Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...
Boris writes:
> If you will find 100 bugs in sendmail they are fixed then after
> reporting them. The game is over, the problem is solved. The admin
> updates, and that's all.

Actually, the admin doesn't update. Or rather, some do, and some don't.

--
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | Microsoft rivets everything.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws.
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | You own a screwdriver.
Re[2]: Oops,I guess Sendmail wasn't secure after all...
On Sat, 2 Jun 2001, Boris wrote:
> There should be one file to download and the makefile should do nearly
> everything necessary. I should not spend days to understand the
> different modules as a newbie, it takes too much time.

I would argue that you /should/ take the time. Qmail's power lies in its amazing flexibility and configurability, but the downside is that it's easy to get things not quite the way you wanted it.

As a wise man once said (or words to that effect), "If you can't find the time to do it right, how will you find the time to do it over?" IMO, this applies to qmail in spades (and most of DJB's software in general).

If you're in a hurry, the mail-related stuff bundled with your favorite distro (hopefully at least postfix-quality) is probably a better choice. That'll at least get you up and running till you can find the time to Understand And Do The Right Thing, or until a security compromise or broken setup forces you to make time. 8-)

--
Adrian Ho [EMAIL PROTECTED]
Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...
* Boris <[EMAIL PROTECTED]> [010602 16:28]:
> LM> If you bought (OK, got for free) a car, and it exploded, leaving you
> LM> burned, then you waited a week to get a new car mailed to you, then you
> The car is not exploding, someone comes and looks at your car. He is
> searching and searching and searching until he finds a silly bug like
> "the fuel meter shows something wrong, this could be a security risk"
> but in fact the man is driving the car years without a problem. Some
> month he updates the car (new version) and that's all.

Not quite. More like "someone inspects your free car and finds a button that can make it explode. Maybe he pushes the button, maybe not. Maybe he pushes the button on someone else's car".

Are you willing to take that risk? I can imagine two situations where that would be the case: either you do something that is so unimportant for the rest of the world that no one bothers destroying your work, or you do something that is so good for everyone that no one will want to destroy your work, not even out of envy.

Come on, not even the UN are _that_ good :-)

-Johan
--
Johan Almqvist
http://www.almqvist.net/johan/qmail/
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

LM> If you bought (OK, got for free) a car, and it exploded, leaving you
LM> burned, then you waited a week to get a new car mailed to you, then you

The car is not exploding, someone comes and looks at your car. He is searching and searching and searching until he finds a silly bug like "the fuel meter shows something wrong, this could be a security risk" but in fact the man is driving the car years without a problem. Some month he updates the car (new version) and that's all.

--
Boris
Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...
> Why no one makes a package with "all you need" to download and
> install, here is a suggestion:
>
> - qmail
> - the tcpserver
> - something good for pop before smtp
> - vpopmail
> - good tools for blocking spam, blocking mails from open relays, and
>   so on
> - and other additions from other people i do not know
>
> There should be one file to download and the makefile should do nearly
> everything necessary. I should not spend days to understand the
> different modules as a newbie, it takes too much time.

the author of qmail has specific rules for how qmail packages can be distributed. see http://cr.yp.to/qmail/dist.html

basically, you can distribute so-called "var-qmail" packages, but anything else seems to require Dan Bernstein's approval.
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

>> I like sendmail, it's slow - yes, but it is powerful and these silly
>> bugs are fixed fast. It's just some C-Code, everyone knows this.

LM> Yeah, it is only a few hundred thousand lines of code, and you should have
LM> looked through it for bugs or exploits before you compiled it, right? It

Well, this is a strange argument, sorry. There is no product without any errors, maybe a "hello world" program. If you write it in c++, it's a design problem if you use a try..catch.. within the main clause or not, for example.

There are a lot of security bugs everywhere in a lot of programs, the most of them are non-critical to critical, and some fanatic people are screaming about some really silly problems.

Software engineering is a living process. Bugs are normal, they are reported and then fixed. That's all, there are some more important things in life as "i am the master i have found a (silly) bug". The peoples are screaming if they found a bug, they are the masters, but it's just a bug, and after the bug is fixed, the problem is over.

If you will find 100 bugs in sendmail they are fixed then after reporting them. The game is over, the problem is solved. The admin updates, and that's all. The day continues. Bugs are +just bugs+ and they are fixed after reporting them.

--
Boris
Re[2]: Oops,I guess Sendmail wasn't secure after all...
Hello Russell,

Saturday, June 02, 2001, 5:38:43 AM, you wrote:

RN> Boris writes:
RN> > I really can't hear the "qmail is the most secure bla bla" anymore,
RN> > really.
RN> Why? It's true.

Yes it is true, and qmail is great, but it would be better to make a better documentation for qmail, and to offer "bundles" with a single makefile. My English is not very good, sorry. I mean qmail has better arguments as security only.

Why no one makes a package with "all you need" to download and install, here is a suggestion:

- qmail
- the tcpserver
- something good for pop before smtp
- vpopmail
- good tools for blocking spam, blocking mails from open relays, and so on
- and other additions from other people i do not know

There should be one file to download and the makefile should do nearly everything necessary. I should not spend days to understand the different modules as a newbie, it takes too much time.

RN> > At the moment I am evaluating qmail, and there
RN> > are some things I am missing from sendmail.
RN> Like what?

See above, a better installation, better documentation. I have written in my linux/unix book a chapter about the installation and configuration of qmail in a production environment, covering all necessary topics (German language) but it's too much for the stressed administrator. Strange argument, I know. I am a user only in this case.

Putting a lot of snippets together for one package is not a bad idea and would give a boost to qmail (I think).

--
Boris