Open Source E-mail Security

Richard Blum's Open Source E-mail Security is poorly organized, rarely topical, and betrays the author's fundamental failure to understand the topic at hand. While some of the underlying technical material is useful and relevant, the author seldom supplies the details needed to proceed to a general understanding.

The book is divided into three sections. The first section, "E-mail Principles", covers chapters one through six. Section two, "Server Security", covers chapters seven through thirteen. Section three, "E-mail Service Security", covers chapters fourteen through seventeen.

The division between parts two and three in particular seems bizarre and arbitrary. The popular SMTP daemons Sendmail, qmail, and Postfix are covered in part two, but SASL, POP3, and IMAP are covered in part three. As users interact with SMTP daemons whenever they send mail, these are services, exactly as much as mail reader protocols may be. The organization of the book, however, is the least of its faults.

Chapter one, "E-mail Basics", attempts to cover the architecture of Internet e-mail. In particular, the chapter covers Mail Delivery Agents (MDAs), Mail Transfer Agents (MTAs), and Mail User Agents (MUAs), and how they interact.

This chapter begins running into serious problems in the MUA protocols section, wherein Blum claims that "in a multiuser environment, multiple users need to access their mailboxes to read their messages, which is practically impossible to do from a single console screen." Clearly, the idea of logging into a multiuser system from a remote location and having an interactive session with the machine has never occurred to Mr. Blum. One wonders if he has heard of telnet or Secure Shell, which have, for several decades, allowed multiple users to read mail on a single multiuser server without worrying about who, if anyone, is logged onto the console.

In chapter two, which covers SMTP, Blum bizarrely claims in reference to the messages conveyed over SMTP, "there is no wrong way to send a message... any combination of valid ASCII characters will be transferred to recipients." The difference between SMTP's willingness to carry any traffic and the idea that message formats have been standardized (by RFC 822, now obsoleted by RFC 2822) is important. Two pages later, Blum admits that RFC 822 "specifies a standard format for sending text mail messages." The idea that it is not the SMTP daemon's job to determine conformance of a message with the standard seems to be lost on the author of the book.

Closing out the SMTP chapter, Blum claims that the Bcc (Blind Carbon-Copy) fields "do not show up in the e-mail reader." In point of fact, these fields are never sent to the target system, and as such are not available. While seemingly a minor point, this error demonstrates Blum's failure to understand the underlying protocols and their respective functions. Perhaps it is this failure which is responsible for the odd organization of the book.
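To make the point concrete, here is an added illustration (not from the book or the review) of why a Bcc field never reaches the recipient: the submitting MTA derives the SMTP envelope from To, Cc and Bcc, strips Bcc before the message leaves, and from then on delivery depends only on the envelope, not on the headers. The message and addresses are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a Bcc-only announcement.  The To: line is a display
# convenience for the reader; delivery is driven by the SMTP envelope alone.
SAMPLE_MSG = message_from_string(
    "From: Announcements <announce@example.org>\n"
    "To: undisclosed-recipients:;\n"
    "Bcc: Alice <alice@example.org>, bob@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "Body.\n"
)

def envelope_recipients(msg):
    """Submission: the RCPT TO list is built from To, Cc and Bcc.  From here on
    the MTA looks only at this list, never at the headers again."""
    fields = msg.get_all('To', []) + msg.get_all('Cc', []) + msg.get_all('Bcc', [])
    return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})

def transmitted_copy(msg):
    """What crosses the wire in DATA: the message minus its Bcc header, so no
    recipient's mail reader can ever show it."""
    wire = message_from_string(msg.as_string())
    del wire['Bcc']
    return wire

def deliver(msg, mailboxes):
    """Final delivery: one copy per envelope recipient, keyed by that address.
    The To: header is not consulted (an MTA ignores it), which is why the
    empty undisclosed-recipients group above causes no delivery of its own."""
    wire = transmitted_copy(msg)
    for rcpt in envelope_recipients(msg):
        mailboxes.setdefault(rcpt, []).append(wire)
    return mailboxes
```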

In Chapter 3, on the POP3 protocol, Blum covers only one POP3 client, Eric Raymond's Fetchmail. While Fetchmail is indeed an excellent tool, most Unix mail clients (including PINE, Mutt, Mozilla, and many others) have built-in support for POP3. The only POP3 server covered is qpopper, indeed another excellent tool.

Actual "coverage" of these tools is quite slim, and is typically limited to downloading, compiling, and installing the packages. No security considerations are covered at this point. Of course, all of these topics are also covered in later chapters, another unusual feature of the book's organization.

Another example of the book's disorganized nature is that, in chapter three, POP clients (or Fetchmail, at least) are covered prior to POP servers. In chapter 4, IMAP servers are covered before IMAP clients. The IMAP server discussed is the University of Washington IMAP server. Inexplicably, Blum never so much as mentions that UW IMAP also can serve as a POP3 server. The "IMAP Client" section is limited to two additional paragraphs about Fetchmail.

While chapters two through four cover every single standard command the protocols offer, this material is not particularly security-relevant. When an opportunity arises to cover security topics, such as the IMAP protocol's AUTHENTICATE command, the actual security features are not covered. Blum simply states that "It is the responsibility of the client to respond to the authentication method with the appropriate response." The actual, security-specific information as to how the protocol functions is simply not covered.

Chapter five describes MIME, the message formatting protocol used to transmit binary data. No security concerns of MIME, such as executable attachments, are discussed. S/MIME, one method of digitally signing and encrypting e-mail, is discussed, while PGP-MIME, which is more popular among individual users, is not even mentioned. While PGP itself is discussed, the differences between clearsigned plain-text messages and MIME-encoded messages are not described in even minimal terms, nor are any PGP or S/MIME mailer integration products.

Chapter six covers the interpretation of e-mail headers, ostensibly as a method of tracking down spammers. The discussion of how spammers send messages is off-base and once again demonstrates the limits of Blum's knowledge. In particular, Blum never makes clear the fact that MTAs entirely ignore the To: field, and that this is only a convenience required for RFC 822 mail readers. This thorough lack of understanding can only confuse the reader of the book, and provides no practical security knowledge.

Worse still, Blum is fixated on forged To: and From: headers of messages. While he discusses reading Received: headers, he never discusses the possibility of forged Received: headers, nor how such fakes might be detected.
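The kind of Received: chain check the review says the book omits, as an added example (not from the book or the review). Each MTA prepends its own Received: line, so the topmost was written by your own server and is the only one you can trust outright; the message, host names and addresses below are constructed, and the check is a heuristic rather than proof of forgery.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# The chain reads "from A by B", then "from B by C", and so on downwards.
HOP_RE = re.compile(r'from\s+([^\s(;]+).*?\bby\s+([^\s(;]+)')
CLOCK_SKEW = timedelta(minutes=5)   # tolerance for hosts with slightly wrong clocks

# Constructed sample: three genuine hops, then a forged line that was
# appended below them to make the mail look as if it came from a bank.
SAMPLE = (
    "Received: from mx2.example.net (mx2.example.net [192.0.2.20])\n"
    "        by mail.example.org (Postfix) with ESMTP id ABC123\n"
    "        for <user@example.org>; Sat, 16 Nov 2002 10:05:00 +0000\n"
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "        by mx2.example.net (Postfix) with ESMTP id DEF456;\n"
    "        Sat, 16 Nov 2002 10:04:30 +0000\n"
    "Received: from dialup-7.isp.example (unknown [198.51.100.7])\n"
    "        by mx1.example.net with SMTP; Sat, 16 Nov 2002 10:04:00 +0000\n"
    "Received: from mail.bank.example (mail.bank.example [203.0.113.5])\n"
    "        by relay.bank.example with ESMTP; Sat, 16 Nov 2002 10:03:00 +0000\n"
    "From: security@bank.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def parse_received(raw):
    """Return the Received: hops in header order (newest first)."""
    hops = []
    for value in message_from_string(raw).get_all('Received', []):
        flat = ' '.join(value.split())             # unfold continuation lines
        m = HOP_RE.match(flat)
        if not m:
            continue                                # not a "from ... by ..." line
        when = parsedate_to_datetime(flat.rsplit(';', 1)[1].strip())
        hops.append({'from': m.group(1).lower(), 'by': m.group(2).lower(), 'time': when})
    return hops

def first_untrusted_hop(hops):
    """Index of the first hop that the hop above it cannot vouch for, or None.
    Hop i-1 says it got the mail from host X, so hop i must claim to be written
    "by X" and must not be dated after hop i-1.  Legitimate mail can trip this
    (HELO names often differ from real host names), so read a hit as
    "unverifiable from here down" rather than as certain forgery."""
    for i in range(1, len(hops)):
        newer, older = hops[i - 1], hops[i]
        if older['by'] != newer['from']:
            return i
        if older['time'] - newer['time'] > CLOCK_SKEW:
            return i
    return None
```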

In Chapter Seven, "Securing the Unix Server", Blum covers inetd and Linux's IPChains firewall. The material on inetd is only modestly useful and on-topic. Secure replacements for inetd are not discussed at this point, though Dan Bernstein's tcpserver is discussed in Chapter 11. Not only is IPChains deprecated, but it is unavailable on most platforms. Security on BSD systems and modern Linux systems is essentially uncovered. Furthermore, Blum conflates firewalling and Network Address Translation (NAT). While IPChains can support both of these features, NAT is emphatically not a security tool.

Chapter eight covers Sendmail. The material in this chapter covers basic Sendmail configuration, but virtually ignores the .m4 configuration file, concentrating only on the .cf file built from the .m4 file. Eric Allman, Sendmail's original author and primary architect, is on record as saying that the .cf file should not be edited by end users. The details of .cf file parsing are, for the most part, not relevant to the security of either the server or the message, and are only rarely examined by system administrators. The .m4 file is not covered in any similar depth, though that would have provided a useful (if still off-topic) service for readers.

The last three pages of the chapter come under the heading of "Securing Sendmail", which should have been the focus of the entire chapter. However, only a handful of Sendmail directives are discussed, and the use of these functions in improving system security is not explained.

For example, the Sendmail restricted shell (smrsh), which allows only certain programs to be executed while forwarding messages, is dispatched in two paragraphs. Criteria one might use while selecting programs to be executed by smrsh are not specified, nor is the basic information that shells and commands such as "cat" should not be accessible. No information at all is provided about Sendmail 8.12's ability to run as a user other than root, a critical security feature. In short, nobody who reads this chapter will have the slightest idea of how to secure a server running Sendmail.

Chapter 9, on Dan Bernstein's qmail, does not have any security-specific information. Neither does chapter 10, on Postfix. Both chapters repeatedly discuss multiple mail queues, but this is not a security benefit, and even Sendmail now has this feature. Why Sendmail's implementation is totally ignored is a complete mystery.

Chapter 11, on preventing open relays, seems unnecessary. After all, not one of the three discussed MTAs has shipped configured as an open relay in at least four years. Furthermore, on page 277, Blum cautions "Be careful if using the relay_entire_domain and relay_local_from features [of Sendmail]. It is not difficult for a hacker to masquerade the SMTP session addresses to impersonate a server on your network." This seems to be the central issue in this chapter, but Blum never expands on this statement, or describes how one might be careful while using these features. Every opportunity to discuss actual e-mail security is completely ignored, as elsewhere in the book.

Chapter 11 also mentions using Realtime Blackhole Lists to block spam. This has nothing to do with open relays, specifically. More importantly, the only RBL covered is the MAPS RBL, which became a pay service several years prior to publication of this book. Blum never mentions that this is a pay service, nor does he list where one might locate alternatives, nor the fact that these lists are becoming progressively less useful as spammers develop new techniques.

Chapter 12, "Blocking Spam", covers only fixed-text blocking of either offending hosts or offending subject lines. These techniques, too, are progressively losing their effectiveness against spam. Sendmail's milter interface for filters is ignored entirely, as are any techniques that tag messages as likely spam rather than outright discarding suspect mail.

Still-useful techniques such as rule-based tools like SpamAssassin and distributed checksum systems like Vipul's Razor are not mentioned either, a major flaw in coverage of this subject. (Bayesian spam filtering, the third major class of techniques used to block spam, may be newer than the book.)

In addition, while discussing qmail's third-party filtering capabilities, Blum recommends configuring qmail-filter with a temporary directory of /tmp. This is, potentially, a serious security hole, but Blum never gives any hint that this choice of temporary file locations is anything less than perfectly secure. One certainly gets the feeling that Blum lacks any meaningful understanding of computer security.

The antivirus chapter, chapter 13, covers the AMaViS package. Security implications of this tool and its integration are ignored, as elsewhere in the book. Chapter 14 ostensibly covers e-mail firewalls, but the discussion says nothing about how this may protect servers from being compromised. In fact, Blum's conception of e-mail firewalls is limited to blocking spammers from using To: address scanning. This is a lot of effort for relatively little benefit, given that few spammers check for the existence of a particular address before spamming it.

Chapter 15 is a surprisingly credible discussion of the Simple Authentication and Security Layer (SASL), used for validating users to SMTP servers. However, other popular authentication techniques, such as SMTP after POP, are ignored. Chapter sixteen, on "Secure IMAP and POP servers", covers running IMAP and POP3 over SSL. SMTP over SSL, an increasingly popular configuration, is entirely uncovered. Unfortunately, so are the details of SSL and SSL certificate validation.

A number of attacks against SSL certificates are quite popular, and this represents one of the most fruitful avenues for attack, but certificate hierarchies and the weaknesses of self-signed certificates are not covered. As with most technical security topics, Blum ignores it so profoundly that one must wonder if he has ever considered the existence or nature of computer security.

Chapter 17, on Webmail, covers only one package in depth. Popular Webmail packages such as Squirrelmail and IMP are ignored entirely. Coverage of TWIG is limited, as in other chapters, to the installation and use of the package. No security-specific concerns are covered. Example passwords used for the MySQL backend are obvious; TWIG is configured to log into the MySQL server as that server's root user, an obvious breach of security best practices.

This book might prove useful for readers who wish to have their hands held when building popular e-mail programs. However, readers using Linux systems rarely need to build these tools manually. The author never adequately covers any security topics, and his understanding of the technologies beneath the surface is far from strong. It seems as though the book title was merely chosen for marketing reasons, and reflects nothing whatsoever about the content of the book. This book should be avoided by all readers; better material, at all levels and on all topics, can be found elsewhere.

Recent comments

22 Apr 2007 07:28 shingui

Other books?
What books would you recommend instead? Brief summary of their pros and cons?

07 Jun 2004 13:31 AndrewCates

nice to...
read reviews written by people who tell it like it is. How cheering... I'll have to hang around!
BozMo (http://catesfamily.org.uk/)

21 Nov 2002 20:03 mudskinny

mutt via ssh
That is messed up that this book doesn't talk about the best way to check mail: ssh-ing into your ISP and using mutt.

thanks for the warning. :-)

17 Nov 2002 01:07 autechre

Don't hold back, Jon.
Tell us what you really think. :)
