Mate Wierdl wrote:

[included qmail list again]

> On Wed, Nov 15, 2000 at 12:29:14AM +0100, Andre Oppermann wrote:
> > I, as the author of the qmail-ldap patch, have looked deeply into the
> > guts of qmail and found it to be secure. If one actually reads the
> > source and sees the way Dan writes software he would find that qmail
> > is secure. The only possible holes are OS bugs or issues.
> 
> Now that sounds really good.  Does this mean you ran several
> systematic tests?  Do you have any observation on DoS attacks like the
> "distributed" qmail-smtpd attack of Russ or the "queue attack" of
> Wietse where a local user could fill up the queue in seconds with
> 0 length files?

DoS attacks were not part of the evaluation. Since the focus of
qmail-ldap is closed non-shell mail servers, local attacks have also
not been looked at in very deep detail.

What can be said truly is that qmail is safe from any remote attacks
in terms of exploiting bugs of buffer overflows via SMTP or POP3.

There are two kinds of DoS attacks: attacks that last as long as they
are mounted, where as soon as they stop everything goes back to normal,
and attacks that make a system require manual intervention to make it
fulfill its purpose again.

Given enough resources it is very well possible indeed to DoS qmail
by consuming all available SMTP sessions. During this attack qmail
will not bog down the whole machine, and as soon as the attack is over
it will simply return to normal processing of messages. Sendmail on
the other hand (at least used to) fork until the whole machine bogs
down.

Another possible qmail attack is its late bouncing for non-existent
users. Using a false envelope sender address you could fill up the
queue with double bounces. I consider this a more serious problem.
The decision to handle bouncing this way was apparently part of the
security and modularity concept of qmail. Qmail-ldap contains many
enhancements to check the envelope sender to make this more unlikely.
Nevertheless it is still possible. Whereas I still rest well at
night because this kind of attack requires significant remote
resources and is not likely to happen. Anyway, this kind of attack
can be mounted against other MTAs as well. It's simply a problem of
finite resources.

While not perfect in every aspect, qmail is surely one of the best,
if not the best, MTA you can run and trust.

-- 
Andre

