design.html revision 168516
11901Swollman<HTML> 21901Swollman<HEAD> 31901Swollman<TITLE>Architecture</TITLE> 41901Swollman</HEAD> 51901Swollman<BODY> 61901Swollman<!-- 71901Swollman$Id: design.html,v 1.12 2006/08/08 20:55:57 ca Exp $ 88870Srgrimes--> 91901Swollman 101901Swollman<H1>Architecture</H1> 111901Swollman 128870Srgrimes<H2>Contents</H2> 131901Swollman 141901Swollman<UL> 151901Swollman <LI>Design Goals 161901Swollman <LI>Implementing Filtering Policies 171901Swollman <LI>MTA - Filter Communication 181901Swollman</UL> 191901Swollman 208870Srgrimes<H2>Goals</H2> 211901Swollman 221901SwollmanThe Sendmail Content Management API (Milter) provides an interface for 231901Swollmanthird-party software to validate and modify messages as they pass 248870Srgrimesthrough the mail transport system. Filters can process messages' 251901Swollmanconnection (IP) information, envelope protocol elements, message 261901Swollmanheaders, and/or message body contents, and modify a message's 271901Swollmanrecipients, headers, and body. The MTA configuration file specifies 281901Swollmanwhich filters are to be applied, and in what order, allowing an 291901Swollmanadministrator to combine multiple independently-developed filters. 301901Swollman 311901Swollman<P> 321901SwollmanWe expect to see both vendor-supplied, configurable mail filtering 338870Srgrimesapplications and a multiplicity of script-like filters designed by and 341901Swollmanfor MTA administrators. A certain degree of coding sophistication and 351901Swollmandomain knowledge on the part of the filter provider is assumed. This 361901Swollmanallows filters to exercise fine-grained control at the SMTP level. 371901SwollmanHowever, as will be seen in the example, many filtering applications 381901Swollmancan be written with relatively little protocol knowledge. 391901Swollman 401901Swollman<P> 411901SwollmanGiven these expectations, the API is designed to achieve the following 421901Swollmangoals: 431901Swollman 441901Swollman<OL> 451901Swollman <LI>Safety/security. 461901Swollman Filter processes should not need to run as root 471901Swollman (of course, they can if required, but that is a local issue); 481901Swollman this will simplify coding 491901Swollman and limit the impact of security flaws in the filter program. 501901Swollman<P> 511901Swollman <LI>Reliability. 521901Swollman Coding failures in a Milter process that cause that process 531901Swollman to hang or core-dump 541901Swollman should not stop mail delivery. 551901Swollman Faced with such a failure, 561901Swollman sendmail should use a default mechanism, 571901Swollman either behaving as if the filter were not present 581901Swollman or as if a required resource were unavailable. 591901Swollman The latter failure mode will generally have sendmail return 601901Swollman a 4xx SMTP code (although in later phases of the SMTP protocol 611901Swollman it may cause the mail to be queued for later processing). 621901Swollman<P> 631901Swollman <LI>Simplicity. 641901Swollman The API should make implementation of a new filter 651901Swollman no more difficult than absolutely necessary. 661901Swollman Subgoals include: 671901Swollman <UL> 681901Swollman <LI>Encourage good thread practice 691901Swollman by defining thread-clean interfaces including local data hooks. 701901Swollman <LI>Provide all interfaces required 711901Swollman while avoiding unnecessary pedanticism. 721901Swollman </UL> 731901Swollman<P> 741901Swollman <LI>Performance. 751901Swollman Simple filters should not seriously impact overall MTA performance. 761901Swollman</OL> 771901Swollman 781901Swollman<H2>Implementing Filtering Policies</H2> 791901Swollman 801901SwollmanMilter is designed to allow a server administrator to combine 811901Swollmanthird-party filters to implement a desired mail filtering policy. For 821901Swollmanexample, if a site wished to scan incoming mail for viruses on several 831901Swollmanplatforms, eliminate unsolicited commercial email, and append a mandated 841901Swollmanfooter to selected incoming messages, the administrator could configure 851901Swollmanthe MTA to filter messages first through a server based anti-virus 861901Swollmanengine, then via a large-scale spam-catching service, and finally 871901Swollmanappend the desired footer if the message still met requisite criteria. 881901SwollmanAny of these filters could be added or changed independently. 891901Swollman 901901Swollman<P> 911901SwollmanThus the site administrator, not the filter writer, controls the 921901Swollmanoverall mail filtering environment. In particular, he/she must decide 931901Swollmanwhich filters are run, in what order they are run, and how they 941901Swollmancommunicate with the MTA. These parameters, as well as the 951901Swollmanactions to be taken if a filter becomes unavailable, are selectable 961901Swollmanduring MTA configuration. <A href="installation.html">Further 971901Swollmandetails</A> are available later in this document. 981901Swollman 991901Swollman<H2>MTA - Filter communication</H2> 1001901Swollman 1011901SwollmanFilters run as separate processes, outside of the sendmail address 1021901Swollmanspace. The benefits of this are threefold: 1031901Swollman 1041901Swollman<OL> 1051901Swollman <LI>The filter need not run with "root" permissions, thereby 1068870Srgrimes avoiding a large family of potential security problems.</LI> 1071901Swollman 1081901Swollman <LI>Failures in a particular filter will not affect the MTA or 1091901Swollman other filters.</LI> 1101901Swollman 1111901Swollman <LI>The filter can potentially have higher performance because of 1121901Swollman the parallelism inherent in multiple processes.</LI> 1131901Swollman</OL> 1141901Swollman 1151901Swollman<P> 1161901SwollmanEach filter may communicate with multiple MTAs at the same time over 1171901Swollmanlocal or remote connections, using multiple threads of execution. 1181901Swollman<A HREF="#figure-1">Figure 1</A> illustrates a possible network of 1191901Swollmancommunication channels between a site's filters, its MTAs, and other 1201901SwollmanMTAs on the network: 1211901Swollman</P> 1221901Swollman<DIV align="center"> 1231901Swollman<A name="figure-1"><IMG src="figure1.jpg" ALT=""></A><BR> 1241901Swollman<B>Figure 1: A set of MTA's interacting with a set of filters.</B> 1251901Swollman</DIV> 1268870Srgrimes<P> 1271901SwollmanThe Milter library (libmilter) implements the communication protocol. 1281901SwollmanIt accepts connections from various MTAs, passes the relevant data to 1291901Swollmanthe filter through callbacks, then makes appropriate responses based 1301901Swollmanon return codes. A filter may also send data to the MTA as a result 1311901Swollmanof library calls. <A href="#figure-2">Figure 2</A> shows a single 1321901Swollmanfilter process processing messages from two MTAs: 1331901Swollman</P> 1341901Swollman<DIV align="center"> 1351901Swollman<IMG src="figure2.jpg" ALT=""><BR> 1361901Swollman<B>Figure 2: A filter handling simultaneous requests from two MTA's.</B> 1371901Swollman</DIV> 1381901Swollman<HR size="1"> 1391901Swollman<FONT size="-1"> 1401901SwollmanCopyright (c) 2000, 2003 Sendmail, Inc. and its suppliers. 1411901SwollmanAll rights reserved. 1421901Swollman<BR> 1431901SwollmanBy using this file, you agree to the terms and conditions set 1441901Swollmanforth in the LICENSE. 1451901Swollman</FONT> 1461901Swollman</BODY> 1471901Swollman</HTML> 1481901Swollman