Re: How to replace sendmail with postfix?

From: jpd (read_the_sig_at_do.not.spam.it.invalid)
Date: 09/29/05


Date: 28 Sep 2005 22:43:07 GMT

Begin <KLWdnSI_J-dURqfeRVn-gg@speakeasy.net>
On 2005-09-28, Michael Sierchio <kudzu-usenet95@tenebras.com> wrote:
> jpd wrote:
>
>> [1] I didn't know how quickly to get rid of it. It has serious drawbacks
>> in all sorts of ways, making it unsuitable for serious MTA use in
>> today's internet.
>
> This is in reference to qmail?

I think that was pretty clear from the original, yes. I did and still
do and am not about to cease to support my own opinion in this matter.

> I challenge you to support that assertion --
> I've found it to be a high-performance and secure alternative to sendwhale,
> which has a history of security vulnerabilities as long as your arm.

Of course you have to challenge me. It never ceases to amaze how much
the author polarizes the masses. I happen to very much dislike his (view
of the) universe, and apparently you feel different about it.

I did encounter the beast on one of the many legacy machines at my
last job and we (the then vp of development and I) put that particular
machine on top of the list of things to phase out, for indeed it was
ugly and dangerous. Not just because of qmail, but it was a large part
of it. This, and IMAO luckily, was the last of my personal experiences
with it. I intend to keep it that way. Incidentally, we moved the entire
shop over from a variety of MTAs to exactly two machines running exim.

However, the controversy does not end here. You, as qmail aficionado,
must know qmail itself has not been updated for years and is being kept
alive with 3rd party patches under a variety of names.

Not being riddled with security holes is of course a plus, although, and
I've noted this not long ago in this group, sendmail is a little bit older,
and was originally written for a friendlier internet. It, however, has been
maintained and its security problems at least, fixed. This in contrast to
qmail, as noted above. At least not by its original author.

BTW, I do find qmail's security an interesting point, since [JdBP-qp]
indicates qmail does contain a ``coding error'' that ``will end up
corrupting its own memory, with arbitrary consequences.'' This is more
commonly known as a buffer overflow, and the stuff from which many an
exploit is made. Admittedly this is in the qmail-local process, but I do
find it interesting that the attention to security problem prevention
didn't extend to these details. And, as Americans say, the details is
where the devil is.

But since I haven't actually found out the hard way just how much I
don't like qmail, and I have no intention of fixing that, I'll refer
you to, for example, [nanae-qm], which has another couple of pointers.
Although not all things mentioned there are directly qmail's fault, I
trust I don't have to elaborate the between-the-lines message for you
here. I remember reading about a couple of others but can't remember and
also can't be bothered to try and re-find them. If and when I find them
again and this subject resurfaces I'll be sure to tell you about it. :-)

[JdBP-qp] http://homepages.tesco.net/~J.deBoynePollard/FGA/qmail-problems.html
[nanae-qm] Message-ID: <11jegpm3n78hr02@news.supernews.com> and on, or see
    http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/b97156a92cd9080/07d3eba331c28b81
  [sorry for the long url]

-- 
  j p d (at) d s b (dot) t u d e l f t (dot) n l .

