q question <[EMAIL PROTECTED]> writes:

> One of the reasons I was interested in qmail was the security aspect of
> it. I've been impressed that no one has won the reward that is available
> from Dan Bernstein. This is probably the most negative comment I have
> seen about qmail while surfing for info:

That's because the ORBS folks made completely false statements, were
called on it, and don't like being wrong.

> http://www.orbs.org/otherresources.html

> "Qmail admins: Qmail's current version is secure by default, but earlier
> versions were insecure.

False.

> Most admins know enough to follow the instructions for securing it
> before putting qmail into service, however it usually drops ORBS test
> messages checking for UUCP pathing vulnerabilities - "! pathing" -
> into the admin mailbox.

Rather, it tries to bounce them and the bounce bounces as undeliverable.
The solution is for ORBS to stop probing systems from which no spam has
ever been sent and for which there is no reason to suspect a lack of
security.

> As ! is a standard network addressing indicator,

False.

> Qmail is extremely network unfriendly and generates denial of service
> attacks on other mailservers in its enthusiasm to deliver as many
> messages as possible in a short period of time.

False.  qmail's default configuration is incapable of doing that except
possibly to a pathetically undersized e-mail server that would have
problems with all sorts of normal deliveries.

> For this reason it is best reserved for mailing list server purposes
> only."

> Do you all agree with this opinion that qmail is "best reserved for
> mailing list server purposes only"?

No.

-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
