Subject: Re: qmail, from bugtraq
From: Matthias Andree (ma at dt.e-technik.uni-dortmund.de)
Date: Fri Feb 04 2000 - 07:46:23 CST
- Next message: Lutz Jaenicke: "PLEASE NO FLAMEWAR (was: qmail, from bugtraq)"
- Previous message: Marek Habersack: "Re: qmail, from bugtraq"
- In reply to: D. J. Bernstein: "Re: qmail, from bugtraq"
- Next in thread: Leif Nixon: "Re: qmail, from bugtraq"
- Reply: Matthias Andree: "Re: qmail, from bugtraq"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
* D. J. Bernstein (djb at cr.yp.to) [000204 13:48]:
> The crucial fact that you're failing to mention is that attackers can
> chew up all the memory on such systems BEFORE qmail is installed. It's
> rather idiotic to blame qmail for a problem that existed before qmail
> was installed.
Sure. But I recall that your installation document that came with qmail
1.03 did not mention that I was to use system resource limits. I just
checked one (disabled and changed for a Postfix installation) again:
Check with cd /var/qmail/doc ; grep -C -i limit *
(with -C == "show context" in case your grep lacks it)
No trace of ulimit or relatives.
> Of course, as a fraudulent marketing stunt, you carefully wrote _your_
> attack programs so that they would only work after qmail was installed.
> But security is defined by what _can_ be done, not by what _you_ did.
You seem to be a responsible person in respect to your software and
what it does or does not do to other people's systems. I appreciate your
guarantee.
But what I expect from a responsible person is that they also consider
the compatibility of their software with its environment, and
that's what Wietse is criticizing, and I agree.
Rather than have your qmail users trapped with a system going awry
because the exploitable system happens to be trapped by somebody
abusing qmail, you should advise your qmail users to use the system's
resource limiting features.
Is adding a phrase to INSTALL about how to limit system resources in
/var/qmail/rc or the like too big a demand so you cannot fulfill it?
Please focus on what your users' demands are and NOT on your rage
against software that is also aiming for security.
Eventually, both packages (qmail and Postfix) strive for security and
performance, among other goals, and both packages are free to use. Now,
what's your point in calling Dr. Venema's work a marketing stunt? What would
be his reason to do so?
Please refrain from calling other people names. I find that annoying,
and it's not helpful either.
Your input on potential security problems with other software is
certainly welcome, your insults are not.
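The post asks for exactly one thing in concrete terms: a line in the qmail start script that applies the system's resource limits before the daemon runs, so that a runaway delivery is refused memory instead of exhausting the whole machine. The script below is an added illustration of that idea and is not part of the thread, of qmail or of Postfix. It assumes a Linux-style shell where ulimit -v sets the per-process address-space cap in KiB; with_vmem_limit, memory_hog and the sample qmail-start line are my own names and placeholders, and the memory hog is a constructed stand-in for a misbehaving child.

```shell
#!/bin/sh
# Added example, not code from the thread or from qmail/Postfix.
# Shows how an rc-style start script can apply a per-process virtual-memory
# cap (ulimit -v, KiB) so that only the daemon and its children inherit it,
# not the administrator's login shell.

# Run "$@" in a subshell whose address-space limit is set first.
# If the cap cannot be applied, refuse to start rather than start unlimited.
with_vmem_limit() {
    _kb=$1
    shift
    (
        ulimit -v "$_kb" || exit 99
        "$@"
    )
}

# Constructed stand-in for a runaway delivery process: it captures a string
# of $1 MiB into a shell variable, so the subshell itself has to allocate it.
# Under a cap that is too small the shell fails its allocation and exits
# non-zero; the rest of the system is untouched.
memory_hog() {
    _mb=$1
    _s=$(dd if=/dev/zero bs=1048576 count="$_mb" 2>/dev/null | tr '\0' 'a')
    [ "${#_s}" -gt 0 ]
}

# What the corresponding /var/qmail/rc line would look like (hypothetical
# path and arguments; the real daemon takes the place of memory_hog):
#   with_vmem_limit 49152 /var/qmail/bin/qmail-start ./Mailbox splogger qmail
```

A 48 MiB cap leaves a small job (a few MiB) untouched, while a job that tries to take ~96 MiB is killed off at the allocation that crosses the line; tune the number to what the largest legitimate delivery actually needs on the host, since the cap also bounds the shared libraries mapped into each child.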