S'ok, it's no quibble - it's worth discussing the docs a little since it's
what the docs allegedly fail to do, that some of the arguments hinge on.
I disagree with the idea that a reasonable read of the docs would lead you to
install Qmail under inetd. I believe that a reasonable read of the docs would
lead you to install it under tcpserver.
Right after the instruction to run 'make setup check', the INSTALL file says
'Read INSTALL.ctl and FAQ'. Heading 5 in FAQ (which is visible on the first
page unless you're running a very small window) says 'Setting up servers'. If
you jump to heading 5 by doing say '/ Setting' in vi you get taken straight to
a section which begins by saying:
'5.1. How do I run qmail-smtpd under tcpserver? inetd is barfing at high
loads, cutting off service for ten-minute stretches. I'd also like
better connection logging.
Answer: First, install the tcpserver program, part of the ucspi-tcp
package (http://pobox.com/~djb/ucspi-tcp.html). Second, remove the smtp
line from /etc/inetd.conf, and put the line
tcpserver -u 7770 -g 2108 0 smtp /var/qmail/bin/qmail-smtpd &
into your system startup files.'
This is before you come to the part of the INSTALL file that instructs how to
run it from inetd - which, incidentally, is only shown under the heading 'To
upgrade from sendmail to qmail:'
So to sum up, I really don't agree that anyone who thinks the INSTALL file is
telling them to use inetd has done a reasonable read. They've actually only
done a skim - and that's only the people actually upgrading from sendmail.
People installing fresh have no reason whatsoever to even make the mistake of
using inetd even if they skimmed.
That's all well and good though, until your comment about tcpserver not
preventing this DOS. If this is true then I have to withdraw.
I run qmail under tcpserver on variety of slackware 7.1 installs and and a
couple of slackware 4.0 installs, and none of these are affected by this DOS.
There may be some limit in place on slackware 4.0/7.1 that I don't know
about - but I haven't put any in myself. I've also seen other services spiral
up the loadavg at an alarming rate under certain conditions until the box
practically grinds to a halt, so this limit must be very selective if it
exists :)
jason
----- Original Message -----
From: "Ian Lance Taylor" <[EMAIL PROTECTED]>
To: "Jason Brooke" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, March 02, 2001 6:01 PM
Subject: Re: qmail 2.0 exploit
> I would say that that is a mere quibble, except that it isn't even
> that. It isn't tcpserver which prevents qmail-smtpd from growing
> without bound; it is softlimit. softlimit isn't mentioned in the
> INSTALL file or the FAQ which is distributed with qmail 1.03. The
> daemontools are mentioned, but not in the context of resource limits.
>
> Obviously there isn't anything wrong with qmail. And obviously these
> bug reports are highly misleading in implying that there is a bug
> which needs to be fixed in qmail. But I do think that the bug reports
> have a point: if you install qmail-1.03 according to a reasonable
> reading of the instructions which come with the tar file, your system
> may be vulnerable to a theoretical denial of service attack. The fact
> that other people tell you to install qmail in a different way is
> interesting, but does not change the fact that qmail-1.03 comes with
> installation instructions which at least some people will naturally
> follow. I certainly did in my first qmail installation.
>
> Dan could fix this by releasing qmail-1.03.1 with different
> installation instructions. Of course, if he did, some people would
> take that to be an admission that there actually is a security hole in
> qmail-1.03.
>
> Ian
>
