$Id: design.txt,v 1.2 2003/02/08 10:50:24 ak Exp $
akpop3d - a secure and small POP3 daemon
========================================

Design goals
============
The primary design goal was small code. Many programmers write bloated
code, thus making the programs big and slow. I tried to keep the code as
short as possible. Less lines of code also implies less bugs in the
code[FvL 01].

Another design goal was RFC 1939 compliance. It must be RFC 1939
compliant, else I can't call it a POP3 server.


Security
========
First of all, the POP3 protocol is an insecure protocol by design.
Passwords are transmitted unencrypted, so people sniffing on one
computer on the route between your computer and the POP3 server is able
to filter out the passwords easily. So akpop3d handles two very
important main security features especially, namely password security
(e.g. by providing POP3-over-SSL facilities) and security with input
handling (e.g. read functions that can't overflow the buffer) and
privilege management.

The server behaves in the following way:


                      started as root
                            |
                            |<-----------+
                    +----------------+   |
                    | new connection |---+
                    | (fork)         |
                    +----------------+
                            |
                    +----------------+
                    | read user/pass |
                    +----------------+
                            |
                    +----------------+
                    | authenticate   |
                    +----------------+
                            |
                    +-----------------+
                    | set uid of user |
                    | set gid of group|
                    | "mail"          |
                    +-----------------+
                            |
                    +--------------------+
                    | handle transaction |
                    | state              |
                    +--------------------+
                            |
                    +--------------+
                    | exit process |
                    +--------------+

That means, only the part prior to authenticating the user is
_theoretically_ vulnerable to root exploits. The routines to read
username and password are designed to prevent buffer overflows.


Secure Creation Of Files
========================
Temporary files are all created via tmpfile(3). This is more secure than
mktemp(3) or tmpnam(3) since creating a temporary file with it is atomic.
This drastically decreases the possibility of symlink attacks and other
race conditions.


POP3-Over-SSL Support
=====================
akpop3d provides functionality for secure POP3 sessions over SSL. SSL
connections are always encrypted, so it should be used when POP3
functionality is demanded via untrustworthy networks (e.g. the evil
internet). Furthermore, functionality for proof of authenticity is
provided via a certificate mechanism.


Parsing Emails
==============
To quote Dan Bernstein: "Don't parse"[DJB 97]. The only way mbox files
are parsed is by separating them and transferring them into temporary
files, and then separating headers from message body. The latter is
needed for the TOP command. So, even if the mbox is totally invalid,
akpop3d either aborts the session (when no "From " header can be found
at the very beginning) or sees the whole mbox file as one mail, but it
never crashes.

Literature
==========
FvL 01. http://www.fefe.de/dietlibc/talk.pdf
DJB 97. "the qmail security guarantee" http://cr.yp.to/qmail/guarantee.html
