Actually, for what it's worth, if you follow the directions in INSTALL you
should generally hit the 'read FAQ' before getting down to the section of
INSTALL that says to use inetd (for upgrading from sendmail)    :)

FAQ pretty much points you at tcpserver


----- Original Message -----
From: "Ian Lance Taylor" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 01, 2001 2:59 PM
Subject: Re: qmail 2.0 exploit


> Peter Cavender <[EMAIL PROTECTED]> writes:
>
> > What is this qmail version 2.0 that securityfocus.com claims there is an
> > exploit for?  Am I missing something, or are they?
> >
> > Being that I have better things to do than to try to screw up my mail
> > server, has anyone tried this claimed exploit?  What really happens?
>
> It depends upon how you run qmail-smtpd.  There are several variables.
>
> If you run qmail-smtpd directly from inetd.conf, as suggested in the
> INSTALL file distributed with qmail-1.03, then there is a pretty good
> chance that the instance of qmail-smtpd being attacked will grow to
> eat all of memory.  What happens then depends upon your OS.  On
> GNU/Linux, a random process will be killed; there is a pretty good
> chance that the random process will be the large qmail-smtpd.
> Alternatively, a careful attacker who really understands your system
> can create several fairly large qmail-smtpd processes and
> significantly increase the chance that the random process which is
> killed will be something other than qmail-smtpd.  In this scenario
> this attack can indeed be a denial of service.
>
> If you run qmail-smtpd as suggested in Life With Qmail, then you are
> not vulnerable to this attack, because qmail-smtpd is run under the
> softlimit program to limit the amount of memory it will allocate.
> (This does not affect the size of the mail messages it can accept, as
> qmail-smtpd does not store mail messages in memory.)
>
> Ian
>

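The mitigation described in the quoted message, as an added example that is not part of the thread and is not qmail or daemontools code: a per-process memory limit turns unbounded growth into a clean allocation failure inside that one process. It assumes Linux or another POSIX system with RLIMIT_AS; `grow_until` and `run_capped` are hypothetical names, the sizes are constructed, and the limit is set in a forked child rather than before an exec as softlimit does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Grow a buffer by doubling, as a reader with no length cap does while the
 * peer keeps sending. Returns 0 if `target` bytes were reached, 1 if the
 * allocator refused first. */
static int grow_until(size_t target)
{
    size_t cap = (size_t)1 << 16;
    char *buf = malloc(cap);
    if (!buf) return 1;
    memset(buf, 'A', cap);
    while (cap < target) {
        char *bigger = realloc(buf, cap * 2);
        if (!bigger) { free(buf); return 1; }   /* limit hit: fail cleanly */
        buf = bigger;
        memset(buf + cap, 'A', cap);            /* touch the new pages */
        cap *= 2;
    }
    free(buf);
    return 0;
}

/* Hypothetical helper: fork, cap the child's address space at `limit` bytes
 * (0 = leave uncapped), run grow_until(target) there. Returns the child's
 * exit code (0 grew, 1 refused, 2 setrlimit failed) or -1 on error. */
int run_capped(size_t limit, size_t target)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl = { (rlim_t)limit, (rlim_t)limit };
        if (limit && setrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        _exit(grow_until(target));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    size_t mib = (size_t)1 << 20;               /* constructed sizes */
    printf("uncapped, 16 MiB target: %d\n", run_capped(0, 16 * mib));
    printf("32 MiB cap, 128 MiB target: %d\n", run_capped(32 * mib, 128 * mib));
}
```

The capped child exits with status 1 when `realloc` returns NULL, so the failure stays inside that process instead of pushing the whole machine into memory exhaustion.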