[Dovecot] v3.0 architecture
Timo Sirainen
tss at iki.fi
Wed May 27 11:17:42 EEST 2009
I just had a thought. It's probably going to be too big of a change
for v2.0, so something to think about for v3.0:
Supporting multiple UIDs is difficult. Currently expire-tool and
v2.0's LMTP server are implemented in a way that it's always running
as root and only temporarily dropping privileges. So any security hole
in there gives the attacker root privileges. Not very nice. With a
single UID it's possible (or will be) to just use that one UID for the
process without running as root.
User sharing mailboxes to another user with different UID is even more
difficult. Currently the only practical way to implement this is to
assign read-write permissions to some group and have all mail files
owned by that group. Not very nice.
Sharing mailboxes between users located in different servers is
impossible if the disk isn't somehow shared.
All of these can be solved the same way:
1. imap, pop3, lmtp, etc. processes will be running without any
privileges, very much like imap/pop3-login nowadays. Nobody-chrooted
to empty directory.
2. Create storage processes that are started as needed. They can be
configured in different security/performance settings: One storage
process per user, one storage process per UID, setuid-root style
shared storage process for multiple UIDs.
3. Mail processes talk to storage processes via some protocol. They
can talk via UNIX socket or TCP/IP. If an existing connection can't
handle the target UID, a new connection is made that either reuses an
existing storage proces or creates a new one.
4. IMAP can finally implement truly simultaneously running queries
(where it makes sense) by creating more storage processes if existing
ones are busy handling longer-running commands. This also allows using
the same storage process for multiple simultaneous IMAP connections
and mail deliveries (and etc). The storage processes can also hang
around and keep mailboxes open after all connections have closed it
(dynamically figured out when it makes sense) to handle webmail
clients that create lots of short-living connections or POP3 clients
who poll for new mail every minute.
The big problem is what the protocol should be. Use some existing RPC
protocol? It should be something extensible so that a plugin in imap
process can talk to a plugin in storage process, without the base
processes knowing anything about the details (e.g. imap-quota plugin
asking quota usage from storage's quota plugin). In any case the
client side API should be asynchronous. That can make it annoyingly
difficult to use though. Wonder if I could switch to erlang or
something for the imap/pop3 processes :)
More information about the dovecot
mailing list