Matthew S. Hallacy writes:
> qmail does not lose my messages would be violated when it
> can't allocate enough resources to deliver the message due to
> rlimits, wonderful.

It doesn't lose messages.  A message with enough recipients to reach rlimits
is not legitimate anyway.  If you think it would lose messages, perhaps you
should learn how SMTP works.  (Hint: MTAs will retry sending a message if
the remote server is unavailable.)

> All I have to do to shut down your SMTP server is push it to its
> resource limits, and keep it there.

Of course.  You could also use up all available bandwidth.  Denial of
service attacks are not new and are not limited to qmail.  All network
services are vulnerable.  What is your point?

> I can write a nice little Perl script to accept connections on port
> 25, and call it a mail daemon. Unfortunately you would be required to
> use other modules to get anything done in the real world.

What is your point?  qmail (not qmail with patches) works fine for at least
95% of its users.

> If it's required to make the software usable in the needed
> configuration, yes.

Again, what is your point?  Someone needed SMTP AUTH for their particular
situation.  That someone wrote a buggy patch.  How is this relevant to qmail
being secure?

> Can you point out any current bugs or security holes in sendmail? No?
> Then it must be 100% secure, just like qmail.

Sendmail is not secure.  It was not designed to be secure and it was not
coded with security in mind.  You don't make something secure by removing
bugs.  You make it secure by not writing them in the first place.

> are they now all insecure software that
> should be avoided at all costs?

They should be avoided if there were reasonable alternatives.  If Dan had an
implementation of SSH or SSL, I would use it.

> Prove my version of sendmail has bugs.

There is no rational reason to believe that it is secure.  It has had many
security-related bugs in the past and has not been rewritten.  What makes
you think all the bugs have been found?

> You also seem to have snipped out my Linux kernel comment, would you
> care to reply, or silently ignore it because it ruins your argument?

See my response to Nate Carlson.  He missed the point just like you did.

--
David Phillips <david at acz.org>
http://david.acz.org/


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list