totheend-user.SimilarlyinIMAP4mode,perditionacceptstheLOGINcommandandp - PDF document

367 views
Uploaded On 2015-09-22

totheend-user.SimilarlyinIMAP4mode,perditionacceptstheLOGINcommandandp - PPT Presentation

Figure2PlainTextSSLandTLSModesPerditioncanindependentlyacceptplaintextSSLandTLS7connectionsfromendusersandmakeplaintextSSLorTLSconnectionstorealserversInthiswayperditioncanbeusedtobridgebe ID: 136658

Figure2:Plain-Text SSLandTLSModesPerditioncanindependentlyacceptplain-text SSLandTLS[7]connectionsfromend-usersandmakeplain-text SSLorTLSconnectionstoreal-servers.Inthiswayperditioncanbeusedtobridgebe

Link:

Copy

Embed:

<iframe width="560" height="315" src="https://www.docslides.com/embed/136658" frameborder="0" allowfullscreen></iframe>

Download Presentation from below link

Download Pdf The PPT/PDF document "totheend-user.SimilarlyinIMAP4mode,perdi..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

totheend-user.SimilarlyinIMAP4mode,perditionacceptstheLOGINcommandandpassestheusernameandpasswordsuppliedontothereal-serverspeciedinthepopmap.Whenperditionispipinginformationbetweentheend-userandreal-serveritdoesnotinterpretthedata,itmerelyreadsbytesfromtheend-userandsendsthentothereal-serverandviceversa.ThismeansthatperditiononlyunderstandsthePOP3andIMAP4commandsthatareusedintheauthenticationphase.Itdoesnotinterpretthecommunicationbetweentheend-userandthereal-server.ThisgreatlyreducestheamountofthePOP3andIMAP4protocolthatperditionneedstounderstand,reducingthecomplexityofthecode.Plain-Text,SSLandTLS Figure2:Plain-Text,SSLandTLSModesPerditioncanindependentlyacceptplain-text,SSLandTLS[7]connectionsfromend-usersandmakeplain-text,SSLorTLSconnectionstoreal-servers.Inthiswayperditioncanbeusedtobridgebetweenplain-text,SSLandTLSservices.Forexample,supposeasystemisrunningaPOPdaemonthatdoesnotsupportSSL,buttheenduserisdownloadingmailfromanSSLenabledclient.Byrunningperdition,listeningforSSLconnections,onthesameoranotherbox,andconnectingtotheplain-textonlydaemonanSSLPOPservicecanbeprovidedtoend-users.PopmapThedatabasethatperditionusestodeterminewhichserveranend-user'sconnectionshouldbeforwardedtoiscalledthepopmap.Thelookupfunctionsforthepopmapareprovidedbyaamap-librarywhosesymbolsareloadedatrun-time.Bycreatingdierentmap-librariesitispossibleforperditiontolookupuserinformationusinganydatabasesource.Thecurrentrevisionprovidesmap-librariestoresolvelookupsusingLDAP,ODBC,MySQL,PostgreSQL,GDBM,BerkeleyDB,POSIXRegularExpressionandNIS. InputThekeyforapopmaplookupistheusernameprovidedbytheend-user.Theusernamesuppliedbytheuserisreferredtoasthelongusername.Theportionofthelongusernamebeforetherun-timecongurabledomaindelimiter,anat-symbol('@')bydefault,isreferredtoastheshortusername.Theportionofthelongusernameafterthedomaindelimiterisreferredtoasthedomain.Thus,ifthedomaindelimiterisomitted,theshortusernameisthesameasthelongusernameandthereisnodomain. LongUsername ShortUsername Domain mary@verge.net.au mary vergenet.net bob bob - Figure3:UsernameComponentsQueryKeyPerditionisabletobuildupaquerykeyusingthecomponentsprovidedinthelongusernamebytheend-userandthesourceanddestinationIPaddressoftheconnection.Thequerykeyisbuiltupbyusingaformat-stringwhichcontainsacombinationofstring-literalsandescapesequences. EscapeSequence Entity nU longusername nu shortusername nD domaindelimiter nd domain ni sourceIPaddress nI destinationIPaddress np sourceport nP destinationport nn Literaln Figure4:QueryKeyEscapeSequencesMultiplekeysmaybeprovided.Acomma(',')isusedtodelimitkeys.Eachkeyisqueriedinorder,andtherstvalidresultretrievedisused.Forexample,searchfortheshortusername,domaindelimiteranddestinationIPaddressinthedatabase.Ifthisfailssearchfortheshortusername,domaindelimiterandthestring"default".\u\D\I,\u\DdefaultThus,perditionisabletosearchthedatabaseinavery exiblemanner.This exibilityallowsperditiontobedeployedforawiderangeofapplications.Asdiscussedintheapplicationssection. insomesituationsitisdesirabletoallowend-usersoutsideofthelocalnetworktorelayemailthroughaserver.Forexample,anemployeewhoisontheroadusingdial-upconnections.ProbablythebestsolutiontothisproblemistohaveclientsauthenticatethemselveswhensendingmailusingSMTPAUTH[5].Ifthisisnotpossible,POP/IMAPbeforeSMTPmaybeused.POP/IMAPbeforeSMTPworksbyrecordingtheIPaddressofend-usersthatareauthenti-catedforPOPorIMAPaccess.TheseIPaddressesareaddedtoalistofIPaddressesthatareallowedtorelaymail.TypicallyIPaddressesonthislistarevalidforawindowoftimeandareremovedfromthelistoncethiswindowexpires.PerditionlogsconnectionsinthreephasestoallowittoworkinconjunctionwithPOP/IMAPbeforeSMTPsoftwarewhichmonitorslogsandmaintainsalistofIPaddressesthatmayberelayed.Whenauserconnects:Connect:source ip address�[inetd pid=pid&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;]Whenauserisauthenticated:Auth:source ip address�user="username&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;"server="servername"&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;port="port&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;"status=failedjokWhenauserdisconnects:Close:source ip address�user="username&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;"received=bytes&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;sent=bytes&#x]TJ/;༙ ;.9;U T; 9.;ą ;� Td;&#x[000;GiventhatIMAPconnectionsmaylastforaverylongtime,manymailreaderskeepanIMAPconnectionopenuntiltheuserquitsthemailreader.Thustheconnectionmaybeopenformuchlongerthantheuser'sIPaddresswilllastinthePOP/IMAPbeforeSMTPrelaylist.Forthisreasonperditioncanbeconguredtoperiodicallyreissuethe"Auth"log.PerditionalsoprovidesaPOP/IMAPbeforeSMTPdaemon,perdition-pbs.Thisworksbymonitoringthesystemlogsforthe"Auth"line.ItaddstheIPaddressestoaBerkeleydatabase.Periodicallyentriesareexpiredfromthisdatabase.Perdition-PBScanbeusedinconjunctionwithsendmailbyaddingaruletosendmail.cfthatisabletousethisdatabaseasalistofhoststorelaymailfrom.Itcanalsobeusedinconjunctionwithqmailbyusingawrapperforqmail-smtpwhichsetstheRELAYCLIENTenvironmentvariableifaconnectionisreceivedfromanIPaddressinthedatabase.ItisthoughtthatbyusingTDBrepl[8],asimpledatabasereplicationsystembuiltontopofTDB[2],insteadofBerkeleyDBfortheback-enddatabaseitispossibletouseperdition-pbsinadistributedenvironment.ApplicationsTheoriginaldesignandimplementationofperditionwasintendedtoallowamailservicetogrowbeyondasinglemachine.However,itsoonbecameapparentthatitcouldbeusedto User-SuppliedDomainNameUsersmaysupplyadomainnamewhenconnectingtotheperdition-director.Thisisdonebyfollowingtheirusernamewithadomaindelimiterandthedomainname.Perditioncanusethisdomaintodistinguishbetweentwoend-usersfromdierentdomainswiththesameusernameandcanmaptheusernamesuchthatontheunderlyingreal-servertheusershavedierentusernames.Forexample,bob@foo.combecomesbob1andbob@bar.combecomesbob2.Perditionthenopensupaconnectiontothereal-server,whichcouldbethesamehostastheperdition-directorandaccessesthemappeduseraccount.Thissystemworksparticularlywellinanenvironmentwhereend-usersalreadyhavetheirmail-clientsconguredtoincludethedomainnameaspartoftheirloginname.Perdition-DirectorwithMultipleIPAddressesAnotherapproachtoidentifyingend-usersbasedontheirdomainistoconguretheperdition-directorwithmultipleIPaddresses.Thus,inDNSadierentIPaddresscanbeusedforeachdomain.TheIPaddressthatanend-userconnectstocanbeusedaspartofthequerykeyforthedatabaselookup.Thusisbob@foo.comconnectstopop3.foo.com,thenthedatabaselookupcouldbebob@10.0.0.1.Similarlythelookupforbob@bar.comcouldbebob@10.0.0.2.Again,thiscanbeusedtomapthetwoBob'stoauniqueusernameandconnecttothecorrespondingreal-server. Figure7:Perdition-DirectorwithMultipleIPAddressesThisapproachisparticularlyusefulinanenvironmentwhereend-usershavenotalreadysetuptheirmail-clientstosupplytheirdomainaspartoftheirlogininformation.End-userscontinuetoaccesstheiremailusingthesamePOPorIMAPserverasbefore.Perditionisabletodirecttheirrequesttothecorrectmailboxbasedoninformationabouttheconnectionitself.ThedisadvantageofthisapproachisthatitrequireseachdomaintohaveaseparateIPaddressforitsPOPandIMAPservers.Essentially,havingtheusersupplyadomainnameisequivalenttoanHTTPname-basedvirtualhost[3].WhileconguringperditionwithmultipleIPaddressesisequivalenttoanIP-basedvirtual-host.Bothtechniquesmaybeusedsimultaneouslyonthesameperdition-directorfordierentdomains. MigrationSometimeswhennewmailinfrastructureisdeployeditisusefultomigrateend-usersgraduallyfromtheexistingsystemtothenewsystem.Usingperditionthiscanbedonewithoutend-usersneedingtochangetheirsettings. Figure8:UsingPerditiontoMigrateaMailServiceSupposethatanorganisationhasaPOPserver,pop3.foo.comandwanttograduallymoveend-usersovertoanewserver.ThiscanbedonebyhavingperditionsetupwiththeIPaddressofpop3.foo.comandthenewandoldserverssetupasrealservers.Thepopmapontheperditiondirectorcanbeusedtodeterminewhichend-usershavetheirconnectionsforwardedtotheoldserverandwhichend-usershavetheirconnectionsforwardedtothenewserver.Oncealltheend-usershavebeenmigratedtothenewserver,theperditiondirectorcanberemoved.FirewallPerditioncanbeusedaspartofarewalltoproxyoutgoingPOPandIMAPrequests.End-users'connectionscanbeforwardedtoanexternalreal-serveraccordingtoapopmap.Alter-natively,perditioncanbeconguredtousethedomainsuppliedbytheend-user'smail-clientastherealservertoconnectto.Forexample,ifanend-userconnectstotheperditiondirectorandlogs-inasbob@pop3.foo.com,thenperditionwillconnecttheusertopop3.foo.com.Perditioncanalsobeconguredtoauthenticatetheuser,thuslimitingaccess.Thisis,however,extremelylimitedasthesameusernameandpasswordisusedtoauthenticatewithbothperditionandtherealserver.Itisimportanttonote,thatoncetheuserisauthenticatedwiththereal-server,perditiondoesnotinterpretthePOPorIMAPcommandssentbytheend-user'smail-clientortheresponsessentbythereal-server.Thus,itcannotbeusedtoprotectreal-serversfrommaliciousend-usersorviceversa. AvailabilityPerditionisimplementedinC.ItisavailableunderthetermsoftheGNUGeneralPublicLicencefromhttp://www.vergenet.net/linux/perdition/.ItisalsodistributedaspartofDebianGNU/Linux.TheprimarydevelopmentplatformforperditionisLinux,althoughitisknowntoworkwellonotherUnixesincludingSunSolarisandFreeBSD.Contributionsandbugreportsarealwaysmorethanwelcome.ConclusionPerditionprovidesa exiblewaytoproxyPOPandIMAPconnectionsfromend-userstooneormorereal-servers.Pipex,anISPintheUnitedKingdom,WorldComEurope,BelgacomSkynet,thelargestISPinBelgium,OhioStateUniversity,SoVerNet,andISPinVermont,USA,Fastmail.FM,andNetCologe,andISPinColonge,GermanyareusingPerditionasafront-endtomultiplereal-servers.GPS-TechnikinSwitzerlandandOspreyNetworkTechnologiesinKansas,USAareusingperditiontotranslateaccountnamesforend-userswhenintegratingmailservicestogether.Thesesystemsusearangeofdatabase-backends,includingLDAP,MySQLandBerkelyDB.Thesizeofthesedeploymentsrangefrom2,500toinexcessof250,000accountswithupto8real-servers.References[1]M.Crispin.Rfc1730:Internetmessageaccessprotocol{version4,December1994.http://www.ietf.org/rfc/rfc1730.txt.[2]AndrewTridgeletal.Tdb{trivialdatabase.http://sourceforge.net/projects/tdb/.[3]TheApacheSoftwareFoundation.Apachevirtualhostdocumentation.http://httpd.apache.org/docs/vhosts/.[4]SimonHorman.Highcapacityemail,November1999.http://vergenet.net/linux/mail farm/.[5]J.Myers.Rfc2554:Smtpserviceextensionforauthentication,March1999.http://www.ietf.org/rfc/rfc2554.txt.[6]J.MyersandM.Rose.Rfc1939:Postoceprotocol{version3,May1996.http://www.ietf.org/rfc/rfc1939.txt.[7]C.Newman.Rfc2595:Usingtlswithimap,pop3andacap,June1999.http://www.ietf.org/rfc/rfc2559.txt.[8]LiamWiddowson.Tdbrepl{thetrivialdatabasereplicationsystem.http://tdbrepl.inodes.org/.SpecialthankstoKsh,Raster,Alex,Jake,JohnFerlitoandNerdyAmandaLin.