Qmail At 10 Years — Reflections On Security
os2man writes "Qmail is one of the most widely used MTAs on the Net and has a solid reputation for its level of security. In 'Some thoughts on security after ten years of qmail 1.0' (PDF), Daniel J. Bernstein reviews the history and security-relevant architecture of qmail; articulates partitioning standards that qmail fails to meet; analyzes the engineering that has allowed qmail to survive this failure; and draws various conclusions regarding the future of secure programming. A good read for anyone involved in secure development."
license (Score:5, Informative)
Re: It works really well? was: license (Score:3, Informative)
Re:license (Score:5, Informative)
I'd heard that it was really good too. Then I noticed that if I wanted IPv6 support I'd have to patch and compile it myself. Thanks for playing, but there are more modern secure MTAs available.
"The bad thing is that the license is NOT FOSS."
Yep, and that's probably why qmail ends up lacking in some areas. Perhaps it could be called a security feature, but I prefer spending time learning applications that don't depend on some single person for having any future at all.
Re: (Score:3, Informative)
There is only *one* reasonable advantage of Qmail, that the security engineering is one of the best I have seen (there is still room for improvement, for example a missing rcpthosts file should not turn an SMTP server into an open relay; it is better to fail to safe conditions and reject everything).
The major disadvantages are:
1) I don't see any attempts by DJB to modernize the software. I would therefore suggest that the project has been orphane
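The fail-closed behaviour asked for in the post above, written out as an added Python example. This is not qmail's code: it keeps the rcpthosts file format qmail uses (one domain per line, a leading dot matching any subdomain, recipients without an @ always accepted as local) and the RELAYCLIENT override, but treats a missing or unreadable control file as "relay for nobody" instead of "relay for everybody". The reply texts and the `NOBODY`-style defaults are assumptions modelled on qmail's replies, not copied from its source.

```python
"""Added example, not qmail's code: an rcpthosts relay check that fails closed.

qmail-smtpd accepts every RCPT TO domain when control/rcpthosts is absent.
Here a missing or unreadable file means "relay for nobody" instead.
"""
from __future__ import annotations

import os
from pathlib import Path


def load_rcpthosts(control_dir: str | os.PathLike[str]) -> frozenset[str] | None:
    """Read control/rcpthosts. Returns None (not an empty set) when the file cannot
    be read, so the caller has to decide explicitly what a missing file means."""
    try:
        text = (Path(control_dir) / "rcpthosts").read_text(encoding="ascii", errors="replace")
    except OSError:
        return None
    return frozenset(
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.startswith("#")
    )


def domain_allowed(domain: str, rcpthosts: frozenset[str]) -> bool:
    """Exact match, or a '.example.test' entry matching any subdomain of example.test
    (but not example.test itself), the same wildcard rule qmail documents."""
    d = domain.lower().rstrip(".")
    if d in rcpthosts:
        return True
    labels = d.split(".")
    return any("." + ".".join(labels[i:]) in rcpthosts for i in range(1, len(labels)))


def rcpt_decision(recipient: str, rcpthosts: frozenset[str] | None,
                  relayclient: bool = False) -> tuple[int, str]:
    """Decide an SMTP RCPT TO. Returns (reply code, reply text).

    relayclient mirrors qmail's RELAYCLIENT environment variable: a client that
    was already authorised (for example by source IP) may relay anywhere.
    """
    if relayclient:
        return 250, "ok"
    if rcpthosts is None:
        # The fail-closed case: no policy file means no relaying at all,
        # rather than qmail's "no file means relay for everyone".
        return 553, "sorry, relaying is not configured on this server (#5.7.1)"
    if "@" not in recipient:
        return 250, "ok"          # no domain part: local delivery, never a relay
    domain = recipient.rsplit("@", 1)[1]
    if domain and domain_allowed(domain, rcpthosts):
        return 250, "ok"
    return 553, "sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as control:       # constructed control directory
        print("no rcpthosts:", rcpt_decision("victim@elsewhere.test", load_rcpthosts(control)))
        Path(control, "rcpthosts").write_text("example.test\n.example.test\n")
        hosts = load_rcpthosts(control)
        for rcpt in ("a@example.test", "b@mail.example.test", "c@elsewhere.test", "postmaster"):
            print(rcpt, rcpt_decision(rcpt, hosts))
```

The important line is the `None` return from `load_rcpthosts`: returning an empty set would also fail closed, but it would make "no file" and "empty file" indistinguishable in logs, and a later maintainer could easily "fix" the empty-set case into an accept.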
Re:license (Score:5, Interesting)
Yes, some of his refusal to compromise mean that qmail is still secure, but in terms of usability, it's a bitch unless you're willing to work with patches & diffs to add the functions you need.
Re: (Score:3, Interesting)
If the program is not functional, it doesn't matter how secure it is.
That said, qmail is actually still pretty useful. However, pride cometh before a fall. The author's arrogance is going to let him down one day.
Re:license (Score:5, Interesting)
I wonder how much of the world's spam traffic is a result of qmail sending bounces from a different socket connection and process, instead of sending the response back through the connection which the message arrived in.
But yeah it is very secure. Back when I first ran servers on the internet I bought a book on configuring sendmail. The ultimate conclusion in the book was to run qmail.
Re:license (Score:5, Interesting)
I agree that sendmail was horrid to configure. The m4 wrappers have made it better, and Postfix provides an easy to configure tool that actually allows you to rebundle it with the configurations you want. Dan Bernstein's precious ideas of no documentation, his own peculiar and poorly explained licensing, no publication of forks of his code, and mixing the binaries in with the mail spool itself for various reasons are so nasty that many of us working with open source won't touch his utilities.
Re: (Score:3, Insightful)
What you've described as an open relay really isn't: it's a "Joe Job", a forgery pretending to be from somewhere else, exactly what SPF was designed to block. Now, *throttling* suc
Re: (Score:2)
What you've described as an open relay really isn't: it's a "Joe Job", a forgery pretending to be from somewhere else, exactly what SPF was designed to block. Now, *throttling* such connections seems completely reasonable, but as someone who's run SMTP servers, I submit to you that discarding the messages silently is not.
How many SMTP servers could you have possibly run if you didn't know that it's possible for the server to refuse the email in the first place and let the SENDING mail server handle the
Re:license (Score:5, Informative)
His licensing isn't poorly explained. But then again, you can't run 'man' so no wonder you couldn't Google for "djb licensing" and find http://cr.yp.to/distributors.html [cr.yp.to]
Your third allegation was true until the publication of this PDF which you obviously didn't read since it included a dedication of qmail to the public domain.
The binaries aren't "mixed in with the mail spool". Binaries are in
1 for 4. 25%. That's a failing grade in every school I know of.
Re:license (Score:4, Insightful)
It is incredibly confusing when some stupid mail-provider along the way decides to snuff one copy. This means the mail doesn't appear where it should in my email-program. Each mail to the different mailing list creates a separate thread of responses WITHIN that mailing-list. That is TWO not ONE, but TWO different discussion threads, which should be represented with two entries in your email program.
Re: (Score:2)
Seriously, if the user has subscribed to multiple mailing lists and the same mail is sent to more than one of them he SHOULD get more than one copy.
Group alias != mailing list. If those multiple copies are the result of different Message-IDs, then you should get multiple copies. However, if your CEO sends out an internal announcement and copies five distribution groups that you're a member of then you'll get only one message since that's the equivalent of doing a "RCPT TO: <you@yourdomain.com>" five times.
Re: (Score:2)
If they're the exact same message just relayed to you twice, then it doesn't make sense to deliver two copies; you should get one -- and the problem you're describing regarding filing is a MUA one, not an MTA issue. (IMO, a good MUA would let you have the same message in two views/folders, and show it in multiple threaded discussions if it's referred to there.)
But anyway, aside from that, I agree that qmail sucks and I hate it for many reasons besides its handling
Sorry to say... (Score:2)
This MTA behaviour is, like it or not, the correct behaviour at the MTA level. Postfix (my secure MTA choice for the past 9 years, and [IMO] a far superior one to Qmail) behaves identically regarding duplicates, as does every other MTA I've looked at. I wouldn't be surprised if this was written up in an RFC on SMTP as the correc
Re: (Score:3, Interesting)
The good thing is that it is easy to work with and works really well.
Last time I had to reconstruct a particular email's flow through various MTAs including Qmail, it ended at the Qmail MTA, since the log files it uses offer little to system administrators to do proper troubleshooting.
That alone is one major reason to never ever consider it for production use.
Qmail going public domain? (Score:5, Interesting)
Actually, that might be changing in the immediate future. Check out the slides to go with this talk [cr.yp.to], in particular, page 10 where there's a timeline including:
Re:Qmail going public domain? (Score:4, Interesting)
Hard codes port numbers.
Uses non-descript variables.
Forces interpretations one way without allowing changing.
Hard codes directory structures.
Has to write a monitoring program to monitor his daemons and restart on failures instead of just spending more time making sure his daemons are solid to begin with. Here's a note: If you need a different tool to restart your process when it fails, perhaps you should consider looking into why the process failed in the first place?
Re: (Score:2)
It is an awful package to work with. If you want to do anything (like, say, IPv6 support) beyond the very, very basic things that were coded in qmail many years ago, you have to apply dubious third-party patches. Patches that are not coordinated, patches that conflict with each other, patches that introduce nasty bugs.
qmail configuration files are cryptic (though, to be fair, not nearly as bad as Sendmail's config files). You have t
Good article (Score:5, Informative)
The concepts Bernstein discusses regarding increasing security are very interesting, if not exactly obvious. Fix bugs immediately. Reduce LOCs to reduce the probability of bugs. And execute as much code as possible in untrusted mode. His discussion of running untrusted code in "prisons" is interesting, and I wonder what, if any, accommodation for this type of programming Windows has.
It was really nice to see software engineering presented here for once. Thanks kdawson... kdawson? No way!
Re: (Score:2)
Windows Vista introduced Protected Mode [msdn.com] for IE, which presumably does this sort of thing. I assume this sort of sandboxing can be applied to other processes too, but I've not looked into it.
I too agree. (Score:2)
While some of the things are "Duh!!", people don't think of them. Many of the metrics programmer skill is based on are LOC and bugs per LOC. This type of metric is counterproductive. Articles on the subject correctly reward low bug count more than LOC. But none of this takes into account the efficiency of the code, and therefore encourages slow code with no bugs, and lots of lines. He is right, I think some developers (in
Re:Good article (Score:5, Informative)
(It's really unfortunate that you have to be root to chroot() to start with.)
Re: (Score:2)
I'd untick it in a flash.
Re: (Score:2)
It's also really stupid in this day and age that you need to be root to bind to <1024. There's just NO need for that any more that I can see. Can we get a compile time kernel option? <*> Require root to bind to ports below 1024.
I'd untick it in a flash.
PS. Postfix is much more friendly.
Re: (Score:2)
You trust all your software to not try to bind to port 25 and steal your mail? Or to port 80 and deface your web site? If you trust all your software, why not just run everything as root in the first place?
Re: (Score:2)
If you chroot to
Re: (Score:3, Informative)
From man 2 chroot:
The
directory itself. Thus,
subtree rooted at the root directory.
How root gets out of a chroot is:
Re: (Score:2)
I'd use Qmail, except that the licence means that in order for Qmail to scale, it has to be patched about fifteen squillion times over ... all thanks to the restrictive licence.
Seeing that netqmail is distributed legally as a qmail distribution plus patches with a script which applies the patches, I wonder if I could get away with releasing a patched qmail as a repository in a DSCM tool like mercurial [selenic.com] since that just maintains the base version plus optional patches.
Re: (Score:2, Informative)
I used it in an ISP environment but at a certain point it becomes impossible to manage. The qmail queue is like a tub of nitroglycerine: fine, but if you touch it, it explodes.
Qmail's strength is its simplicity. It then achieves security because it is a simple program. For small mail installations it is fine: high performance, small footprint, etc. Each component part is easy to debug.
It becomes unwieldy when you need to do things which aren't simple, queue ma
Re: (Score:2, Funny)
I've encountered problems with users sending to multiple recipients in the same domain from a Yahoo! account, where Qmail sends the email not just once, but N times (where N is the number of users), resulting in N^2 emails being processed by the receiving server.
I conclude from this behaviour that Qmail is fundamentally broken, and am a firm believer in Postfix (all hail the mighty Big Blue!).
:P
Re: (Score:3, Informative)
At my previous job we used to run qmail for our mailhosting boxes. I can tell you that we were really happy with qmail back then, with the right patches it can be a really flexible mailserver, and once you're used to how it works you'll be in SMTP bliss. However, when you need functionality that isn't provided by qmail, you're doing one (or some) of the following:
Re: (Score:2)
RTFA: section 1.2 lists big users (source: qmail.org).
Security by not evolving (Score:5, Insightful)
I'd rather start with an up-to-date MTA than fight with something like qmail ever (EVER) again.
Just the fact that you have a fixed layout, fixed start tools that need to be there to actually start it, etc etc makes it so horrible, that I wouldn't touch it ever again with a 100 yard pole.
Re: (Score:2)
After taking a peek at qmail once, I ran the hell away from it. I've used courier-mta in the past and these days I use postfix and couldn't be happier.
Re: (Score:2)
One other thing was that DJB's quirks (even if he may be right about a lot of the things he believes in) mean you have to adopt his style of doing things to get things to work. It's the same with djbdns.
The paper is still a worthwhile read though, if you're a serious software engineer you should, like him, be looking back o
The patches make it still worthwhile (Score:3, Informative)
With postfix or sendmail, you've got to write all the provisioning-tools yourself, but qmail+vpopmail+qmailadmin delivers something out-of-the-box.
http://www.shupp.org/ [shupp.org]
http://mail-toaster.org/ [mail-toaster.org]
Re:The patches make it still worthwhile (Score:4, Informative)
Not even close to true. Postfix Admin [sourceforge.net] does everything vpopmail does and more. I used to run qmail+qmail for several years before I switched over and I can tell you Postfix Admin does a better job.
Re: (Score:2)
I only see a web-interface.
qmail and reiserfs (Score:2)
In the PDF at the end of section four he talks about making compromises in the design of the configuration files and the inadvisability of working around file system problems. I can't quote it because my PDF reader is doing strange things with selection, but it occurred to me that DJB has some approaches to software in common with Hans Reiser, and that maybe DJB is the right person to drive reiserfs development in the future.
Re: (Score:2)
Yes, I am. When I select text in the right column of text the entire left column gets selected.
One of the most widely used ??? (Score:4, Informative)
Sendmail, Postfix, Exchange... sure, they're up there in the high levels.
Anyhow, would love to see a site/page showing the breakdown of mail servers around the net.
Re: (Score:2, Informative)
http://www.securityspace.com/s_survey/data/man.200710/mxsurvey.html [securityspace.com]
And, at 0.17%, I'd say it wasn't as widely used as the poster wants us to think.
Re: (Score:2, Informative)
Server provided banner - 1,521,596 - 85.95%
Server banner identifies software in use - 921,048 - 52.03%
Qmail does not provide banner that allows to identify software. 0.17% is for Qmail toaster.
Re: (Score:2, Informative)
to identify which Mail server it is.
Qmail does NOT identify itself and as a result it cannot be counted using this method
Also note that for only 52% of the queried MTAs were they able to determine the software used.
Secure programming by DJB (Score:5, Insightful)
Implement only a subset of protocols, ignore the parts that you don't like, or might be insecure, or are too boring to implement. Bonus points if you ignore actual features depended on by the users. Double bonus if you manage to make it non-interoperable by nazi-strict implementation of the protocol, ignoring the rule
Then refuse to implement needed features, pointing to third parties and their patches, and offer a prize for successful hack of your software. And ignore the insecurity of the patches. They're third party, after all.
Robert
PS I was so glad when some mature alternatives to sendmail and qmail appeared...
Re: (Score:3, Interesting)
Not at all. DJB just carefully picks where to be ueberstrict, just to make fun of the others[1], and where to completely ignore useful function, just because he had a dream that it's bad[2].
Robert
[1] like rejecting SMTP transactions which use LF for line termination (RFC states it must be CR/LF), but most smtp servers of the time accepted either, while some "challenged" servers sent mail with LF only;
[2] qmail will never deliver mail to secondary MX; or tertiary et
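Footnote [1] above is about line termination, so here is the difference made concrete, as an added Python example that is not qmail's code: one line reader that can run in the strict mode qmail chose (only CRLF ends a line) and in the lenient mode the other servers of the time used (LF alone also ends a line), applied to the same constructed byte streams. The point worth seeing is not only that strict mode rejects bare-LF clients, but that a strict reader and a lenient reader can disagree about where a DATA section ends; two MTAs in a relay chain disagreeing about message boundaries is the kind of inconsistency a sender can abuse.

```python
"""Added example, not qmail's code: strict (CRLF only) versus lenient (LF also)
SMTP line reading, and what each reader thinks ends a DATA section.
"""
from __future__ import annotations

from typing import Iterator


class BareLF(ValueError):
    """Raised in strict mode when a line ends with LF or CR alone instead of CRLF."""


def iter_lines(buf: bytes, strict: bool = True) -> Iterator[tuple[bytes, int]]:
    """Yield (line_without_terminator, offset_just_past_terminator) per complete line.
    A trailing partial line (no terminator yet) is not yielded."""
    start = i = 0
    n = len(buf)
    while i < n:
        if buf[i] == 0x0D:                          # CR
            if i + 1 >= n:
                break                               # may be the first half of a CRLF still in flight
            if buf[i + 1] == 0x0A:                  # CRLF: a terminator in both modes
                yield buf[start:i], i + 2
                start = i = i + 2
                continue
            if strict:
                raise BareLF(f"bare CR at offset {i}")
            i += 1                                  # lenient: a lone CR is ordinary data
        elif buf[i] == 0x0A:                        # LF with no CR before it
            if strict:
                raise BareLF(f"bare LF at offset {i}")
            yield buf[start:i], i + 1               # lenient: LF alone ends the line
            start = i = i + 1
        else:
            i += 1


def split_smtp_lines(buf: bytes, strict: bool = True) -> tuple[list[bytes], bytes]:
    """Complete lines plus the unconsumed remainder, the way a server reading a
    socket buffer would keep it for the next read()."""
    lines: list[bytes] = []
    consumed = 0
    for line, end in iter_lines(buf, strict):
        lines.append(line)
        consumed = end
    return lines, buf[consumed:]


def is_crlf_compliant(buf: bytes) -> bool:
    """True if a strict (RFC) reader would accept every line terminator in buf."""
    try:
        for _ in iter_lines(buf, strict=True):
            pass
        return True
    except BareLF:
        return False


def end_of_data_offset(buf: bytes, strict: bool = True) -> int | None:
    """Offset just past the lone '.' line that ends DATA, as this reader sees it.
    None if no terminator is present; BareLF if strict and the stream is not CRLF."""
    for line, end in iter_lines(buf, strict):
        if line == b".":
            return end
    return None


if __name__ == "__main__":
    # Constructed stream: a message body whose terminator uses bare LF.
    stream = b"Subject: hi\r\n\r\nbody\n.\nMAIL FROM:<x@example.test>\r\n"
    print("lenient reader ends DATA at", end_of_data_offset(stream, strict=False))
    try:
        end_of_data_offset(stream, strict=True)
    except BareLF as e:
        print("strict reader rejects the stream:", e)
```

The constructed stream in the `__main__` block is the interesting case: a lenient hop treats the bare-LF `.` as the end of the message and reads `MAIL FROM:` as the next command, while a strict hop sees one long unfinished message. A relay that accepts the lenient view and then forwards with proper CRLF has silently changed where the message ends.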
I just love qmail (Score:5, Interesting)
1. How do you start / stop your MTA?
2. How do you configure software? Config files or adding and removing files from a magic directory?
3. How do you kick the mail queue? Buggered if I can remember.
Having a few years of experience looking after various 'nixes is nothing to being thrown at djb's stuff without warning. Add to this the attitude from the fanboys I've met [2] and I hate anything touched by djb. The other fun thing I can remember from some doc was djb's suggested solution to one problem was to change fork().
[1] mailq ran, but obviously freaked out.
[2] The worst examples of the stereotype, however, I've seen stuff posted online from some very nice people. My sample size was small but annoying.
Re: (Score:2)
Well, I hate it when someone starts daemontools from inittab.
I usually create a normal startupscript. The BSDs I use don't have inittab anyway.
The directory is called "service", in FreeBSD-land usually ln'ed to
FreeBSD also has a plugin-mechanism for mail-related commands. If setup correctly, "mailq" calls qmail-qstat.
Obviously, your guy forgot to d
Re: (Score:2, Informative)
http://cr.yp.to/daemontools/svc.html [cr.yp.to]
svc -d
svc -u
svc -t
> 2. How do you configure software? Config files or adding and removing files from a magic directory?
http://www.qmail.org/qmail-manual-html/man5/qmail-control.html [qmail.org]
> 3. How do you kick the mail queue? Buggered if I can remember.
send ALR
Re: (Score:2)
That said, most qmail installations don't need restarting for any reason for many moons, so unless you were fiddling with it, or it was improperly configured in the first place (both not a fault of daemontools or qmail itself), then it probably isn't even relevant.
security is paramount (Score:5, Insightful)
Too much software is written as if security concerns are on equal footing with features and performance. That should never be true. If your program deals with untrusted input and has access to sensitive information, then security must be the primary concern during the entire development process. Security is not something that you can "patch in" after the architecture is settled.
There can be no trade-offs when it comes to core internet services. If one mail server is 10x faster than another but also contains a remote execution exploit, it is not 10x better -- it is useless.
You can debate DJB's personal approach to security, but you cannot fault his priorities.
Re: (Score:2)
While his emphasis on security is commendable, the various problems with qmail (as others have pointed out) make it less or not at all usable. If the secure software isn't used, nobody wins. To put it differently, he places usability at such a low level that the security bonus of his software is outweighed. In the end, it does make his priorities appear questionable.
qmail is not suitable for use (Score:2, Insightful)
Qmail -- whatever its security merits, and it does have some -- is not suitable for use on the public Internet because it fails to comply with not only de jure standards (RFCs) but de facto standards (best practices). The author has refused to correct these defects -- which is certainly his prerogative as an author, but has as a byproduct serious operational impact on not only users of the package, but other mail server operators who communicate with those run by users of the package.
It's my professional
Of course it's secure (Score:2)
Look at how much extra stuff and TIME it takes to get a small qmail bas
Re: (Score:2)
Let's forget for a moment that Qmail (or sendmail/postfix) takes a long time to setup.
And let's remember that in the big-dog multi domain server world, a Windows server fails.
It takes me about a day (with testing and hardware verification) to get a traditional MTA up and running for multi domain use- complete with on the fly virus scanning and spam filtering (at zero sof
Re: (Score:2)
Er no! It certainly doesn't. Millions of companies use Windows mail servers with no problems or complaints. It's only linux fanboys that think that Windows keeps crashing. Usually that's because they don't actually use it themselves and don't really have a clue if it crashes often or not. Personally, I've never seen a blue screen of death in my entire life. I've never had to reboot a server because it's just crashe
Re: (Score:2)
And your nit-picky spelling issues aside.
1. I happen to admin 6 Windows Server 2003 boxes.
And....
2. I have gone a year where the *nix KERNEL didn't need an upgrade against the machine's application. Assuming the KERNEL update wasn't needed- no reboot. There's no reason to patch for local security issues on a mail server that only allows hardware terminal access (Aside from SMTP). Especially where uptime issues are considered. Additionally, I actually READ the pa
Re: (Score:2)
Well that's just silly. All you need is one remote exploit that gives a user access to a non-privileged shell, and you're boned. Local exploits are only local as long as there are no remote exploits...
Re: (Score:2)
---Er no! It certainly doesn't. Millions of companies use Windows mail servers with no problems or complaints. It's only linux fanboys that think that Windows keeps crashing. Usually that's because they don't actually use it themselves and don't really have a clue if it crashes often or not. Personally, I've never seen a blue screen of death in my entire life. I've never had to reboot a server because it's just cra
Postfix makes for a good read (Score:4, Interesting)
You would be wanting the Postfix source code, then. I've learned a tremendous amount about how secure, well designed software can be constructed. Wietse is a very smart guy, and his code is some of the tightest code I've seen. Go through it, and you'll be a better software developer for it.
I've never looked at the qmail code. It could be just as good, I don't know.
Extreme jail? (Score:2)
> sandbox" that doesn't let the program do anything other
> than read the JPEG le from standard input, write the
> bitmap to standard output, and allocate a limited amount of
> memory. Existing UNIX tools make this sandbox tolerably
> easy for root to create:
>
Hm... even if not allowing the program to reuse the filesystem and other programs in the system is tolerable, it doesn't s
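The quoted sandbox, built from the UNIX tools the passage alludes to, as an added Python example. This is not the paper's code or qmail's: it uses setrlimit, an empty chroot directory and a dedicated unprivileged uid (the `NOBODY` value is an assumption). It also makes the point raised earlier in the thread concrete: chroot() and setuid() need root, so when run unprivileged those two steps are skipped and only the resource limits apply. The two constructed filters at the bottom (an uppercasing filter and a 4 GiB allocation standing in for a decoder bug) run under this same interpreter.

```python
"""Added example (not the paper's code, not qmail's): the "stdin in, stdout out,
bounded memory" sandbox the quoted passage describes.

Some limits can only be applied at particular moments, so there are two entry points:
  run_with_limits()  parent side, applied between fork() and exec(): address-space
                     cap, no core dumps, no inherited descriptors and, root only,
                     chroot plus setuid.
  enter_sandbox()    child side, called by the filter itself once it has finished
                     loading and before it reads untrusted input. This is the only
                     place RLIMIT_NOFILE can be set to 0, because exec() itself
                     needs to open files.
"""
from __future__ import annotations

import os
import resource
import subprocess
import sys

NOBODY = 65534          # assumption: a uid/gid dedicated to this filter and nothing else


def _cap(limit: int, wanted: int) -> int:
    """Never ask for more than the current hard limit, or setrlimit() raises."""
    _, hard = resource.getrlimit(limit)
    return wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)


def _confine(mem_bytes: int, jail_dir: str | None, uid: int, gid: int, no_new_fds: bool) -> None:
    cap = _cap(resource.RLIMIT_AS, mem_bytes)
    resource.setrlimit(resource.RLIMIT_AS, (cap, cap))        # bound total address space
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))          # never write memory to disk
    if jail_dir is not None and os.geteuid() == 0:            # both calls below need root
        os.chdir(jail_dir)
        os.chroot(jail_dir)
        os.chdir("/")                                         # leave no cwd outside the jail
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)                                        # drop root last: without root
                                                              # there is no chroot() to escape with
    if no_new_fds:
        resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))    # fds 0/1/2 stay open; nothing new


def run_with_limits(argv: list[str], stdin_bytes: bytes, mem_bytes: int = 512 << 20,
                    jail_dir: str | None = None, uid: int = NOBODY, gid: int = NOBODY) -> tuple[int, bytes]:
    """Run argv as a filter: bytes in on stdin, bytes out on stdout. Returns (rc, stdout).
    With jail_dir set (root only) argv[0] must already be a static binary inside the
    jail, because exec() happens after chroot(). preexec_fn is not thread-safe."""
    proc = subprocess.run(
        argv, input=stdin_bytes, capture_output=True, close_fds=True,
        preexec_fn=lambda: _confine(mem_bytes, jail_dir, uid, gid, no_new_fds=False),
    )
    return proc.returncode, proc.stdout


def enter_sandbox(mem_bytes: int = 512 << 20, jail_dir: str | None = None,
                  uid: int = NOBODY, gid: int = NOBODY) -> None:
    """Called by the filter program itself, after loading, before reading input."""
    _confine(mem_bytes, jail_dir, uid, gid, no_new_fds=True)


# Two constructed filters, run under a 512 MiB cap with this same interpreter.
UPPER = "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read().upper())"
BOMB = "bytearray(4 << 30)"       # a decoder bug that asks for 4 GiB


def example_upper_filter(data: bytes) -> tuple[int, bytes]:
    return run_with_limits([sys.executable, "-c", UPPER], data)


def example_memory_bomb() -> int:
    rc, _ = run_with_limits([sys.executable, "-c", BOMB], b"")
    return rc                     # nonzero: the allocation failed inside the cap


if __name__ == "__main__":
    print(example_upper_filter(b"jpeg bytes"))
    print("memory bomb exit status:", example_memory_bomb())
```

Run as root with `jail_dir` pointing at an empty directory containing only the static filter binary, and the child ends up where the paper wants it: no filesystem, no new descriptors, a bounded heap, and a uid that owns nothing else it could signal or ptrace. Run as an ordinary user you get only the setrlimit half, which is exactly the "you have to be root to chroot()" complaint from earlier in the thread.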
Re: (Score:2)
It really gets "nasty" for the hackers.
Huh (Score:2)
Everyone is posting "djb sucks" and such? What a bunch of useless pricks we can be.
DJB - thanks for qmail. It's odd but pretty cool and has never fucked up my system. And I found the paper pretty interesting.
Cheers.
Re:File system layout standards (Score:5, Funny)
Count yourself lucky that it doesn't all go under /djb
Re: (Score:2)
That would be too obvious and useful.
Re: (Score:2)
Caller: my house is on fire!
DJB: your sprinkler system is configured wrong *click*
Re: (Score:2)
Way to take a single line out of context. You should point out that the chroot is one step out of five or six or so.
Re: (Score:3, Informative)
And one heck of a decent guy [slashdot.org], too. Unless he's destroying your career for no real reason.