Re: Is qmail "best reserved for mailing list server purposes only"?

2001-05-02 Thread Karsten W. Rohrbach

Russ Allbery([EMAIL PROTECTED])@2001.04.29 14:49:03 +:
> q question <[EMAIL PROTECTED]> writes:
[...]
> > Qmail is extremely network unfriendly and generates denial of service
> > attacks on other mailservers in its enthusiasm to deliver as many
> > messages as possible in a short period of time.
> 
> False.  qmail's default configuration is incapable of doing that except
> possibly to a pathetically undersized e-mail server that would have
> problems with all sorts of normal deliveries.
exchange, notes. systems not primarily designed to process mail.
consider _them_ broken by default ;-)

/k

-- 
> Definition of Windows 95: A 32-bit extension and graphical shell for a
> 16 Bit patch to an 8 Bit OS originally coded for an 4 Bit CPU, written
> by a 2-Bit Company that can't stand 1 Bit of competition. 
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46



Re: Is qmail "best reserved for mailing list server purposes only"?

2001-05-01 Thread q question

I appreciate your pointing this out.


>From: [EMAIL PROTECTED] (John R. Levine)
>To: [EMAIL PROTECTED]
>CC: [EMAIL PROTECTED]
>Subject: Re: Is qmail "best reserved for mailing list server purposes only"?
>Date: 30 Apr 2001 19:15:38 -0400
>
> >One last note on this thread. While rereading the FAQ, I came across this
> >which indicates qmail has brakes to keep from generating denial of service
> >attacks.
> >
> >http://cr.yp.to/qmail/faq/efficiency.html
> >
> >Does qmail back off from dead hosts?
> >Answer: Yes. qmail has three backoff features: ...
>
>Qmail backs off very well, but doesn't work all that well with
>sendmail under heavy load.  The problem is that sendmail keeps
>accepting connections even when it doesn't have enough system
>resources to accept mail, and tends to thrash to death.  (Qmail
>systems usually use tcpserver which enforces a maximum number of
>simultaneous connections rejecting any beyond that limit.)  But since
>sendmail doesn't reject connections, qmail can't tell that the
>recipient system isn't responding.
>
>Sendmail users tend to assume that anything sendmail does must be
>right, and anything different must be wrong, so they often blame qmail
>for opening "too many" connections.  In reality, the connections could
>just as easily come from any other mail system, of course.
>
>
>--
>John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
>[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
>Member, Provisional board, Coalition Against Unsolicited Commercial E-mail





Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-30 Thread David L. Nicol

Oleg Polyakov wrote:
> 

> I'm not sure how qmail works if you are sending 100 messages
> from server to another one.
> Does it open 100 connections concurrently?


it opens "maxconcurrency" connections. It doesn't have a per-site
concurrency limit, unless you patch it.  It is recommended, if
you are having a problem killing a particular smtp peer, to 
trap all outgoing mail for it by defining it as a local virtual host,
and then passing the stack of mail in the local virtual host's
MailDir to the peer with something called "serialmail."


-- 
  David Nicol 816.235.1187 [EMAIL PROTECTED]
  Parse, munge, repeat.




Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-30 Thread David L. Nicol

Russ Allbery wrote:


> Rather, it tries to bounce them and the bounce bounces as undeliverable.
> The solution is for ORBS to stop probing systems from which no spam has
> ever been sent and for which there is no reason to suspect a lack of
> security.


they were a lot easier to ignore when they were still calling
themselves "dorkslayers"


-- 
  David Nicol 816.235.1187 [EMAIL PROTECTED]
  Parse, munge, repeat.




Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-30 Thread Oleg Polyakov


--- "John R. Levine" <[EMAIL PROTECTED]> wrote:

> Qmail backs off very well, but doesn't work all that well with
> sendmail under heavy load.  The problem is that sendmail keeps
> accepting connections even when it doesn't have enough system
> resources to accept mail, and tends to thrash to death. 

well - it's VERY misconfigured sendmail ;)

> (Qmail systems usually use tcpserver which enforces a maximum number
> of simultaneous connections rejecting any beyond that limit.)
> But since sendmail doesn't reject connections, qmail can't tell that
> the recipient system isn't responding.

It rejects, really 
 
> Sendmail users tend to assume that anything sendmail does must be
> right, and anything different must be wrong, so they often blame qmail
> for opening "too many" connections.  In reality, the connections could
> just as easily come from any other mail system, of course.

I'm not sure how qmail works if you are sending 100 messages
from server to another one.
Does it open 100 connections concurrently?
 
---
Oleg
 
> -- 
> John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
> [EMAIL PROTECTED], Village Trustee and Sewer Commissioner,
> http://iecc.com/johnl, 
> Member, Provisional board, Coalition Against Unsolicited Commercial E-mail





Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-30 Thread John R. Levine

>One last note on this thread. While rereading the FAQ, I came across this 
>which indicates qmail has brakes to keep from generating denial of service 
>attacks.
>
>http://cr.yp.to/qmail/faq/efficiency.html
>
>Does qmail back off from dead hosts?
>Answer: Yes. qmail has three backoff features: ...

Qmail backs off very well, but doesn't work all that well with
sendmail under heavy load.  The problem is that sendmail keeps
accepting connections even when it doesn't have enough system
resources to accept mail, and tends to thrash to death.  (Qmail
systems usually use tcpserver which enforces a maximum number of
simultaneous connections rejecting any beyond that limit.)  But since
sendmail doesn't reject connections, qmail can't tell that the
recipient system isn't responding.

Sendmail users tend to assume that anything sendmail does must be
right, and anything different must be wrong, so they often blame qmail
for opening "too many" connections.  In reality, the connections could
just as easily come from any other mail system, of course.


-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail



Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-29 Thread q question

One last note on this thread. While rereading the FAQ, I came across this 
which indicates qmail has brakes to keep from generating denial of service 
attacks.

http://cr.yp.to/qmail/faq/efficiency.html

Does qmail back off from dead hosts?
Answer: Yes. qmail has three backoff features:

1. Each message is automatically retried on a quadratic schedule, with longer 
   and longer intervals between delivery attempts.
2. If a remote host does not respond to two connection attempts (separated by 
   at least two minutes with no intervening successful connections), qmail 
   automatically leaves the host alone for an hour. At the end of the hour it 
   ``slow-starts,'' allowing one connection through to see whether the host is 
   up.
3. Some mailers opportunistically bombard a host with deferred messages as soon 
   as the host comes back online. qmail does not do this. Each message waits 
   until the appropriate retry time.

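The three backoff rules quoted from the FAQ in the post above, modelled as an added example (not part of the original post and not qmail's source code). The class and function names and the `SKIP` constant are assumptions made for illustration; the two-minute and one-hour values come from the quoted FAQ text.

```python
# Added illustration: a model of the three backoff rules quoted from the FAQ.
# All names and the SKIP constant are assumptions, not qmail source code.
from dataclasses import dataclass

SKIP = 20          # assumed schedule constant; retry k falls at (k*SKIP)^2 seconds
STRIKE_GAP = 120   # two failures must be at least two minutes apart
QUIET = 3600       # the host is then left alone for an hour


def retry_time(birth: int, attempt: int, skip: int = SKIP) -> int:
    """Rule 1: quadratic schedule, so gaps between attempts keep growing."""
    return birth + (attempt * skip) ** 2


@dataclass
class HostState:
    first_fail: int
    strikes: int = 1
    quiet_until: int = 0
    probing: bool = False


class HostBackoff:
    """Rule 2: per-host record of unanswered connection attempts."""

    def __init__(self) -> None:
        self.hosts: dict[str, HostState] = {}

    def may_connect(self, host: str, now: int) -> bool:
        st = self.hosts.get(host)
        if st is None or st.strikes < 2:
            return True
        if now < st.quiet_until or st.probing:
            return False              # quiet hour, or the single probe is out
        st.probing = True             # slow start: exactly one connection
        return True

    def timeout(self, host: str, now: int) -> None:
        st = self.hosts.get(host)
        if st is None:
            self.hosts[host] = HostState(first_fail=now)
        elif st.strikes == 2 or now - st.first_fail >= STRIKE_GAP:
            st.strikes, st.quiet_until, st.probing = 2, now + QUIET, False

    def success(self, host: str) -> None:
        self.hosts.pop(host, None)    # any successful connection clears the record


def due(queue: list[tuple[int, int]], now: int) -> list[int]:
    """Rule 3: only messages whose own retry time has passed are attempted."""
    return [i for i, (birth, k) in enumerate(queue) if retry_time(birth, k) <= now]
```

When the host answers again, `due` still returns only the messages that have reached their scheduled retry, so the recovered host is not hit with the whole deferred queue at once.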




Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-29 Thread q question

Hi Russ, John, and Jason,

I appreciate your taking the time to respond to my question about the ORBS 
opinion. I felt I should check it out before installing qmail and 
unexpectedly becoming an infamous generator of denial of service attacks!

Russ, I appreciated hearing some of the background issues in communication 
difficulties between the ORBS and qmail groups.

John, I started to shrug it off when I read it because I had the exact same 
thought immediately that you expressed, which was why would an mta that 
supposedly "generates denial of service attacks" be especially suited to 
being a mailing list server? It seems to me that it would be especially 
UNsuitable for that task.

Jason, I agree with you that there is no real distinction between list 
subscribers and regular mail recipients. You can get an equally high volume 
either way, and not all lists restrict the members to text only emails. Some 
lists promote the html email, but these lists are of course usually not 
technical lists.

Thanks for the feedback!

-

(I'm getting the error messages from the qmail list about soleil as well.)





Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-29 Thread Jason Brooke

> "Qmail admins: Qmail's current version is secure by default, but earlier
> versions were insecure. Most admins know enough to follow the instructions
> for securing it before putting qmail into service, however it usually drops
> ORBS test messages checking for UUCP pathing vulnerabilities - "! pathing" -
> into the admin mailbox. As ! is a standard network addressing indicator,
> this can only be charitably described as yet another Qmail bug. Qmail is
> extremely network unfriendly and generates denial of service attacks on
> other mailservers in its enthusiasm to deliver as many messages as possible
> in a short period of time. For this reason it is best reserved for mailing
> list server purposes only."

At the top of that page it says:

'Everything on this page is based on information supplied to ORBS by server
admins and MTA authors. Opinions are just that - opinions.'

Wow, server admins and MTA authors - that's sure to be a page filled with
friendly, good-natured, level-headed comments.

I guess that's why a page that initially holds a server admin responsible
for his mail server when it comes to being an open relay, later contains a
paragraph that shifts responsibility from the administrator to qmail by
claiming it generates denial of service attacks by sending email too fast.

As for the comments regarding '! pathing' - maybe the author should petition
to have his specification included in the RFC so his bug claim would
actually have a leg to stand on. Maybe we should email qmail's author and
have him re-write it to work around the bugs in the various mail clients
while he's fixing that bug for ORBS test messages.


> Do you all agree with this opinion that qmail is "best reserved for mailing
> list server purposes only"?

I don't. I really don't see the distinction between sending email to list
subscribers, and sending email to regular mail recipients as far as the
target server is concerned. If it can't do its job (deliver email) it
shouldn't really be in use as an MTA.

jason






Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-29 Thread John P

From: q question <[EMAIL PROTECTED]>
> Qmail is
> extremely network unfriendly and generates denial of service attacks on
> other mailservers in its enthusiasm to deliver as many messages as possible
> in a short period of time. For this reason it is best reserved for mailing
> list server purposes only."

Surely if it did generate denial of service attacks [by making lots of
deliveries in a short period of time], then the one thing qmail /shouldn't/
be used for is a mailing list server? I mean, what else does a listserver
do??!

Clearly someone there has a deep dislike of qmail!

Regards
John





Re: Is qmail "best reserved for mailing list server purposes only"?

2001-04-29 Thread Russ Allbery

q question <[EMAIL PROTECTED]> writes:

> One of the reasons I was interested in qmail was the security aspect of
> it. I've been impressed that no one has won the reward that is available
> from Dan Bernstein. This is probably the most negative comment I have
> seen about qmail while surfing for info:

That's because the ORBS folks made completely false statements, were
called on it, and don't like being wrong.

> http://www.orbs.org/otherresources.html

> "Qmail admins: Qmail's current version is secure by default, but earlier
> versions were insecure.

False.

> Most admins know enough to follow the instructions for securing it
> before putting qmail into service, however it usually drops ORBS test
> messages checking for UUCP pathing vulnerabilities - "! pathing" -
> into the admin mailbox.

Rather, it tries to bounce them and the bounce bounces as undeliverable.
The solution is for ORBS to stop probing systems from which no spam has
ever been sent and for which there is no reason to suspect a lack of
security.

> As ! is a standard network addressing indicator,

False.

> Qmail is extremely network unfriendly and generates denial of service
> attacks on other mailservers in its enthusiasm to deliver as many
> messages as possible in a short period of time.

False.  qmail's default configuration is incapable of doing that except
possibly to a pathetically undersized e-mail server that would have
problems with all sorts of normal deliveries.

> For this reason it is best reserved for mailing list server purposes
> only."

> Do you all agree with this opinion that qmail is "best reserved for
> mailing list server purposes only"?

No.

-- 
Russ Allbery ([EMAIL PROTECTED]) 



Is qmail "best reserved for mailing list server purposes only"?

2001-04-29 Thread q question

One of the reasons I was interested in qmail was the security aspect of it. 
I've been impressed that no one has won the reward that is available from Dan 
Bernstein. This is probably the most negative comment I have seen about 
qmail while surfing for info:

http://www.orbs.org/otherresources.html

"Qmail admins: Qmail's current version is secure by default, but earlier 
versions were insecure. Most admins know enough to follow the instructions 
for securing it before putting qmail into service, however it usually drops 
ORBS test messages checking for UUCP pathing vulnerabilities - "! pathing" - 
into the admin mailbox. As ! is a standard network addressing indicator, 
this can only be charitably described as yet another Qmail bug. Qmail is 
extremely network unfriendly and generates denial of service attacks on 
other mailservers in its enthusiasm to deliver as many messages as possible 
in a short period of time. For this reason it is best reserved for mailing 
list server purposes only."

Do you all agree with this opinion that qmail is "best reserved for mailing 
list server purposes only"?
