design.html revision 168515
133965Sjdp<HTML> 2218822Sdim<HEAD> 3218822Sdim<TITLE>Architecture</TITLE> 433965Sjdp</HEAD> 533965Sjdp<BODY> 633965Sjdp<!-- 733965Sjdp$Id: design.html,v 1.12 2006/08/08 20:55:57 ca Exp $ 833965Sjdp--> 960484Sobrien 1033965Sjdp<H1>Architecture</H1> 1133965Sjdp 1233965Sjdp<H2>Contents</H2> 1333965Sjdp 1433965Sjdp<UL> 1533965Sjdp <LI>Design Goals 1633965Sjdp <LI>Implementing Filtering Policies 1733965Sjdp <LI>MTA - Filter Communication 1833965Sjdp</UL> 19218822Sdim 20218822Sdim<H2>Goals</H2> 2133965Sjdp 2277298SobrienThe Sendmail Content Management API (Milter) provides an interface for 2377298Sobrienthird-party software to validate and modify messages as they pass 2433965Sjdpthrough the mail transport system. Filters can process messages' 2577298Sobrienconnection (IP) information, envelope protocol elements, message 2633965Sjdpheaders, and/or message body contents, and modify a message's 27218822Sdimrecipients, headers, and body. The MTA configuration file specifies 2833965Sjdpwhich filters are to be applied, and in what order, allowing an 2933965Sjdpadministrator to combine multiple independently-developed filters. 3033965Sjdp 3133965Sjdp<P> 3233965SjdpWe expect to see both vendor-supplied, configurable mail filtering 3333965Sjdpapplications and a multiplicity of script-like filters designed by and 34107492Sobrienfor MTA administrators. A certain degree of coding sophistication and 3533965Sjdpdomain knowledge on the part of the filter provider is assumed. This 3633965Sjdpallows filters to exercise fine-grained control at the SMTP level. 3733965SjdpHowever, as will be seen in the example, many filtering applications 3833965Sjdpcan be written with relatively little protocol knowledge. 39104834Sobrien 40104834Sobrien<P> 4133965SjdpGiven these expectations, the API is designed to achieve the following 4233965Sjdpgoals: 4333965Sjdp 4433965Sjdp<OL> 4577298Sobrien <LI>Safety/security. 4633965Sjdp Filter processes should not need to run as root 47218822Sdim (of course, they can if required, but that is a local issue); 48218822Sdim this will simplify coding 49218822Sdim and limit the impact of security flaws in the filter program. 50218822Sdim<P> 51218822Sdim <LI>Reliability. 5233965Sjdp Coding failures in a Milter process that cause that process 53218822Sdim to hang or core-dump 54218822Sdim should not stop mail delivery. 5533965Sjdp Faced with such a failure, 5633965Sjdp sendmail should use a default mechanism, 57130561Sobrien either behaving as if the filter were not present 5833965Sjdp or as if a required resource were unavailable. 5977298Sobrien The latter failure mode will generally have sendmail return 6033965Sjdp a 4xx SMTP code (although in later phases of the SMTP protocol 6177298Sobrien it may cause the mail to be queued for later processing). 6277298Sobrien<P> 6377298Sobrien <LI>Simplicity. 6477298Sobrien The API should make implementation of a new filter 6577298Sobrien no more difficult than absolutely necessary. 6677298Sobrien Subgoals include: 6777298Sobrien <UL> 6877298Sobrien <LI>Encourage good thread practice 6933965Sjdp by defining thread-clean interfaces including local data hooks. 7033965Sjdp <LI>Provide all interfaces required 71130561Sobrien while avoiding unnecessary pedanticism. 7233965Sjdp </UL> 7333965Sjdp<P> 7433965Sjdp <LI>Performance. 7533965Sjdp Simple filters should not seriously impact overall MTA performance. 76130561Sobrien</OL> 77130561Sobrien 78130561Sobrien<H2>Implementing Filtering Policies</H2> 79130561Sobrien 80130561SobrienMilter is designed to allow a server administrator to combine 81130561Sobrienthird-party filters to implement a desired mail filtering policy. For 8233965Sjdpexample, if a site wished to scan incoming mail for viruses on several 8377298Sobrienplatforms, eliminate unsolicited commercial email, and append a mandated 8477298Sobrienfooter to selected incoming messages, the administrator could configure 8533965Sjdpthe MTA to filter messages first through a server based anti-virus 8633965Sjdpengine, then via a large-scale spam-catching service, and finally 87130561Sobrienappend the desired footer if the message still met requisite criteria. 8833965SjdpAny of these filters could be added or changed independently. 8933965Sjdp 9033965Sjdp<P> 9133965SjdpThus the site administrator, not the filter writer, controls the 9233965Sjdpoverall mail filtering environment. In particular, he/she must decide 9333965Sjdpwhich filters are run, in what order they are run, and how they 9433965Sjdpcommunicate with the MTA. These parameters, as well as the 95130561Sobrienactions to be taken if a filter becomes unavailable, are selectable 9633965Sjdpduring MTA configuration. <A href="installation.html">Further 9777298Sobriendetails</A> are available later in this document. 9833965Sjdp 9933965Sjdp<H2>MTA - Filter communication</H2> 10077298Sobrien 10177298SobrienFilters run as separate processes, outside of the sendmail address 10233965Sjdpspace. The benefits of this are threefold: 10333965Sjdp 104130561Sobrien<OL> 10533965Sjdp <LI>The filter need not run with "root" permissions, thereby 10677298Sobrien avoiding a large family of potential security problems.</LI> 10733965Sjdp 10833965Sjdp <LI>Failures in a particular filter will not affect the MTA or 10933965Sjdp other filters.</LI> 110130561Sobrien 11133965Sjdp <LI>The filter can potentially have higher performance because of 11233965Sjdp the parallelism inherent in multiple processes.</LI> 11333965Sjdp</OL> 11433965Sjdp 11533965Sjdp<P> 11633965SjdpEach filter may communicate with multiple MTAs at the same time over 11733965Sjdplocal or remote connections, using multiple threads of execution. 118130561Sobrien<A HREF="#figure-1">Figure 1</A> illustrates a possible network of 11933965Sjdpcommunication channels between a site's filters, its MTAs, and other 12077298SobrienMTAs on the network: 12177298Sobrien</P> 12233965Sjdp<DIV align="center"> 12377298Sobrien<A name="figure-1"><IMG src="figure1.jpg" ALT=""></A><BR> 12433965Sjdp<B>Figure 1: A set of MTA's interacting with a set of filters.</B> 125130561Sobrien</DIV> 12677298Sobrien<P> 127130561SobrienThe Milter library (libmilter) implements the communication protocol. 12877298SobrienIt accepts connections from various MTAs, passes the relevant data to 12977298Sobrienthe filter through callbacks, then makes appropriate responses based 13077298Sobrienon return codes. A filter may also send data to the MTA as a result 13133965Sjdpof library calls. <A href="#figure-2">Figure 2</A> shows a single 132130561Sobrienfilter process processing messages from two MTAs: 13377298Sobrien</P> 13477298Sobrien<DIV align="center"> 13577298Sobrien<IMG src="figure2.jpg" ALT=""><BR> 136130561Sobrien<B>Figure 2: A filter handling simultaneous requests from two MTA's.</B> 13777298Sobrien</DIV> 13833965Sjdp<HR size="1"> 13977298Sobrien<FONT size="-1"> 14077298SobrienCopyright (c) 2000, 2003 Sendmail, Inc. and its suppliers. 141130561SobrienAll rights reserved. 14277298Sobrien<BR> 14377298SobrienBy using this file, you agree to the terms and conditions set 14477298Sobrienforth in the LICENSE. 14577298Sobrien</FONT> 14677298Sobrien</BODY> 14777298Sobrien</HTML> 14877298Sobrien