Running a SMTP email server (e.g., exim) in Gramine

[gabriel2029]

Hello everyone,



I wanted to run the SMTP email server exim (https://www.exim.org/) inside Gramine. However, there seem to be some problems:

• At first, exim is very precise about the current user that is running the binary (root user, non-root user), which seems to interfere with the concept of Gramine exposing root as the default user to the enclave; yes, you can specify the UID and GID, but I haven't found a working configuration (yet). Especially, exim is often calling itself via exim, but with another user to send an email (depending on which permissions are needed).
• Secondly, exim uses some system calls (e.g., getrlimit, setrlimit, or getgroups) which seem to fail consistently.



Here are some error messages that occurred:


• getrlimit(RLIMIT_NOFILE) failed: Bad address
• exim: getgroups() failed: Bad address
• failed to write to main log: length=65 result=-1 errno=9 (Bad file descriptor)
• Gramine also logs the following warning, but I cannot identify if this is a larger problem: [P1:T1:exim] warning: "struct msghdr" ancillary data is not supported

How could I fix those problems, at best in a very generic way by, e.g., adjusting the Gramine manifest, and not by changing a lot of the actual code?



Apart from that, if that is not likely to make exim make work easily within Gramine: does anyone has experience in which SMTP server might be easily adapted to be run in Gramine and has the support of TLS as well as password authentication?



Best regards,

Gabriel

(Disclaimer: I already posted this question into the Google forum (https://groups.google.com/g/gramine-users/c/2UUgGqZ054U), but reposted it here as it was recommended there for me.)

[boryspoplawski]

I've never used exim, but I guess the best starting point would be to use virtual users, not system ones. Seems there's is so-called real_local transport in default config, which you probably can't use in Gramine.

[gabriel2029]

At first, @boryspoplawski, thanks for your answer!

However, I could not follow your thoughts completely. What do you mean by virtual and system users, especially in the context of Gramine? Besides, what is the real_local protocol in your understanding and why can't it be used within Gramine?

Maybe I give it another try, what I think the problem of running exim in Gramine is and how it is affected especially with the user configuration:

• Exim usually needs two users, the root user and another defined in the configuration file.
• Normally we start exim via ./exim -bd with root permissions, and then exim automatically takes care of starting a daemon. Also, for the sending of a mail exim calls itself via the exec system call.
• However, you can also start exim directly without root permissions from user space with some modifications in the configuration (especially adjusting paths from global ones like /var/spool/exim/ to local ones like ~/exim/spool/) via ./exim -bdf. That is the approach I wanted to use here.

So, to make exim run as fluently as possible, we must somehow reproduce the user environment of a normal Linux installation inside Gramine. Normally, Gramine uses the root user. If we apply this, exim gets into a bunch of trouble, which we can partly accommodate by uncommenting some lines of code, but this is not very elegant and did not lead to a fully working environment yet. One interesting problem originates, that the root user does not write every output to the log files; instead, exim starts a new process with the second non-root user to accomplish this (more details here: https://github.com/Exim/exim/blob/master/src/src/log.c#L393). Especially, we aren’t allowed to configure the exim user as root, otherwise, the compilation fails.

We can also reconfigure the UID and GID to the currently active user. However, this didn't seem to work out properly when taking the UID and GID of the host system (practically speaking, printing those values when running exim directly and copying them into the Gramine manifest). Exim then claims that it doesn’t know this user on startup, more exactly: 2022-10-27 21:34:02 Failed to get user name for uid 25567

So the question is if there is a way to simulate the two users (root and the exim user) within Gramine. (And if that’s not possible: I’m also open to other SMTP mail server suggestions that support TLS and password authentification. ;))

[boryspoplawski]

What do you mean by virtual and system users, especially in the context of Gramine?

It's not in the context of Gramine, but exim, which I assume uses system users when delivering/sending emails, i.e. uses setresuid and similar syscalls to change the user. What you should do is not use this mechanism, but instead use some kind of "virtual users" emulated purely in exim (I'm sure it must support such feature). That would require configuring exim properly (and extensively, most likely). If you are not seasoned mail server configuring person i would recommend against it, it's no fun.

Besides, what is the real_local protocol in your understanding and why can't it be used within Gramine?

I'm not familiar with exim, so I might have gotten the name wrong, but from what I could see it was an exim router to handle local users, which you should not do in Gramine.

[gabriel2029]

Ok, thanks, I'll investigate this further.

[dimakuv]

Exim then claims that it doesn’t know this user on startup, more exactly: 2022-10-27 21:34:02 Failed to get user name for uid 25567

@gabriel2029 I would definitely follow the approach of non-root users. This particular message probably stems from the fact that you didn't specify some user-related files in the Gramine manifest, like /etc/passwd (which contains mappings from usernames to their UID/GID). The easiest way to check if it is indeed a root cause of this message is to enable Gramine logging via loader.log_level = "all", and observe what files Gramine tries to open and fails (with e.g, -2 = -ENOENT -- file doesn't exist).

If you'll find out that e.g. /etc/passwd is not found, then you need to do two things:

1. Add this file to fs.mounts, so that Gramine starts "seeing" this file. This is required for gramine-direct.
2. Add this file as sgx.trusted_files, so that Gramine uses it securely (by calculating its hash). This is in addition to the first step and is required for gramine-sgx.

Ideally, you probably don't want to pass-through your computer's /etc/passwd into Gramine. So you can create your own dummy file, and then expose it to Gramine as /etc/passwd. An example can be find in our Python example:

• gramine/CI-Examples/python/python.manifest.template

  Line 22 in ef46981

  { path = "/etc/hosts", uri = "file:helper-files/hosts" },

• gramine/CI-Examples/python/python.manifest.template

  Line 49 in ef46981

  "file:helper-files/",

• https://github.com/gramineproject/gramine/tree/master/CI-Examples/python/helper-files

[boryspoplawski]

I think it makes sense to implement (a subset of) getifaddrs system call.

There is no getifadrs syscall. netlink sockets are used to obtain interfaces information.

[gabriel2029]

First, huge thanks to all of you, I now managed to successfully send an email.

For the library problem I temporarily added some mounts in the manifest:

fs.mounts = [
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
  { path = "/usr{{ arch_libdir }}", uri = "file:/usr{{ arch_libdir }}" },
  # TODO: Only hacky workaround (for problematic library management in exim), find better solutions
  { path = "/usr/local/lib/libcrypt.so.1", uri = "file:/lib/x86_64-linux-gnu/libcrypt.so.1" },
  { path = "/usr/local/lib/libresolv.so.2", uri = "file:{{ gramine.runtimedir() }}/libresolv.so.2" },
  { path = "/usr/local/lib/libm.so.6", uri = "file:/lib/x86_64-linux-gnu/libm.so.6" },
  { path = "/usr/local/lib/libdb-5.3.so", uri = "file:/lib/x86_64-linux-gnu/libdb-5.3.so" },
  { path = "/usr/local/lib/libssl.so.1.1", uri = "file:/lib/x86_64-linux-gnu/libssl.so.1.1" },
  { path = "/usr/local/lib/libcrypto.so.1.1", uri = "file:/lib/x86_64-linux-gnu/libcrypto.so.1.1" },
  { path = "/usr/local/lib/libpcre2-8.so.0", uri = "file:/lib/x86_64-linux-gnu/libpcre2-8.so.0" },
  { path = "/usr/local/lib/libc.so.6", uri = "file:{{ gramine.runtimedir() }}/libc.so.6" },
  { path = "/usr/local/lib/libpthread.so.0", uri = "file:{{ gramine.runtimedir() }}/libpthread.so.0" },
  { path = "/usr/local/lib/libdl.so.2", uri = "file:{{ gramine.runtimedir() }}/libdl.so.2" },
  # End of hacky workaround
  { path = "/etc", uri = "file:/etc" },
[...]

Since this is a very dirty solution, I look at how to configure exim to set a different LD_LIBRARY_PATH or even ask the exim forum about that.

However, the email ended up in the spam folder. I think this is because the FQDN of the mail server is wrong inside Gramine, more exactly the hello message is (the localhost should be substituted with the actual hostname):

220 localhost ESMTP Exim 4.96-72-de5dac844-XX Mon, 31 Oct 2022 18:03:23 +0100

Do you have a rough idea why the hostname is localhost here? This has nothing to do with the getifaddrs function because the FQDN is there determined correctly even without these functions.

[boryspoplawski]

Gramine did not forward hostname from host at all until recently. You can try the newest master (you need to build it manually) and checkout the new manifest option sys.enable_extra_runtime_domain_names_conf

[gabriel2029]

Only as an update: In Exim, there is the option to configure which environment variables to keep via a configuration flag keep_environment. With this, I was able to resolve the problem with the LD_LIBRARY_PATH on the exec system call.

For the hostname, I'll test the new Gramine version soon.

[gabriel2029]

// Update: Gramine 1.3 fixed the problem with the hostname.

[woju]

Would you like to try Postfix instead? Postfix is split between many daemons and it will easy to run only some of them in gramine. local could be run outside. https://www.postfix.org/master.5.html

(I've never tried it though).

[gabriel2029]

Thanks, I'll have a look at postfix.

[gabriel2029]

Hi, apart from simply sending emails, I also wanted to receive E-Mails with Exim.

The rough concept is working, however, I encountered some issues:

• Exim uses the link system call for somehow realizing locks for files (https://github.com/Exim/exim/blob/master/src/src/transports/appendfile.c). However, this system call is not implemented. You can circumvent this problem by skipping locking temporarily (e.g., modifying the code). I am aware that a Gramine enclave normally should not interact too much with the file system, but isn't there also the idea to use it in the concept of encrypted files (next bullet point)?
• I also wanted to experiment with encrypted files. However, it is only important for me that they persist during the runtime of Gramine and can be "thrown away" after program termination. Is there a possibility in Gramine to realize volatile private space or should I simply stick to encrypted files? (Furthermore, how secure are encrypted files?)
• In the current setup, I use the Unix mailbox storage format, e.g., one file per user. However, it seems, that Exim overrides the file to the extent that the old letters are still present - the program overwrites the beginning and lefts the rest unchanged (so far my guess). Could it be that some flags for appending to files in the corresponding system calls aren't implemented in Gramine (cmp. https://github.com/Exim/exim/blob/master/src/src/transports/appendfile.c)?

Best regards,
Gabriel

[dimakuv]

Ok, this sounds great! Are the files in the tmpfs directory also still available for the child after a fork system call? And then: do the two processes share the same files or are they copied?

Unfortunately, multi-processing is complicated currently with tmpfs. You better not rely on the current Gramine behavior, but it's like this:

gramine/libos/src/fs/tmpfs/fs.c

Lines 8 to 10 in 72f6524

	* This file contains code for implementation of 'tmpfs' filesystem. The tmpfs files are *not*
	* cloned during fork/clone (except for files currently open) and cannot be synchronized between
	* processes.

.

So only if you have a tmpfs file already opened, then it will be copied to the child. After this, the parent and the child will have their own copies of this file (no synchronization!).

But this is currently an implementation detail. Ideally, we'll implement copying of even not-currently-opened files (but you can imagine that then we pollute enclave space with possibly-never-used-later files). And really ideally, we'll implement the synchronization of contents of tmpfs files, but this is close to "will never happen".

What I mean with the corrupted files: if I send two emails, one long (1 this is a long test, ...) and then a short (--- this is only a short test ---, ...) to Exim ...

To me, it's still unclear what Exim does internally: does Exim spawn a new process for each new email? If yes, then you have a multi-process environment that manipulates the same file, which is a mine field in Gramine... Unless the application (Exim) does very specific locking on this file so that all processes wait for each other and don't overwrite each other.

[gabriel2029]

To tempfs: My main goal is to store secret files (e.g., certificates) that are written once in the root process and then accessed by child processes. So, the child processes never write on these files. I have to investigate if the files that are needed are directly opened in Exim and if they can be accessed by the program.

To me, it's still unclear what Exim does internally: does Exim spawn a new process for each new email? If yes, then you have a multi-process environment that manipulates the same file, which is a mine field in Gramine... Unless the application (Exim) does very specific locking on this file so that all processes wait for each other and don't overwrite each other.

To my understanding, Exim uses the fork and then the exec system call to send the mail. I uncommented the code for the locking as Exim uses the link system call which is currently not implemented.
However, this problem also occurs if you send a mail -> restart the Exim Gramine server -> send another mail. Maybe I must have a greater look at the Exim source code and find out the problems.

[dimakuv]

To tempfs: My main goal is to store secret files (e.g., certificates) that are written once in the root process and then accessed by child processes. So, the child processes never write on these files. I have to investigate if the files that are needed are directly opened in Exim and if they can be accessed by the program.

I see. This is a good use-case. So the "copy-file-contents-to-child" would work fine in your case (i.e., you don't need any synchronization between parent and children). This could be definitely implemented in Gramine. I think it will be even not too hard to do it. However, we didn't allocate any resources on tasks like this. Maybe you'd be willing to submit a PR for Gramine? :)

However, this problem also occurs if you send a mail -> restart the Exim Gramine server -> send another mail. Maybe I must have a greater look at the Exim source code and find out the problems.

Something is wrong. This is surprising to me. Maybe you could create a small reproducer for this problem (even e.g. in Python, for easier prototyping)?

[boryspoplawski]

To tempfs: My main goal is to store secret files (e.g., certificates) that are written once in the root process and then accessed by child processes. So, the child processes never write on these files. I have to investigate if the files that are needed are directly opened in Exim and if they can be accessed by the program.

I see. This is a good use-case. So the "copy-file-contents-to-child" would work fine in your case (i.e., you don't need any synchronization between parent and children). This could be definitely implemented in Gramine. I think it will be even not too hard to do it. However, we didn't allocate any resources on tasks like this. Maybe you'd be willing to submit a PR for Gramine? :)

Why not simply use encrypted files?

[gabriel2029]

Why not simply use encrypted files?

I also thought about this, but in my opinion, tempfs is a little bit cleaner since the file doesn't have to be persistent (in the way I want to use this). However, when there are problems with tempfs, I'll probably stick with encrypted files as a first solution.

[gabriel2029]

Hi everyone,
I am back, but with Dovecot as an IMAP server.

At first, I had no major problems letting it run inside Gramine by following the Rootless Dovecot Wiki (cmp. https://wiki.dovecot.org/HowTo/Rootless). However, it seems to me that Unix sockets are not shared between multiple processes. To be exact I see in the log (here as an example with the Unix socket file /usr/local/var/run/dovecot/config, but there are also a lot of other files):

[P1:T1:dovecot] trace: ---- bind(42, {family=UNIX,path=/usr/local/var/run/dovecot/config}, 110) = 0x0
[P1:T1:dovecot] trace: ---- listen(42, 100000) = 0x0
[...]
[P1:T1:dovecot] trace: ---- fcntl(42, F_GETFL, 0) = 0x2
[P1:T1:dovecot] trace: ---- fcntl(42, F_SETFL, 0x802) = 0x0
[P1:T1:dovecot] trace: ---- fcntl(42, F_GETFD, 0) = 0x0
[P1:T1:dovecot] trace: ---- fcntl(42, F_SETFD, 0x1) = 0x0

Later, in other child processes:

[P2:T2:anvil] trace: ---- stat("/usr/local/var/run/dovecot/config", 0x1ce5a38c0) = -2
[...]
[P4:T4:imap-login] trace: ---- stat("/usr/local/var/run/dovecot/config", 0x1a116e7d0) = -2
[...]
[P5:T5:stats] trace: ---- stat("/usr/local/var/run/dovecot/config", 0x198e28840) = -2
[...]
[P4:T4:imap-login] trace: ---- stat("/usr/local/var/run/dovecot/config", 0x1a116e560) = -2

So my impression is that the Unix socket is opened successfully, but cannot be accessed by the child process. For the mounting of the path, I tried different options (e.g., normal file systems, tmpfs). I am aware, that Gramine should not communicate via Unix sockets to the outer world (cmp. #556), but in principle, Unix sockets should be possible in Gramine. Do I oversee something here?

If Unix sockets are indeed not feasible in the way I want to use them, what are possible workarounds, e.g., configurations I could search in Dovecot or using another IMAP server?

Apart from that, some system calls are unimplemented, however, they (currently) don't seem to do a large problem: rseq, prctl, capget, capset, symlink, link. I share them mainly with you as an information.

Best regards,
Gabriel

[boryspoplawski]

@gabriel2029 that would definitely be a good idea, to check whether this is the only issue

[gabriel2029]

Hello, after I while I had again a look at the project and I adapted a small test program to test the Unix sockets. However, this didn't work inside Gramine and the connection resulted in: server: accept: Bad address and error: Failed to initialize secure pipe: -6. (Direct execution on Linux works fine). The current Gramine version is 1.3.

Since I have currently no idea, where this error might originate, I share a larger fraction of the code and manifest file with you:

Code

/* Code cloned and adapted from: https://users.cs.cf.ac.uk/Dave.Marshall/C/node28.html */

void client(void);

int main(void) {
    char c;
    FILE *fp;
    int fromlen;
    register int i, s, ns, len;
    struct sockaddr_un saun, fsaun;

    if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
        perror("server: socket");
        exit(1);
    }

    saun.sun_family = AF_UNIX;
    strcpy(saun.sun_path, ADDRESS);

    unlink(ADDRESS);
    len = sizeof(saun.sun_family) + strlen(saun.sun_path);

    if (bind(s, (struct sockaddr *) &saun, len) < 0) {
        perror("server: bind");
        exit(1);
    }

    if (listen(s, 5) < 0) {
        perror("server: listen");
        exit(1);
    }

    int ret = fork();
    if (ret < 0) {
        perror("fork");
        exit(1);
    } else if (ret == 0) {
        close(s);
        client();
        exit(0);
    }

    if ((ns = accept(s, (struct sockaddr *) &fsaun, (socklen_t*) &fromlen)) < 0) {
        perror("server: accept");
        exit(1);
    }

    fp = fdopen(ns, "r");
    // [...]
    exit(0);
}

void client() {
    char c;
    FILE *fp;
    register int i, s, len;
    struct sockaddr_un saun;

    if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) {
        perror("client: socket");
        exit(1);
    }

    saun.sun_family = AF_UNIX;
    strcpy(saun.sun_path, ADDRESS);

    len = sizeof(saun.sun_family) + strlen(saun.sun_path);

    if (connect(s, (struct sockaddr *) &saun, len) < 0) {
        perror("client: connect");
        exit(1);
    }

    fp = fdopen(s, "r");
    // [...]
    exit(0);
}

Manifest file

loader.preload = "file:{{ gramine.libos }}" 

loader.entrypoint = "file:{{ gramine.libos }}"
libos.entrypoint = "unix-socket"
loader.env.RA_TLS_CLIENT_INSIDE_SGX = "1"
loader.pal_internal_mem_size = "512M"
loader.log_level = "debug"

# arguments.txt file is created by start script
loader.argv_src_file = "file:arguments.txt"

loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr{{ arch_libdir }}"

# Define user for unix-socket test program
loader.uid = 25567
loader.gid = 1201

fs.mounts = [
  { path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
  { path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
  { path = "/usr{{ arch_libdir }}", uri = "file:/usr{{ arch_libdir }}" },
  { path = "/etc", uri = "file:/etc" },
]

sgx.enclave_size = "8192M"
sys.stack.size = "1M"
sgx.remote_attestation = "epid"
sgx.debug = true

sgx.ra_client_spid = "{{ ra_client_spid }}"
sgx.ra_client_linkable = {{ 'true' if ra_client_linkable == '1' else 'false' }}


sgx.trusted_files = [
  "file:{{ gramine.libos }}",
  "file:unix-socket",
  "file:arguments.txt",
  "file:/lib/x86_64-linux-gnu/",
  "file:{{ gramine.runtimedir() }}/",
]

sgx.allowed_files = [
]

[boryspoplawski]

Your program is buggy and does not initialize int fromlen; The fact that it works without Gramine is mere accident

[gabriel2029]

Hey Borys, the missing initialization from fromlen was the problem, thank you! I did this test because the Unix socket in Dovecot is still not seeming to work and the stat system call I mentioned earlier is only used as a fallback. In detail, the connection to Unix sockets is done with a function net_connect_unix (see https://github.com/dovecot/core/blob/e46aff805b6eb582e8051506cf822aa10da8c20d/src/lib/net.c#L305), and as a fallback, the stat system call is used (e.g. in the function master_service_open_config, see https://github.com/dovecot/core/blob/3cb91e1c071666aa8dc3f4a1a07f41829bad0bbf/src/lib-master/master-service-settings.c#L297).

Therefore I wanted to confirm that the Unix sockets are indeed working (which they are). The problem must therefore be lying somewhere else ...

[gabriel2029]

// Update: I've now figured one problem out with the sockets: Dovecot created the socket for one service at /usr/local/var/run/dovecot/anvil and changed its working directory to /usr/local/var/run/dovecot/. After that, it tried to connect to the socket anvil (with a relative path). Normally, this would work because of the changed position, however, Gramine doesn't seem to be able to handle the mixing of relative and absolute paths. Setting up an absolute path for both sides solved the problem.

[gabriel2029]

Hi, the problems with the Unix sockets have to seem resolved now when changing to absolute paths. However, as I currently noticed, Dovecot shares file descriptors between processes via sendmsg with the SCM_RIGHTS option (cmp. https://github.com/dovecot/core/blob/main/src/lib/fdpass.c). Since sharing file descriptors between processes seems mandatory in Dovecot, if there is another way to accomplish this?

[dimakuv]

Unfortunately, Gramine doesn't implement this functionality yet... I tried to implement SCM_RIGHTS supports like 2 years ago, but Gramine was utterly unready for such a change (it worked, but it was one giant hack).

Hopefully this year (2023) we'll have the time/resources to implement SCM_RIGHTS, since there are already several workloads that require this feature.

@gabriel2029 Do you know what exact FDs your Dovecot workload sends between processes? Are these socket FDs?

[gabriel2029]

@gabriel2029 Do you know what exact FDs your Dovecot workload sends between processes? Are these socket FDs?

I think that these are socket FDs: there are multiple processes in Dovecot responsible for different tasks, e.g., one for the IMAP login and one other for the other communication. After login has finished, one process sends the file descriptors for communication to another process. As code example see here: https://github.com/dovecot/core/blob/main/src/imap-urlauth/imap-urlauth-client.c#L162 (definition of the client in https://github.com/dovecot/core/blob/main/src/imap-urlauth/imap-urlauth-client.h#L16)

I tried to implement SCM_RIGHTS supports like 2 years ago, but Gramine was utterly unready for such a change (it worked, but it was one giant hack).

Only for interest: do you still have some code fragments for this implementation (maybe I try to implement it myself as a workaround)?

[dimakuv]

@gabriel2029 Here you go: gramineproject/graphene#1511

Be aware, Gramine code was changed like 99% from those times...

[gabriel2029]

@dimakuv Thanks for your answer. But I think the shared FDs are TCP sockets, as the following test code

i_info("fd_send: handle: %d, file descriptor number: %d", handle, send_fd);

struct stat statbuf;
fstat(send_fd, &statbuf);
if (S_ISSOCK(statbuf.st_mode)) {
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    // TODO: try to get rid of warning regarding strict-aliasing rules
    if (getsockname(send_fd, (struct sockaddr *) &sin, &len) == -1) {
        i_error("getsockname failed: %m");
        return -1;
    }
    i_info("fd_send: address: %s, port number: %d\n", inet_ntoa(sin.sin_addr), ntohs(sin.sin_port));
} else {
    // Not a socket
    i_info("fd_send: not a socket");
}

outputs me:

Info: fd_send: handle: 19, file descriptor number: 18
Info: fd_send: address: 0.0.0.0, port number: 10143

10143 is my alternative non-root IMAP connection port. I guess realizing sharing TCP sockets would be more tricky.

[dimakuv]

@gabriel2029 Yep, not that simple. In general, we would anyway require proper SCM_RIGHTS support in Gramine, for all FD types (not some particular type like I experimented with in my old PR).