On Sat, Apr 19, 2003 at 04:59:50PM -0500, David Phillips wrote:
> Matthew S. Hallacy writes:
> > You realize that most of these are not security related, and only a
> > few are remove root exploits. Considering it's from 1993 and forward..
> 
> Perhaps I counted incorrectly?  A hole means an attacker can gain access to
> a non-root account or group.  A root hole means an attacker can gain access
> to root:
> 
> Local holes: 5
> Local root holes: 3
> Remote holes: 2
> Remote root holes: 2
> 

Under certain configurations, since 1993 to whenever that page was last
updated.


> That's a blatant lie.  qmail has never had any security holes.  Of course,
> if you weren't just making things up, you'd know that.

http://www.securityfocus.com/bid/2237/exploit/

the smtp auth "module" (admittedly, not distributed with qmail): 
  http://www.securityfocus.com/bid/1809/solution/


> It wasn't like that when Dan wrote qmail.  Though, apparently, the
> "redesign" hasn't stopped root security holes.

Software that aspires to support the real world is forced to implement
new features. This is why various package maintainers backport bugfixes.

> 
> > your only real point is that sendmail has had more *bugs* than qmail.
> 
> Yes, that is my point.  Sendmail has more bugs and is not secure.  We should
> not encourage people to run insecure software.


Just because software has had bugs doesn't make it insecure. The Linux kernel
has had many exploits (just lately, another ptrace bug, which still has no
'official' patches); this list is here for the sole purpose of promoting, and
helping people with, Linux.

And I'm sorry, but:

X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Are you not encouraging people to run "insecure software"?


> 
> > I would expect this for a daemon that has been around for a hell
> > of a lot longer than qmail, and is used by a lot more people.
> 
> That statement is not logical.  I would expect an older program to have
> fewer bugs, not more.  The number of users does not affect the number of
> bugs.  It may affect the number of users finding bugs, but that is not
> relevant to the number of bugs in the program.

I expect _any_ program that has been around for such a long time, is widely used,
and is expected to support "new things" to not only have bugs, but for people to
find them. qmail has vulnerabilities; they haven't been (publicly) found yet.

There is no perfect software.

> --
> David Phillips <david at acz.org>
> http://david.acz.org/

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list