On Sat, Apr 19, 2003 at 07:00:41PM -0500, David Phillips wrote:

> That's not a bug.  qmail-smtpd is designed to run with rlimits.  That's why
> they exist in the first place.  See this page for more details:
> 
> http://cr.yp.to/qmail/venema.html
> 

This is what djb always says when someone finds a bug, "that's not a bug!".

So the repeated mantra of qmail is good, qmail is godly, qmail does no wrong,
qmail does not lose my messages would be violated when it can't allocate
enough resources to deliver the message due to rlimits, wonderful.

All I have to do to shut down your SMTP server is push it to its resource
limits, and keep it there.

> How is that even remotely relevant?  That is a third party patch to qmail.
> That patch has a security hole, not qmail.

I can write a nice little Perl script to accept connections on port 25, and
call it a mail daemon. Unfortunately you would be required to use other modules
to get anything done in the real world.

But hey, it's 100% secure and bug free.

> With that logic, I could write buggy patches to any software and you would
> claim the software itself was insecure.

If it's required to make the software usable in the needed configuration, yes.

> No, but software that has security holes is insecure.

Can you point out any current bugs or security holes in sendmail? No?
Then it must be 100% secure, just like qmail.

> > Are you not encouraging people to run "insecure software"?
> 
> My choice of email client has nothing to do with discussing MTAs.  But
> apparently you lack the ability to understand that.  I find it amusing that
> you can't find fault with what I am saying, so you have to find other,
> non-related things to attack me with.

I was responding to your 'we should not encourage insecure software' 
comment. I'm attempting to push you into proving your claim that qmail
is 100% secure is correct. Unfortunately you *can not prove* that 
software is 100% secure and bug free, you can only prove that it has bugs, 
and fix them.

The fault is in the "fact" that qmail is secure. OpenSSL was secure,
OpenBSD was secure, etc. Are they now all insecure software that should
be avoided at all costs?

> > qmail has vulnerabilities, they haven't been (publicly) found yet.
> 
> Prove it.  (Oh, you can't.  What a surprise.)

Prove my version of sendmail has bugs. Oh! You can't? What a surprise.

You also seem to have snipped out my Linux kernel comment, would you care
to reply, or silently ignore it because it ruins your argument?

> --
> David Phillips <david at acz.org>
> http://david.acz.org/

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list