RE: qmail or postfix?
- From: Kalum / Grendel <kalum lintux cx>
- To: Karen Ellrick <k-ellrick sctech co jp>
- Cc: redhat-install-list redhat com
- Subject: RE: qmail or postfix?
- Date: Tue, 3 Apr 2001 21:57:26 +0600 (LKT)
On Tue, 3 Apr 2001, Karen Ellrick commented thusly,
> Hmm, it looks like Dan and Wietse are having quite an argument - I hadn't
> seen that before. I am not skilled enough at the internals of Linux to
> determine who is right... :( I must agree that Wietse can have a somewhat
> abrupt communication style - I have corresponded with him myself.
Well, let's say that both the guys involved have somewhat... ehmm...
"strange" personalities. Although software written by Dan Bernstein (DJB)
is simply brilliant and the guy has a proven security record, DJB tends to
be a bit of an abrasive character with plenty of aggression when it comes
to matters of security.
DJB's weakness is that he tends to do a lot of boasting; the sendmail and
postfix bashings are a good example. What he is trying to say is that
qmail is the greatest without ANY security problem, and for example he
criticises the FTP protocol as insecure on a mere remote possibility that an
unwanted person can connect to the server or client by intercepting the
information passed from the PORT or PASV commands, but many of us have used
ftp for years without any security risk, so we should put things into
perspective and see whether it really is a practical risk.
Also DJB can never be taught that he is wrong on certain matters, he is
like a hooligan with a single braincell for this. A good example is that
he does not allow binary distributions of qmail, that is why qmail is
never the default MTA in any Linux distribution that I know of nor is it
even included, which is counterproductive and more's the pity because qmail
is a gem. So for example if you see binary rpms of qmail, rest assured
that they are illegal.
Another annoying thing that he doesn't seem to understand is wrong is that
he doesn't accept patches from anyone, so for example if I needed an extra
functionality in qmail I would have to get the sources and apply a
year-old patch which under any other circumstance would have been routinely
included in the source tree long ago.
Wietse on the other hand too has a good security record (he's the guy who
wrote the tcp wrappers) although it's nowhere next to DJB's impressive
record, but he seems to have bungled this design aspect of postfix, and I
guess it must have annoyed him a lot that this problem was pointed out by
a direct rival like DJB :)
> But that
> doesn't necessarily mean he's trying to deny or hide something he knows is
> true - it's just his personality, perhaps aggravated by false bug
> accusations he regularly gets on the Postfix mailing list from newbies who
> have their system misconfigured or something.
DJB certainly is not a newbie and never can be classed as such ;) Anyway
DJB certainly has a point here, and I am not surprised that the postfix
author has kept quiet about this, since fixing this would involve almost a
complete redesign and rewrite of postfix.
> Anyway, I would be interested
> to see more on this issue from others - perhaps CERT, SANS, or another third
> party that can check it out thoroughly.
Please post us any links that you come across; it would be much
appreciated.
> tight as I can, and was attracted to the simplicity of Postfix for security
> from external hackers. People are regularly having to patch security holes
> in Sendmail, due to its sheer complexity.
The complexity of sendmail is not per se responsible for the bugs, but it's
the fact that because of the rotten basic design the number of bugs rises
almost exponentially as the level of complexity increases.
> I'll be honest - I never really
> checked out Qmail, because dealing with mail in Japanese, it was important
> to get a credible endorsement from Japanese organizations using the MTA,
> something I found for Postfix but not for Qmail (I suspect Qmail also
> handles Japanese mail just fine, but my opinion alone won't convince my
> bosses).
Indeed it should, as there is a Japanese translation together with some
docs on their main site at qmail.org.
> I just now sent a test message to a bogus user at redhat.com just to get a
> bounce message, and from its header, it looks like Redhat is still (or
> again) using Sendmail, so I take back my statement about Redhat.
Hmm they use postfix on this list, so why on earth are they running a
decadent MTA like sendmail for redhat.com?
Received: from listman.redhat.com (localhost.localdomain [127.0.0.1])
        by listman.redhat.com (Postfix) with ESMTP
        id 82DA62FF34; Mon, 2 Apr 2001 21:33:08 -0400 (EDT)
Best Wishes,
Grendel
--
.---------------------.---------------------.----{)--.
| /"__ ._ _ _ _| _ |`- grendel lintux cx -'(]__/|| |
| \__/ | (-'| |(_|(-'l_ `-===============-' [_] .-: |
`--------------------------------------------/|\/| |-'
all your .sig belong to us.