> On Thu, Jan 25, 2001 at 12:40:47PM -0500, Patrick Bihan-Faou wrote:
> > Well I guess that this one is definitely eligible for the
> > "qmail security
> > challenge".
> > http://web.infoave.net/~dsill/qmail-challenge.html
> > If you don't count that as a bug in qmail, then I don't know what is a
> > bug...
>
> You quote it, but have you also read the document?
> Especially the "Rules" section, part 1. (and also 8.1)
>


Well, failure to recognize that 0.0.0.0 is yourself is not quite a DNS-related
exploit. It is a bug.


<sarcasm>

I like these rules that say "yeah we are setting up a challenge, but there
is no way that you could ever win it"...

If you ask me, qmail is far from bug free... The first security issue with
this product is itself: the code is completely obfuscated (I know, I know,
style is a matter of taste), there are 0 lines of comments in the code (hey,
isn't the fact that the qmail code is "small" one of its selling points? Remove
the comments and you reduce the code size...)

Read Bruce Schneier's comment on these types of contests in his latest
book...

</sarcasm>


This 0.0.0.0 problem can easily be deflected by saying "some stupid people
mis-configure DNS to cause you problems (clause 8)", but the facts are:
- other MTAs handle this properly (not qmail)
- this sort of "attack" is in use and is causing problems for sites that
selected qmail as their MTA

So saying "it does not fit our challenge because you need to use DNS to
perform the attack" is like saying "well qmail is perfectly safe if you
don't use it in the real world"... Good PR move guys, and a cheap one too!

Well, my answer to this is "don't use qmail".



Patrick.

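The check the post says other MTAs perform, as an added example that is not part of the thread or of qmail: before connecting to an MX target, an MTA treats 0.0.0.0, loopback and its own interface addresses as "myself", uses only MX entries better than itself, and reports a loop instead of connecting to itself. `FAKE_DNS`, the `local_addrs` list and the sample hostnames are constructed stand-ins for real resolution.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed stand-in for DNS: MX hostname -> A records (not real DNS).
FAKE_DNS = {
    "mx1.example.org": ["192.0.2.25"],
    "mx-broken.example.org": ["0.0.0.0"],      # the mis-configured record
    "mx-loop.example.org": ["127.0.0.1"],
    "mx-self.example.org": ["198.51.100.10"],  # happens to be our own address
}


def is_local_address(addr: str, local_addrs: Iterable[str]) -> bool:
    """True if addr denotes this host: the unspecified address (0.0.0.0 / ::),
    a loopback address, or one of the addresses bound on our interfaces."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified or ip.is_loopback:
        return True
    return ip in {ipaddress.ip_address(a) for a in local_addrs}


def plan_delivery(
    mx_hosts: List[str],
    local_addrs: Iterable[str],
    resolve: Callable[[str], Optional[List[str]]] = FAKE_DNS.get,
) -> Tuple[str, object]:
    """mx_hosts is the MX list in preference order (best first).
    Returns ("relay", [(host, addrs), ...]) when there are usable remote MX
    entries, ("loops-back", host) when the best usable MX is this host,
    or ("undeliverable", None) when nothing resolves."""
    targets: List[Tuple[str, List[str]]] = []
    for host in mx_hosts:
        addrs = resolve(host) or []
        if not addrs:
            continue  # unresolvable MX entry: skip it
        if any(is_local_address(a, local_addrs) for a in addrs):
            # This MX is us. Only entries better than ourselves may be used;
            # if there are none, delivering would just connect back to us.
            return ("relay", targets) if targets else ("loops-back", host)
        targets.append((host, addrs))
    return ("relay", targets) if targets else ("undeliverable", None)
```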