From kragen@dnaco.net Sat Jul 11 05:40:31 1998
Date: Sat, 11 Jul 1998 05:40:30 -0400 (EDT)
From: Kragen <kragen@dnaco.net>
To: djb@pobox.com
Subject: Re: Mailing list help (fwd)
Message-ID: <Pine.SUN.3.96.980711053837.1469o-100000@picard.dnaco.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Keywords:
X-UID: 449
Status: O
X-Status: 

I thought I ought to forward this to you, simply because I do not want
to criticize you without your knowledge.  If any of the statements
below are incorrect and warrant correction, I will correct them.

---------- Forwarded message ----------
Date: Sat, 11 Jul 1998 03:46:11 -0400 (EDT)
From: Kragen <kragen@pobox.com>
To: "Bradley M. Kuhn" <bkuhn@ebb.org>
Cc: clug-user@clug.org
Subject: Re: Mailing list help
Resent-Date: Sat, 11 Jul 1998 03:59:19 -0400
Resent-From: clug-user@clug.org

On Fri, 10 Jul 1998, Bradley M. Kuhn wrote:
> Realize that qmail is held out as such because the author of qmail appears
> to be mentally disturbed.  If you think my posts are kind of flaky, this guy
> is *way* out there.  If anyone on any of comp.*.mail.*  (i.e., any mail
> newsgroup) posts something about what MTA to use, or about sendmail being
> secure, he goes nuts, posting that sendmail bugs will effectively destroy
> the entire Internet and that qmail is the only thing that can save the day.

1. djb is a bit of a jerk.  He's got an extremely rigid turn of mind.

2. djb is a well-respected member of the academic cryptology
community.  He's credited as a contributor to Applied Cryptography, and
has done some innovative original work in the field.  He just finished
his doctorate from Berkeley, and he teaches (math, especially
cryptology) at UIUC.

As such, his idea of "secure" is a lot closer to the military's idea of
"secure" than sendmail's idea of "secure".  It is not difficult to
understand that, coming from his background, people claiming that
sendmail is secure sounds a lot like people claiming that their private
variation of the Vigenere cipher is secure.

3. djb has made some significant contributions to the community.  He's
currently involved in a case against the government, challenging export
restrictions on free-speech grounds.  He was one of the first (and
still one of the only) people to run a nameserver for Monolith.  He
writes and maintains qmail.

> Fact is, there are other MTA's out there besides qmail and sendmail that
> don't get security too bad either.

In the two-year-or-so history of qmail's source being available to
everyone on the net, there have been a total of zero (0) publicly
announced security holes discovered in it.  There is currently a $1000
prize for the first person to find one.

There are no other MTAs out there that even approximate this.

I believe this is due to djb's background in developing algorithms that
really provide security.

> qmail is also only useful for a "standard" mail installation.  All those
> features in sendmail may be annoying, but I have been at sites where qmail
> just *would not have worked*.  I looked into it when I was at Westinghouse,
> but it was missing some key features I needed from sendmail.
> 
> Granted, my environment was brain-dead, mail-wise, because I had a bunch of
> backwards compatibility email addresses which isn't worth discussing here,
> but the point is, qmail can only handle relatively simple installations.

This is like saying, "emacs can handle only relatively simple documents
because it can't do multiple fonts, kerning, pagination, and
proportional spacing."  qmail doesn't have a lot built in, but it has
good hooks for interfacing with other programs.

> > and that "they" say that sendmail is singly responsible for keeping CERT
> > employed.  Or are sendmail's security issues over-rated?
> 
> Yes, they are.  The statement you made was true about 4 years ago.  A *lot*
> can happen in 4 years.

sendmail's design is still the same as it was 4 years ago.  As long as
its design involves tens of thousands of lines of code running as root,
doing complex processing on text data received over the network, it
will never be secure.  A thousand security audits would fail to make it
secure.

> The statement "you should run qmail instead of sendmail because qmail is more
> secure" is very similar to saying "you should run OpenBSD and not GNU/Linux
> because OpenBSD is more secure."
> 
> Sure, OpenBSD and qmail were secure *first*.  But the sendmail code and the
> Linux code both have received a security audit.  There hasn't been a
> security patch for sendmail in about a year, and that one was for HPUX only
> anyway.  Before that, I think it had been a year and a half.

I think this is an inaccurate view of the problem.

sendmail was designed by a BSD programmer in an academic environment,
where all users of the network could be trusted not to wreak havoc.
Consequently, its design was done with no view to security.  Literally
thousands of security holes were found and exploited in it, nearly all
of which resulted in remote root compromises.

qmail was designed by an accomplished academic cryptologist in the
environment of the modern Internet, where every host is scanned several
times a day for open WinGate ports.  Its design was done with security
as the primary consideration.  The code that runs as root is less than
ten lines long (I haven't looked at it in a long time; I think it's
about half that) and very simple, so that it can be easily verified.
It is built on top of a replacement for the standard C library designed
to be much less prone to security bugs.  (Nevertheless, the size of
this replacement and qmail combined is much smaller than the size of
sendmail alone.)  To date, no security holes have been found and
exploited in qmail.  It is almost certain that, if a security hole is
ever found, it will not result in a remote root compromise, or even a
local root compromise.

These differences are much larger than the differences between OpenBSD
and Linux.

> Finally, it's just simply the case that Eric Allman and the sendmail team
> are reasonable people.  The qmail author (I am sorry but I forget his name)
> has some sort of vendetta against sendmail.  That worries me.  If someone
> has an agenda to destroy another free software product, I question using
> their software.

"another free software product" is misleading.  qmail is not free
software; you are not allowed to distribute modified versions.

djb seems to cultivate grudges.  There's the anti-sendmail grudge, the
anti-Wietse-Venema grudge, and the anti-prior-restraint-of-free-speech
grudge which seem to be major factors in his life.

His name is Daniel J. Bernstein.

> I certainly respect a decision of a sysadmin who chooses qmail over
> sendmail.  If a sysadmin is going to take the time to look over both for
> security and functionality and chooses qmail, that seems reasonable to me.
> However, choosing qmail simply because one "heard sendmail was bad" is not a
> reasonable way to make an engineering decision.

I like qmail because of (a) its security and (b) its functionality.

Kragen

-------------------------------------------------------------------------
CLUG User Mailing List (see http://www.clug.org/ml for subscription info)
Cincinnati Linux Users Group (a SIG of the Cincinnati PC Users Group)
Opinions expressed in this mailing list are those of the individual
authors and are not representative of CLUG or CPCUG.
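The design point in the message above is that text arriving from the network should be handled by code that has already given up root, so that the root-capable part stays small enough to verify by inspection. The following C sketch is an added example of that pattern, not code from qmail or sendmail; the uid/gid 65534 and the "MAIL FROM" parser are constructed for illustration.

```c
/* Added example (not qmail or sendmail code): keep the root-capable part
 * to a few lines that switch to an unprivileged uid/gid, and run every
 * line of code that inspects network input only after the switch. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Give up root for good. Returns 0 on success, -1 if privileges could not
 * be dropped (the caller must then refuse to proceed). A process that is
 * not root to begin with has nothing to drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* Bounded parse of an SMTP-style "MAIL FROM:<addr>" line into out.
 * Returns 1 if an address was extracted, 0 on malformed or oversized
 * input. This is the kind of processing the argument says belongs in an
 * unprivileged process, never in the root-capable one. */
int parse_mail_from(const char *line, char *out, size_t outlen)
{
    const char *prefix = "MAIL FROM:<";
    size_t plen = strlen(prefix);
    if (strncmp(line, prefix, plen) != 0)
        return 0;
    const char *start = line + plen;
    const char *end = strchr(start, '>');
    if (end == NULL || (size_t)(end - start) >= outlen)
        return 0;                    /* refuse rather than truncate */
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return 1;
}

/* Handle one network line: drop root first, then parse. Returns 1 if a
 * sender address was accepted, 0 otherwise (including a failed drop). */
int handle_line(const char *line, char *out, size_t outlen)
{
    /* 65534 is a constructed id; a real service would use a dedicated account. */
    if (drop_privileges(65534, 65534) != 0)
        return 0;
    return parse_mail_from(line, out, outlen);
}
```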
