Why these programs
I wanted mandatory TLS and AUTH for message submission without patching ofmipd(8), and opportunistic TLS for incoming deliveries without patching qmail-smtpd(8).
Reasons:
- To avoid patch conflicts, so I can easily and safely keep up with the latest qmail-remote half of the TLS patch.
- To sow a more qmail-ish design, and reap new user-controlled features.
Already using one of the popular AUTH patches? acceptutils is different. Compare and contrast, noting that:
- TLS is included
- Message submission has been redesigned to cohere
- Submission and incoming SMTP are distinct services
- Neither of them runs weird privileged child processes
- POP3 has been improved, too
- These improvements come from new programs, not patches
Without these programs
TLS, if available, is provided by a patch that links OpenSSL directly into your SMTP and/or POP3 services, running in the same address space with the same privileges.
AUTH, if available, is provided by a patch that continues to run as a hardcoded
unprivileged user but needs checkpassword to be marked setuid-root
and invokes it strangely. The service can be abused to dictionary-attack
the root password.
POP3 is provided by vanilla DJB qmail. It can also be abused to
dictionary-attack the root password, and runs as the authenticated
user even if that happens to be root.
(Both fixed in notqmail 1.08.)
With these programs
TLS is provided by an external program (such as s6-ucspitlsd or sslserver) in its own address space. Such a program may be able to run its TLS engine in a further privilege-separated process. Relying on the UCSPI-TLS interface, acceptutils then offers TLS for incoming SMTP (via fixsmtpio), message submission (via authup), and POP3 (also via authup).
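To make the hand-off concrete, here is the application side of the UCSPI-TLS interface as a small Python model. This is an added example, not code from acceptutils, s6-ucspitlsd or sslserver. The control-channel details (one byte written to SSLCTLFD, "Y" to also receive the engine's TLS environment as NUL-terminated NAME=VALUE strings ended by an empty string, "y" to skip it; all later plaintext I/O on SSLREADFD and SSLWRITEFD) are my reading of the UCSPI-TLS spec and should be checked against it; the engine itself is a constructed stand-in that only imitates the control protocol and never touches OpenSSL.

```python
"""Application side of the UCSPI-TLS hand-off (added example, not acceptutils code)."""
import os
import socket
import threading

UCSPI_TLS_VARS = ("SSLCTLFD", "SSLREADFD", "SSLWRITEFD")


def ucspi_tls_fds(env):
    """Return (ctl, rd, wr) when a UCSPI-TLS engine launched us, else None.

    Without all three variables there is no engine to hand the connection
    to, so the service must not advertise STARTTLS (or STLS) at all."""
    try:
        return tuple(int(env[name]) for name in UCSPI_TLS_VARS)
    except (KeyError, ValueError):
        return None


def starttls(env, want_env=True):
    """Tell the engine to start TLS; return (rd, wr, tls_env).

    Assumed from the UCSPI-TLS spec: write one byte to the control fd, 'Y'
    to also receive the engine's TLS environment (NUL-terminated NAME=VALUE
    strings, list ended by an empty string) or 'y' to skip it. From then on
    all plaintext I/O must use rd/wr; fds 0 and 1 now carry ciphertext."""
    fds = ucspi_tls_fds(env)
    if fds is None:
        raise RuntimeError("STARTTLS requested but no UCSPI-TLS engine is present")
    ctl, rd, wr = fds
    os.write(ctl, b"Y" if want_env else b"y")
    tls_env = {}
    if want_env:
        buf = b""
        while True:
            chunk = os.read(ctl, 4096)
            if not chunk:
                raise EOFError("engine closed the control fd before sending the environment")
            buf += chunk
            parts = buf.split(b"\0")
            if b"" in parts[:-1]:                 # an empty string ends the list
                for item in parts[:parts.index(b"")]:
                    name, _, value = item.partition(b"=")
                    tls_env[name.decode()] = value.decode()
                break
    return rd, wr, tls_env


def fake_engine(client_command):
    """Constructed stand-in for the TLS engine plus the remote client.

    Returns (env, seen, thread, keepalive): env is what a real engine would
    export; seen collects what the application wrote after the hand-off."""
    app_ctl, eng_ctl = socket.socketpair()
    app_rd, eng_wr = os.pipe()      # engine -> application ("decrypted" data)
    eng_rd, app_wr = os.pipe()      # application -> engine (to be encrypted)
    seen = []

    def serve():
        cmd = eng_ctl.recv(1)
        # a real engine would run the TLS handshake on the network socket here
        if cmd == b"Y":
            eng_ctl.sendall(b"SSL_PROTOCOL=TLSv1.3\0"
                            b"SSL_CIPHER=TLS_AES_256_GCM_SHA384\0\0")
        os.write(eng_wr, client_command)       # client's first command after TLS
        seen.append(os.read(eng_rd, 4096))     # application's reply, to be encrypted
        os.close(eng_wr)
        os.close(eng_rd)
        eng_ctl.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    env = {"SSLCTLFD": str(app_ctl.fileno()),
           "SSLREADFD": str(app_rd), "SSLWRITEFD": str(app_wr)}
    return env, seen, thread, app_ctl      # app_ctl keeps the control fd open


def demo(want_env=True):
    """The hand-off from the application's point of view."""
    env, seen, thread, keepalive = fake_engine(b"EHLO client.example\r\n")
    rd, wr, tls_env = starttls(env, want_env)
    request = os.read(rd, 4096)            # plaintext now arrives on rd, not fd 0
    os.write(wr, b"250 mail.example ready over "
             + tls_env.get("SSL_PROTOCOL", "TLS").encode() + b"\r\n")
    thread.join(5)
    os.close(rd)
    os.close(wr)
    keepalive.close()
    return tls_env, request, seen[0]


if __name__ == "__main__":
    print(demo())
```

The point of the model is the ownership split the paragraph above describes: the application never sees a key or a ciphertext byte, only a control byte it writes and two plaintext fds it switches to, so a bug in the protocol parser cannot reach the TLS engine's memory.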
AUTH is provided by authup, a program derived from qmail-popup
that extends its design to SMTP: it speaks just enough protocol to parse
a username and password and invoke checkpassword normally (no
setuid-root required). Thanks to checknotroot, a new program that
refuses to run as UID 0, anyone who manages to guess the root password
won’t know they did: it looks exactly like any other failed
checkpassword login. Once authenticated, the service runs with the
authenticated user’s privileges, which arguably improves security and
unarguably enables new features. ofmipd and qmail-smtpd run
unmodified because of fixsmtpio, a new program that filters their I/O
and exit status to suit authup.
POP3 authentication is also provided by authup, a plug-in replacement for
qmail-popup. Once authenticated, the qmail-pop3d service runs with the
authenticated user’s privileges. Thanks to checknotroot, this will
never be root.
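The two paragraphs above (AUTH for submission, AUTH for POP3) describe the same mechanism: parse just enough of the protocol to get a username and password, hand them to checkpassword on fd 3 the normal way, and let checknotroot turn a root login into an ordinary failure. The following Python model is an added example, not acceptutils code; authup's real command line and checknotroot's real exit status are not given on this page. It assumes the checkpassword interface (credentials as user NUL password NUL timestamp NUL on fd 3, at most 512 bytes; exit 0 accepted, 1 rejected, 2 misuse, 111 temporary failure) and uses 1 for the root refusal so that it looks like a bad password. The checkpassword and checknotroot programs it runs are constructed stand-ins written inline; the user database is made up.

```python
"""authup-style credential parsing and checkpassword invocation (added example)."""
import base64
import os
import sys

CHECKPASSWORD_FD = 3
# exit statuses from the checkpassword interface
EXIT_OK, EXIT_BADPASS, EXIT_MISUSE, EXIT_TEMPFAIL = 0, 1, 2, 111


def parse_auth_plain(initial_response):
    """SMTP AUTH PLAIN: base64(authzid NUL authcid NUL password) -> (user, password)."""
    raw = base64.b64decode(initial_response, validate=True)   # raises ValueError on junk
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN needs exactly three NUL-separated fields")
    authzid, authcid, password = parts
    if authzid not in (b"", authcid):      # design choice: no proxy authorization
        raise ValueError("authorization identity must be empty or equal to the user")
    return authcid.decode(), password.decode()


def parse_pop3_user_pass(commands):
    """POP3 USER/PASS (lines already stripped of CRLF) -> (user, password)."""
    user = password = None
    for line in commands:
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS":
            password = arg                  # everything after the space, spaces included
    if user is None or password is None:
        raise ValueError("need USER and then PASS")
    return user, password


def checkpassword_payload(user, password, timestamp=""):
    """Bytes written to fd 3: user NUL password NUL timestamp NUL."""
    for field in (user, password, timestamp):
        if "\0" in field:
            raise ValueError("NUL inside a credential field")
    payload = f"{user}\0{password}\0{timestamp}\0".encode()
    if len(payload) > 512:
        raise ValueError("checkpassword reads at most 512 bytes")
    return payload


def checknotroot(uid):
    """checknotroot's decision after checkpassword has switched to the user.

    UID 0 is reported with the bad-password status, so a guessed root
    password is indistinguishable from a wrong one (status assumed, see lead-in)."""
    return EXIT_BADPASS if uid == 0 else EXIT_OK


def invoke_checkpassword(argv, user, password, timestamp=""):
    """Run checkpassword normally: fork, credentials on fd 3, return its exit status.

    argv = [checkpassword, subprogram, args...]; checkpassword execs the
    subprogram on success, so the status returned is the whole chain's."""
    payload = checkpassword_payload(user, password, timestamp)
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                            # child: fd 3 <- pipe, then exec
        try:
            os.close(wr)
            if rd != CHECKPASSWORD_FD:
                os.dup2(rd, CHECKPASSWORD_FD)
                os.close(rd)
            os.set_inheritable(CHECKPASSWORD_FD, True)
            os.execvp(argv[0], argv)
        finally:
            os._exit(EXIT_TEMPFAIL)
    os.close(rd)
    try:
        with os.fdopen(wr, "wb") as pipe:
            pipe.write(payload)
    except BrokenPipeError:                 # child died before reading; status says why
        pass
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


# Constructed stand-ins for checkpassword and checknotroot (not the real programs).
FAKE_CHECKPASSWORD = [sys.executable, "-c", r"""
import os, sys
fields = os.read(3, 512).split(b"\0")
users = {b"alice": (b"s3cret", 1001), b"root": (b"toor", 0)}   # made-up database
if len(fields) < 3 or users.get(fields[0], (None,))[0] != fields[1]:
    sys.exit(1)
os.environ["FAKE_UID"] = str(users[fields[0]][1])   # a real one would setuid() here
os.execvp(sys.argv[1], sys.argv[1:])
"""]
FAKE_CHECKNOTROOT = [sys.executable, "-c", r"""
import os, sys
if int(os.environ.get("FAKE_UID", os.getuid())) == 0:
    sys.exit(1)                      # refuse root with the bad-password status
os.execvp(sys.argv[1], sys.argv[1:]) if len(sys.argv) > 1 else sys.exit(0)
"""]


def authenticate(user, password):
    """Chain used by the demo: checkpassword -> checknotroot -> (service would follow)."""
    return invoke_checkpassword(FAKE_CHECKPASSWORD + FAKE_CHECKNOTROOT, user, password)


if __name__ == "__main__":
    for creds in (("alice", "s3cret"), ("alice", "wrong"), ("root", "toor")):
        print(creds, "->", authenticate(*creds))
```

Note what the parent never does: it does not read a password file, does not change UID, and does not need to be setuid anything. The only privilege-sensitive step is inside checkpassword, invoked exactly as its interface intends, and checknotroot sits after it in the chain so that the root case collapses into the same status as a typo.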
Not included
If you’re relying on TLS and AUTH in qmail-remote, keep those patches.
(Whether or not you stop patching qmail-smtpd and ofmipd, acceptutils will work with them.)
Extending the acceptutils approach to qmail-remote will be a separate project.
Security
Please consider carefully the risks and mitigations and decide for yourself whether acceptutils might safely improve your incoming SMTP, message submission, and/or POP3 service.
Get these programs
(Generated with git diff netqmail-1.06 netqmail-1.06-acceptutils-20230511.)
acceptutils adds new programs and manual pages. It’s distributed as a patch, but that doesn’t mean it needs to be merged into your main qmail source tree. I recommend applying it to vanilla netqmail:
- Extract netqmail into qmail-acceptutils.
- Apply netqmail-1.06-acceptutils-20230511.patch there.
- Copy over conf-* from your main qmail source tree.
Then simply:
# make acceptutils
# make acceptutils-install
Then switch from your current setup and enjoy new user-controlled features.
Possible future directions
Here are some ideas for the future of acceptutils.
Improve these programs
If you see a simpler way to do it, I’d love to know.
