
The qmail security guarantee - rishabhd
https://cr.yp.to/qmail/guarantee.html
======
SwellJoe
For anyone considering QMail today, don't.

When QMail was initially conceived, Sendmail was king, and Sendmail was awful
(from a security perspective). Today there are multiple very good alternatives
to Sendmail (I've used Postfix for many years with no complaints), and QMail
has seen very sparse development. While Postfix has a moderately less stellar
security record, it's still pretty darned good, and still under active
maintenance.

Many modern mail security features are either hacked onto QMail via patches
from third parties (none of whom are as famous for their security chops as
djb) or completely non-existent in QMail. The number of people running it
today is extremely small, so you're going to find relatively few resources
about it when you run into problems (and what resources you find will be very,
very, very old, in most cases).

If you're wanting a similarly limited SMTP server that is under active
maintenance, opensmtpd from the OpenBSD folks might be an option (though I've
never used it). It, at least, has people looking at it regularly and supports
basic features lacking in QMail, like encryption, without patches.

QMail has a tiny but rabid following (kinda like djb himself) who settled into
their beliefs about the MTA landscape in 1998 and have ignored everything
that's happened since. (Funny, or maybe just odd, story: When we removed
qmail-ldap, an unmaintained patched version of QMail that adds LDAP
authentication, from Virtualmin, I literally had someone bringing up companies
that have been out of business for more than a decade as proof that it was
still in active use and we should keep maintaining support for it, even though
no one has asked a question about it in our forums in eight years. It was the
most bizarre technical conversation I've had in a while. I was like, "But,
umm...they have no website and every mention I can find of that company is
from 2006. What makes you think they're still using qmail-ldap or would care
that we're removing support for it?" Then again, they also wanted to rant for
a couple dozen paragraphs about gay people oppressing them in our issue
tracker and for an hour or so in our IRC channel, so he may not have been
entirely connected to our reality.)

~~~
lathiat
I'm surprised how long qmail lasted, but it definitely has issues (some of them
with patches; the patches definitely have much more flimsy security, and
realistically you can't run it without many feature patches these days).

I actually wrote a replacement for vpopmail called 'rmail' that stored the
virtual user databases in cdb. I never liked requiring a central DB like MySQL
for your mail receipt to work in real time in an otherwise relatively
decentralised server protocol (despite literally working at MySQL for 9 years)
and liked the idea of a file better. Powered 1000+ users for many many years.
Now replaced with postfix for about 5 years :)

Still, it definitely has a surprisingly solid place in my historic heart.

~~~
SwellJoe
Postfix has always (or, at least, as long as I can remember) used something
very similar to that idea for all of its various user, alias, virtual, etc.
tables. It's mostly transparent to the user, but when you run postmap, you're
creating a key/value database (for those who don't know, cdb was djb's
efficient key/value database implementation way back when) of the things in
the map file.

It can even use cdb as a backend, but realistically for the kinds of map
tables one works with in a mail server, any of them are Good Enough(tm)
because the entire data set will always fit in memory (even if you have an
absurdly large mail server with 100,000 mail users on a single system, it'll
still fit in RAM).

We used to get a _lot_ of people wanting MySQL support in our mail stack,
which I actively have always discouraged. It's (orders of magnitude) slower,
harder to maintain, and provides no benefit for the vast majority of
deployments. For whatever reason (maybe just that fewer people want to host
their own mail beyond sending mail from apps and notifications from the system
itself), we get a lot fewer requests for it lately. Maybe I finally convinced
everyone it was a bad idea.

~~~
jlgaddis
I'm responsible for several mail servers and all of them are running postfix
with the user data stored in SQL (including my own personal mail server). The
primary reason is to simplify administration (management of user accounts and
such, using various scripts and webapps).

~~~
SwellJoe
There is an argument to be made for some sort of central backend store when
you have multiple mail servers for the same domain(s) and users. SQL isn't
terrible in that context (I would likely prefer LDAP for that, but SQL works,
too).

Most of our users have one server, and lots of tutorials and stuff are about
one mail server. It just makes no sense to add that huge amount of extra
complexity for that simple use case.

------
linsomniac
I started using qmail in 1996-ish, and was a pretty big fan for a while.

I wouldn't use it at this point though, it really has languished and is, IMHO,
totally unusable without a lot of dicking around to get the right set of
patches and the like.

He kind of lost me when AOL increased their MX record to be larger than UDP
could handle in a single packet. He stood firm that AOL was doing it wrong,
meanwhile my users didn't care about what the RFCs said, they just wanted to
e-mail their grandma like all their friends could.

The qmail community collected a lot of people with similar personalities and I
got tired of it.

These days, I'm pretty happy with Postfix, and it has the things a modern e-mail
server needs, supported in the core rather than requiring a ton of patches
that haven't been eyeballed by the author.

------
featherverse
According to this:
[https://en.wikipedia.org/wiki/Comparison_of_mail_servers](https://en.wikipedia.org/wiki/Comparison_of_mail_servers)

qmail doesn't support SMTP over TLS or SSL. How is that "secure"?

~~~
geocar
Well, if you sent an email to `|program` it didn't execute program.
Seriously[1]

[1]:
[https://www.tenable.com/plugins/index.php?view=single&id=102...](https://www.tenable.com/plugins/index.php?view=single&id=10261)

Indeed, many sysadmins of the time lauded qmail's lack of supporting "standard
features" in the name of "security" which sadly was still a new concept on the
Internet.

Something to consider: SMTP over TLS offers some privacy and confidentiality
between two mail servers that have established a trust relationship, but it
offers no protection against an upstream network (who can simply fake some DNS
records and get a letsencrypt certificate) or a state actor (who simply
threatens the CA). I think referring to "SMTP over TLS" as "secure" is
dangerous because it leads us to equate "more code" as providing security.

~~~
ktRolster
Truly, the only way to have security is to encrypt the message with the
receiver's public key.

~~~
featherverse
I find it discouraging that it's almost 2018 and this function of E-mail has
not been made standard in all clients yet.

I understand the concerns about trust, but why not make trust the extra step
for now, and make encryption the standard. And in time we can standardize
trust as well. (I know it's pretty standard already but I'm thinking about
'the average user')

"Well I can't trust the source so why bother with encryption" is what we have
presently, and that's just ridiculous.

~~~
geocar
"What's your email address" is about 90-120 bits of information -- a long way
from the 2000-5000 bits that are in a public key. I figure if we solve this
problem then we can make encrypting email the norm.

------
linsomniac
"It's too bad DJB is so abrasive, because he has some good ideas and nobody
will listen to him because of it." This came from someone fairly famous, but I
didn't ask to quote him so I won't. His name is on a definitive book in his
field.

Personality is important.

~~~
feelin_googley
More important than aesthetics, competence and the code itself?

What if the user does not care "who" the author is, other than to identify
what he has written?

For example, I have no idea "who" Arthur Whitney is, but I will not hesitate
to spend time learning any software he writes. His work speaks for itself.

Same for djb.

In the context of how I choose software, personality is irrelevant.

I am unlikely to ever interact with these authors.

If people in forums and committees put these authors down or criticize their
work then that tells me something about the people in forums and committees.

I am not sure I understand what bothers them about the few people who have
rare ability to "push the envelope" in software and share their work over the
internet, but I am aware that it bothers some people.

~~~
tom_mellior
> More important than aesthetics, competence and the code itself?

Yes, if that personality results in "sexual harassment, bullying, blackmail,
and physical harm" ([https://medium.com/@hdevalence/when-hell-kept-on-payroll-somewhere-is-where-you-are-f419d3022d0](https://medium.com/@hdevalence/when-hell-kept-on-payroll-somewhere-is-where-you-are-f419d3022d0)),
then that personality is more important than "aesthetics".

Previous HN discussion:
[https://news.ycombinator.com/item?id=13891513](https://news.ycombinator.com/item?id=13891513)
I wonder if this has gone anywhere in the courts.

~~~
feelin_googley
Many people use software everyday without being aware of the identity of its
author(s) and certainly not the personal life of its author(s). Because I
prefer open source software, I may know who are the authors of the software I
use, but I have no need to know the personal lives of these authors.

At this time there is another item on the HN front page about a Linux
distribution called "Void Linux". Several of the comments indicate it uses
"runit". Runit is a copy of software called "daemontools", written by djb. I
use daemontools. I would like to keep using it.

Do I need to cease using it because people in blogs and forums are discussing
personal matters involving the author? Is it acceptable to use Void Linux?

To list all the popular software/websites that may include/use code/software
from this author would be an exhausting exercise. It would probably include
many well-known entries, such as major email providers, DuckDuckGo, OpenDNS
and WhatsApp.

I can easily avoid those popular choices, but I still need to use daemontools,
tinydns, clockadd, and other programs by this author. IMHO they have no equal.

For clarification, by "aesthetics" I mean software aesthetics. Namely, a
preference for small program size, terse syntax, low resource requirements,
and numerous other "aesthetic" qualities. These qualities are evident from the
code itself and _I need not know anything about the life of the author_.

It may be better that I do not know. Consider an avid reader who grows to love
the work of a particular author. Then one day she decides to meet the author.
Unfortunately she is severely let down when she learns the author's
personality is not what she expected. Does this reduce the quality of his art
that she previously enjoyed? One can apply this idea to any form of art. The
art itself vs the life of the artist. To me, software is a form of art.

~~~
tom_mellior
> Is it acceptable to use Void Linux?

Yes, and it's disingenuous to suggest that I suggested otherwise.

> These qualities are evident from the code itself

But you don't read the code of every single package on your system. Similarly,
you probably don't have to research the personal background of every single
developer.

> IMHO they have no equal.

Well, there you go then. That's a good reason to use them. I said personality
can be more important than aesthetics, I did not say personality is more
important than any other criterion you might think of.

> It may be better that I do not know.

It may, although now you _do_ know. Actively seeking out information to act on
is different from acting on information that was communicated to you. But
again, if you feel that I am saying you are a bad person for using tinydns,
you feel wrong.

~~~
feelin_googley
It is "disingenuous" to suggest I use binary packages or that I use third party
software whose source I have not edited or read.

As it happens, I am constantly reading the sources of the software I use:
kernel, userland and third party. And I do pay attention to attributed
authorship on that software.

But I am not evaluating any software based on "personalities" of its authors,
as alleged by random people, often anonymous, on internet mailing lists,
forums, blogs, etc.

I am going to continue to use the "best software available", as determined by
me, for better or worse. I think I am not alone in that approach and I think
it is reasonable. I will not be distracted by petty criticisms of what I know
to be good software or "dirty laundry" about the authors on the internet that
I may encounter in the process.

~~~
tom_mellior
> or that I use third party software whose source that I have not edited or
> read

I'm calling bullshit on the statement that you have read every single line of
code for the software running on your system.

> I am going to continue to use the "best software available", as determined
> by me

Good for you.

~~~
feelin_googley
I'm calling bullshit on injecting an absurd dichotomy between choosing
software based on the author's personality versus "reading every single line
of code of the software running on your system". It is possible to choose
software based on qualities inherent in the software and not know or care
about the personality or personal matters of the author. And it is possible to
do this without "reading every single line of code of the software running on
your system".

Those qualities of the software and its design, what I call "software
aesthetics" might include, among other things, the size of the program, its
resource requirements, dependencies, configuration, and even, yes, the source
code itself. Nowhere did I suggest that I read "every line" of every source
code file comprising the operating system I use.

Where possible I do selectively read and sometimes edit some of these files.
With respect to third party software, I often do read every file. I prefer
software that is small enough where I can do this. But what does the idea of
reading "every line of code" in an (operating) system have to do with my
original comment? Nothing.

In any event, since you have shifted the discussion to (operating) systems, I
can confirm I did not choose the (operating) system I use based on the
"personality" of its authors. I chose it because of the "software aesthetics"
reflected in the software itself. As I see it, this might include an
appreciation for the command line and small program size, manual configuration
by the user and having all options _off_ by default, documentation,
portability and "clean code", among other things. People making comments in
email or on the www on whether they like or dislike the authors of this
software did not affect my decision to use it.

The point of my original comment was simple: someone may choose software based
on the software itself, not the author's personality, whatever that may be. I
thought this is worth considering in response to the parent comment that
"Personality is important". But others may disagree.

I would like to end this exchange now. I appreciate your input.

------
feelin_googley
[http://cr.yp.to/qmail/qmailsec-20071101.pdf](http://cr.yp.to/qmail/qmailsec-20071101.pdf)

~~~
jlgaddis
FYI: _"Some thoughts on security after ten years of qmail 1.0"_ (by DJB, of
course).

Abstract:

The qmail software package is a widely used Internet-mail transfer agent that
has been covered by a security guarantee since 1997. In this paper, the qmail
author reviews the history and security-relevant architecture of qmail;
articulates partitioning standards that qmail fails to meet; analyzes the
engineering that has allowed qmail to survive this failure; and draws various
conclusions regarding the future of secure programming.

------
eriksjolund
The qmail security guarantee was challenging. I gave it a try, and actually I
found a bug:

[http://adivo.se/qmail/qmail-1.03.qmail_local_c.patch](http://adivo.se/qmail/qmail-1.03.qmail_local_c.patch)

but it was no security bug. Unfortunately I can't find any mailing list
archive of qmail where the bug was discussed.

~~~
JdeBP
You've been on [http://jdebp.eu./FGA/qmail-problems.html](http://jdebp.eu./FGA/qmail-problems.html)
for about 14 years, and your patch was one of the ones that went into netqmail.

~~~
eriksjolund
I'm glad that the patch came into use.

------
pilif
Back in 2001 when I was investigating the dependencies I wanted to take on for
a webmail service, qmail was on my list of possible candidates, also because
of this security guarantee.

However, I quickly learned that while that security guarantee probably was a
good thing and valid, practically nobody was actually running vanilla qmail
because it also had a very limited feature set.

What people were running was a mixture of qmail with various patches of their
own or downloaded from somewhere on the internet, none of them properly
maintained and all of them likely full of security issues nobody was caring
about.

However, if you asked them what they were running, they were still saying
qmail and they were still quoting the security guarantee which at that point
was completely worthless.

In my case I went with a "batteries included" solution that didn't provide a
security guarantee but also came with all the features I needed built-in and
which also got regular updates by its maintainer.

Not needing to add third-party patches was more important than the design and
guarantees of the base-product because the moment you patch the thing
yourself, you own it and all the possibly given guarantees and positive
aspects of the underlying architecture were null and void.

The solution I went with in the end was exim and it still is the MTA on our
central relay. It had more security issues than qmail or postfix over its
history, but I also do not need to patch it for my solution with users-in-SQL.
Meaning that whenever a security issue is found, I can rely on my distro to
provide updates which will fix the issue.

qmail and postfix provided a better security picture out-of-the-box but both
would have needed manual patching for my needs which I deemed too risky.

There is no question that the less functionality offered by a product, the
more secure it is. If you don't need any features, then by all means go with a
product that has no features and you'll automatically enjoy the best security:
Features breed complexity. Complexity breeds security issues.

But if you absolutely need a list of features that is offered by a tool, be
careful in weighing up the risks of manually adding those additional things
compared to going with the full solution where somebody else is taking care of
the security picture.

~~~
geocar
> which at that point was completely worthless.

I disagree. qmail's design decisions meant that a lot of the patches were
insulated even from themselves.

It also made me a better programmer and a better sysadmin.

------
jedisct1
I still run qmail (in addition to postfix and opensmtpd) for one thing:
ezmlm-idx.

Is there something I can replace ezmlm-idx with, that would seamlessly import
all the lists, subscribers and archives?

~~~
seschwar
[http://mlmmj.org/](http://mlmmj.org/) claims to be heavily inspired by ezmlm.
I haven't used either so I don't know how well it works as a replacement, but
it might be worth a look.

------
dozzie
Ah yes, the one that djb denied to somebody who found a resource exhaustion
hole, from what I remember.

~~~
X-Istence
> In May 2005, Georgi Guninski claimed that some potential 64-bit portability
> problems allowed a "remote exploit in qmail-smtpd." This claim is denied.
> Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no
> problem with qmail's assumption that allocated array lengths fit comfortably
> into 32 bits.

~~~
kstrauser
That's adorably quaint. I wonder if djb still believes that's the case?

~~~
X-Istence
qmail-smtpd is a very small binary that is run per connection received through
tcpserver.

There is no good reason to give it even a gigabyte of ram, let alone many
multiple gigs.

I would say the notion of small binaries working together (the unix way)
would still allow him to believe that to be the case.

~~~
lawnchair_larry
Nobody "gives" set amounts of memory to their processes at all, so this
thinking is backwards to begin with. The vulnerability is legitimate.

~~~
yuubi
I seem to remember that the installation directions included something to
limit memory size, and trying to install without reading the directions would
fail well before opening a listener port.

------
danilocesar
"write bug-free code"

There's no such thing, especially when you decide it's a good idea to rewrite
libc.

But yeah, the "stdio seem designed to encourage bugs" phrase seems pretty
correct.

~~~
ktRolster
That's missing the point.

You can either learn from his techniques and improve your skill, or you can
argue about definitions and not improve your skill.

There is no doubt that DJB has good coding skills.

