RE: Qmail vs. postfix
From: Gonçalo Gomes (goncalo@microeuropa.pt)
Date: 08/10/01
- Previous message: Gonçalo Gomes: "Re: tcpdump question"
- In reply to: McHugh, Sean: "RE: Qmail vs. postfix"
- Next in thread: multics@ruserved.com: "RE: Qmail vs. postfix"
Date: Thu, 9 Aug 2001 22:57:27 -0400 (EDT)
From: Gonçalo Gomes <goncalo@microeuropa.pt>
To: "McHugh, Sean" <SMchugh@grey.com>
Subject: RE: Qmail vs. postfix
Message-ID: <Pine.LNX.4.33.0108092255510.1281-100000@darkside.antilove.org>
the author of that DoS also provided a patch,
from qmail-dos.c
/* Here is the Patch for qmail -
If you are using tcpserver it should be sufficient to set the ulimit
once in the startup script. All instances of qmail-smtpd inherit the
limit without further overhead. Seems to be working fine here.
echo "Starting tcpserver for qmail-smtpd..."
ulimit -d 2048
/usr/local/bin/tcpserver -v -u 61 -g 61 0 smtp \
/usr/local/bin/tcpcontrol \
/etc/tcp.smtp.cdb /var/qmail/bin/qmail-smtpd 2>&1 | \
/var/qmail/bin/splogger smtpd 3 &
*/
-- Gonçalo Gomes
http://unsecurity.org
On Wed, 8 Aug 2001, McHugh, Sean wrote:
> actually, there are a few qmail security problems (none unresolved that i
> know of though).
> Wietse Venema (author of postfix), himself, coded a dos exploit for qmail
> that fills up swap space by sending to an unlimited number of recipients.
> there is a patch.
>
>
> so it's only version 1.03 - so what, most versioning is arbitrary.
>
> qmail is definitely a good mta, but it loses some lustre compared to postfix.
>
> sean
>
> -----Original Message-----
> From: Jim [mailto:mlist@budget.co.nz]
> Sent: Thursday, July 26, 2001 7:15 PM
> To: SECURITY-BASICS@SECURITYFOCUS.COM
> Subject: Re: Qmail vs. postfix
>
>
> > > can anybody tell me what to use. I want to have secure mail
> > > agent.
> > > Qmail or postfix.
> >
> > Whatever you like. I personally use postfix, I just happen to like it
> > better than qmail. Much less painful to setup, no holes known (and none
> > seen in the code, either. I'm not a very good C coder, but good enough
> > to check code).
>
> I just have to say, the way this is written implies that qmail may have
> known holes in the code. I doubt you intended to say that, but it may be
> read that way. On the other hand, if you do know of holes in the qmail
> code, I'd love to know about it!
>
> I have never used postfix, but qmail is a fantastic product. It's been
> version 1.03 since I started using it (over two years ago) and there are no
> known security problems. You do have to go through a bit of a process to
> set it up, but that's not an issue for anyone who desires a secure mail
> server. One thing that might be important to your decision: qmail is
> definitely intended to be an internet mail server serving mail for a domain
> (or multiple domains). I believe setting it up to work otherwise can be
> difficult.
>
>
>
> -----------------------------------------------
> This message is confidential. If you are not the intended recipient you must
> not read or do anything else with this message.
> If you have received this message in error please notify us immediately by
> return email and destroy this email. Thank you.
>
>
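One way to check that the limit from the startup script above actually reached the running qmail-smtpd processes, as an added example that is not part of the original post or of qmail-dos.c. It assumes a Linux host where /proc/<pid>/limits reports "Max data size" in bytes; the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the data-segment limit of running qmail-smtpd processes.
# Assumption: Linux, where /proc/<pid>/limits lists "Max data size" in bytes.

# Read limits-format text on stdin; print the soft data limit in KB
# (the unit "ulimit -d" uses) or "unlimited". Fails if the row is absent.
soft_data_kb() {
    awk '/^Max data size/ {
             if ($4 == "unlimited") print "unlimited"
             else print int($4 / 1024)
             found = 1
         }
         END { if (!found) exit 1 }'
}

# Compare limits text on stdin with the largest acceptable limit in KB.
# Prints OK, TOO_HIGH, UNLIMITED or UNKNOWN.
check_limit() {
    max_kb=$1
    kb=$(soft_data_kb) || { echo UNKNOWN; return 2; }
    [ "$kb" = unlimited ] && { echo UNLIMITED; return 1; }
    [ "$kb" -le "$max_kb" ] && { echo OK; return 0; }
    echo TOO_HIGH
    return 1
}

# Report "<pid> <verdict>" for every running process named $1.
audit_running() {
    name=${1:-qmail-smtpd}
    max_kb=${2:-2048}
    for pid in $(pgrep -x "$name" 2>/dev/null); do
        [ -r "/proc/$pid/limits" ] || continue
        echo "$pid $(check_limit "$max_kb" < "/proc/$pid/limits")"
    done
}

# Constructed samples in /proc/<pid>/limits layout (not from a real host).
sample_limited() {
    printf '%s\n' \
        'Limit                     Soft Limit           Hard Limit           Units' \
        'Max cpu time              unlimited            unlimited            seconds' \
        'Max data size             2097152              2097152              bytes'
}
sample_unlimited() {
    printf '%s\n' \
        'Max data size             unlimited            unlimited            bytes'
}

sample_limited | check_limit 2048             # process started after "ulimit -d 2048"
sample_unlimited | check_limit 2048 || true   # startup script without the ulimit
audit_running "$@"
```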