On Tue, 30 Jan 2001 01:03:16 -0700, "Kurt Seifried"
Why is "drop-in-replacement"==GOOD and "no drop-in-replacement"==BAD? I don't agree there. It's not that the programs are hard to install or something. On the contrary, IMHO. Sendmail, ok, cleaned up a lot in the last two years, BUT if there is a hack it's usually root, for example the kernel capabilities bug. To get users to switch to a more secure mailer you have a few realistic options:
[Notice how the conversation is drifting towards Sendmail/qmail, while it started with BIND. Nothing wrong with that of course, but the situation with DNS servers is different than with mail servers. With DNS servers, the current leader has a *horrible* security track record. With mail servers, that seems to be less so. (Maybe that is because Sendmail doesn't have as large a market share as BIND does, I don't know. :-) )]
Qmail. Vince (Mandrake security packager goombah guy who writes their advisories and whatnot, who I drink with sometimes) tried valiantly to legally package qmail and ship it and gave up.
Yes, but the licensing (while a big problem for distributors) has nothing to do with *how the program works*. If you're a competent administrator, it's no problem to install qmail, or djbdns (or postfix, etc.). It doesn't matter if it comes with your distro or not. Want (commercial) support for djb-ware? That's available if you wish. The way a package is licensed doesn't impact its vulnerability to (security-related) problems.
if it's hard to do, people will not switch to it. Hell, people won't even patch software or apply vendor security updates in a lot of cases, so what are the chances of them switching from, say, sendmail to qmail, if it requires a lot of effort?
If those people don't even install security patches for the products they have, they certainly won't install something else - however little effort that might take. The *correct* question is: is that a problem of the software (being or not being a drop-in replacement -- or at least a simple install) or is that a problem of those people? Mind you -- the qmail install isn't difficult.
This is why compatibility (function wise, license wise, etc.) is so important.
It's important for distributors. It's not as important for a sysadmin who wants to install a secure DNS server/mail server. That sysadmin can get qmail or djbdns (or whatever he pleases) and install it.
Ohh, so if I go out of my way to fix qmail, it can do function X, whereas that is standard in Postfix for example (and then there are things postfix does that
Why does every conceivable feature have to be *standard in the distribution*? What is the great advantage in that? The way it's now with e.g. qmail, I can select the features I *need*, apply them, and be happy. The features I *don't need*, don't even come into the picture.
them it's secure". No, Qmail, as it ships from DJB, is a pain in the ass :P.
Of course everyone has a right to his own opinion. Let me just add that it's a *secure* pain in the ass, for you at least then. :-) But really, if you *need* features that aren't in qmail, you can either a) make them yourself or b) not use qmail. However, just saying that qmail shouldn't be used because of its perceived lack of features is unjustified.
I've tried to move to it several times (long ago), and tested it more recently, and I've never liked the results (and I get paid to spend my time on things like this).
*You* never liked the results. There are many people who *do* like mail, and use it intensively. They like it because it's secure. It has the features they need. It doesn't matter if you're paid or not by the way, that's just using rhetoric.

--
Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key
assassinate nuclear iraq clinton kill bomb USA eta ira cia fbi nsa kill president wall street ruin economy disrupt phonenetwork atomic bomb sarin nerve gas bin laden military
-*- DVD Decryption at www.stupendous.org -*-