On Sat, Apr 19, 2003 at 09:24:47PM -0500, David Phillips wrote: > It doesn't lose messages. A message with enough recipients to reach rlimits > is not legitimate anyway. If you think it would lose messages, perhaps you > should learn how SMTP works. (Hint: MTAs will retry sending a message if > the remote server is unavailable.) I'm well versed in the ways of SMTP, there are multiple ways it could lose a message due to rlimits. > Of course. You could also use up all available bandwidth. Denial of > service attacks are not new and are not limited to qmail. All network > services are vulnerable. What is your point? My point is that when possible, things should do their best to limit their exposure to possibly denial of service attacks. qmail (and any other mail daemon) could easily do this, yet djb chooses not to. > What is your point? qmail (not qmail with patches) works fine for at least > 95% of its users. And those 95% are a small percentage of the whole. If it were perfect, everyone would be using it. qmail without patches would not have satisfied the original posters needs. > Again, what is your point? Someone needed SMTP AUTH for their particular > situation. That someone wrote a buggy patch. How is this relevant to qmail > being secure? This whole thread started because someone needed SMTP AUTH, that functionality requires third party add-ons to qmail that are insecure. You recommended an insecure product while putting down all other mail daemons because they're "insecure". > Sendmail is not secure. It was not designed to be secure and it was not > coded with security in mind. You don't make something secure by removing > bugs. You make it secure by not writing them in the first place. So qmail never had bugs from day one, I find that hard to believe. This site has a list of RFC violations, and bugs. http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html I think they put it nicely: >>> 5.1. Security guarantee The security guarantee is a smoke ball. USD 500 are a ridiculous amount for the audit of qmail. <<< > They should be avoided if there were reasonable alternatives. If Dan had an > implementation of SSH or SSL, I would use it. So, it's okay unless djb has written something. Your reasoning is flawed, just because some piece of software has had a bug in it, it should be scrapped and completely rewritten? > > Prove my version of sendmail has bugs. > > There is no rational reason to believe that it is secure. It has had many > security related bugs in the past and has not been rewritten. What makes > you think all the bugs have been found? Because I Said So, that's what you're expecting others to go on. Just because qmail hasn't had any [serious] public bugs, should I expect that nobody will ever find one? And when they do, will djb scrap qmail and write it from scratch all over again? > See my response to Nate Carlson. He missed the point just like you did. See above, you seem to be okay with shoddy software (MSOE, for example) unless the deity djb has written something to perform that service. Perhaps you should let people know that you're a djb follower before trolling mailing lists. Perhaps you should use the unsubscribe link in the mail headers to distance yourself from such an insecure operating system (Linux) the mail server that delivered this message to you (sendmail) and the mailing list software handling the lists (mailman). The DNS servers inbetween (BIND) might taint you too. > -- > David Phillips <david at acz.org> > http://david.acz.org/ -- Matthew S. Hallacy FUBAR, LART, BOFH Certified http://www.poptix.net GPG public key 0x01938203 _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota http://www.mn-linux.org tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list