Re: Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Russell Nelson

Boris writes:
 > If you find 100 bugs in sendmail, they are fixed after
 > reporting them. The game is over, the problem is solved. The admin
 > updates, and that's all.

Actually, the admin doesn't update.  Or rather, some do, and some
don't.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | Microsoft rivets everything.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws.
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX  | You own a screwdriver.



Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Adrian Ho

On Sat, 2 Jun 2001, Boris wrote:

> There should be one file to download and the makefile should do nearly
> everything necessary. I should not spend days to understand the
> different modules as a newbie, it takes too much time.

I would argue that you /should/ take the time.  Qmail's power lies in its
amazing flexibility and configurability, but the downside is that it's
easy to get things not quite the way you wanted it.

As a wise man once said (or words to that effect), "If you can't find the
time to do it right, how will you find the time to do it over?"  IMO, this
applies to qmail in spades (and most of DJB's software in general).

If you're in a hurry, the mail-related stuff bundled with your favorite
distro (hopefully at least postfix-quality) is probably a better choice.
That'll at least get you up and running till you can find the time to
Understand And Do The Right Thing, or until a security compromise or
broken setup forces you to make time.  8-)

-- 
Adrian Ho   [EMAIL PROTECTED]




Re: Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Johan Almqvist

* Boris <[EMAIL PROTECTED]> [010602 16:28]:
> LM> If you bought (OK, got for free) a car, and it exploded, leaving you
> LM> burned, then you waited a week to get a new car mailed to you, then you
> The car is not exploding, someone comes and looks at your car. He is
> searching and searching and searching until he finds a silly bug like
> "the fuel meter shows something wrong, this could be a security risk"
> but in fact the man is driving the car for years without a problem. Some
> month he updates the car (new version) and that's all.

Not quite. More like "someone inspects your free car and finds a button
that can make it explode. Maybe he pushes the button, maybe not. Maybe he
pushes the button on someone else's car". Are you willing to take that
risk? I can imagine two situations where that would be the case: either
you do something that is so unimportant for the rest of the world that
noone bothers destroying your work, or you do something that is so good
for everyone that noone will want to destroy your work, not even out of
envy. Come on, not even the UN are _that_ good :-)

-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/



Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:


LM> If you bought (OK, got for free) a car, and it exploded, leaving you
LM> burned, then you waited a week to get a new car mailed to you, then you

The car is not exploding, someone comes and looks at your car. He is
searching and searching and searching until he finds a silly bug like
"the fuel meter shows something wrong, this could be a security risk"
but in fact the man is driving the car for years without a problem. Some
month he updates the car (new version) and that's all.


--
Boris





Re: Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Daniel Kelley


> Why no one makes a package with "all you need" to download and
> install, here is a suggestion:
> 
> - qmail
> - the tcpserver
> - something good for pop before smtp
> - vpopmail
> - good tools for blocking spam, blocking mails from open relays, and
> so on
> - and other additions from other people i do not know
> 
> There should be one file to download and the makefile should do nearly
> everything necessary. I should not spend days to understand the
> different modules as a newbie, it takes too much time.

The author of qmail has specific rules for how qmail packages can be
distributed.

See http://cr.yp.to/qmail/dist.html

Basically, you can distribute so-called "var-qmail" packages, but anything
else seems to require Dan Bernstein's approval.




Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

>> I like sendmail, it's slow - yes, but it is powerful and these silly
>> bugs are fixed fast. It's just some C code, everyone knows this.

LM> Yeah, it is only a few hundred thousand lines of code, and you should have
LM> looked through it for bugs or exploits before you compiled it, right?  It

Well, this is a strange argument, sorry.

There is no product without any errors, maybe a "hello world" program.
If you write it in C++, it's a design problem whether you use a try..catch..
within the main clause or not, for example.

There are a lot of security bugs everywhere in a lot of programs, most of them are
non-critical to critical, and some fanatic people are screaming about some really
silly problems.

Software engineering is a living process. Bugs are normal, they are
reported and then fixed. That's all, there are some more important
things in life than "I am the master, I have found a (silly) bug".

The people are screaming if they found a bug, they are the masters,
but it's just a bug, and after the bug is fixed, the problem is over.

If you find 100 bugs in sendmail, they are fixed after
reporting them. The game is over, the problem is solved. The admin
updates, and that's all. The day continues.

Bugs are +just bugs+ and they are fixed after reporting them.


--
Boris





Re[2]: Oops, I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello Russell,

Saturday, June 02, 2001, 5:38:43 AM, you wrote:

RN> Boris writes:
RN>  > I really can't hear the "qmail is the most secure bla bla" anymore,
RN>  > really.

RN> Why?  It's true.

Yes it is true, and qmail is great, but it would be better to make a
better documentation for qmail, and to offer "bundles" with a single
makefile.

My English is not very good, sorry.

I mean qmail has better arguments than security only.

Why does no one make a package with "all you need" to download and
install? Here is a suggestion:

- qmail
- the tcpserver
- something good for pop before smtp
- vpopmail
- good tools for blocking spam, blocking mails from open relays, and
so on
- and other additions from other people i do not know

There should be one file to download and the makefile should do nearly
everything necessary. I should not spend days to understand the
different modules as a newbie, it takes too much time.

RN>  > At the moment I am evaluating qmail, and there
RN>  > are some things I am missing from sendmail.

RN> Like what?

See above, a better installation, better documentation. I have written
in my Linux/Unix book a chapter about the installation and
configuration of qmail in a production environment, covering all
necessary topics (German language) but it's too much for the stressed administrator.

Strange argument, I know. I am a user only in this case.

Putting a lot of snippets together for one package is not a bad idea
and would give a boost to qmail (I think).


--
Boris