Re: Qmail vs Sendmail
On Sun, 16 Aug 1998, Stanislav Malyshev a.k.a Frodo wrote:
> > > Accidentally, qmail has its own pop3 daemon - qmail-pop3d.
> >
> > which works with the maildir format only.
>
> Sure. What's so bad in it, if you are using qmail anyway?
Most MUAs support maildir via some sort of translation to mbox format
before and after invocation of the MUA. This is clearly not as stable as
working in mbox permanently. People who read their mail over NFS may
prefer that arrangement over mbox, but most people prefer mbox.
BTW - a poll was done recently around the qmail community and it was
found out that over 80% use mbox format.
> > Try using the non-exec stack kernel patch. If run from inetd (i.e. it's
> > being executed every session) with patch installed, qpopper is safe enough
> > for you.
>
> AFAIK, this patch breaks some things in gcc and buffer overflow exploits
> are possible even with it installed (just most published ones don't work,
> but one can write a perfectly working exploit without an executable stack,
> IIRC).
I use this patch on a production server with people compiling stuff all
day long and none of them reported anything breaking.
> Secondly, running a program with a certified remote root hole and
> hoping some patch will prevent it from being exploitable - is the deed of
> great courage, but certainly not a good security practice. If you know
> that it has holes, you don't touch it until it's OK, otherwise you are at
> the mercy of the first kid that reads Bugtraq and Phrack, and knows how to
> cut-n-paste.
Again, qpopper 2.52 is not exploitable, and that patch prevented that hole
from being used (I had quite a few attempts at that hole actually). I
personally read security mailing lists, and so I get the news as much as
other people do.
The point is: people need a pop3 server. Even if there is no
non-exploitable one, people expect that service to be available. Whenever a hole
is discovered, I disable it for the time being until it is fixed. That's
how it's done on production machines.
Shachar Tal
-------------
Taub Computer Center, Technion, Israel Institute of Technology
KeyID 0481FEF1 fingerprint = 52 1B 97 6A F2 77 AE C6 64 B6 5A 5E 14 28 8E 7E
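The maildir/mbox translation the message above argues about can be shown concretely. The following Python example is added here and is not code from the thread, from qmail, or from any MUA; it uses only the standard-library `mailbox` module. It delivers two constructed messages into a temporary Maildir (each lands as its own file in `new/`, placed there by a rename, so no locking is needed), then translates them into a single mbox file, which has to be locked while written. The second message carries a body line beginning with the word "From", and the translation escapes it to ">From " so that it cannot be mistaken for a message separator; reading the mbox back does not undo that, which is one concrete way a translate-before-and-after arrangement is less stable than staying in one format. All names, addresses and message texts are constructed for the example.

```python
import email.message
import mailbox
import os
import tempfile


def make_message(subject, body):
    """Build a small constructed test message (addresses are placeholders)."""
    msg = email.message.EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def deliver_to_maildir(maildir_path, messages):
    """Deliver messages maildir-style: each one is written to tmp/ and then
    renamed into new/, so a reader never sees a half-written file and no
    lock is required. Returns the unique keys (also the file names)."""
    md = mailbox.Maildir(maildir_path, create=True)
    keys = [md.add(m) for m in messages]
    md.close()
    return keys


def maildir_to_mbox(maildir_path, mbox_path):
    """Translate a Maildir into one mbox file. mbox is a single append-only
    file, so it is locked for the whole copy. The mailbox module escapes any
    body line that starts with 'From ' to '>From ' while writing."""
    md = mailbox.Maildir(maildir_path)
    mb = mailbox.mbox(mbox_path, create=True)
    mb.lock()
    try:
        for key in sorted(md.keys()):
            mb.add(md[key])
        mb.flush()
        count = len(mb)
    finally:
        mb.unlock()
        mb.close()
    md.close()
    return count


def read_mbox(mbox_path):
    """Read the mbox back; note the '>From ' escaping is not reversed."""
    mb = mailbox.mbox(mbox_path)
    subjects = [m["Subject"] for m in mb]
    bodies = [m.get_payload(decode=True).decode() for m in mb]
    mb.close()
    return subjects, bodies


def round_trip(workdir):
    """Deliver to Maildir, translate to mbox, read back; return what we saw."""
    maildir_path = os.path.join(workdir, "Maildir")
    mbox_path = os.path.join(workdir, "inbox.mbox")
    messages = [
        make_message("first", "Plain body\n"),
        # Constructed body whose second line begins with the word "From".
        make_message("second", "Quoting test:\nFrom the start this line begins with From\n"),
    ]
    keys = deliver_to_maildir(maildir_path, messages)
    new_files = sorted(os.listdir(os.path.join(maildir_path, "new")))
    mbox_count = maildir_to_mbox(maildir_path, mbox_path)
    subjects, bodies = read_mbox(mbox_path)
    return {
        "keys": sorted(keys),
        "new_files": new_files,
        "mbox_count": mbox_count,
        "subjects": sorted(subjects),
        "bodies": bodies,
    }


def demo():
    """Run the whole round trip inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as workdir:
        return round_trip(workdir)


if __name__ == "__main__":
    result = demo()
    print("files delivered into new/:", result["new_files"])
    print("messages in mbox:", result["mbox_count"])
    for body in result["bodies"]:
        print("---\n" + body)
```

Run it and compare the second body as it comes back from the mbox with the text that was delivered: the line now starts with ">From". A MUA that translates mbox back to maildir after each session would carry that altered line into the maildir copy, which is the kind of drift the author has in mind when calling the translation arrangement less stable than working in one format.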