Qmail At 10 Years — Reflections On Security 304
os2man writes "Qmail is one of the most widely used MTAs on the Net and has a solid reputation for its level of security. In 'Some thoughts on security after ten years of qmail 1.0' (PDF), Daniel J. Bernstein, reviews the history and security-relevant architecture of qmail; articulates partitioning standards that qmail fails to meet; analyzes the engineering that has allowed qmail to survive this failure; and draws various conclusions regarding the future of secure programming. A good read for anyone involved in secure development."
license (Score:5, Informative)
Good article (Score:5, Informative)
The concepts Bernstein discusses regarding increasing security are very interesting, if not exactly obvious. Fix bugs immediately. Reduce LOCs to reduce the probability of bugs. And execute as much code as possible in untrusted mode. His discussion of running untrusted code in "prisons" is interesting, and I wonder what, if any, accomodation for this type of programming Windows has.
It was really nice to see software engineering presented here for once. Thanks kdawson... kdawson? No way!
Re: It works really well? was: license (Score:3, Informative)
Re:license (Score:5, Informative)
I'd heard that it was really good too. Then I noticed that if I wanted IPv6 support I'd have to patch and compile it myself. Thanks for playing, but there are more modern secure MTA's available.
"The bad thing is that the license is NOT FOSS."
Yep, and that's probably why qmail ends up lacking in some areas. Perhaps it could be called a security feature, but I prefer spending time learning applications that dont depend on some single person for having any future at all.
Comment removed (Score:3, Informative)
Re:pdf? (Score:1, Informative)
http://preview.tinyurl.com/33lvkr [tinyurl.com]
The patches make it still worthwhile (Score:3, Informative)
With postfix or sendmail, you've got to write all the provisioning-tools yourself, but qmail+vpopmail+qmailadmin delivers something out-of-the-box.
http://www.shupp.org/ [shupp.org]
http://mail-toaster.org/ [mail-toaster.org]
Re:Good article (Score:5, Informative)
(It's really unfortunate that you have to be root to chroot() to start with.)
Re:Qmail and the patchset of doom (Score:2, Informative)
I used it in an ISP environment but at a certain point it becomes impossible to manage. The qmail queue is like a tub of nitroglycerine - fine, but if you touch it, it explodes.
Qmails strength its its simplicity. It then achieves security because it is a simple program. For small mail installations it is fine, high performance, small footprint, etc. Each component part is easy to debug.
It becomes unwieldily when you need to do things which aren't simple, queue management, scaling to a godzillion users, policy based mail routing, multiple actions on a mail before its delivered, db lookups, intelligent filtering, etc. These things are either unavailable or a third party (after the fact) bolt-on.
If it's license wasn't so badly the suck, then it probably would be as current and featureful as any other MTA in wide use today. As a result of its silly license, the barrier to maintain and extend it is too high for most people and it's stuck in 1997.
-- incubus
One of the most widely used ??? (Score:4, Informative)
Sendmail, Postfix, Exchange... sure, they're up there in the high levels.
Anyhow, would love to see a site/page showing the breakdown of mail servers around the net.
Re:Is a sandbox a security solution? (Score:3, Informative)
Re:One of the most widely used ??? (Score:2, Informative)
http://www.securityspace.com/s_survey/data/man.200710/mxsurvey.html [securityspace.com]
And, at 0.17%, I'd say it wasn't as widely used as the poster wants us to think.
Re:Qmail and the patchset of doom (Score:3, Informative)
At my previous job we used to run qmail for our mailhosting boxes. I can tell you that we were really happy with qmail back then, with the right patches it can be a really flexible mailserver, and once you're used to how it works you'll be in SMTP bliss. However, when you need functionality that isn't provided by qmail, you're doing one (or some) of the following:
I can't really bring myself to bashing qmail over these things because it's served me well and I've hardly had any "unexpected" things happen to me, which is something I can't really say of other MTAs I've tried and I've never had any security problems (altough you might want to read this page [uni-dortmund.de]). There's a lot of information available on qmail [qmail.org], and you can check out this guide [lifewithqmail.org] (although this may now be quite dated). An indispensible tool is qmHandle [sourceforge.net] for inspecting and manipulating the qmail queue in case something did go wrong.
Finally, I have to admit that when I left that company my own mailhosting services are currently being run by postfix, simply because I don't have the time to build my own qmail packages whenever I need some feature. If you look at the postfix design, any qmail user will see similarities and the fact that you're not patching and rebuilding it whenever you need feature X sort of grows on you.
I know that if I were to start hosting a large mailserver, I'd have a hard time deciding between the two and I'd do a lot of testing before I made a choice.
Re:Good article (Score:3, Informative)
From man 2 chroot:
The
directory itself. Thus,
subtree rooted at the root directory.
How root gets out of a chroot is:
Of course DJB was suggesting that you drop root privs immediately after the chroot, so this is moot.
Re:One of the most widely used ??? (Score:2, Informative)
Server provided banner - 1,521,596 - 85.95%
Server banner identifies software in use - 921,048 - 52.03%
Qmail does not provide banner that allows to identify software. 0.17% is for Qmail toaster.
Re:I just love qmail (Score:2, Informative)
http://cr.yp.to/daemontools/svc.html [cr.yp.to]
svc -d
svc -u
svc -t
> 2. How do you configure software? Config files or adding and removing files from a magic directory?
http://www.qmail.org/qmail-manual-html/man5/qmail-control.html [qmail.org]
> 3. How do you kick the mail queue? Buggered if I can remember.
send ALRM to qmail-send process.
kill -s ALRM `pidof qmail-send`
Re:One of the most widely used ??? (Score:2, Informative)
to identify which Mail server it is.
Qmail does NOT identify itself and as a result it cannot be counted using this method
Also note that for only 52% of the queried MTA they were able to determine the
software used.
Re:license (Score:3, Informative)
Unpatched Qmail is a form of an open relay. A couple years after running it for the first time someone started bouncing email off it and eventually it got so bad that I had thousands of emails in my queue at any given moment. This has been the case for every customer I've run into that is using Qmail.
People need to stop referring to Qmail as "secure." It just isn't.
Re:The patches make it still worthwhile (Score:4, Informative)
Not even close to true. Postfix Admin [sourceforge.net] does everything vpopmail does and more. I used to run qmail+qmail for years several years before I switched over and I can tell you Postfix Admin does a better job.
Re:license (Score:5, Informative)
His licensing isn't poorly explained. But then again, you can't run 'man' so no wonder you couldn't Google for "djb licensing" and find http://cr.yp.to/distributors.html [cr.yp.to]
Your third allegation was true until the publication of this PDF which you obviously didn't read since it included a dedication of qmail to the public domain.
The binaries aren't "mixed in with the mail spool". Binaries are in
1 for 4. 25%. That's a failing grade in every school I know of.
Re:Qmail going public domain? (Score:5, Informative)
Re:Which is worth more... (Score:3, Informative)
Re:File system layout standards (Score:3, Informative)
Re:DJB is a cool guy! (Score:3, Informative)
And one heck of a decent guy [slashdot.org], too. Unless he's destroying your career for no real reason.
Re:license (Score:3, Informative)
There is only *one* reasonable advantage of Qmail, that the security engineering is one of the best I have seen (there is still room for improvement, for example a missing rcpthosts file should not turn a SMTP server into an open relay-- it is better to fail to safe conditions and reject everything).
The major disadvantages are:
1) I don't see any attempts by DJB to modernize the software. I would therefore suggest that the project has been orphaned.
2) Since it is not open source, nobody can pick it up, modernize it, and release a version with compliance of newer standards (i.e the ones which have come out in the last 10 years, meaning you are stuck with pop-before-smtp and the like
3) While the security engineering is good, the overall software engineering leaves a lot to be desired. In particular a lot of really braindead algorithms are used.
The article is an interesting one to read though.