design.html revision 256281
1234353Sdim<HTML> 2204642Srdivacky<HEAD> 3204642Srdivacky<TITLE>Architecture</TITLE> 4204642Srdivacky</HEAD> 5204642Srdivacky<BODY> 6204642Srdivacky<!-- 7204642Srdivacky$Id: design.html,v 1.12 2006/08/08 20:55:57 ca Exp $ 8204642Srdivacky--> 9204642Srdivacky 10204642Srdivacky<H1>Architecture</H1> 11204642Srdivacky 12204642Srdivacky<H2>Contents</H2> 13204642Srdivacky 14204642Srdivacky<UL> 15204642Srdivacky <LI>Design Goals 16204642Srdivacky <LI>Implementing Filtering Policies 17218893Sdim <LI>MTA - Filter Communication 18204642Srdivacky</UL> 19249423Sdim 20204642Srdivacky<H2>Goals</H2> 21204642Srdivacky 22204642SrdivackyThe Sendmail Content Management API (Milter) provides an interface for 23204642Srdivackythird-party software to validate and modify messages as they pass 24204642Srdivackythrough the mail transport system. Filters can process messages' 25204642Srdivackyconnection (IP) information, envelope protocol elements, message 26204642Srdivackyheaders, and/or message body contents, and modify a message's 27234353Sdimrecipients, headers, and body. The MTA configuration file specifies 28204642Srdivackywhich filters are to be applied, and in what order, allowing an 29218893Sdimadministrator to combine multiple independently-developed filters. 30204642Srdivacky 31204642Srdivacky<P> 32204642SrdivackyWe expect to see both vendor-supplied, configurable mail filtering 33218893Sdimapplications and a multiplicity of script-like filters designed by and 34204642Srdivackyfor MTA administrators. A certain degree of coding sophistication and 35204642Srdivackydomain knowledge on the part of the filter provider is assumed. This 36204642Srdivackyallows filters to exercise fine-grained control at the SMTP level. 37204642SrdivackyHowever, as will be seen in the example, many filtering applications 38204642Srdivackycan be written with relatively little protocol knowledge. 39204642Srdivacky 40204642Srdivacky<P> 41204642SrdivackyGiven these expectations, the API is designed to achieve the following 42204642Srdivackygoals: 43204642Srdivacky 44204642Srdivacky<OL> 45204642Srdivacky <LI>Safety/security. 46204642Srdivacky Filter processes should not need to run as root 47218893Sdim (of course, they can if required, but that is a local issue); 48218893Sdim this will simplify coding 49218893Sdim and limit the impact of security flaws in the filter program. 50204642Srdivacky<P> 51204642Srdivacky <LI>Reliability. 52204642Srdivacky Coding failures in a Milter process that cause that process 53204642Srdivacky to hang or core-dump 54218893Sdim should not stop mail delivery. 55218893Sdim Faced with such a failure, 56204642Srdivacky sendmail should use a default mechanism, 57204642Srdivacky either behaving as if the filter were not present 58204642Srdivacky or as if a required resource were unavailable. 59218893Sdim The latter failure mode will generally have sendmail return 60218893Sdim a 4xx SMTP code (although in later phases of the SMTP protocol 61204642Srdivacky it may cause the mail to be queued for later processing). 62218893Sdim<P> 63204642Srdivacky <LI>Simplicity. 64204642Srdivacky The API should make implementation of a new filter 65204642Srdivacky no more difficult than absolutely necessary. 66218893Sdim Subgoals include: 67218893Sdim <UL> 68218893Sdim <LI>Encourage good thread practice 69218893Sdim by defining thread-clean interfaces including local data hooks. 70218893Sdim <LI>Provide all interfaces required 71204642Srdivacky while avoiding unnecessary pedanticism. 72204642Srdivacky </UL> 73204642Srdivacky<P> 74204642Srdivacky <LI>Performance. 75204642Srdivacky Simple filters should not seriously impact overall MTA performance. 76204642Srdivacky</OL> 77204642Srdivacky 78204642Srdivacky<H2>Implementing Filtering Policies</H2> 79204642Srdivacky 80204642SrdivackyMilter is designed to allow a server administrator to combine 81207618Srdivackythird-party filters to implement a desired mail filtering policy. For 82207618Srdivackyexample, if a site wished to scan incoming mail for viruses on several 83207618Srdivackyplatforms, eliminate unsolicited commercial email, and append a mandated 84218893Sdimfooter to selected incoming messages, the administrator could configure 85218893Sdimthe MTA to filter messages first through a server based anti-virus 86218893Sdimengine, then via a large-scale spam-catching service, and finally 87218893Sdimappend the desired footer if the message still met requisite criteria. 88204642SrdivackyAny of these filters could be added or changed independently. 89218893Sdim 90218893Sdim<P> 91218893SdimThus the site administrator, not the filter writer, controls the 92218893Sdimoverall mail filtering environment. In particular, he/she must decide 93204642Srdivackywhich filters are run, in what order they are run, and how they 94204642Srdivackycommunicate with the MTA. These parameters, as well as the 95204642Srdivackyactions to be taken if a filter becomes unavailable, are selectable 96204642Srdivackyduring MTA configuration. <A href="installation.html">Further 97204642Srdivackydetails</A> are available later in this document. 98204642Srdivacky 99204642Srdivacky<H2>MTA - Filter communication</H2> 100204642Srdivacky 101204642SrdivackyFilters run as separate processes, outside of the sendmail address 102204642Srdivackyspace. The benefits of this are threefold: 103204642Srdivacky 104204642Srdivacky<OL> 105204642Srdivacky <LI>The filter need not run with "root" permissions, thereby 106204642Srdivacky avoiding a large family of potential security problems.</LI> 107204642Srdivacky 108218893Sdim <LI>Failures in a particular filter will not affect the MTA or 109204642Srdivacky other filters.</LI> 110218893Sdim 111218893Sdim <LI>The filter can potentially have higher performance because of 112218893Sdim the parallelism inherent in multiple processes.</LI> 113218893Sdim</OL> 114218893Sdim 115218893Sdim<P> 116218893SdimEach filter may communicate with multiple MTAs at the same time over 117218893Sdimlocal or remote connections, using multiple threads of execution. 118218893Sdim<A HREF="#figure-1">Figure 1</A> illustrates a possible network of 119218893Sdimcommunication channels between a site's filters, its MTAs, and other 120218893SdimMTAs on the network: 121218893Sdim</P> 122218893Sdim<DIV align="center"> 123218893Sdim<A name="figure-1"><IMG src="figure1.jpg" ALT=""></A><BR> 124218893Sdim<B>Figure 1: A set of MTA's interacting with a set of filters.</B> 125218893Sdim</DIV> 126218893Sdim<P> 127218893SdimThe Milter library (libmilter) implements the communication protocol. 128218893SdimIt accepts connections from various MTAs, passes the relevant data to 129218893Sdimthe filter through callbacks, then makes appropriate responses based 130218893Sdimon return codes. A filter may also send data to the MTA as a result 131218893Sdimof library calls. <A href="#figure-2">Figure 2</A> shows a single 132218893Sdimfilter process processing messages from two MTAs: 133218893Sdim</P> 134218893Sdim<DIV align="center"> 135204642Srdivacky<IMG src="figure2.jpg" ALT=""><BR> 136204642Srdivacky<B>Figure 2: A filter handling simultaneous requests from two MTA's.</B> 137204642Srdivacky</DIV> 138204642Srdivacky<HR size="1"> 139218893Sdim<FONT size="-1"> 140204642SrdivackyCopyright (c) 2000, 2003 Sendmail, Inc. and its suppliers. 141204642SrdivackyAll rights reserved. 142204642Srdivacky<BR> 143204642SrdivackyBy using this file, you agree to the terms and conditions set 144204642Srdivackyforth in the LICENSE. 145204642Srdivacky</FONT> 146204642Srdivacky</BODY> 147218893Sdim</HTML> 148218893Sdim