qmail Digest 15 Nov 2000 11:00:00 -0000 Issue 1184

Topics (messages 52138 through 52229):

Re: MX routing question
        52138 by: Paul Farber

HELP!
        52139 by: Casey Allen Shobe

Fresh Installation
        52140 by: Mark Anderson
        52141 by: James Raftery

reg. qmail-qmqpd and qmail-qmtpd
        52142 by: RamKumar
        52150 by: Dave Sill

Startup Script
        52143 by: Travis Turner
        52145 by: Charles Cazabon
        52179 by: Roger Walker
        52194 by: Greg Cope

how best to log rblsmtpd?
        52144 by: brandon.discontent.com

hello
        52146 by: Alexander Mardirossian
        52149 by: Dave Sill

Removing Delivered-To header
        52147 by: Peter Cavender

accessing $local in fastforward alias file
        52148 by: Tristan Graham
        52155 by: Charles Cazabon
        52159 by: Tristan Graham

Re: Antispam with authorization from POP3 server.
        52151 by: Dave Sill

Re: How do I route to another host?
        52152 by: Dave Sill
        52154 by: mark.sidell.org

Re: Clear the queue of qmail
        52153 by: Dave Sill

secrets and lies
        52156 by: Mate Wierdl
        52158 by: Dave Sill
        52160 by: Adam McKenna
        52161 by: anon-dns.sitefoundry.com
        52162 by: Charles Cazabon
        52163 by: Ryan Russell
        52164 by: markd.bushwire.net
        52165 by: Bennett Todd
        52166 by: Mate Wierdl
        52167 by: Ian Lance Taylor
        52168 by: markd.bushwire.net
        52169 by: Mate Wierdl
        52170 by: Paul Jarc
        52171 by: Adam McKenna
        52172 by: Matthias Andree
        52173 by: Chris K. Young
        52174 by: Mate Wierdl
        52175 by: Gustavo Vieira Goncalves Coelho Rios
        52176 by: Paul Jarc
        52177 by: Mate Wierdl
        52178 by: Bennett Todd
        52180 by: Paul Jarc
        52181 by: Lipscomb, Al
        52182 by: Robin S. Socha
        52183 by: Bennett Todd
        52184 by: Bennett Todd
        52185 by: Russ Allbery
        52186 by: Russ Allbery
        52187 by: Adam McKenna
        52188 by: Travis Turner
        52189 by: Travis Turner
        52190 by: Adam McKenna
        52191 by: Bennett Todd
        52192 by: Lipscomb, Al
        52193 by: Felix von Leitner
        52195 by: Mate Wierdl
        52196 by: Ryan Russell
        52197 by: Felix von Leitner
        52198 by: Adam McKenna
        52199 by: markd.bushwire.net
        52200 by: markd.bushwire.net
        52201 by: Felix von Leitner
        52202 by: dreamwvr
        52203 by: David Dyer-Bennet
        52204 by: Bennett Todd
        52205 by: Andre Oppermann
        52207 by: Adam McKenna
        52208 by: Bennett Todd
        52210 by: Chris K. Young
        52211 by: Russ Allbery
        52212 by: markd.bushwire.net
        52213 by: Adam McKenna
        52214 by: Ryan Russell
        52217 by: Mate Wierdl
        52218 by: Mate Wierdl
        52219 by: Nathan J. Mehl
        52220 by: David Dyer-Bennet
        52221 by: Chris Olson
        52224 by: Mate Wierdl
        52225 by: Chris K. Young
        52227 by: Adam McKenna

Personalising emails to lists and prohibited subjects in ezmlm-idx/qmail
        52157 by: Darren Honeyball
        52209 by: Darren Honeyball

Alias - .qmail-default
        52206 by: Expert User

mail delivery statistics
        52215 by: Mikko Hänninen

accepting and delivering locally for a different IP ...
        52216 by: wolfgang zeikat

Help Required .....
        52222 by: RamKumar
        52223 by: Charles Warwick

DFSG and DJB (was Re: secrets and lies)
        52226 by: Greg Hudson

running daemontools on qmail with large locals and rcpthosts files
        52228 by: Eric Yu

Qmailanalog ...
        52229 by: Daniel POGAC

Administrivia:

To unsubscribe from the digest, e-mail: [EMAIL PROTECTED]
To subscribe to the digest, e-mail: [EMAIL PROTECTED]
To bug my human owner, e-mail: [EMAIL PROTECTED]
To post to the list, e-mail: [EMAIL PROTECTED]

----------------------------------------------------------------------
take the non-local domains out of the locals file. Paul Farber Farber Technology [EMAIL PROTECTED] Ph 570-628-5303 Fax 570-628-5545 On Mon, 13 Nov 2000, Oliver Menzel wrote: > Hi, > > I'm trying to make all mail incoming for a bunch of hosts to be > delivered to this one mail host. > > So i've setup an MX record for each one of those domains to be that > mail host. > > Problem is, the mail is always delivered for that host, ie: if I send > mail to [EMAIL PROTECTED], and the MX is mx.host.com, the mail will be > delivered to host.com, regardless of the MX entry. > > Is this a DNS problem, or the way qmail delivers mail? > > Thanks in advance, > Oliver > > __________________________________________________ > Do You Yahoo!? > Yahoo! Calendar - Get organized for the holidays! > http://calendar.yahoo.com/ >
Hi, I cannot unsubscribe an old email address which I no longer use but forwards to this one. I'd like to subscribe using the proper account, but don't want duplicates... -- Casey Allen Shobe [EMAIL PROTECTED] http://aixos.net **Using AixOS.net Webmail Interface**
I just moved from Sendmail to Qmail and I'm having problems with it. Mails from a mail client seem to go through without any problems, but when I manually send a mail through a telnet connection to port 25 I get the following error after I send the EOF during the message section:

451 unable to exec qq (#4.3.0)

I took the brave step to find the error in the source code. It was returned from a switch/case clause in qmail.c I believe. Any help... please...

Mark Anderson
On Tue, Nov 14, 2000 at 02:54:00PM -0000, Mark Anderson wrote:
> 451 unable to exec qq (#4.3.0)

To place a message into the queue qmail needs to run /var/qmail/bin/qmail-queue. The error you're seeing is often caused by having /var mounted with the nosuid option (qmail-queue is setuid).

james
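As an added example (not from the digest, not part of qmail), a POSIX shell diagnostic for the two conditions James names: it checks whether a qmail-queue binary carries the setuid bit and whether the filesystem that holds it is mounted nosuid. The path /var/qmail/bin/qmail-queue comes from the reply; reading the mount table from /proc/mounts (Linux layout) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the digest or from qmail itself. Diagnoses
# "451 unable to exec qq (#4.3.0)" by checking the two usual causes:
# qmail-queue without its setuid bit, or qmail-queue on a nosuid filesystem.
# QQ_PATH and MOUNTS_FILE are assumed defaults; override in the environment.
QQ_PATH="${QQ_PATH:-/var/qmail/bin/qmail-queue}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# qq_is_setuid FILE -> 0 if FILE exists and has the setuid bit set
qq_is_setuid() {
    [ -u "$1" ]
}

# opts_have_nosuid "rw,nosuid,relatime" -> 0 if the option list contains nosuid
opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts_for_path PATH MOUNTS_TEXT -> prints the mount options of the
# deepest mount point that contains PATH, i.e. the filesystem holding it.
# MOUNTS_TEXT uses /proc/mounts layout: "dev mountpoint fstype opts dump pass".
# Ties (the same mount point listed twice) go to the later line, as a later
# mount on the same point shadows the earlier one.
mount_opts_for_path() {
    printf '%s\n' "$2" | awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# check_qq PATH MOUNTS_TEXT -> prints a diagnosis per condition; returns 0
# only when the binary is setuid and its filesystem permits setuid.
check_qq() {
    path="$1"; mounts="$2"; rc=0
    if qq_is_setuid "$path"; then
        echo "ok: $path is setuid"
    else
        echo "problem: $path is missing the setuid bit (or does not exist)"
        rc=1
    fi
    opts=$(mount_opts_for_path "$path" "$mounts")
    if opts_have_nosuid "$opts"; then
        echo "problem: filesystem holding $path is mounted nosuid ($opts)"
        rc=1
    else
        echo "ok: filesystem holding $path allows setuid ($opts)"
    fi
    return $rc
}

# Stand-alone use on a qmail host: inspect the live binary and mount table.
if [ -e "$QQ_PATH" ] && [ -r "$MOUNTS_FILE" ]; then
    check_qq "$QQ_PATH" "$(cat "$MOUNTS_FILE")"
fi
```

On a box that shows the 451, a "problem:" line points at which of the two fixes applies: `chmod u+s` on qmail-queue, or remounting /var (or moving qmail) so that setuid binaries are honoured.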
Hi, I would like to know what qmail-qmqpd and qmail-qmtpd are used for, and where I could get more information about the same. thanks ram
"RamKumar" <[EMAIL PROTECTED]> wrote: >i would like to know what qmail-qmqpd and qmail-qmtpd are used for? and >where i could get more information about the same. QMQP is the Quick Mail Queueing Protocol. QMTP is the Quick Mail Transfer Protocol. QMQP is used by clients of smart hosts to pawn off delivery to the smart host. QMTP is a high speed SMTP replacement. The only client I'm aware of is maildirqmtp from serialmail. More information on both of the daemons is in their man pages. -Dave
Does anyone have a good startup script for qmail on RH 6.2 Linux? The one that came with the "Running Qmail" book has some sort of error in it. It basically gives me an error on startup that says line 14 error somewhere around stop). I would appreciate the help Regards, Travis Travis Turner Information Technology Manager Applied Integration Corporation Tucson, Arizona U.S.A. Phone (520) 743-3095 Fax (520) 623-1683 "Do not meddle in the affairs of dragons for you are crunchy and taste good with ketchup."
Travis Turner <[EMAIL PROTECTED]> wrote: > Does any one Have a good startup script for qmail on RH 6.2 Linux. The one > that came with the "Running Qmail" book has some sort of error in it. The quality of that book has been questioned on this list and elsewhere. Try "Life with qmail" by Dave Sill. You can find a pointer to it on www.qmail.org under User-contributed Documentation IIRC. It contains a flexible startup script. Charles -- ----------------------------------------------------------------------- Charles Cazabon <[EMAIL PROTECTED]> GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/ Any opinions expressed are just that -- my opinions. -----------------------------------------------------------------------
On Tue, 14 Nov 2000, Travis Turner wrote: > Does any one Have a good startup script for qmail on RH 6.2 Linux. The one > that came with the "Running Qmail" book has some sort of error in it. It > basically gives me an error on startup that says line 14 error somewhere > around stop). I would appreciate the help csh -cf '/var/qmail/rc &' I think that's the line you are looking for to get it started within the script. The 'rc' script is the real startup script, and is a copy of one of several in the /var/qmail/boot/ directory, depending on whether or not you want to use procmail, etc. Using 'daemon' to start the script fails - possibly because the 'rc' script dies after it executes. -- Roger Walker <http://www.rat-hole.com> Voice/Fax 1-780-440-2685 <http://www.man-from-linux.com> "HIS Pain; YOUR Gain" <http://www.rope.net> <http://www.rope.net/signature.html>
Travis Turner wrote: > > Does any one Have a good startup script for qmail on RH 6.2 Linux. The one > that came with the "Running Qmail" book has some sort of error in it. It > basically gives me an error on startup that says line 14 error somewhere > around stop). I would appreciate the help mine works fine - what is the exact error ? Greg > > Regards, > Travis > Travis Turner > Information Technology Manager > Applied Integration Corporation > Tucson, Arizona U.S.A. > Phone (520) 743-3095 > Fax (520) 623-1683 > > "Do not meddle in the affairs of dragons for you are crunchy > and taste good with ketchup."
Gang -

I've just reimplemented rblsmtpd and have received requests to log separately the hosts which are being denied. A cursory scan of the log shows that I should be able to parse the log based on the 451 errors, but I am an unskilled scripter and cannot figure out how to further manipulate multilog to log the 451's separately.

I thought I might be able to use qmailanalog to help, but I can't figure out how to get the desired output, even after straining through the list archives. Anyone out there have any suggestions? I have RATFMICF, but no luck.

Also, although I can find several threads in the archives on how tai64nfrac helps multilogs work with qmailanalog, I can't get it to work myself. Any suggestions there?

Thanks,
Brandon Dudley
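No reply to Brandon's question appears in this digest. As an added example (not from the digest and not from the rblsmtpd or multilog authors), here is the post-processing half of what he describes: a POSIX shell/awk summary of the rblsmtpd 451 refusals in a raw multilog file, giving the denied client addresses with counts and the distinct refusal reasons. The assumed line layout is "@<tai64n> rblsmtpd: <ip> pid <pid>: 451 <reason>", which is what rblsmtpd writes to stderr when tcpserver's log is collected by multilog; the sample log is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the digest or from the rblsmtpd/multilog authors.
# Summarises rblsmtpd refusals out of a raw multilog log file so that denied
# hosts can be reviewed separately from ordinary SMTP traffic.
# Assumed line layout (check against your own log):
#   @<tai64n> rblsmtpd: <ip> pid <pid>: 451 <reason>
# Fields: $1 stamp, $2 "rblsmtpd:", $3 ip, $4 "pid", $5 "<pid>:", $6 code.
# Run this on the raw file; tai64nlocal splits the stamp into two fields
# and would shift the column numbers.

# rbl_denials LOGTEXT -> one "ip count" line per denied client, highest count first
rbl_denials() {
    printf '%s\n' "$1" | awk '
        $2 == "rblsmtpd:" && $6 == "451" { n[$3]++ }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# rbl_denial_total LOGTEXT -> total number of 451 refusals
rbl_denial_total() {
    printf '%s\n' "$1" | awk '
        $2 == "rblsmtpd:" && $6 == "451" { c++ }
        END { print c + 0 }'
}

# rbl_reasons LOGTEXT -> distinct 451 reason texts (the RBL answer), sorted
rbl_reasons() {
    printf '%s\n' "$1" | awk '
        $2 == "rblsmtpd:" && $6 == "451" { sub(/^.*: 451 /, ""); seen[$0]++ }
        END { for (r in seen) print r }' | sort
}

# Constructed sample log (not real traffic): two clients refused with 451,
# one of them twice, plus a 553 refusal (rblsmtpd -b) that is not counted
# because the question is about the 451 temporary refusals.
SAMPLE_LOG='@400000003a11a1b32b1e2f3c tcpserver: status: 1/40
@400000003a11a1b32b1e3a4d tcpserver: pid 8123 from 192.0.2.10
@400000003a11a1b32b1f0a10 rblsmtpd: 192.0.2.10 pid 8123: 451 Blocked - see http://rbl.example/lookup?192.0.2.10
@400000003a11a1b32b200001 tcpserver: end 8123 status 0
@400000003a11a1b3310c55aa tcpserver: pid 8130 from 198.51.100.7
@400000003a11a1b3310d0000 rblsmtpd: 198.51.100.7 pid 8130: 451 Blocked - see http://rbl.example/lookup?198.51.100.7
@400000003a11a1b3310e0000 tcpserver: end 8130 status 0
@400000003a11a1b33a000000 tcpserver: pid 8141 from 192.0.2.10
@400000003a11a1b33a010000 rblsmtpd: 192.0.2.10 pid 8141: 451 Blocked - see http://rbl.example/lookup?192.0.2.10
@400000003a11a1b33a020000 tcpserver: end 8141 status 0
@400000003a11a1b33b000000 tcpserver: pid 8150 from 203.0.113.5
@400000003a11a1b33b010000 rblsmtpd: 203.0.113.5 pid 8150: 553 Blocked - see http://rbl.example/lookup?203.0.113.5
@400000003a11a1b33b020000 tcpserver: end 8150 status 0'

# Stand-alone run: pass a log file as $1, otherwise use the constructed sample.
LOG="${1:+$(cat "$1")}"
LOG="${LOG:-$SAMPLE_LOG}"
echo "451 refusals: $(rbl_denial_total "$LOG")"
echo "by client:"
rbl_denials "$LOG"
echo "reasons:"
rbl_reasons "$LOG"
```

For the logging side of the question, multilog itself can select lines with its +pattern and -pattern actions and write the selected lines to a second log directory, so the 451 lines need not be separated after the fact; the pattern syntax is in the multilog man page and is not reproduced here.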
How do I erase the contents of the mailqueue? I put large mails in by mistake for sending. Since I'm paying for my traffic, I would like to erase all that is in the queue. How do I do that? Thank you!
[EMAIL PROTECTED] wrote: >how do I erase the contents of the mailqueue! I put large mails by >mistake for sending. Since I'm paying my traffic, i would like to >erase all that is in the queue. How do i do that? See: http://www.faqts.com/knowledge-base/view.phtml/aid/6567/fid/286/lang/en -Dave
Hi- I have a qmail server hosting several virtual domains, and all mail delivered to recipients in the virtual domains has a Delivered-To header line indicating the "main" domain name of the server. I want to delete this line, and I understand that the -d option to preline is the way to do this, but *where* do I do this? TIA --Pete
Hi, I need to implement forwarding of the form user@somedomain -> user@someotherdomain. i.e. the original user at the original domain is propagated to the forwarded domain. Are there any mystical variables that can be used within the alias file ? If anyone can help I would be most grateful, Tristan Graham, Inweb.
Tristan Graham <[EMAIL PROTECTED]> wrote:
>
> I need to implement forwarding of the form user@somedomain ->
> user@someotherdomain. i.e. the original user at the original domain is
> propagated to the forwarded domain. Are there any mystical variables that
> can be used within the alias file ?

The variables cannot be used within a .qmail file; however, you can use them in a shell script which is called by a .qmail file. Use a command delivery in the .qmail file (like '|scriptname'). In the script, do something like:

#!/bin/sh

qmail-inject -f"$SENDER" "$LOCAL@otherdomain"

Charles
--
-----------------------------------------------------------------------
Charles Cazabon <[EMAIL PROTECTED]>
GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
-----------------------------------------------------------------------
Ok, I was a little reserved about calling another script due to performance issues, but if that is the only way then that will suffice... Many Thanks, Tristan Graham. At 13:01 14/11/2000 -0600, Charles Cazabon wrote: >Tristan Graham <[EMAIL PROTECTED]> wrote: > > > > I need to implement forwarding of the form user@somedomain -> > > user@someotherdomain. i.e. the original user at the original domain is > > propagated to the forwarded domain. Are there any mystical variables that > > can be used within the alias file ? > >The variables cannot be used within a .qmail file; however, you can use >them in a shell script which is called by a .qmail file. Use a command >delivery in the .qmail file (like '|scriptname'). In the script, do >something like: > >#!/bin/sh > >qmail-inject -f"$SENDER" "$LOCAL@otherdomain" > >Charles >-- >----------------------------------------------------------------------- >Charles Cazabon <[EMAIL PROTECTED]> >GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/ >Any opinions expressed are just that -- my opinions. >-----------------------------------------------------------------------
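A fuller version of the command-delivery script from Charles's answer, as an added example (not Charles's script and not part of qmail): it forwards the message to the same local part at another domain, keeps the original envelope sender, checks the local part before handing it to qmail-inject, and maps qmail-inject's result onto the exit codes qmail-local expects from a .qmail command (0 delivered, 100 permanent failure, 111 temporary failure). SENDER and LOCAL are the variables qmail-local places in the command's environment; OTHERDOMAIN, the path to qmail-inject, the helper names and the allowlist of local-part characters are assumptions to adjust.

```shell
#!/bin/sh
# Added example, not Charles Cazabon's script and not part of qmail.
# Install it as a command delivery in a .qmail file, e.g. in .qmail-default:
#   |/var/qmail/alias/forward-local.sh          (hypothetical path)
# qmail-local runs the command with the message on stdin and the envelope
# in the environment: SENDER (empty for bounces) and LOCAL (the local part).
OTHERDOMAIN="${OTHERDOMAIN:-otherdomain.example}"             # assumed target domain
QMAIL_INJECT="${QMAIL_INJECT:-/var/qmail/bin/qmail-inject}"   # assumed path

# local_part_ok LOCAL -> 0 if LOCAL is a local part we are willing to forward:
# non-empty and made only of letters, digits, '.', '-', '_', '=' and '+'.
# Anything else (quotes, '@', spaces, control bytes) is bounced instead of being
# re-injected as an address, so the next host only ever sees plain local parts.
# Loosen the allowlist if your user names need more than this.
local_part_ok() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._=+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# forward_target LOCAL DOMAIN -> prints the rewritten recipient address
forward_target() {
    printf '%s@%s\n' "$1" "$2"
}

# exit_code_for LOCAL -> prints the .qmail exit status used for this local part
# before any injection is attempted: 0 (proceed) or 100 (bounce permanently).
exit_code_for() {
    if local_part_ok "$1"; then echo 0; else echo 100; fi
}

# inject_status_to_qmail RC -> maps a qmail-inject exit status onto the .qmail
# convention: 0 stays 0, 100 (permanent) stays 100, anything else is 111 so
# that qmail keeps the message in its queue and retries.
inject_status_to_qmail() {
    case "$1" in
        0) echo 0 ;;
        100) echo 100 ;;
        *) echo 111 ;;
    esac
}

# Only act when invoked by qmail-local (both envelope variables present).
if [ -n "${LOCAL+x}" ] && [ -n "${SENDER+x}" ]; then
    if ! local_part_ok "$LOCAL"; then
        # Goes into the bounce message qmail generates for exit 100.
        echo "forward-local: refusing to forward local part '$LOCAL'" >&2
        exit 100
    fi
    target=$(forward_target "$LOCAL" "$OTHERDOMAIN")
    # -f"$SENDER" keeps the original envelope sender; an empty SENDER (a bounce)
    # becomes an empty envelope sender, which is what a forwarded bounce needs.
    "$QMAIL_INJECT" -f"$SENDER" "$target"
    exit "$(inject_status_to_qmail $?)"
fi
```

Because the script is run once per delivery, the cost Tristan worried about is one extra fork of /bin/sh and qmail-inject per forwarded message; the checks above add nothing measurable to that.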
"Michael A. Borisov" <[EMAIL PROTECTED]> wrote:
>Hello. It is necessary to me to authorize everyone, who tries to send mail
>through my SMTP server. I want to use for this purpose authorization of a
>POP3 server.

Sounds like you want SMTP-after-POP. I.e., users who successfully authenticate via POP are allowed to relay via SMTP for some short period of time. Look for "open-smtp" on www.qmail.org.

>I want that authorization was requested for the user, which is
>specified in a field 'from:' of the head of the sent message. How it is
>possible to solve this problem?

Now you're saying you want to allow relaying based on the From header field? That's a very bad idea because some spammers (and relay checkers) are aware of this method and forge their headers to take advantage of it.

-Dave
[EMAIL PROTECTED] wrote: >My qmail host, mail.sidell.org, is the MX host for domain sidell.org. >I have another host named lyris.sidell.org. (Actually, it's another >IP address on the same host, being handled by Lyris.) > >If I SMTP to mail.sidell.org and send a message addressed to >[EMAIL PROTECTED], qmail replies with the bounce: > >Sorry. Although I'm listed as a best-preference MX or A for that host, >it isn't in my control/locals file, so I don't treat it as local. >(#5.4.6) What does qmail-showctl for mail.sidell.org say? Do you have a separate smtp daemon for lyris.sidell.org? -Dave
On Tue, 14 Nov 2000 13:27:10 -0500, Dave Sill wrote: > [EMAIL PROTECTED] wrote: > > >My qmail host, mail.sidell.org, is the MX host for domain sidell.org. > >I have another host named lyris.sidell.org. (Actually, it's another > >IP address on the same host, being handled by Lyris.) > > > >If I SMTP to mail.sidell.org and send a message addressed to > >[EMAIL PROTECTED], qmail replies with the bounce: > > > >Sorry. Although I'm listed as a best-preference MX or A for that host, > >it isn't in my control/locals file, so I don't treat it as local. > >(#5.4.6) > > What does qmail-showctl for mail.sidell.org say? > > Do you have a separate smtp daemon for lyris.sidell.org? I think I figured out the problem. I'm running the lyris listserv on the same system as qmail. I have the qmail smtp daemon listening on one IP address, and the lyris daemon listening on another. Apparently, qmail-remote complains if it looks up a destination host address and discovers that it is one of the IPs assigned to the host on which qmail-remote is running. The workaround is to add an entry to smtproutes that maps the host name to an IP address. -- Mark
"Pedro Pires" <[EMAIL PROTECTED]> wrote: >Can anyone tell me how do i clear the queue of qmail? See: http://www.faqts.com/knowledge-base/view.phtml/aid/6567/fid/286/lang/en -Dave
I am reading this book by B. Schneier, in particular, the section `Cracking and hacking contests'. He thinks that contests (like offering $1000 for finding a security hole in a product) are bad for four main reasons, the first reason being that the contests are usually unfair since the author of the software decides what he/she considers a "hole". He also thinks that even having a software out and used for a few years without incidence does not imply that it is secure. He says, the best way to evaluate the security of a product is to have it audited by security experts. So has any expert ever audited qmail or djbdns? Mate
Mate Wierdl <[EMAIL PROTECTED]> wrote: >I am reading this book by B. Schneier, in particular, the section >`Cracking and hacking contests'. He thinks that contests (like >offering $1000 for finding a security hole in a product) are bad for >four main reasons, the first reason being that the contests are >usually unfair since the author of the software decides what he/she >considers a "hole". He's right, of course. However, the qmail challenge I ran was not judged by Dan, and, although I'd have been pleased to pay out the $1000 because it would have closed a major security hole, the primary purpose was promoting qmail, which I think it did pretty effectively. >He also thinks that even having a software out and used for a few >years without incidence does not imply that it is secure. He says, >the best way to evaluate the security of a product is to have it >audited by security experts. Again, he's right. Of course, he'd be happy to sell you such an audit. :-) >So has any expert ever audited qmail or djbdns? No. Any audit worth doing would be prohibitively expensive for a freeware project. $1000 wouldn't even begin to cover it, at least for qmail. -Dave
On Tue, Nov 14, 2000 at 02:39:25PM -0500, Dave Sill wrote: > >So has any expert ever audited qmail or djbdns? > > No. Any audit worth doing would be prohibitively expensive for a > freeware project. $1000 wouldn't even begin to cover it, at least for > qmail. Not to mention that the whole point of freeware and open source software in general is to give everyone the ability to audit the software, not just a select few. It sounds like the author of this book is a M$-type weenie. --Adam -- Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, http://flounder.net/publickey.html | technology's just a bunch of wires GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires." 38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_ 2:48pm up 157 days, 13:04, 10 users, load average: 0.03, 0.03, 0.00
At 11:49 AM -0800 on 11/14/00, Adam McKenna wrote: > It sounds like the author of this book is a M$-type weenie. No, I think not. He regularly publishes articles about weak encryption in Microsoft products. His perspective is just different than yours. See http://www.counterpane.com (especially the CRYPTO-GRAM newsletter past issues) for more info. -- matt.
re: Schneier's commentary in Secrets and Lies Mate Wierdl <[EMAIL PROTECTED]> wrote: > > He says, the best way to evaluate the security of a product is to have it > audited by security experts. > So has any expert ever audited qmail or djbdns? As Dave Sill pointed out, no formal security audit has been conducted by an independent party. However, as far as qmail goes: all the crackers in the world have had access to the qmail source code and design documentation for years, and none have yet found an exploitable security hole. You could consider that a fairly thorough audit-by-fire. Charles -- ----------------------------------------------------------------------- Charles Cazabon <[EMAIL PROTECTED]> GPL'ed software available at: http://www.qcc.sk.ca/~charlesc/software/ Any opinions expressed are just that -- my opinions. -----------------------------------------------------------------------
On Tue, 14 Nov 2000, Adam McKenna wrote: > Not to mention that the whole point of freeware and open source software in > general is to give everyone the ability to audit the software, not just a > select few. It sounds like the author of this book is a M$-type weenie. > Who, Bruce? Bwahaha... no. Suggest you do some reading of Bruce's works before you continue down that train of thought. The Crypto-gram is a good start: http://www.counterpane.com/crypto-gram.html Ryan
On Tue, Nov 14, 2000 at 01:20:32PM -0600, Mate Wierdl wrote:
> I am reading this book by B. Schneier, in particular, the section
> `Cracking and hacking contests'. He thinks that contests (like
> offering $1000 for finding a security hole in a product) are bad for
> four main reasons, the first reason being that the contests are
> usually unfair since the author of the software decides what he/she
> considers a "hole".
>
> He also thinks that even having a software out and used for a few
> years without incidence does not imply that it is secure. He says,
> the best way to evaluate the security of a product is to have it
> audited by security experts.

Does he mean by a company such as the one he runs (that sells security audit services - surprise surprise) or does he mean a non-commercial audit such as that done by the OpenBSD folk or the informal one of a "thousand eyes" of the open source community?

It's all about increasing confidence levels. Whilst an audit is a good idea, I don't see how a competition and time in the field can actually make matters worse. Certainly no worse than relying on an audit and happening to select an incompetent expert (of which there are plenty specializing in security at the moment - one recently expressed surprise to me that qmail was running on x86 Solaris as "that was usually installed on Sparcs").

But to answer your question, I've not seen mention of a formal audit of qmail by certified security experts (or by self-appointed script kiddies for that matter). However, it would be very interesting to see such an audit. Mr Schneier could convince a lot of sceptics if he conducted an eye-opening audit on qmail.

Regards.
> > >So has any expert ever audited qmail or djbdns?
> >
> > No. Any audit worth doing would be prohibitively expensive for a
> > freeware project. $1000 wouldn't even begin to cover it, at
> > least for qmail.

Whoa, sure, it'd cost a load if you paid someone to do it, but open source has other routes. A team can be formed. I betcha if someone could get a dozen or so volunteers who were serious programmers who were willing to invest serious time on the project, that they could approach the folks at OpenBSD, who have been doing a perpetual on-going security audit with _great_ results for some years now, and get a lot of assistance and instruction in exchange for some good press.

> Not to mention that the whole point of freeware and open source
> software in general is to give everyone the ability to audit the
> software, not just a select few.

So if we want to try and pursue an audit it might be more harmonious with our whole approach if we did so using a volunteer effort coordinated over the internet and open to anybody with the necessary resources to donate.

> It sounds like the author of this book is a M$-type weenie.

I'm afraid that doesn't follow at all. Bruce Schneier has some very strong opinions, and his long-standing dislike of these "challenges" is very well defended in its setting. Bruce is also a vocal proponent of open source in security-critical settings, and a really vicious critic of Microsoft. The view that you dispute (that the only way to get a good security audit is to pay a bazillion dollars to a company for a commercial one) isn't a view that I'd expect Bruce to advocate, and in fact really hasn't been expressly advocated by anyone here, it's more of an implication that you sorta tripped over. Neither Bruce nor dsill are what you'd call Microsoft drones:-).

-Bennett
On Tue, Nov 14, 2000 at 02:39:25PM -0500, Dave Sill wrote: > >So has any expert ever audited qmail or djbdns? > > No. Any audit worth doing would be prohibitively expensive for a > freeware project. $1000 wouldn't even begin to cover it, at least for > qmail. I need to add that Schneier thinks open source is the only way for secure software. Are not there many experts/half experts regularly auditing the Linux kernel? It is weird that no one has ever audited qmail or djbdns, while many big businesses are using them... Mate
Date: Tue, 14 Nov 2000 14:49:34 -0500 From: Adam McKenna <[EMAIL PROTECTED]> Not to mention that the whole point of freeware and open source software in general is to give everyone the ability to audit the software, not just a select few. It sounds like the author of this book is a M$-type weenie. Bruce Schneier is a very long way from being an ``M$-type weenie.'' He's a pretty serious security dude. See, e.g., http://www.counterpane.com/crypto-gram.html. Ian
> Not to mention that the whole point of freeware and open source software in > general is to give everyone the ability to audit the software, not just a > select few. It sounds like the author of this book is a M$-type weenie. I don't think so. He's the author of perhaps the most popular book on computer security that's available to the public. He's generally well regarded - though having sendmail 8.8.8 on the secondary MX of his domain doesn't make you feel super confident :> Regards.
On Tue, Nov 14, 2000 at 02:49:34PM -0500, Adam McKenna wrote: > Not to mention that the whole point of freeware and open source software in > general is to give everyone the ability to audit the software, not just a > select few. It sounds like the author of this book is a M$-type weenie. I cannot agree on this one. He always gives arguments/examples when he states something. And he does contribute to open source: he created Blowfish, for example. Many of you would enjoy his remarks/examples on Microsoft's "security" policies. Mate
Adam McKenna <[EMAIL PROTECTED]> writes: > On Tue, Nov 14, 2000 at 02:39:25PM -0500, Dave Sill wrote: > > >So has any expert ever audited qmail or djbdns? > > > > No. Any audit worth doing would be prohibitively expensive for a > > freeware project. $1000 wouldn't even begin to cover it, at least for > > qmail. > > Not to mention that the whole point of freeware and open source software in > general is to give everyone the ability to audit the software, not just a > select few. Dan's software isn't open source. I imagine he might value peer review, but I'm not aware of his having stated so - certainly not in regard to motivation for his distribution terms. Also, making source available does not give everyone the ability to audit the software. It gives them permission. But most people won't be any better able to do a quality audit for having the source. Only the "select few" will be able to audit it well, regardless of the license, and they can afford to charge a hefty fee, regardless of the license. paul
On Tue, Nov 14, 2000 at 12:02:40PM -0800, Ryan Russell wrote: > On Tue, 14 Nov 2000, Adam McKenna wrote: > > > Not to mention that the whole point of freeware and open source software in > > general is to give everyone the ability to audit the software, not just a > > select few. It sounds like the author of this book is a M$-type weenie. > > > > Who, Bruce? Bwahaha... no. Suggest you do some reading of Bruce's works > before you continue down that train of thought. The Crypto-gram is a good > start: > > http://www.counterpane.com/crypto-gram.html OK, I stand corrected. But you have to realize that this is the same argument put forward by many people pushing closed source solutions over open source ones (that it has been analyzed by "experts"), and invariably many security holes are found anyway. Cases in point, most major closed-source firewall software, MS's shoddy PPTP implementation, etc. --Adam -- Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes, http://flounder.net/publickey.html | technology's just a bunch of wires GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires." 38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_ 3:09pm up 157 days, 13:25, 10 users, load average: 0.06, 0.04, 0.00
Adam McKenna <[EMAIL PROTECTED]> writes: > Not to mention that the whole point of freeware and open source software in > general is to give everyone the ability to audit the software, not just a > select few. It sounds like the author of this book is a M$-type weenie. Do you know Bruce Schneier? Have you read anything that he wrote except these summaries out of context? If not so, please refrain from personal judgement about people that cannot even hear these claims and thus cannot defend themselves. Mr. Schneier is respected for his expertise and cryptography, and just because he states that head money for bugs is no good, does not make him an M S type weenie. These are DJBDNS and QMail mailing lists, not meant for personal ranting against somebody you don't know, and if you know that person, you better discuss that over a good beer or in mail or on the telephone. -- Matthias Andree
Quoted from Adam McKenna [15 Nov 2000]:
> Not to mention that the whole point of freeware and open source software in
> general is to give everyone the ability to audit the software, not just a
> select few.

I agree with the general statement, but neither qmail nor djbdns are open source (I don't know the definition of ``freeware'', so I'll leave it alone). I believe (without further justification) that a piece of software without general modification permissions does not really inspire improvement from the general public.

At http://www.technocrat.net/974143798/974162475/index_html we have this nugget from Bruce Perens:

    It happened to me once - I was an early tester for Qmail, and then DJB
    pulled his weird license thing on the release. Now, I am more careful.

A non-free software licence also deters people from looking at the source, for fear of tainting their own free software projects.

---Chris K.
--
Chris, the Young One |_ but what's a dropped message between friends?
Auckland, New Zealand |_ this is UDP, not TCP after all ;) ---John H.
GnuPG: CCC6114E/706A6AAD |_ Robinson, IV
On Tue, Nov 14, 2000 at 02:01:07PM -0600, Charles Cazabon wrote:
> re: Schneier's commentary in Secrets and Lies
>
> Mate Wierdl <[EMAIL PROTECTED]> wrote:
> >
> > He says, the best way to evaluate the security of a product is to have it
> > audited by security experts.
> > So has any expert ever audited qmail or djbdns?
>
> As Dave Sill pointed out, no formal security audit has been conducted by
> an independent party.
>
> However, as far as qmail goes: all the crackers in the world have had access
> to the qmail source code and design documentation for years, and none have
> yet found an exploitable security hole. You could consider that a fairly
> thorough audit-by-fire.

Not really. There are many examples to the contrary---quoted in the book. For example, there were buffer overflows discovered in Kerberos which had been in the code for 10 years, or Mailman had glaring security flaws no one noticed for three years.

It seems the comforting thing would be if some commercial companies using qmail would pay for auditing.

Mate
Mate Wierdl wrote:
>
> I am reading this book by B. Schneier, in particular, the section
> `Cracking and hacking contests'. He thinks that contests (like
> offering $1000 for finding a security hole in a product) are bad for
> four main reasons, the first reason being that the contests are
> usually unfair since the author of the software decides what he/she
> considers a "hole".
>
> He also thinks that even having a software out and used for a few
> years without incidence does not imply that it is secure. He says,
> the best way to evaluate the security of a product is to have it
> audited by security experts.
>
> So has any expert ever audited qmail or djbdns?
>
> Mate

Yeah! He is right! Just because you haven't run into a crash does not mean it has no bugs! Although it's not possible to guarantee software correctness, you can get close to it by using a formal design approach. I would use the Z language for that, the same used by QNX (very rigorous mission critical needs). While UNIX does not get into a formal approach, developing secure systems will be only a wish, not a fact (even considering openbsd).
Mate Wierdl <[EMAIL PROTECTED]> writes: > So has any expert ever audited qmail or djbdns? I imagine Dan has, and many would consider him an expert, but one is rarely the best auditor of one's own work. paul
On Tue, Nov 14, 2000 at 03:16:27PM -0500, Paul Jarc wrote: > Mate Wierdl <[EMAIL PROTECTED]> writes: > > So has any expert ever audited qmail or djbdns? > > I imagine Dan has, and many would consider him an expert, but one is > rarely the best auditor of one's own work. Indeed, it would be interesting what kind of testing he is running on qmail, say (he says there are over 100 tests), and how he is trying to make sure his software is secure. Perhaps his closed to the public cryptography course notes would give a hint. In any case, Dan's auditing his own software does not mean much in this context. Can we say with confidence that now Postfix is secure just because the last security problem it had was 2 years ago? Mate
2000-11-14-15:01:07 Charles Cazabon:
> However, as far as qmail goes: all the crackers in the world have
> had access to the qmail source code and design documentation for
> years, and none have yet found an exploitable security hole. You
> could consider that a fairly thorough audit-by-fire.

And a case could be made that the charming and personable way qmail has been represented in various public fora makes this audit-by-fire even better: at this point, there are enough people around the world who hate djb's guts and would never touch anything that he even advocated much less wrote, just because of how much they like his way of carrying on discussions in public mailing lists, that I kinda expect more than one person has gone wading through qmail with blood in his eye, desperately hoping to wipe the smug grin off djb's face and get him to knock off the damned gloating already. Hasn't happened yet. _That's_ trial by fire.

In a backwards kind of way this reminds me of a funny I heard referenced recently, apparently some exceptionally unnaturally clueless spammer harvested _bugtraq_. Makes me feel all warm and snuggly just thinking about it:-). Hmm. Wonder if he was located in the mid-east, maybe all this news about a "cyber-war" there is just bystanders being taken out by the shrapnel thrown from the smoking hole where that spammer used to reside.

-Bennett
[EMAIL PROTECTED] writes:
> Whilst an audit is a good idea, I don't see how a competition and
> time in the field can actually make matters worse.

It can make people think a program is secure when no audit has been done, reducing the likelihood that anyone will call for an audit, leaving holes undiscovered.

paul
>
> He also thinks that even having software out and used for a few
> years without incident does not imply that it is secure. He says,
> the best way to evaluate the security of a product is to have it
> audited by security experts.
>

There is no one right answer for this. Payment for a discovery will tend to bring out some discoveries. For example, if I were looking over some code and found something odd, for the potential reward I may think it over a little more to see what may come of it.

The time a product is out will increase the chances that some errors will be found. But a lot of code is under constant change, and new problems only take one little coding error to open up a major exploit. Older products will tend to be better understood and some errors will be harder to introduce.

Security "experts" are a dime a dozen. What you want is software written and reviewed by competent programmers. The fewer defects in software, the fewer exploits (i.e. if I check my array bounds I will not overflow a buffer). Good code will not crash and will not be hacked.
* Dave Sill <[EMAIL PROTECTED]> writes: > Mate Wierdl <[EMAIL PROTECTED]> wrote: >> So has any expert ever audited qmail or djbdns? > No. Any audit worth doing would be prohibitively expensive for a > freeware project. $1000 wouldn't even begin to cover it, at least for > qmail. Doesn't the fact that they are included in OpenBSD (as ports) hint at the fact that some of the OpenBSD guys have had at least a cursory glance at it? -- Robin S. Socha <http://socha.net/>
2000-11-14-15:07:28 [EMAIL PROTECTED]: > [Bruce Schneier is] the author of perhaps the most popular book on > computer security that's available to the public. Which book are you referring to? "Secrets and Lies"? While it's a powerful contribution in the way of standing back and re-examining the big picture from a different direction, and has some important thoughts on limitations of what can be achieved, I'm not sure I'd cite it as the most popular book on computer security. It's hard to say what that might be, but I'd be more inclined to nominate Practical Unix and Internet Security. If you mean Applied Cryptography, it's certainly the most valuable and popular book on applied crypto available to the public, it approaches being the final and definitive work on the topic, and if he keeps updating it to track developing crypto technology (as he's uniquely qualified to do) it may hold that role for some time. But cryptography is only loosely related to computer security; it's a tool which can sometimes be used to help with some security problems, is all. > He's generally well regarded - though having sendmail 8.8.8 on > the secondary MX of his domain doesn't make you feel super > confident :> As a computer security generalist (as opposed to a cryptanalyst), his major thrust seems to be an argument that it's impossible to really secure systems, and after perhaps some superficial efforts to knock out the biggest problems, the place to concentrate your efforts is on monitoring and risk management. With that as a given, I expect he runs sendmail and BIND; things like qmail and djbdns are for those of us who haven't given up on really completely securing our systems:-). -Bennett
2000-11-14-15:11:43 Paul Jarc: > Only the "select few" will be able to audit it well, regardless of > the license, and they can afford to charge a hefty fee, regardless > of the license. They certainly can. They do not always choose to do so, however. If enough people really wanted to get a determined and thorough audit of qmail done, and they included some reasonably skilled programmers, I expect that we could borrow the missing auditing expertise from the big name-brand squadron of open source code auditors, the OpenBSD team. -Bennett
Mate Wierdl <[EMAIL PROTECTED]> writes: > I am reading this book by B. Schneier, in particular, the section > `Cracking and hacking contests'. He thinks that contests (like offering > $1000 for finding a security hole in a product) are bad for four main > reasons, the first reason being that the contests are usually unfair > since the author of the software decides what he/she considers a "hole". He's not alone in that opinion; I think that opinion has a lot of merit, although I wouldn't go so far as to say that such contests are *bad*. But I don't think they actually prove anything. > He also thinks that even having a software out and used for a few years > without incidence does not imply that it is secure. He says, the best > way to evaluate the security of a product is to have it audited by > security experts. It's worth bearing in mind, when evaluating this opinion, that Bruce Schneier is a security expert that people hire to perform such security audits. He has a point, but it's also unsurprising that he's in favor of the work that he personally does. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
Adam McKenna <[EMAIL PROTECTED]> writes: > OK, I stand corrected. But you have to realize that this is the same > argument put forward by many people pushing closed source solutions over > open source ones (that it has been analyzed by "experts"), and > invariably many security holes are found anyway. Cases in point, most > major closed-source firewall software, MS's shoddy PPTP implementation, > etc. I believe that Bruce Schneier, like most (although not all) security and cryptography experts, is pretty strongly opposed to closed-source solutions to security problems due to precisely the sorts of things that you're talking about. I think his point is more that just having the source available doesn't automatically mean that the software has been audited. Having the source be closed is obviously worse, but open source isn't a sufficient condition. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
On Tue, Nov 14, 2000 at 03:11:43PM -0500, Paul Jarc wrote:
> Adam McKenna <[EMAIL PROTECTED]> writes:
> > Not to mention that the whole point of freeware and open source software in
> > general is to give everyone the ability to audit the software, not just a
> > select few.
>
> Dan's software isn't open source. I imagine he might value peer
> review, but I'm not aware of his having stated so - certainly not in
> regard to motivation for his distribution terms. Also, making source
> available does not give everyone the ability to audit the software.
> It gives them permission. But most people won't be any better able to
> do a quality audit for having the source.

I said, "freeware and open source software". Do you always selectively ignore part of what someone says to make your point?

> Only the "select few" will
> be able to audit it well, regardless of the license, and they can
> afford to charge a hefty fee, regardless of the license.

I think "select few" as you have used it needs clarification -- even if only one half of one percent of all advanced C programmers are part of the "select few", that's still hundreds or thousands of people, and many of those people are part of the open source community. A hell of a lot more, anyway, than are working at so-called "security firms", ready to stamp their approval on any product they get six or seven digit payments to "certify".

--Adam
--
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes,
http://flounder.net/publickey.html | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires."
38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_
4:06pm up 157 days, 14:22, 10 users, load average: 0.13, 0.08, 0.03
I am going to go out on a limb here and declare Bruce a non-M$ weenie. It took guts I tell you.

Regards,
Travis

At 03:11 PM 11/14/2000 -0500, Paul Jarc wrote:
>Adam McKenna <[EMAIL PROTECTED]> writes:
> > On Tue, Nov 14, 2000 at 02:39:25PM -0500, Dave Sill wrote:
> > > >So has any expert ever audited qmail or djbdns?
> > >
> > > No. Any audit worth doing would be prohibitively expensive for a
> > > freeware project. $1000 wouldn't even begin to cover it, at least for
> > > qmail.
> >
> > Not to mention that the whole point of freeware and open source software in
> > general is to give everyone the ability to audit the software, not just a
> > select few.
>
>Dan's software isn't open source. I imagine he might value peer
>review, but I'm not aware of his having stated so - certainly not in
>regard to motivation for his distribution terms. Also, making source
>available does not give everyone the ability to audit the software.
>It gives them permission. But most people won't be any better able to
>do a quality audit for having the source. Only the "select few" will
>be able to audit it well, regardless of the license, and they can
>afford to charge a hefty fee, regardless of the license.
>
>
>paul

Travis Turner
Information Technology Manager
Applied Integration Corporation
Tucson, Arizona U.S.A.
Phone (520) 743-3095
Fax (520) 623-1683
"Do not meddle in the affairs of dragons for you are crunchy and taste good with ketchup."
On Tue, Nov 14, 2000 at 09:11:32PM +0100, Matthias Andree wrote:
> Mr. Schneier is respected for his expertise and cryptography, and just
> because he states that head money for bugs is no good, does not make him
> an M S type weenie.

You're right, Bruce Schneier is a god, and I'm really sorry for disagreeing with him.

--Adam
--
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes,
http://flounder.net/publickey.html | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires."
38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_
4:23pm up 157 days, 14:39, 9 users, load average: 0.09, 0.06, 0.01
2000-11-14-15:11:55 Adam McKenna: > But you have to realize that this is the same argument put forward > by many people pushing closed source solutions over open source > ones (that it has been analyzed by "experts"), and invariably many > security holes are found anyway. Again, it helps to understand his particular background on the matter. He's very very specifically criticising "hack me" challenges, as contrasted with open audits of the design, and this is right out of his crypto roots. > Cases in point, [...] MS's shoddy PPTP implementation, [...] of which Bruce Schneier is the most vocal and respected critic, always cited in disputes over the merits or demerits of the protocol design and implementation. See <URL:http://www.counterpane.com/pptp.html>, the leading reference on PPTP's insecurity. What is more interesting to me is that Bruce has distinctly waffled on the topic of full disclosure re security problems. If you want to attack his views, I recommend looking there:-). -Bennett
> I agree with the general statement, but neither qmail nor djbdns are
> open source (I don't know the definition of ``freeware'', so I'll
> leave it alone). I believe (without further justification) that a
> piece of software without general modification permissions does not
> really inspire improvement from the general public.
>

Open Source is often used to describe software that has its source code available regardless of the license involved. "Free Software" as promoted by the Free Software Foundation (FSF) is a different thing. I believe that the DJB software is Open Source, but not free. Based on the FSF definition it is not the cost, but what you are allowed to do with it that is the issue.
Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> Not really. There are many examples to the contrary---quoted in the
> book. For example, there were buffer overflows discovered in Kerberos
> which had been in the code for 10 years, or Mailman had glaring
> security flaws no one noticed for three years.

Great. So why are you lamenting here instead of doing such an audit or finding someone who will? You are at a University, for God's sake, where if not there can you find people who would actually be willing to use something like Z?

Don't talk. Do.

Felix
On Tue, Nov 14, 2000 at 12:04:46PM -0800, Ian Lance Taylor wrote: > Bruce Schneier is a very long way from being an ``M$-type weenie.'' > He's a pretty serious security dude. See, e.g., > http://www.counterpane.com/crypto-gram.html. Indeed, he is using ezmlm (idx!) for his newsletter. So he *does* have a clue. Mate
On Tue, 14 Nov 2000, Mate Wierdl wrote: > Indeed, it would be interesting what kind of testing he is running on > qmail, say (he says there are over 100 tests), and how he is trying to > make sure his software is secure. If you want to see some of the tests he does, check out rts.tests that comes in the djbdns distribution. I happened to be looking at that last night. It's far from a complete security audit, of course, but it does try out a lot of the obvious stuff. It would probably be fun to point his tests at someone else's DNS software... Ryan
Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> Indeed, it would be interesting what kind of testing he is running on
> qmail, say (he says there are over 100 tests), and how he is trying to
> make sure his software is secure. Perhaps his closed to the public
> cryptography course notes would give a hint.

Mate, what kind of problem do you have? What does qmail have to do with cryptography? Do you need a break? Maybe you should go on vacation for a few weeks. Please have a look at the qmail architecture and show me, even if there were a buffer overflow in qmail-smtpd, how you would do harm to the system. Please have a look with what privileges the different components run.

> In any case, Dan's auditing his own software does not mean much in
> this context.

Nobody's audit means much. If the Gartner Group came and declared that they had spent $250 billion on auditing qmail for two years and found it to be secure, would that mean anything? No, of course not. Software security auditing does not work that way. Software is secure iff the architecture and trust model is sound, which you can verify yourself in a few hours. Other concerns like technical errors in the implementation are much less important. And there has not even been one of those in recent years.

> Can we say with confidence that now Postfix is secure just because the
> last security problem it had was 2 years ago?

Who cares if Postfix is secure? Postfix is several times the size of qmail and there have been several catastrophic errors in the past that could cause mail loss. Nothing the Postfix authors do can restore trust in this software.

Again, I beg of you: Don't talk. Do.

Felix
On Tue, Nov 14, 2000 at 03:35:35PM -0500, Paul Jarc wrote:
> [EMAIL PROTECTED] writes:
> > Whilst an audit is a good idea, I don't see how a competition and
> > time in the field can actually make matters worse.
>
> It can make people think a program is secure when no audit has been
> done, reducing the likelihood that anyone will call for an audit,
> leaving holes undiscovered.

And a formal audit can miss security holes, reducing the likelihood that anyone will call for further audits, leaving holes undiscovered -- it's a double-edged sword. Auditing is an ongoing process, not something which takes place at one point in time and unilaterally declares something "secure".

--Adam
--
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes,
http://flounder.net/publickey.html | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires."
38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_
5:21pm up 157 days, 15:37, 10 users, load average: 0.08, 0.02, 0.01
On Tue, Nov 14, 2000 at 03:35:35PM -0500, Paul Jarc wrote:
> [EMAIL PROTECTED] writes:
> > Whilst an audit is a good idea, I don't see how a competition and
> > time in the field can actually make matters worse.
>
> It can make people think a program is secure when no audit has been
> done, reducing the likelihood that anyone will call for an audit,
> leaving holes undiscovered.

Conversely, maybe an audit reduces the likelihood that anyone will bother to scrutinize the source, leaving holes undiscovered...

All we're doing is speculating about which source of a "false sense of security" is worse. Both have serious weaknesses. Ideally of course we have lots of points of reference to give us confidence - a formal audit, public scrutiny, large field usage, etc. I don't think that any one is enough. On that basis, the more boxes you tick off, the closer you get to feeling comfortable.

Regards.
On Tue, Nov 14, 2000 at 04:13:19PM -0500, Bennett Todd wrote: > 2000-11-14-15:07:28 [EMAIL PROTECTED]: > > [Bruce Schneier is] the author of perhaps the most popular book on > > computer security that's available to the public. > > Which book are you referring to? "Secrets and Lies"? While it's a Nup. > If you mean Applied Cryptography, it's certainly the most valuable Yup. > > He's generally well regarded - though having sendmail 8.8.8 on > > the secondary MX of his domain doesn't make you feel super > > confident :> > > As a computer security generalist (as opposed to a cryptanalyst), > his major thrust seems to be an argument that it's impossible to > really secure systems, and after perhaps some superficial efforts to > knock out the biggest problems, the place to concentrate your > efforts is on monitoring and risk management. With that as a given, > I expect he runs sendmail and BIND; things like qmail and djbdns are > for those of us who haven't given up on really completely securing > our systems:-). Postfix is on the primary MX, go figure. Biodiversity I suppose... Regards.
Thus spake Robin S. Socha ([EMAIL PROTECTED]):
> > No. Any audit worth doing would be prohibitively expensive for a
> > freeware project. $1000 wouldn't even begin to cover it, at least for
> > qmail.
> Doesn't the fact that they are included in OpenBSD (as ports) hint at
> the fact that some of the OpenBSD guys have had at least a cursory
> glance at it?

The OpenBSD guys lost their credibility as a software security authority when they decided to include sendmail as standard MTA. Theo is rumored to have said something like "There were no remote root exploits for two years, so it must be secure now, right?"

Felix
hi,

Agreed. It seems, IMHO, that if one wanted to smear djb they would do it as soon as they had the evidence, and they have tried and so far failed to provide evidence that the specific proggies are flawed. Whereas some of the add-ons have been shown to be.. One of the reasons I am interested in rolling out djbdns is to let fire be the judge, but my comfort zone with the programs grows a bit more as each day passes :-))

Best Regards,
[EMAIL PROTECTED]

Bennett Todd wrote:
> 2000-11-14-15:01:07 Charles Cazabon:
> > However, as far as qmail goes: all the crackers in the world have
> > had access to the qmail source code and design documentation for
> > years, and none have yet found an exploitable security hole. You
> > could consider that a fairly thorough audit-by-fire.
>
> And a case could be made that the charming and personable way qmail
> has been represented in various public fora makes this audit-by-fire
> even better: at this point, there are enough people around the world
> who hate djb's guts and would never touch anything that he even
> advocated much less wrote, just because of how much they like his
> way of carrying on discussions in public mailing lists, that I kinda
> expect more than one person has gone wading through qmail with blood
> in his eye, desperately hoping to wipe the smug grin off djb's face
> and get him to knock off the damned gloating already. Hasn't
> happened yet. _That's_ trial by fire.
>
> In a backwards kind of way this reminds me of a funny I heard
> referenced recently, apparently some exceptionally unnaturally
> clueless spammer harvested _bugtraq_. Makes me feel all warm and
> snuggly just thinking about it:-). Hmm. Wonder if he was located in
> the mid-east, maybe all this news about a "cyber-war" there is just
> bystanders being taken out by the shrapnel thrown from the smoking
> hole where that spammer used to reside.
Lipscomb, Al <[EMAIL PROTECTED]> writes on 14 November 2000 at 15:37:51 -0500 > Security "experts" are a dime a dozen. That's certainly true. I've actually testified in court on the topic, which goes to show how desperate people get sometimes. (I suspect I know more relevant stuff than quite a few security "experts", and would never call myself expert or even professionally competent at computer security. Luckily it's not my profession.) -- David Dyer-Bennet / Welcome to the future! / [EMAIL PROTECTED] SF: http://www.dd-b.net/dd-b/ Minicon: http://www.mnstf.org/minicon/ Photos: http://dd-b.lighthunters.net/
2000-11-14-16:24:36 Adam McKenna:
> Bruce Schneier is a god, [...]

It's possible you're being sarcastic, but there are those who would very nearly agree with you. While he may not actually be a god, he is certainly the single most important contributor to getting really top notch crypto out of research and into engineering; he's been teaching a lot of us the basic principles of sound design with crypto for a decade or more.

-Bennett
Paul Jarc wrote:
>
> Mate Wierdl <[EMAIL PROTECTED]> writes:
> > So has any expert ever audited qmail or djbdns?
>
> I imagine Dan has, and many would consider him an expert, but one is
> rarely the best auditor of one's own work.

I, as the author of the qmail-ldap patch, have looked deeply into the guts of qmail and found it to be secure. If one actually reads the source and sees the way Dan writes software, he would find that qmail is secure. The only possible holes are OS bugs or issues.

--
Andre
On Tue, Nov 14, 2000 at 06:22:27PM -0500, Bennett Todd wrote:
> 2000-11-14-16:24:36 Adam McKenna:
> > Bruce Schneier is a god, [...]
>
> It's possible you're being sarcastic, but there are those who would
> very nearly agree with you. While he may not actually be a god, he
> is certainly the single most important contributor to getting really
> top notch crypto out of research and into engineering; he's been
> teaching a lot of us the basic principles of sound design with
> crypto for a decade or more.

For what it's worth, I was only originally expressing an opinion on the few paragraphs that Mate posted, from some book that I had never heard of, by a "B. Schneier" [sic]. I didn't know who he was talking about at first, and I was reacting to getting attacked from all sides. Perhaps in the future when people post quotes from print, they should include a little bit more context, and perhaps an ISBN number to eliminate confusion.

By the way, why are the cr.yp.to lists so slow lately? Have we finally reached the limit of processing power on the list server?

--Adam
--
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes,
http://flounder.net/publickey.html | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires."
38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_
6:32pm up 157 days, 16:48, 10 users, load average: 0.01, 0.02, 0.00
2000-11-14-16:37:06 Lipscomb, Al:
> Open Source is often used to describe software that has its source
> code available regardless of the license involved.

Could be, people use words as they wish. But if you'll take a visit to <URL:http://www.opensource.org/>, you'll find that the term was very specifically drafted by a group of people with an agenda, and they've produced a branding service based on an Open Source Definition, which definitely excludes weirdo licenses like djb's.

> "Free Software" as promoted by the Free Software Foundation (FSF)
> is a different thing. I believe that the DJB software is Open
> Source, but not free.

Unlike Open Source, the phrase "free software" strongly predates the Free Software Foundation and they've made no attempt at branding it; rather, they pursue branding the GNU General Public License (GPL), which is stricter than (but compatible with) the Open Source Definition.

> Based on the FSF definition it is not the cost, but what you are
> allowed to do with it that is the issue.

The FSF and the Open Source Initiative (OSI) are in pretty close agreement in a lot of these basics, and neither of them would endorse djb's license; he chooses to prohibit his users from making unrestricted use of the code he writes: they aren't allowed to distribute modified versions. That restriction is what leaves qmail and djbdns a bit off the main stream of the free software movement as it's crusading these days; people believe that that ability contributes in a basic and important way to preserving their investment in the time and effort required to become really expert in a package. If ever djb decides to stop maintaining his software, it stagnates, because while individuals may do so for their own benefit, the community as a whole cannot work together to do so --- redistribution of modified versions is critical for that sort of collaboration. Heck, even doing standards-compliant software packaging of his software is prohibited.
It's not free software or open source in a fairly important way. This doesn't matter to djb, but it's important and this distinction shouldn't be glossed over. -Bennett
Quoted from Lipscomb, Al [15 Nov 2000]:
> Open Source is often used to describe software that has its source code
> available regardless of the license involved.

Just because it's ``often'' done doesn't mean it's correct. To me, and possibly others, open source is used to describe software that uses a licence conforming to the Open Source Definition.

Have a look at clause 4, and let me know if you think that's consistent with the qmail and djbdns licences. Specifically: ``The [licence] must explicitly permit distribution of software built from modified source code.''.

> I believe that the
> DJB software is Open Source, but not free.

I used to too, and once advocated that view in my Linux users group. I was shot down pretty quickly.... :-)

> Based on the FSF definition it is not the cost, but what you are allowed to
> do with it that is the issue.

Of course. Whenever I say ``free software'', that is always what I mean (``freedom, not price''---don't you just love propaganda from the free software movement?).

---Chris K.
--
Chris, the Young One |_ If you can't afford a backup system, you can't
Auckland, New Zealand |_ afford to have important data on your computer.
GnuPG: CCC6114E/706A6AAD |_ ---Tracy R. Reed
Bennett Todd <[EMAIL PROTECTED]> writes: > Could be, people use words as they wish. But if you'll take a visit to > <URL:http://www.opensource.org/>, you'll find that the term was very > specifically drafted by a group of people with an agenda, and they've > produced a branding service based on an Open Source Definition, which > definitely excludes weirdo licenses like djb's. > Unlike Open Source, the phrase "free software" strongly predates the > Free Software Foundation and they've made no attempt at branding it; > rather, they pursue branding the GNU General Public License (GPL), which > is stricter than (but compatible with) the Open Source Definition. RMS tries to "brand" the term free software just as much as the Open Source folks try to "brand" the term open source; neither of them have any kind of trademark or service mark on the term (the one on Open Source wasn't pursued) and both of them have been known to argue at great length over the precise meaning of the terms with people who they feel are using them incorrectly. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
On Wed, Nov 15, 2000 at 01:14:15PM +1300, Chris K. Young wrote: > Quoted from Lipscomb, Al [15 Nov 2000]: > > Open Source is often used to describe software that has its source code > > available regardless of the license involved. > > Just because it's ``often'' done doesn't mean it's correct. To me, and > possibly others, open source is used to describe software that uses a > licence conforming to the Open Source Definition. > > Have a look at clause 4, and let me know if you think that's consistent > with the qmail and djbdns licences. Specifically: ``The [licence] must > explicitly permit distribution of software built from modified source > code.''. I'm confused. How exactly does any of this affect the ability of people to download the source and examine/use it to determine if it's secure or not? After all, wasn't that the point of the discussion? Regards.
On Wed, Nov 15, 2000 at 01:14:15PM +1300, Chris K. Young wrote:
> Quoted from Lipscomb, Al [15 Nov 2000]:
> > Open Source is often used to describe software that has its source code
> > available regardless of the license involved.
>
> Just because it's ``often'' done doesn't mean it's correct. To me, and
> possibly others, open source is used to describe software that uses a
> licence conforming to the Open Source Definition.
>
> Have a look at clause 4, and let me know if you think that's consistent
> with the qmail and djbdns licences. Specifically: ``The [licence] must
> explicitly permit distribution of software built from modified source
> code.''.
>
> > I believe that the
> > DJB software is Open Source, but not free.
>
> I used to too, and once advocated that view in my Linux users group. I
> was shot down pretty quickly.... :-)

qmail conforms loosely to the OSD; there is a footnote to section 4 that (ambiguously) states that licenses that allow third party distribution of patches conform. The main problem is that qmail doesn't really have a "license" that ships with it. All people have to go on is public remarks made by Dan, http://cr.yp.to/qmail/dist.html, and http://cr.yp.to/softwarelaw.html .

--Adam
--
Adam McKenna <[EMAIL PROTECTED]> | "No matter how much it changes,
http://flounder.net/publickey.html | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA | connected to a bunch of other wires."
38B0 05D0 8BF7 2C6D 110A | Joe Rogan, _NewsRadio_
8:06pm up 157 days, 18:23, 10 users, load average: 0.08, 0.06, 0.01
On Tue, 14 Nov 2000 [EMAIL PROTECTED] wrote:
> I'm confused. How exactly does any of this affect the ability of people
> to download the source and examine/use it to determine if it's secure
> or not? After all, wasn't that the point of the discussion?
>

Some folks who are capable of doing good audit work won't spend their time on projects that don't have the right license. This is either because they would rather spend their time contributing work towards their favorite license, or because there might later be accusation that someone stole code from qmail, and used it in another product with an incompatible license.

For example, there was a flap recently when some MS code may have been stolen. There was concern that if any Samba team members saw the code, they couldn't work on the project anymore; they'd be "tainted".

There are some OS distributions that will only include code of a particular license, and some of those do code audits. So, the license can have some effect on how much review a program gets.

No, in general the license won't stop people whose motivation is to publish holes, or who want to use qmail for themselves.

Ryan
On Tue, Nov 14, 2000 at 01:21:03PM -0800, Russ Allbery wrote:
> He's not alone in that opinion; I think that opinion has a lot of merit,
> although I wouldn't go so far as to say that such contests are *bad*. But
> I don't think they actually prove anything.

Exactly Schneier's opinion: contests could be good (like RSA's), but alone they prove absolutely nothing about the security of a product.

What I do not understand is this: why not treat software as a research paper? A research paper is usually refereed---and in most sciences referees are not paid a dime. Referees get their salaries from elsewhere, but they usually do their refereeing very thoroughly because it is in the culture to accept this pro bono job as one's very important responsibility. The expectation is that if I publish a paper, I'd like to have a tough referee's opinion---if for nothing else but to check the correctness of the result, and I also must return the favor.

Mate
On Tue, Nov 14, 2000 at 11:25:27PM +0100, Felix von Leitner wrote:
> Thus spake Mate Wierdl ([EMAIL PROTECTED]):
> > make sure his software is secure. Perhaps his closed to the public
> > cryptography course notes would give a hint.
>
> Mate, what kind of problem do you have?
> What does qmail have to do with cryptography?

I thought it was possible that Dan would give some hints on his view on secure programming in these notes.

> Software security auditing does not work that way.
>
> Software is secure iff the architecture and trust model is sound, which
> you can verify yourself in a few hours.

You make software security look easy, and Schneier's book tells me otherwise.

My two points:

1) It seems that systematic (scientific?) testing of qmail or djbdns has not happened---except by Dan.

2) The only way we could get a hint on the guiding ideas of Dan on secure computing is to read the source code he writes. But this is reverse engineering, and is similar to trying to understand Gauss's ideas by reading his proofs---good luck. Or is everybody on this list who read qmail's sources writing 100% secure software now? Does everybody have a clear idea what Dan considers a security problem? For example, he clearly does not care about preventing some DoS attacks. Is it clear for everybody which ones are considered unimportant by Dan? DoS attacks against djbdns or qmail will not give you $1000 but there are two attacks listed at http://cr.yp.to/maildisasters/sendmail.html.

Mate
In the immortal words of Adam McKenna ([EMAIL PROTECTED]):
>
> It sounds like the author of this book is a M$-type weenie.

Bruce Schneier, "M$-type weenie."

God I'm glad I wasn't trying to eat or drink anything when I read that...

"That would be `no.'"

-n

-------------------------------------------------------------<[EMAIL PROTECTED]>
"Many argue that it is an outrage to expect Elián González to live in a place that tolerates no dissent or freedom of political expression. But I don't think Miami is so bad." (--Maureen Dowd)
<http://www.blank.org/memory/>-------------------------------------------------
Mate Wierdl <[EMAIL PROTECTED]> writes on 14 November 2000 at 15:57:34 -0600
> On Tue, Nov 14, 2000 at 12:04:46PM -0800, Ian Lance Taylor wrote:
> > Bruce Schneier is a very long way from being an ``M$-type weenie.''
> > He's a pretty serious security dude. See, e.g.,
> > http://www.counterpane.com/crypto-gram.html.
>
> Indeed, he is using ezmlm (idx!) for his newsletter. So he *does*
> have a clue.

In fact, crypto-gram has so far been sent out from my server, because that was where the employee who set it up had shell access. I hear they do plan to eventually move it to corporate hardware, and I don't know what they'll be running there.

It's by far the biggest email activity on this system, every month (in fact, tomorrow, if they're on schedule). They're closing in on 50,000 subscribers; that's not immense by some of your standards, or by ezmlm and qmail standards, but this Cyrix P166+ with 96 meg of ram and IDE disks wasn't really planned to be a mail blaster. But it tears through it pretty darned well anyway.

--
David Dyer-Bennet / Welcome to the future! / [EMAIL PROTECTED]
SF: http://www.dd-b.net/dd-b/ Minicon: http://www.mnstf.org/minicon/
Photos: http://dd-b.lighthunters.net/
Ryan Russell wrote:
> If you want to see some of the tests he does, check out rts.tests that
> comes in the djbdns distribution. I happened to be looking at that last
> night. It's far from a complete security audit, of course, but it does
> try out a lot of the obvious stuff. It would probably be fun to point his
> tests at someone else's DNS software...

BIND8 fails at least a dozen of his tests. I'm running BIND right now but plan on switching to djbdns in the near future......

--
Chris Olson
On Tue, Nov 14, 2000 at 04:13:19PM -0500, Bennett Todd wrote:
> efforts is on monitoring and risk management. With that as a given,
> I expect he runs sendmail and BIND; things like qmail and djbdns are
> for those of us who haven't given up on really completely securing
> our systems:-).

First I thought B.S. runs qmail and ezmlm, but it seems his mailinglist is run by DD-B. counterpane.com servers run postfix and sendmail---as you indicated.

Mate
Quoted from Adam McKenna [15 Nov 2000]:
> On Wed, Nov 15, 2000 at 01:14:15PM +1300, Chris K. Young wrote:
> > ``The [licence] must
> > explicitly permit distribution of software built from modified source
                                                          ^^^^^^^^^^
> > code.''.
>
> qmail conforms loosely to the OSD, there is a footnote to section 4 that
> (ambiguously) states that licenses that allow third party distribution of
> patches conform.

Allowing patches is necessary, but it's not sufficient. Debian's Free Software Guidelines has a similar clause, and I see no other clause that DJB's licence conflicts with. If I go by your statement, why is qmail listed under the non-free section?

> The main problem is that qmail doesn't really have a
> "license" that ships with it. All people have to go on is public remarks
> made by Dan, http://cr.yp.to/qmail/dist.html

I say that dist.html should be considered authoritative. There are references in the qmail and djbdns documentation that contain the URL to their respective pages.

---Chris K.
--
Chris, the Young One       |_ If you can't afford a backup system, you can't
Auckland, New Zealand      |_ afford to have important data on your computer.
GnuPG: CCC6114E/706A6AAD   |_ ---Tracy R. Reed
On Wed, Nov 15, 2000 at 08:18:29PM +1300, Chris K. Young wrote:
> Quoted from Adam McKenna [15 Nov 2000]:
> > On Wed, Nov 15, 2000 at 01:14:15PM +1300, Chris K. Young wrote:
> > > ``The [licence] must
> > > explicitly permit distribution of software built from modified source
>                                                           ^^^^^^^^^^
> > > code.''.
> >
> > qmail conforms loosely to the OSD, there is a footnote to section 4 that
> > (ambiguously) states that licenses that allow third party distribution of
> > patches conform.
>
> Allowing patches is necessary, but it's not sufficient. Debian's Free
> Software Guidelines has a similar clause, and I see no other clause
> that DJB's licence conflicts with. If I go by your statement, why is
> qmail listed under the non-free section?

That's why it conforms loosely. It only violates one part, and the rationale for that part explains why an author would want to make his license that way. I can't speak for the strictness of the Debian project because I am not a part of it, but it has been my experience that it doesn't take much of an infraction of the OSD (which was originally the DFSG) to get exiled to non-free.

> > The main problem is that qmail doesn't really have a
> > "license" that ships with it. All people have to go on is public remarks
> > made by Dan, http://cr.yp.to/qmail/dist.html
>
> I say that dist.html should be considered authoritative. There are
> references in the qmail and djbdns documentation that contain the
> URL to their respective pages.

That's what you say. But there isn't a definitive license (i.e. LICENSE or COPYING) in the qmail distribution that explains those rights -- some web page could be altered or taken down at any time, leaving users without any rights whatsoever.

--Adam
--
Adam McKenna <[EMAIL PROTECTED]>   | "No matter how much it changes,
http://flounder.net/publickey.html | technology's just a bunch of wires
GPG: 17A4 11F7 5E7E C2E7 08AA      | connected to a bunch of other wires."
     38B0 05D0 8BF7 2C6D 110A      | Joe Rogan, _NewsRadio_
3:12am up 158 days, 1:28, 10 users, load average: 0.01, 0.01, 0.00
Hi,

I'm running qmail-1.03, ezmlm-idx, verh patch, big concurrency patch.

We have subscribers to morning, midday and afternoon bulletins that receive a single message with no personalisation. I'd like to send one-off emails that are personalised (i.e. Dear Name-Here).

My current set-up for this is a script which queries a database with an email address, retrieves a name, and then uses qmail-inject to send the mail.

My question is, is there any way using ezmlm-idx to perform this function? Maybe adding a comment field when manually subscribing a user? Which qmail/ezmlm can then substitute with some kind of meta tag in the message body??

Also, is there any way to make ezmlm-idx prohibit a subject if it's already been sent to a particular mailing list? The outbound bulletins don't want to be sent twice! (Our current system does this).

TIA,

Darren
--
+----------------------------+----------------------------+
| Darren Honeyball           | DDI: +44(0)20 7863 1672    |
| Senior Systems Consultant  | Office: +44(0)20 7863 1600 |
| & Technical Team Leader    | Fax: +44(0)20 7863 1601    |
| TheStreet.com (UK) Ltd     | Mobile: +44(0)7971 032292  |
+----------------------------+----------------------------+
http://www.thestreet.co.uk
Hi,

My .qmail-default has the line:

    | /var/qmail/bin/fastforward -d /etc/aliases.cdb

The /etc/aliases has the line:

    MAILER-DAEMON: admin

I'm receiving a lot of emails from someone trying to spam me, but the accounts that the spammer is trying to spam don't exist, so qmail sends a MAILER-DAEMON message to admin saying that the account doesn't exist. I disabled this line from .qmail-default in order to prevent qmail from sending this message, but I looked at the logs and I saw that when a message to an unknown user arrives, the logs show the message DID arrive.

My question is: where are these messages to an unknown user stored? Is this message discarded?

Roberto Samarone Araujo
Hi,

I'm currently using a single address for all my list mail, and I run procmail to filter the emails to their respective mail folders. I'd like to switch to separate addresses (one per list) and filter the mails with .qmail-listname files.

However, the reason I've not yet changed is that I have a nice perl script that reads procmail's log file and tells me statistics about the delivered mail. Here's an example output:

    Delivered mail messages:
    IN.42: 1
    IN.corrs: 1
    IN.corrs-friends: 27
    INBOX: 4
    own: 1
    Total of 34 delivered messages in 5 folders.

Before I switch to separate .qmail-list mail filtering, I want to have a similar kind of mail accounting/statistics in place. It should be simple enough, just add an additional delivery instruction to a program that will log the mail. And then have a separate program for displaying the current statistics and possibly clearing the accumulated data.

My question is, has anyone yet done such a program? I looked on the qmail.org web page, but couldn't find anything. If there is no such program, I guess I will have to write it myself.

Regards,
Mikko
--
// Mikko Hänninen, aka. Wizzu // [EMAIL PROTECTED] // http://www.wizzu.com /
// The Corrs list maintainer // net.freak // DALnet IRC operator /
// Interests: roleplaying, Linux, the Net, fantasy & scifi, the Corrs /
Energizer Bunny arrested, charged with battery.
How can I make qmail accept mail for user@[123.123.123.123] when the machine 123.123.123.123 forwards all mail to our qmail server?

wolfgang
My proposed setup is something like this. Clients connect for SMTP and POP to this machine, mach1. When I receive a mail from remote or from local, it goes through the usual routine of checking for receipt host and other things and writes to the qmail queue. From the queue the mail has to be taken and sent to machine 2 (where I do some checking for virus and spam) and put in the mailboxes which are shared by both these machines, machine 1 and machine 2.

    Machine1 ---------------------------------------------- Machine2
       |                                                       |
       |                                                       |
       |---------------------- MailBOXes ----------------------|

I wanted to know how I could get the mails from the queue and pump them out to machine 2. Can somebody help?

thanks and regards.
ram
You can use the smtproutes control file to send domains on to another machine from the queue. eg:

    echo 'domain.com:[xxx.xxx.xxx.xxx]' >> /var/qmail/control/smtproutes

where domain.com is the domain to send to machine2 and xxx.xxx.xxx.xxx is the IP address of machine2

Regards,
Charles Warwick

-----Original Message-----
From: RamKumar [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 November 2000 3:47 PM
To: [EMAIL PROTECTED]
Subject: Help Required .....
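To check where a given destination host would actually be routed once entries like the one above are in the control file, here is an added example (written for this digest, not qmail's own code) that parses a smtproutes file and applies the lookup order qmail-remote uses: the full host first, then each dot-prefixed suffix, then the empty domain as catch-all. The sample file and its addresses are constructed placeholders, and keeping the first of two entries with the same key is this example's own assumption.

```python
"""Resolve the relay qmail-remote would pick for a destination host from a
control/smtproutes file (added example, not qmail's own code)."""
from typing import Dict, Optional, Tuple

# Constructed sample control file (placeholder addresses), mirroring the
# thread's setup: mail for domain.com is handed to the scanning machine.
SAMPLE_SMTPROUTES = """\
domain.com:[192.0.2.10]
.domain.com:[192.0.2.10]:2525
inside.example:relay.example:26
"""

# relay host (None = do a normal MX lookup) and SMTP port
RouteTarget = Tuple[Optional[str], int]


def parse_smtproutes(text: str) -> Dict[str, RouteTarget]:
    """Parse domain:relay[:port] lines into a lookup table keyed by domain."""
    routes: Dict[str, RouteTarget] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        domain, _, relay = line.partition(":")
        # qmail-remote splits the relay at its first ':' to find the port.
        host, _, port = relay.partition(":")
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]  # bracketed IP literal, as in the reply above
        target: RouteTarget = (host.lower() or None, int(port) if port else 25)
        # Assumption of this example: the first entry for a key is kept.
        routes.setdefault(domain.lower(), target)
    return routes


def resolve_route(routes: Dict[str, RouteTarget],
                  host: str) -> Tuple[Optional[str], Optional[str], int]:
    """Return (matched key, relay host, port) for a destination host.

    Candidates are tried in qmail-remote's order: the whole host, then every
    suffix beginning at a dot (so ".domain.com" matches only subdomains),
    then "" as the catch-all. Key None means no route applied; relay None
    means ordinary MX delivery.
    """
    h = host.lower()
    candidates = [h] + [h[i:] for i, c in enumerate(h) if c == "."] + [""]
    for key in candidates:
        if key in routes:
            relay, port = routes[key]
            return key, relay, port
    return None, None, 25


if __name__ == "__main__":
    table = parse_smtproutes(SAMPLE_SMTPROUTES)
    for dest in ("domain.com", "mail.domain.com", "inside.example", "other.org"):
        print(dest, "->", resolve_route(table, dest))
```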
> Allowing patches is necessary, but it's not sufficient. Debian's
> Free Software Guidelines has a similar clause, and I see no other
> clause that DJB's licence conflicts with. If I go by your statement,
> why is qmail listed under the non-free section?

Ability to distribute binaries built from modified source would seem to be the key issue. From DFSG section 4:

    The license must explicitly permit distribution of software built from modified source code.

(As a note of personal preference, I think allowing "you can only distribute the pristine source since patches" is a ridiculous concession, and I don't consider software with such a license to be "free" in the liberated sense at all. But my personal preference isn't especially relevant to this discussion.)
Dear all,

I'd upgraded my daemontools on qmail from version 0.53 to 0.7. The file size for both /var/qmail/control/locals and rcpthosts exceeds 1M (this incl. around 65000 cobrands). However using the new daemontools with svscan somehow prevents qmail from running with big locals and rcpthosts. I have tried reducing the file size to around 160K (around 10000 cobrands) and it works. However when I add 5000 cobrands more into the locals and rcpthosts, it crashes again. The error shown when telneting to port 25 is as follows:

    bash-2.03# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    421 unable to read controls (#4.3.0)
    Connection closed by foreign host.

Now I've rolled back to the previous daemontools version 0.53; it worked for a day or two but now it comes up with the same error message again!!!!!!

I'm using SunOS 5.8, has someone had such an experience? Is it because the locals and rcpthosts are too large? It would be highly appreciated if someone can give me any suggestion. (p.s. Please also cc to my email address.)

thanks,
Eric
Can you help me with using qmailanalog??? I have installed qmailanalog and have a log file without time stamps... I think that I use incorrect syntax...

Daniel POGAČ
Tech. Support
TatraSoft Group s.r.o
Sibírska 4
83102 Bratislava
tel: +421-7-55574033
fax: +421-7-55566385
[EMAIL PROTECTED]