Re: [suse-security] CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND (fwd)
That's real useful for end users :P. Wietse (postfix guy) was smart, 100% compatible sendmail replacement, both in functionality and license. Qmail is NOT. Neither is djbdns a drop in replacement for Bind. Hence only a minor percentage of people will make the effort to use it.
Why is "drop-in-replacement"==GOOD and "no drop-in-replacement"==BAD? I don't agree there. It's not that the programs are hard to install or something. On the contrary, IMHO.
Sendmail, ok, cleaned up a lot in the last two years, BUT if there is a hack it's usually root, for example the kernel capabilities bug. To get users to switch to a more secure mailer you have a few realistic options: make it the default - Mandrake now does this with Postfix. They do not ship Qmail. Vince (mandrake security packager goombah guy who writes their advisories and whatnot, who I drink with sometimes) tried valiantly to legally package qmail and ship it and gave up. Buy him a drink sometime and ask him about it if you want to hear a painful story. if it's hard to do people will not switch to it. Hell people won't even patch software or apply vendor security updates in a lot of cases, so what are the chances of them switching from say sendmail to qmail, if it requires a lot of effort? This is why compatibility (function wise, license wise, etc.) is so important.
Again, I don't agree. There are boatloads of enhancements and modifications for qmail (and less so for djbdns, but that doesn't exist as long). If you want a specific feature that isn't in standard qmail/djbdns, there most probably is a patch that you can apply in seconds. Again, very easy.
Ohh, so if I go out of my way to fix qmail, it can do function X, whereas that is standard in Postfix for example (and then there are things postfix does that qmail can't, even with available patches, like regex filtering). That's like saying "Windows isn't insecure, if you get these security products and apply them it's secure". No, Qmail, as it ships from DJB, is a pain in the ass :P. I've tried to move to it several times (long ago), and tested it more recently, and I've never liked the results (and I get paid to spend my time on things like this). -Kurt
On Tue, 30 Jan 2001 01:03:16 -0700, "Kurt Seifried" <listuser@seifried.org> wrote:
Why is "drop-in-replacement"==GOOD and "no drop-in-replacement"==BAD? I don't agree there. It's not that the programs are hard to install or something. On the contrary, IMHO. Sendmail, ok, cleaned up a lot in the last two years, BUT if there is a hack it's usually root, for example the kernel capabilities bug. To get users to switch to a more secure mailer you have a few realistic options:
[Notice how the conversation is drifting towards Sendmail/qmail, while it started with BIND. Nothing wrong with that ofcourse, but the situation with DNS servers is different than with mail servers. With DNS servers, the current leader has a *horrible* security track record. With mail servers, that seems to be less so. (Maybe that is because Sendmail doesn't have as large as a marketshare as BIND does, I don't know. :-) )]
Qmail. Vince (mandrake security packager goombah guy who writes their advisories and whatnot, who I drink with sometimes) tried valiantly to legally package qmail and ship it and gave up.
Yes, but the licensing (while a big problem for distributors) has nothing to do with *how the program works*. If you're a competent administrator, it's no problem to install qmail, or djbdns (or postfix, etc.). It doesn't matter if it comes with your distro or not. Want (commercial) support for djb-ware? That's available if you wish. The way a package is licensed doesn't impact its vulnerability to (security-related) problems.
if it's hard to do people will not switch to it. Hell people won't even patch software or apply vendor security updates in a lot of cases, so what are the chances of them switching from say sendmail to qmail, if it requires a lot of effort?
If those people don't even install security patches for the products they have, they certainly won't install something else - how little effort that might take. The *correct* question is: is that a problem of the software (being or not being a drop-in replacement -- or at least a simple install) or is that a problem of those people? Mind you -- the qmail install isn't difficult.
This is why compatibility (function wise, license wise, etc.) is so important.
It's important for distributors. It's not as important for a sysadmin who wants to install a secure DNS server/mail server. That sysadmin can get qmail or djbdns (or whatever he pleases) and install it.
Ohh, so if I go out of my way to fix qmail, it can do function X, whereas that is standard in Postfix for example (and then there are things postfix does that
Why does every conceivable feature has to be *standard in the distribution*? What is the great advantage in that? The way it's now with e.g. qmail, I can select the features I *need*, apply them, and be happy. The features I *don't need*, don't even come into the picture.
them it's secure". No, Qmail, as it ships from DJB, is a pain in the ass :P.
Ofcourse everyone has a right to his own opinion. Let me just add that it's a *secure* pain in the ass, for you at least then. :-) But really, if you *need* features that aren't in qmail, you can either a) make them yourself or b) not use qmail. However, just saying that qmail shouldn't be used because of its perceived lack of features is unjustified.
I've tried to move to it several times (long ago), and tested it more recently, and I've never liked the results (and I get paid to spend my time on things like this).
*You* never liked the results. There are many people who *do* like mail, and use it intensively. They like it because it's secure. It has the features they need. It doesn't matter if you're paid or not by the way, that's just using rhetorics. end -- Jurjen Oskam * carnivore! * http://www.stupendous.org/ for PGP key assassinate nuclear iraq clinton kill bomb USA eta ira cia fbi nsa kill president wall street ruin economy disrupt phonenetwork atomic bomb sarin nerve gas bin laden military -*- DVD Decryption at www.stupendous.org -*-
On 30 Jan 2001, at 1:03, Kurt Seifried wrote:
them it's secure". No, Qmail, as it ships from DJB, is a pain in the ass :P. I've tried to move to it several times (long ago), and tested it more recently, and I've never liked the results (and I get paid to spend my time on things like this).
Hi, I have to do with a couple of servers, each with a couple of thousand mail users. Using qmail I have not found any security problem. Serving about 30-50 domains with Djbdns is no problem. I found no real advantages compared to bind but that I had to update bind about 3 to 4 times the last 6 months to keep somewhat secure. I like the advantages of bind series 9 (threads, somewhat of virtual load balancing). Some of these features are not available for all OSs I use, specialy the lack of threads on some BSDs require to use bind 9 with --disable-threads. Design decisions of the ext2 filesystem prohibit the use of Linux on systems that need some level of integrity. Some time ago a couple of lawyers I would call friends put together a 200 page document about the BSD vs. GPL vs. DJB licences, probably I could dig it out. DJBs licence is optimal for security compareable to the licence sun put solaris under. mike
participants (3)
-
Jurjen Oskam -
Kurt Seifried -
Thomas Michael Wanka