Domain: yp.to
Stories and comments across the archive that link to yp.to.
Comments · 1,222
-
Re:a good reason not to use *nix
Well, to be honest, it's your fault for using BIND!
BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.
Also, investigate alternative, and far superior servers for services you want to run.
Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.
Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.
Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.
-
It's all a dangerously stacked house of cards...
In my experience
- When a standard says MUST, then the implementation might
- When a standard says SHOULD, then the implementation will not
- When a standard RECOMMENDS, then the implementer will laugh scornfully
- When there are two possible interpretations of a standard there will be 4 possible implementations, correct for readings 1 and 2, a mad attempt to fit both contradictory meanings and the old reliable invention of something completely incompatible with both.
Your average programmer is a completely incompetent ego-ridden madman. A standard is an affront to his cherished belief that he is the best programmer on the planet. How dare someone restrict his options to make a complete mess. So they trample all over the standards, and each program that is broken but not broken enough to fail immediately and catastrophically adds to the standards pollution, limiting the solution space in which it is possible to create an app that interoperates correctly with everything else.
A proper standard shouldn't be released unless it has a few things which most lack,
- A rationale, Why are decisions made, egoboy is more likely to follow a standard if its reasoning is made clear and the thinking behind various decisions are explicit.
- A big set of tests which the app must pass before it can conform to the standard. Not that that mattered much in the case of rfc822 btw most mail programs wouldn't know what to do with the complex commenting and line folding behaviour.
- A section threatening intense physical suffering for anyone caught trying to subvert it. "By reading this document you hereby agree to a punishment no less than being nailed to a tree for creating any software which almost but not quite matches the standard herein"
- And a sample implementation released.
C.
-
Re:DJB's dnscache server/client suite
kindbud wrote:
I can hardly say enough good things about Dan's suite of DNS servers and client programs.
Having gone through the annoyance of administering a qmail site, I don't suffer from this disability.
dnscache, dnsfilter, tinydns, pickdns, walldns, rbldns, axfrdns, axfr-get, and the sundry associated libraries are just yet more screwball non-free software from Bernstein: He can keep 'em, and all his other non-FHS-compliant offerings. If I switch to anything, it'll be the GPLed Dents package.
Rick Moen
rick@linuxmafia.com
-
Reward for qmail
There is a $500 reward for anyone who can find a security hole in qmail.
If you are that confident in sendmail, why don't you put up the same amount for sendmail?
-
Re:How to secure your Linux system
Read this before deciding to use postfix.
-
DJB's dnscache server/client suite
You know Dan Bernstein as the author of Qmail. Perhaps you did not know that he has also written a secure alternative to BIND, which is quite capable of handling the largest and most active domains on the net. See cr.yp.to.
Important security features in its design:
- Client resolver is a separate process from the authoritative NS. Reduces damage potential should cache poisoning occur.
- Client resolver does not cache out-of-zone additionals. For a dot-com domain, it only believes answers from the root servers, the com servers and the auth NS for the dot-com domain, and only if those answers are in the zone it's asking about. More proof against poisoning.
- Client resolver sets TTL in responses to zero. Helps prevent client mischief. Does not return additionals or authorities to clients.
- All programs run chrooted as a non-priv uid.
- Discards all queries in classes other than IN. No CHAOS or HS classes. No "version.bind" stupidity.
- Its "hints" file is not really taken as "hints". It believes you when you tell it who the roots are, it does not go ask the servers in the hints file who the real roots are.
- Authoritative server gives immediate feedback in the event of typos or syntax errors. No grepping log files looking for problems.
- Erroneous data is rejected. Previous data is used until the error is corrected.
- Reads zone info directly from a fast database, memory requirements are very small compared to BIND.
- All zone data is contained in a single database file, which is easily rsync'd to slaves. Zone transfers are supported for compatibility with BIND, but it's not necessary to use it.
- Client resolver can be set to ask certain servers about certain domains, ignoring the roots. This is great for split DNS setups.
-
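The two resolver rules listed above (believe only answers that fall inside the zone the queried server is responsible for, and hand clients nothing but the requested records with TTL zero) are easy to get wrong, so here is an added example of that logic in Python. It is my own illustration, not code from djbdns or from the post; the RR type, the dict layout of a response and the sample "poisoned" reply are constructed for the example.

```python
# Added example: a bailiwick check of the kind described in the post, applied
# to a parsed DNS response, plus the TTL-zero/answer-only filter for clients.
# Not djbdns code; the record layout and sample reply are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.example.com"
    rtype: str   # "A", "NS", ...
    rdata: str
    ttl: int


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it ("" means the root)."""
    name, zone = _norm(name), _norm(zone)
    # The leading dot matters: "evilexample.com" is not under "example.com".
    return zone == "" or name == zone or name.endswith("." + zone)


def accept_records(response: dict, zone: str) -> list:
    """Keep only records a server authoritative for `zone` may speak for.

    `response` is {"answer": [...], "authority": [...], "additional": [...]}.
    Anything outside the bailiwick is dropped, whichever section carried it,
    so an unrelated A record smuggled into the additional section never
    reaches the cache.
    """
    kept = []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            if in_bailiwick(rr.name, zone):
                kept.append(rr)
    return kept


def to_client(records: list, qname: str, qtype: str) -> list:
    """What the client gets: only the records it asked for, with TTL 0."""
    return [RR(r.name, r.rtype, r.rdata, 0)
            for r in records
            if _norm(r.name) == _norm(qname) and r.rtype == qtype]


# Constructed sample: a reply from the example.com servers to a query for
# www.example.com/A that carries an unrelated A record in the additional
# section (the classic poisoning vector the post's second bullet guards against).
POISONED_REPLY = {
    "answer": [RR("www.example.com", "A", "192.0.2.10", 3600)],
    "authority": [RR("example.com", "NS", "ns1.example.com", 3600)],
    "additional": [
        RR("ns1.example.com", "A", "192.0.2.1", 3600),      # legitimate glue
        RR("www.example.net", "A", "198.51.100.66", 86400),  # out of bailiwick
    ],
}

if __name__ == "__main__":
    kept = accept_records(POISONED_REPLY, "example.com")
    for rr in kept:
        print("cache:", rr)
    for rr in to_client(kept, "www.example.com", "A"):
        print("client:", rr)
```

Run it and the www.example.net record is the only one that disappears; the glue for ns1.example.com survives because it sits under example.com. Note that the check is on the owner name of each record, not on the rdata, and that a resolver following the post's rule would apply it with the zone it actually sent the query for, not one named by the answer.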
A pleasant configuration..
I have a setup at my school which proves to be pretty robust. For the MTA I use Qmail (for its security and speed) and mail storage in the Maildir format. I use Maildir because it is a lot faster, and handles crashes better. Qmail comes with its own POP3 daemon, which also works with the Maildir. I use the UCSPI-TCP package's tcpserver instead of inetd to run Qmail's SMTP and POP daemons for its added security, configurability, and speed.
For an IMAP server I use the Courier IMAP package. It is a small, featureful server which supports Maildir. It would probably be fine for your needs as it has a very well designed authentication model which supports LDAP (among other things). Courier is faster and smaller than UW-IMAP and Cyrus.
Finally I use TWIG for Webmail. It supports IMAP mail, calendars, contact lists, newsgroups, etc. It is also based on PHP (yay!).
It is a very nice setup, and wasn't too hard to set up. Oh, I forgot to mention that the server is FreeBSD 3.4.
-
Bounce handling
For discussion style mail lists you can use ezmlm. But if it's just one way, one to many broadcast, just qmail will do.
I definitely second the choice of qmail + ezmlm[-idx]. (-idx for the moderation features)
;)
But for a list of any size you probably want the software to handle subscriptions and bounces automatically and securely, and ezmlm does just that by sending cryptographically secure confirmation requests and handling bounces by encoding the subscriber's address in the Return-Path.
See http://cr.yp.to/qmail.html and http://www.qmail.org for more advertising.
-
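The two mechanisms the reply above credits to ezmlm, a per-subscriber Return-Path so that bounces identify who bounced, and confirmation requests that cannot be forged, are worth seeing concretely. The following Python is an added example of my own, not ezmlm's code, and the address layouts (`list-return-user=host@domain` for bounces, `list-sc-<ts>.<hmac>-user=host@domain` for confirmations), the list name, the domain and the secret are all assumptions chosen for the illustration; ezmlm's real formats differ in detail.

```python
# Added example: VERP-style bounce addresses and HMAC-protected confirmation
# addresses for a mailing list. Illustrative only; not ezmlm's own scheme.
import hashlib
import hmac
import time

LIST_LOCAL = "announce"              # assumed list name
LIST_DOMAIN = "lists.example.org"    # assumed list domain


def _split(addr: str):
    local, _, domain = addr.rpartition("@")
    return local, domain


def return_path(subscriber: str) -> str:
    """Envelope sender for one delivery. The subscriber's address is folded
    into the local part, '@' replaced by '=' so it stays a valid local part."""
    local, domain = _split(subscriber)
    return f"{LIST_LOCAL}-return-{local}={domain}@{LIST_DOMAIN}"


def subscriber_from_bounce(rcpt: str):
    """Recover the subscriber from the address a bounce was delivered to,
    or None if it is not one of ours. No content parsing of the bounce needed."""
    local, domain = _split(rcpt)
    prefix = f"{LIST_LOCAL}-return-"
    if domain.lower() != LIST_DOMAIN or not local.startswith(prefix):
        return None
    # Domains never contain '=', so the last '=' is the separator even if the
    # subscriber's own local part contains one.
    sub_local, sep, sub_domain = local[len(prefix):].rpartition("=")
    if not sep or not sub_local or not sub_domain:
        return None
    return f"{sub_local}@{sub_domain}"


def confirm_cookie(secret: bytes, action: str, subscriber: str, ts: int) -> str:
    """Truncated HMAC binding action, subscriber and time to the list secret."""
    msg = f"{action}\0{subscriber.lower()}\0{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def confirm_address(secret: bytes, action: str, subscriber: str, ts=None) -> str:
    """Reply-To for a subscribe ('sc') or unsubscribe ('uc') confirmation.
    Whoever replies to this address proves they could read mail at the
    subscriber's address; the cookie cannot be computed without the secret."""
    ts = int(time.time()) if ts is None else ts
    local, domain = _split(subscriber)
    cookie = confirm_cookie(secret, action, subscriber, ts)
    return f"{LIST_LOCAL}-{action}-{ts}.{cookie}-{local}={domain}@{LIST_DOMAIN}"


def verify_confirmation(secret: bytes, rcpt: str, now=None, max_age=3 * 86400):
    """Parse a reply to a confirmation address; return (action, subscriber)
    if the cookie checks out and has not expired, else None."""
    local, domain = _split(rcpt)
    if domain.lower() != LIST_DOMAIN or not local.startswith(LIST_LOCAL + "-"):
        return None
    rest = local[len(LIST_LOCAL) + 1:]
    action, sep, rest = rest.partition("-")       # action holds no '-'
    if not sep or action not in ("sc", "uc"):
        return None
    token, sep, encoded = rest.partition("-")     # "<ts>.<cookie>" holds no '-'
    if not sep:
        return None
    ts_s, sep, cookie = token.partition(".")
    if not sep or not ts_s.isdigit():
        return None
    sub_local, sep, sub_domain = encoded.rpartition("=")
    if not sep or not sub_local or not sub_domain:
        return None
    subscriber = f"{sub_local}@{sub_domain}"
    ts = int(ts_s)
    now = int(time.time()) if now is None else now
    if ts > now or now - ts > max_age:
        return None                                # stale or future-dated
    expected = confirm_cookie(secret, action, subscriber, ts)
    if not hmac.compare_digest(expected, cookie):  # constant-time compare
        return None
    return action, subscriber


if __name__ == "__main__":
    secret = b"constructed-example-secret"         # assumed list secret
    print(return_path("bob@example.net"))
    print(subscriber_from_bounce(return_path("bob@example.net")))
    addr = confirm_address(secret, "sc", "alice@example.net")
    print(addr, verify_confirmation(secret, addr))
```

The bounce side needs no secret at all: the address is self-describing, which is the point of putting the subscriber into the Return-Path rather than into the message body. The confirmation side is where the cryptography lives; an attacker who wants to subscribe a victim, or unsubscribe a real member, has to reply from an address that carries a valid cookie, and the cookie covers the action, the subscriber and the timestamp, so a captured subscribe cookie cannot be replayed later as an unsubscribe or for a different address.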
Only dynamic content, BTW
I'm only interested in dynamic content, by the way. For static content, we have Dan Bernstein's publicfile server. Small, fast, secure.
-
Solution...
qmail with ezmlm is your solution. Use it instead of sendmail. To create a mailing list, you put a file in your home directory called
.qmail-listname, and use the address yourlogin-listname, and qmail does the right thing (instant listserver! No admin needed!). There is even a couple of web-based interfaces (EZmlm-Web 1.02 and another one here) for adding and deleting users from a list. qmail is pretty sweet anyway, you should be using it.
darren
Cthulhu for President!
-
BIND _NOT_ the only choice
Just nitpicking, but BIND isn't the only game in town: TinyDNS by D.J. Bernstein, the author of qmail, is much better if you take the time to figure it out.
It is complemented by DNSCache, for (obviously) caching, and others tools.
All have small footprints, are highly efficient, and were designed to be secure.
- Technik
-
POSIX_ME_HARDER
If Dan Bernstein's software runs on it, it's Unix.
-
Patches not derivative - See Galoob v. Nintendo
According to D. J. Bernstein's page at http://cr.yp.to/softwarelaw.html:
According to the CONTU Final Report, which is generally interpreted by the courts as legislative history, ``the right to add features to the program that were not present at the time of rightful acquisition'' falls within the owner's rights of modification under section 117.
Note that, since it's not copyright infringement for you to apply a patch, it's also not copyright infringement for someone to give you a patch. For example, Galoob's Game Genie, which patches the software in Nintendo cartridges, does not infringe Nintendo's copyrights. ``Having paid Nintendo a fair return, the consumer may experiment with the product and create new variations of play, for personal enjoyment, without creating a derivative work.'' Galoob v. Nintendo, 780 F. Supp 1283 (N.D. Cal. 1991), affirmed, 22 U.S.P.Q.2d 1587 (9th Cir. 1992). See also Foresight v. Pfortmiller, 719 F. Supp 1006 (D. Kan. 1989).
-
Re:Can postfix and qmail handle multiple domains?
Yes. Easily. qmail with the vpopmail addon from Inter7 will make you wonder why you ever bothered to try and configure Sendmail.
You might also be interested in their qmailadmin addon which allows web-based management of domains, and sqwebmail which adds a hotmail-esque web interface for checking & sending email.
qmail is different than Sendmail, considerably so. But once you understand how it works, I think its design is far superior to that of Sendmail. It's much more unixy, IMNSHO. There is ample evidence that qmail is considerably faster and less resource intensive than Sendmail, but what really made the difference for me was the security focus of qmail.
As I said, qmail is different from Sendmail, but there is a lot of contributed documentation available as well as commercial support. The qmail community is large, capable and very motivated. They do have one problem though, they don't have a 4-inch-thick O'Reilly book dedicated to their MTA...
...hmmm, maybe there's a reason for that!
-
Re:Question Regarding DNS
If you are concerned about security and reliability, then BIND may not be the best solution for you. It has a history of security exploits, and in general the codebase is a complete mess.
Everyone's favourite daemon-revamper Dan Bernstein has an excellent DNS suite of tools called DNSCache which you can obtain from http://cr.yp.to/dnscache.html. This looks pretty much ultrasecure (as most of his stuff is), and also very robust and modular. In addition, you don't need to muck around with zone files and so on, and the interface for adding information is ridiculously simple thanks to some scripts in the package.
For example, to add a new alias to an already existing domain, all I have to do is:
./add-alias new.recoil.org 1.2.3.4
make
and that's it! Serial numbers etc. all taken care of automatically for you.
I've been running and playing with DNSCache and can recommend it to anyone looking for an alternative to BIND.
Anil
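The add-alias step above appends a line to tinydns's data file, whose format is one record per line keyed on the first character (`.` NS+SOA, `=` A+PTR, `+` A only, `@` MX, `C` CNAME, `^` PTR, `'` TXT, `Z` SOA, `:` generic; `#` comments and `-` lines are ignored). Since a single typo in that file is exactly what the poster says the tool reports immediately, here is an added example of a small linter for it in Python. It is my own code, not part of djbdns; the sample data file is constructed for the example, and the two consistency checks (two hosts claiming the same PTR, a CNAME owner that also has other records) are the ones I chose to illustrate, not a complete list of what tinydns-data or tinydns-edit enforce.

```python
# Added example: parse and sanity-check a tinydns-style data file.
# Not djbdns code; the sample data and the chosen checks are this example's own.
import ipaddress

# Leading character -> what the line defines, per the tinydns-data format.
KINDS = {
    ".": "NS+SOA+A", "&": "NS+A", "=": "A+PTR", "+": "A", "@": "MX",
    "'": "TXT", "^": "PTR", "C": "CNAME", "Z": "SOA", ":": "generic",
}
HAS_IP = ".&=+@"   # kinds whose second field is an IP address (may be empty for some)


def parse_line(line: str, lineno: int):
    """Return a record dict, or None for blank/comment/ignored lines.
    Raises ValueError for the kind of typo the poster says is caught at once."""
    line = line.rstrip("\n")
    if not line or line[0] in "#-":
        return None
    kind = line[0]
    if kind not in KINDS:
        raise ValueError(f"line {lineno}: unknown record type {kind!r}")
    fields = line[1:].split(":")
    fqdn = fields[0].strip().lower()
    if not fqdn:
        raise ValueError(f"line {lineno}: missing name")
    rest = fields[1:]
    if kind in HAS_IP and rest and rest[0]:
        try:
            ipaddress.ip_address(rest[0])
        except ValueError:
            raise ValueError(f"line {lineno}: bad IP address {rest[0]!r}") from None
    elif kind in "=+" and (not rest or not rest[0]):
        raise ValueError(f"line {lineno}: {kind!r} record needs an IP address")
    return {"kind": kind, "what": KINDS[kind], "fqdn": fqdn,
            "fields": rest, "line": lineno}


def parse_data(text: str) -> list:
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_line(line, lineno)
        if rec is not None:
            records.append(rec)
    return records


def check(records: list) -> list:
    """Cross-record consistency problems, as human-readable strings."""
    problems = []
    ptr_owner = {}          # ip -> fqdn that already claims the reverse name
    names_with_data = set()
    cnames = {}             # fqdn -> line of its CNAME record
    for r in records:
        if r["kind"] == "=":
            ip = r["fields"][0]
            if ip in ptr_owner and ptr_owner[ip] != r["fqdn"]:
                problems.append(
                    f"line {r['line']}: {ip} already has PTR {ptr_owner[ip]} "
                    f"(use '+' for an alias)")
            ptr_owner.setdefault(ip, r["fqdn"])
        if r["kind"] == "C":
            cnames[r["fqdn"]] = r["line"]
        else:
            names_with_data.add(r["fqdn"])
    for name, ln in cnames.items():
        if name in names_with_data:
            problems.append(f"line {ln}: CNAME {name} also has other records")
    return problems


def lint(text: str) -> list:
    return check(parse_data(text))


# Constructed sample data file; line 5 and line 6 are deliberately wrong.
SAMPLE = """\
# constructed sample tinydns data file
.recoil.org:1.2.3.1:a:259200
=host1.recoil.org:1.2.3.4:86400
+new.recoil.org:1.2.3.4:86400
=other.recoil.org:1.2.3.4
Cnew.recoil.org:host1.recoil.org
@recoil.org:1.2.3.5:mail.recoil.org:10
"""

if __name__ == "__main__":
    for p in lint(SAMPLE):
        print(p)
```

The `=` versus `+` distinction is the one that bites: `=` creates the reverse record as well, so a second `=` line for the same IP silently fights over the PTR, which is why the poster's add-alias (a `+` line) is the right tool for an extra name on an existing address.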