[luau] sendmail patch

Keith krjw at optonline.net
Mon Sep 22 09:27:00 PDT 2003


* kmayer at bitwrangler.com <kmayer at bitwrangler.com> [22/09/2003 1320EDT]:
> Keith <krjw at optonline.net> wrote:
> 
> > ... [ qmail ] ...
> > If more folks were as commonsensical a programmer as DJB the Internet
> > would be a much safer place.
> 
> Hmmm. For those doing DoD work you know that the *best* way to secure a
> network is simply to unplug it (isolation) from the rest of the
> world. That is kind of what Dan did with qmail. He just went his own way
> with everything and doesn't care about playing nice with others. In

djb is quite a fascist, indeed, but I don't curse him or his software
for it.  Instead I applaud his efforts.  OK, so he doesn't trust anyone.
He doesn't trust stdio routines.  His own programs don't trust one
another.  The Internet at large is simply not trustworthy to any degree;
one -- or at least one's programs -- have to be paranoid and they have
to play hardball or they are going to be broken by a 14 yr old script
kiddie.

The software goes to greater lengths than djb would care to admit to
maintain sendmail compatibility, with exceptions noted in TFM.  If it's
sendmail compatible, it's pretty much everything compatible.  Right?
;-)

> 1997, I had trouble with qmail not accepting mail because it treated the
> left-hand side of the address as case-sensitive; that's what the RFCs
> *say* but practical experience says that human beings don't care about
> the difference between USER at foo.bar.com, User at foo.bar.com, and
> user at foo.bar.com. I believe the rule should be "accept liberally, send
> strictly" but that's my opinion. Dan disagreed. That's why we use the
> source. 

This case issue was fixed prior to 0.75 beta in 1996.

    19960419 change: in qmail-lspawn.c, lowercased name before
    getpwnam().  really getpwnam() should do this, but oh well.

and:
http://www.lifewithqmail.org/lwq.html#uppercase-usernames

> Don't get me wrong, qmail has its strengths, but it isn't a magic
> bullet. I had a friend who was head of the Internet e-mail team at

I don't believe there is *any* such magic bullet, so long as human
factors are involved.  We're error prone, yes -- some much more than
others, but none of us error-free.

> AOL. I asked him about qmail and his opinion was *not*, to say the
> least, positive. Apparently qmail doesn't scale to the very, very big
> (e.g. AOL). That isn't an important factor for most people, but you
> made a point that qmail is "fast" and back in 2000, which was the last
> time I was working with it closely, it didn't handle large volumes of
> mail well.

My comments about speed were in reference to Bernstein's benchmarks,
not my own.  If AOL had a problem I wouldn't question it but rather
expect it.

Regardless, my original response to the sendmail patch thread was in a
security context on this Linux mailing list.  Linux is about all sorts
of choices & hopefully those choices will be educated.  I'm merely
trying to spread knowledge when the opportunity arises and in that
particular instance the message was "qmail is secure & sendmail isn't".

> It's more of a personality thing (DJB's, qmail's and mine) than code
> quality issues for me. Having worked with sendmail, qmail and postfix, I
> prefer the latter. I haven't seen a CERT advisory on postfix; Wietse
> Venema wrote postfix with speed, compatibility and security in mind and
> I think he succeeded.

I, like many, have had problems with sendmail.
   I did my homework & switched to qmail.
   No problems with qmail since (but I don't have a user base the size of
   AOL).
      If I had problems with qmail, I'd do more homework, and probably
      move to postfix, too.

It's all about the homework...

Cheers,
krjw.

-- 
Keith R. John Warno                  [k r j w  at  optonline dot net]


