Artur Södler Software-Qualität
Mail Server as Project Example
Step 1: Actual Analysis
Have you ever been annoyed by spam mails?
Sure! Right, let us sort out automatically everything that smells fishy. That makes life easy.
Fiddlesticks! Most certainly, by the time your wife's email has been sorted out (she wanted to tell you to pick up the children from the playschool), you will get into hot water. Now you are running out of excuses: you need an expensive, superior spam solution. "Security experts" now push their solutions on you with buzzwords like "trust" and "experience", just like financial service providers do with securities.
We must rethink and challenge established practice: if we are sorting an email out, why do we acknowledge it in the first place? If your mail server had rejected your wife's email, your wife would have known immediately and would have settled the matter with a virtual rolling pin. At least the children would have been picked up in time.
The annoying fact is that all common mail servers first acknowledge every submitted email, even one they later drop. Now you are responsible; now you have to search the spam folder regularly.
What if the mail server breaks down?
Of course you have already asked yourself this question. In the worst case, the mail repository is emptied, accompanied by a small stinking wisp of smoke from the electronics. A replacement PC and the nightly backup will quickly bring the system up and running again, but your wife's email is lost.
We must rethink and challenge established practice: why does the mail server acknowledge an email if it is not yet backed up on tape and put into the safe?
Step 2: Research and Creativity
How can we not accept emails?
The SMTP protocol for email transfer specifies that every delivery attempt is answered with a three-digit number. Numbers in the range 200-299 mean "OK", 300-399 mean "OK so far, but please continue", 400-499 are temporary errors, and 500-599 are final errors.
Greylisting exploits this: every first delivery attempt is answered with a 4xx temporary error. Spam robots usually give up immediately; serious mail servers retry. The second delivery attempt is then accepted.
Unfortunately, this method delays email arrival. The time span up to the retry may be some minutes.
Let us get to the bottom of it: what if the email is received at the first attempt? We still answer as if there were a temporary error, but we use the meantime to check for spam, to back up and for whatever further action is needed — and if we decide after all to accept the email, we answer with "200 ok" next time. If not, we answer with "500 email rejected".
That sounds reasonable: what would have been sorted into the spam folder is rejected instead. Now you are rid of the responsibility to search the spam folder regularly.
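The deferred decision described above, as an added example (not code from the original page): a minimal model of the server's response logic in Python. The response strings, the spam check and the backup hook are assumptions; only the code classes (4xx on the first attempt, 2xx or 5xx on the retry) come from the text.

```python
import hashlib

# Assumed response strings; the page only fixes the classes: 4xx first, 2xx/5xx on retry.
TEMP_ERROR = "451 4.7.1 Temporary error, please retry later"
ACCEPTED = "250 OK"
REJECTED = "550 Email rejected"


def email_key(mail_from: str, rcpt_to: str, data: bytes) -> str:
    """Identity of a submission: envelope addresses plus a hash of the content,
    so the retry is recognised by content alone, not by a server-side counter."""
    h = hashlib.sha256()
    for part in (mail_from.lower().encode(), rcpt_to.lower().encode(), data):
        h.update(part + b"\0")
    return h.hexdigest()


class DeferringSmtpServer:
    """Every first delivery attempt gets a temporary error; the message is stored
    and checked in the meantime. The retry receives the final verdict."""

    def __init__(self, is_spam, backup):
        self.is_spam = is_spam    # callable(data) -> bool, assumed spam check
        self.backup = backup      # callable(key, data), assumed backup hook
        self.pending = {}         # key -> stored message data
        self.verdict = {}         # key -> ACCEPTED or REJECTED

    def deliver(self, mail_from: str, rcpt_to: str, data: bytes) -> str:
        key = email_key(mail_from, rcpt_to, data)
        if key in self.verdict:
            return self.verdict[key]        # retry after the check finished
        self.pending.setdefault(key, data)  # first attempt: store, do not acknowledge
        return TEMP_ERROR                   # also for a retry that came too early

    def process_pending(self) -> None:
        """Work done between attempts: spam check, then backup of accepted mail."""
        for key, data in list(self.pending.items()):
            if self.is_spam(data):
                self.verdict[key] = REJECTED
            else:
                self.backup(key, data)      # acknowledge only once it is backed up
                self.verdict[key] = ACCEPTED
            del self.pending[key]


if __name__ == "__main__":
    srv = DeferringSmtpServer(lambda d: b"spam" in d.lower(), lambda k, d: None)
    print(srv.deliver("a@example.com", "b@example.org", b"hello"))   # 451 ...
    srv.process_pending()
    print(srv.deliver("a@example.com", "b@example.org", b"hello"))   # 250 OK
```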
Step 3: Planning
What do we need?
We need two databases at two physically different sites (for backup), two mail servers at two physically different sites (to ensure 24/7 availability), and a lot of software all around.
An email is stored on server A and has been answered with a "temporary error". When the sender retries delivering the email to server B (remember, A answered with a "temporary error"), the best case is that server B already knows the email and already knows whether to accept or to reject it. But if the sender is faster, server B too must save this email and return a "temporary error".
We need a data model that does not grant authority over a number range (or authority over the identity of two emails) to a single server. Both servers must be equally privileged in order to function stand-alone properly, and the identity of two emails must be evident by no more than their content.
The SMTP server is an independent piece of software, because it has to operate properly even if backup, spam check and POP3/IMAP servers fail. It has to be available day and night and, next to the database, has the highest quality standards.
Backup, spam check and POP3/IMAP server may be temporarily inactive. In particular, the numerous format errors of spam emails challenge the software in a way only few software developers can handle. It is good to be able to debug the spam check in the debugger while emails can still be accepted.
Emails are split up into core parts, which establish uniqueness, and fringe parts, which complete the email or its delivery. The database incorporates tables of rows, each having a free text field of unlimited length:
| Table | Content |
|---|---|
| body | the email content |
| capture | all SMTP data of a delivery attempt |
| config | configuration of the mail server and the mailboxes |
| header | an email header without the "Received:" lines |
| | a unique email |
| mailbox | a receiver mailbox |
| msgid | the (optional) message ID of the email |
| pop3 | a POP3 or SMTP mail account |
| rdns | reverse DNS lookup and other information about the sender IP address |
| receive | an email in a mailbox |
| received | the "Received:" lines of a header |
| text | various texts like user names, passwords, time controls, wireless phone numbers |
| throw-in | all data of a delivery attempt and a log of the response |
As a minimum requirement, the database is capable of executing transactions of the following types:
| Transaction | Behaviour |
|---|---|
| find-or-insert | find this content (and return the old row number), or insert this content (and return the new row number) |
| find | find this content (and return the row), or fail to find and return an error code |
| set, increment | find this content and change it (and return the row number), or fail to find and return an error code |
In addition, it has a time stamp mechanism to locate changed data records.
Step 4: Documentation
The documentation is created in the same directories that later hold the source code during software development. While documenting the project, more detailed questions pop up, for instance:
• Which database meets the requirements best?
• How can race conditions be avoided if two databases know different states of a mailbox?
• Which parts can run on which platforms?
• How can processes be debugged if the program flow depends on third-party data streams?
• How can processes be supervised?
• Which security precautions are necessary to prevent unauthorized database access (server, mailboxes)?
• How can mailboxes be configured by their owners?
• How can spam mails be sorted out and searched?
During the documentation phase, there are essential changes to the project:
• The database can be accessed over the internet. Thereby processes can temporarily be run and debugged at the developer's workstation.
• The database connections get a proprietary encryption.
• The time stamp mechanism of the database remains hidden. In return, the database actively synchronizes its contents into a backup.
• From the backup on the remote host, the server's own data is augmented continuously. Mails found to be identical in both databases are marked as "backed up".
• Table columns are disentangled: status columns have to be independent of each other.
• Status property values are arranged so that the rule "higher values are dominant, lower values are recessive" applies to all synchronizations.
• Instead of a user interface for configuration, the decision is made to configure the system through emails.
• The mail check process is equipped with command line parameters to manipulate the status of individual emails.
• An additional database utility is planned to list the status of the most recent emails and to export emails.
• In the end, an SMS notification function breaks the principle of equivalent servers. To prevent the servers from sending two SMS simultaneously, server B waits one minute before it sends an SMS. In the meantime, it should have learned from server A that the SMS has already been sent.
• The POP3 server failover is not automated: the mail IDs of the two servers are different, so after a failover the mail client might see undeleted emails twice.
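The content-based identity of Step 3 and the synchronization rule from the list above, as an added example in Python (not the project's own code): rows are keyed by a hash of the header without its "Received:" lines plus the body, and two tables converge by taking the higher value per status column. The column names and the 0/1 status values are assumptions.

```python
import hashlib

EMPTY_STATUS = {"checked": 0, "backed_up": 0}  # assumed independent status columns


def core_identity(raw_message: bytes) -> str:
    """Identity of an email from its content alone: the header without any
    'Received:' lines (including their folded continuations) plus the body."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    kept, skipping = [], False
    for line in head.split(b"\r\n"):
        if line[:1] not in (b" ", b"\t"):          # a new header field starts
            skipping = line.lower().startswith(b"received:")
        if not skipping:                           # keeps continuation lines too
            kept.append(line)
    return hashlib.sha256(b"\r\n".join(kept) + b"\r\n\r\n" + body).hexdigest()


class MailTable:
    """One server's mail table: rows keyed by content identity, never by a
    server-assigned number, so two equal servers can insert independently."""

    def __init__(self):
        self.rows = {}  # identity -> dict of independent status columns

    def find_or_insert(self, raw_message: bytes) -> str:
        """Return the key of the existing row, or insert a fresh one."""
        key = core_identity(raw_message)
        self.rows.setdefault(key, dict(EMPTY_STATUS))
        return key

    def set_status(self, key: str, column: str, value: int) -> None:
        """'set' transaction: a status never moves back to a lower value."""
        self.rows[key][column] = max(self.rows[key][column], value)

    def sync_from(self, peer: "MailTable") -> None:
        """Augment own data from the peer's. Per column the higher value is
        dominant, so the result is the same whatever the order or repetition,
        and a mail present in both databases is marked as backed up."""
        for key, remote in peer.rows.items():
            local = self.rows.setdefault(key, dict(EMPTY_STATUS))
            for column, value in remote.items():
                local[column] = max(local[column], value)
            local["backed_up"] = 1
```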
Step 5: Implementation and Test
All programs are designed to run under both Linux and Windows without change, as 32-bit as well as 64-bit code. As command line programs, all parts of the software can be registered either as a Windows service or as a Linux daemon.
The software is made compatible not by compiling different versions using macros (as usually done with Microsoft tools: #define TCHAR as char or wchar_t), but by using and extending existing libraries that adapt identical software to different operating systems. Windows Unicode functions with their UTF-16 encoding are adapted to the UTF-8 standard of the application.
For the SMTP server we started with extensive logging to have a maximum of information on the causes of potential crashes. These logs helped to improve a denial-of-service defence strategy and to avoid connection loss on a certain malformed email.
We temporarily redirected the TCP connection to the old mail server and recorded a log. We used the recorded data as test data.
Step 6: Customer Satisfaction
This time we are our own customers. Nevertheless, we are very satisfied with the result:
• Spam mails are rejected, so we do not have to search them. Within at most 1 hour (24 hours without a retry), we receive an accumulated summary of the spam mails rejected in the meantime.
• Other mail servers already had an SMS notification service, yet unfiltered, even for spam mails, even in the middle of the night. Now we can distinguish by hotline customers and by time of day.
• One version of Outlook does not understand the format of another version of Outlook. By changing the POP3/IMAP server software we can filter the responsible header line; we no longer have to ask for mails to be resent in another format.
• Our former spam filter provider filtered mails of our customers. To make sure no customer's email got lost, we were forced to disable the spam filter. Now we filter by ourselves; we do not catch every single spam, but no single appreciated mail is treated as spam by mistake.
• Transmit a duplicate of all emails to the smartphone? No problem, we can adjust the mail server.
• At times there were on average 300 spam mails a day, in some cases nearly 2,000 spam mails a day. So what?
• The servers are rented at a monthly rate of 10.- €; an additional backup is unnecessary. Both servers are used for other — likewise redundant — services, too.
If you would like to test the mail server, why don't you just send us a mail?