login process to try to fake another login
process'slogin requests. Faking PIDs will also be quite pointless.
Once the master process has done the verification request for a successful
authentication request, the request is freed from memory. The requests arealso
freed about 2 minutes after their creation, regardless of the statethey
currently are in.
For blocking password and user database backends (eg. MySQL) separate "worker
processes" are used. Initially only one of them exists, butmore are created as
needed. <PAM> [PasswordDatabase.PAM.txt] can be configured to use worker
processes instead of doing the forking itself, but this isn'tcurrently done by
default and there may be problems related to it. Also <checkpassword>
[PasswordDatabase.CheckPassword.txt] currently does the forking itself.
Mail processes
--------------
These processes handle the actual post-login mail handling using the privileges
of the logged in user. It's possible to chroot these processes,but practically
it's usually more trouble than worth.
See <mail process design> [Design.MailProcess.txt] for their internal design
documentation.
(This file was created from the wiki on 2019-06-19 12:42)
|