Mail system components
Electronic Mail
SMTP
PRINCIPLES – DNS – ARCHITECTURES – SPAM
MDA
(Local)
MTA
MDA
MDA
(SMTP)
(SMTP)
MSA
David Byers
IMAP/POP3
MDA
(Local)
MSA
SMTP
MAA
MTA
SMTP
MUA
MUA
IMAP/POP3
MAA
MRA
davby@ida.liu.se
IDA/ADIT/IISLAB
MUA
©2003–2004 David Byers
©2003–2004 David Byers
MUA
MRA
Mail User Agent
ƒ Reads and writes e-mail
ƒ Writes e-mail to MTA
using SMTP (usually)
ƒ Reads e-mail delivered by
MDA or retrieved by MRA
Mail Retrieval Agent
ƒ Retrieves e-mail from MAA
ƒ Makes mail available to MUA
©2003–2004 David Byers
Examples
ƒ Mozilla Thunderbird
ƒ Outlook Express
©2003–2004 David Byers
Examples
ƒ Fetchmail
ƒ Integrated in Thunderbird etc.
MSA
Mail Submission Agent
ƒ Accepts mail from MUA
ƒ Prepares and delivers to MTA
Examples
ƒ Courier IMAPD
Examples
ƒ Postfix postdrop+pickup
ƒ sendmail-msa
©2003–2004 David Byers
Mail Access Agent
ƒ Authenticates MUA/user
ƒ Reads e-mail from mailbox
ƒ Makes e-mail available to MUA
©2003–2004 David Byers
MAA
1
MTA
MDA
Mail Transfer Agent
ƒ Routes incoming mail
ƒ Determines which MDA to
send mail to
ƒ May alter mail being routed
Mail Delivery Agent
ƒ Accepts mail from MTA
ƒ Delivers mail to local mailbox
ƒ Delivers mail to other MTA
©2003–2004 David Byers
©2003–2004 David Byers
Examples
ƒ Postfix local, smtp, pipe
ƒ mail.local (local delivery)
ƒ procmail (local delivery)
Examples
ƒ Postfix cleanup + qmgr +
+ trivial-rewrite
ƒ Sendmail
Mail system components
Path of a message
1. New message written
ƒ Mail is written in MUA
ƒ Mail is submitted to MSA
SMTP
MDA
(Local)
MTA
MDA
MDA
(SMTP)
(SMTP)
MSA
SMTP
MAA
IMAP/POP3
MTA
MDA
(Local)
2. Reception of message at MSA
ƒ MSA authenticates user
ƒ MSA checks that user is
authorized to submit mail
ƒ MSA may rewrite headers
ƒ MSA submits message to MTA
ƒ MSA reports success to MUA
MSA
SMTP
MUA
MUA
IMAP/POP3
MAA
MRA
3. Reception of message at MTA
ƒ MTA checks that sender and
recipient are valid and permitted
ƒ MTA checks that contents are
valid and permitted
ƒ MTA may run content filters
ƒ MTA may rewrite headers
ƒ MTA determines which MDA to
submit mail to (SMTP, local etc)
ƒ MTA submits mail to MDA
ƒ If unsuccessful, MTA queues
mail for later delivery
©2003–2004 David Byers
©2003–2004 David Byers
MUA
5. Rcpt of message at remote MTA
ƒ Same as step 3
ƒ Message submitted to MDA
8. Message read
ƒ MUA presents message to user
trivial-rewrite
Network Æ
qmqpd
Network Æ
smtpd
cleanup
trivial-rewrite
qmgr
pickup
local
Æ File, Command
lmtp
Æ Network
smtp
Æ Network
virtual
Æ File
pipe
6. Reception of message at MDA
ƒ MDA may check filters/rules
ƒ MDA delivers message to
appropriate local mail store
Æ Command
postdrop
©2003–2004 David Byers
Local Æ
Deferred queue
Postdrop queue
sendmail
©2003–2004 David Byers
7. MAA detects new message
ƒ MAA signals MUA
ƒ MUA retrieves message
Active queue
4. Reception of message at MDA
ƒ MDA sends message to remote
MTA using SMTP (example)
Postfix architecture
Incoming queue
Path of a message
2
SMTP
Problem: which server to contact for a mail address?
Solution: look up MX record in DNS
%telnet mail.ida.liu.se 25
Trying 130.236.177.25...
Connected to mail.ida.liu.se.
Escape character is '^]'.
220 mail.ida.liu.se ESMTP Sendmail 8.13.3/8.13.3; Mon, 29 Aug 2005
13:34:42 +0200 (CEST)
EHLO lap-65.ida.liu.se
250-mail.ida.liu.se Hello gedrix.ida.liu.se [130.236.176.11],
pleased to meet you
MAIL FROM:<davby@ida.liu.se>
250 2.1.0 <davby@ida.liu.se>... Sender ok
RCPT TO:<info@samizdat.se>
250 2.1.5 <info@samizdat.se>... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: David Byers <davby@ida.liu.se>
To: Samizdat Info <info@samizdat.se>
Date: Mon, 29 Aug 2005 13:38:00 +0100
Subject: Testing SMTP
Structure of a message
Return-Path: andjo@ida.liu.se
Delivery-Date: Fri May 14 08:38:34 2004
Received: from diag7.ida.liu.se (diag7.ida.liu.se [130.236.177.217])
by portofix.ida.liu.se (8.12.11/8.12.11) with ESMTP id i423760;
Fri, 14 May 2004 08:38:31 +0200 (MEST)
Received: (from andjo@localhost)
by diag7.ida.liu.se (8.12.10+Sun/8.12.10/Submit) id i401197;
Fri, 14 May 2004 08:38:31 +0200 (CEST)
Date: Fri, 14 May 2004 08:38:31 +0200
From: Andreas Johansson <andjo@ida.liu.se>
To: David Byers <davby@ida.liu.se>
Cc: pjn@ida.liu.se
Subject: Re: =?ISO-8859-1?Q?N=E4tverksproblem?=
Message-Id: <20040514083831.495c66a2.andjo@ida.liu.se>
In-Reply-To: <41r7togybd.fsf@obel19.ida.liu.se>
References: <41r7togybd.fsf@obel19.ida.liu.se>
Organization: =?ISO-8859-1?Q?Link=F6pings?= universitet
X-Mailer: Sylpheed version 0.9.6 (GTK+ 1.2.10; sparc-sun-solaris2.9)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
X-Virus-Scanned: clamd / ClamAV 0.70, clamav-milter 0.70j
X-Spam-Flag: NO
X-Scanned-By: milter-spamc/0.15.245 ( [130.236.177.25]); pass
Header rewriting
ƒ Addition of received header
ƒ Addition of Message-ID
ƒ Address rewriting
Mail routing
ƒ Find server for recipient address
ƒ Queue mail for submission
ƒ Re-submit failed messages
ƒ Send delivery status notifications
Example rewriting
ƒ Removal of host name
ƒ Addition of domain name
ƒ davby Æ david.byers
SMTP example
ƒ Find MX records for address
ƒ Try records in ascending order
ƒ Try A record for address
©2003–2004 David Byers
Syntax
message::= headers CRLF body
headers ::= header headers | ε
header ::= name ”:” value CRLF
Things the MTA does
©2003–2004 David Byers
Envelope
ƒ From SMTP dialog
Header
ƒ Message metadata
ƒ Specified in RFC 2822
Body
ƒ Sequence of ASCII characters
ƒ Separated from body by CRLF
10 mail1.example.com.
10 mail2.example.com.
20 mx.nodomain.edu.
©2003–2004 David Byers
Body text.
.
250 2.0.0 j7TBYgXf001051 Message accepted for delivery
QUIT
221 2.0.0 portofix.ida.liu.se closing connection
Example:
example.com MX
example.com MX
example.com MX
Postfix address rewriting
(rewrite)
Incoming queue
Active queue
trivial-rewrite
qmgr
(resolve)
trivial-rewrite
cleanup
(rewrite)
Incoming queue
Active queue
trivial-rewrite
qmgr
(resolve)
lmtp
local
smtpd
lmtp
local
smtpd
©2003–2004 David Byers
pickup
trivial-rewrite
cleanup
Rewrite addresses to standard form
Canonical address mapping
Address masquerading
Automatic BCC recipients
Virtual aliasing
Resolve address to destination
Mail transport switch
Deferred queue
Relocated users table
Generic mapping table
Local alias database
Local per-user .forward files
Local catch-all address
smtpd
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
qmqpd
pickup
smtpd
Rewrite addresses to standard form
Canonical address mapping
Address masquerading
Automatic BCC recipients
Virtual aliasing
Resolve address to destination
Mail transport switch
Deferred queue
Relocated users table
Generic mapping table
Local alias database
Local per-user .forward files
Local catch-all address
qmqpd
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Postfix address rewriting
©2003–2004 David Byers
ƒ Text-based protocol
ƒ No encryption
ƒ No authentication
Example
©2003–2004 David Byers
Simple Mail Transfer Protocol
ƒ Default: TCP port 25
ƒ RFC 2821
ƒ ESMTP – Extensions
The role of DNS
3
Postfix address rewriting
Incoming queue
Active queue
trivial-rewrite
(resolve)
(rewrite)
Incoming queue
Active queue
trivial-rewrite
qmgr
(resolve)
©2003–2004 David Byers
local
lmtp
smtpd
local
lmtp
smtpd
Postfix address rewriting
Incoming queue
Active queue
trivial-rewrite
qmgr
(resolve)
trivial-rewrite
cleanup
(rewrite)
Incoming queue
Active queue
trivial-rewrite
qmgr
(resolve)
©2003–2004 David Byers
local
lmtp
smtpd
lmtp
local
smtpd
Things the MTA does
Three flavors
ƒ Built-in content inspection
ƒ After queue content filter
ƒ Before queue content filter
smtpd
Authorization
ƒ Check submitting host IP
ƒ Check from address
ƒ Check recipient address
ƒ Check contents
pickup
(filter)
Built-in content inspection
ƒ ”Body checks”, ”Header checks”
ƒ Regexp checks on message
ƒ For stopping specific problems
Typically permitted
ƒ Mail from local systems
ƒ Mail to local recipients
ƒ Mail from trusted hosts to any
recipient
©2003–2004 David Byers
Common spam checks
ƒ Keyword/feature filters
ƒ IP address blacklists
ƒ Greylisting
Postfix content filters
qmqpd
Content filtering
ƒ Scan for virus content
ƒ Check validity of attachments
ƒ Check size of messages
ƒ Check for spam
©2003–2004 David Byers
(rewrite)
pickup
trivial-rewrite
cleanup
Rewrite addresses to standard form
Canonical address mapping
Address masquerading
Automatic BCC recipients
Virtual aliasing
Resolve address to destination
Mail transport switch
Deferred queue
Relocated users table
Generic mapping table
Local alias database
Local per-user .forward files
Local catch-all address
smtpd
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
qmqpd
pickup
smtpd
Rewrite addresses to standard form
Canonical address mapping
Address masquerading
Automatic BCC recipients
Virtual aliasing
Resolve address to destination
Mail transport switch
Deferred queue
Relocated users table
Generic mapping table
Local alias database
Local per-user .forward files
Local catch-all address
qmqpd
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Postfix address rewriting
cleanup
bounce
local (forwarded)
Incoming queue
©2003–2004 David Byers
qmgr
trivial-rewrite
cleanup
©2003–2004 David Byers
(rewrite)
pickup
trivial-rewrite
cleanup
Rewrite addresses to standard form
Canonical address mapping
Address masquerading
Automatic BCC recipients
Virtual aliasing
Resolve address to destination
Mail transport switch
Deferred queue
Relocated users table
Generic mapping table
Local alias database
Local per-user .forward files
Local catch-all address
smtpd
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
qmqpd
pickup
smtpd
Rewrite addresses to standard form
Canonical address mapping
Address masquerading
Automatic BCC recipients
Virtual aliasing
Resolve address to destination
Mail transport switch
Deferred queue
Relocated users table
Generic mapping table
Local alias database
Local per-user .forward files
Local catch-all address
qmqpd
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
ƒ
Postfix address rewriting
4
Postfix content filters
Three flavors
ƒ Built-in content inspection
ƒ After queue content filter
ƒ Before queue content filter
smtpd
pickup
qmqpd
Three flavors
ƒ Built-in content inspection
ƒ After queue content filter
ƒ Before queue content filter
Postfix content filters
smtpd
Content
filter
(filter)
local (forwarded)
Before queue content filter
ƒ Before mail is accepted
ƒ Heavy-duty filtering
ƒ Only for low-volume sites
Content
filter
local
qmgr
pipe
Postfix
sendmail
(filter)
cleanup
Incoming queue
©2003–2004 David Byers
Postfix queues
©2003–2004 David Byers
Postfix
postdrop
smtp
After queue content filter
ƒ After mail has been accepted
ƒ Heavy-duty filtering
ƒ Need to avoid spurious DSNs
smtpd
bounce
cleanup
Spam protection
SMTP Restrictions
ƒ Relay restrictions
ƒ Greylisting
ƒ DNS-based blocklists
Denying relay
220 solzhenitsyn.samizdat.se ESMTP Postfix
HELO gedrix.ida.liu.se
250 solzhenitsyn.samizdat.se
MAIL FROM:<davby@ida.liu.se>
250 Ok
RCPT TO:<byers@lysator.liu.se>
554 <byers@lysator.liu.se>: Relay access denied
Greylisting in action
©2003–2004 David Byers
©2003–2004 David Byers
220 portofix.ida.liu.se ESMTP Sendmail 8.13.3/8.13.3
HELO metzengerstein.visit.se
250 portofix.ida.liu.se Hello metzengerstein.visit.se [212.214.112.221]
MAIL FROM:<info@samizdat.se>
250 2.1.0 <info@samizdat.se>... Sender ok
RCPT TO:<davby@ida.liu.se>
451 4.7.1 Greylisting in action, please come back in 00:10:00
DNS-based blocklists
Blocklists work like in-addr.arpa lookup
%host -t TXT 1.185.167.195.l1.spews.dnsbl.sorbs.net
1.185.167.195.l1.spews.dnsbl.sorbs.net TXT
"! [1] XPD Limited, see http://spews.org/ask.cgi?S3007"
Architectures
©2003–2004 David Byers
©2003–2004 David Byers
%host -t TXT 1.185.167.195.dnsbl.sorbs.net
1.185.167.195.dnsbl.sorbs.net
TXT
"Spam Received See:
http://www.sorbs.net/lookup.shtml?195.167.185.1"
5
Client-side outgoing mail
Outgoing mail
Client has an MTA
ƒ Client MTA queues mail
MTA
Client
MUA
Smarthost
ƒ All mail through one MTA
ƒ Central configuration
Client
Client
MTA
Client
Client
Client has no MTA
ƒ If central MTA is down, no
mail can be sent
MTA
Client
MTA
©2003–2004 David Byers
Client
MUA
Failover
ƒ Better reliability
MTA
Client
Client
Client
Client
Client
Client
Client
Client
Client
Client
L4 Switch
MTA
MTA
MTA
L4 Switch
Load balancing
ƒ Better reliability
ƒ Better performance
©2003–2004 David Byers
Client
MUA
Incoming mail
Mail storage
Multiple MTAs
Single storage server
MTA
MDA
MTA
MDA
MTA
MDA
MTA
MDA
MTA
MDA
MTA
MDA
Load-balanced MTAs
MTA
MDA
MTA
MDA
Storage
Distributed filesystem on SAN
L4 Switch
L4 Switch
MTA
MDA
MTA
MDA
SAN
Username-based load balancing
MTA
MTA
MDA
MTA
MDA
MTA
MDA
Users a-m
Storage
Users m-z
©2003–2004 David Byers
Storage
©2003–2004 David Byers
MTA
MTA
Reading mail
Load-balanced MAAs with SAN
L4 Switch
Centralized example
MAA
MTA
MAA
MTA
MTA/MSA
SMTP (AUTH)
L4 Swich
IMAP MAA
SAN
IMAP MAA
POP MAA
MAA
Users a-j
MAA
Users k-r
MAA
Users s-z
MUA
MUA
IMAP MAA
MAA
L4 Swich
MUA
IMAP
Webmail
SAN
©2003–2004 David Byers
L7 Switch
Storage
Client
Storage
User-base load balancing
©2003–2004 David Byers
Client
MDA
MTA
MDA
One front-end multiple backends
MTA
MTA
6
Corporate example (I)
Corporate example (II)
mx.eng.example.com
smtp.example.com
mx.eng.example.com
smtp.example.com
MTA
MTA
L4 Swich
L4 Swich
MTA
L4 Swich
MTA
MTA
MTA
L4 Swich
mail.sales.example.com
MTA
Address rewrite
MTA
MTA
mail.sales.example.com
MTA
eng.example.com MX smtp.example.com.
sales.example.com MX smtp.example.com.
rnd.example.com MX smtp.example.com.
example.com MX smtp.example.com.
Split DNS
Split DNS
©2003–2004 David Byers
eng.example.com MX mx.eng.example.com.
sales.example.com MX mail.sales.example.com.
rnd.example.com MX pluto.rnd.example.com.
©2003–2004 David Byers
eng.example.com MX mx.eng.example.com.
sales.example.com MX mail.sales.example.com.
rnd.example.com MX pluto.rnd.example.com.
E-mail components
ƒ MTA, MDA, MUA etc
Spam protection
ƒ Relaying, greylisting
Postfix architecture
ƒ Address rewriting
ƒ Content filtering
Mail system architectures
©2003–2004 David Byers
Summary
7