Re: BTS says qmail's sendmail-clone is broken
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 2 Feb 1999, Tommi Virtanen wrote:
> Hello. This was found from the qmail list; if
> someone is familiar with the BTS, you may wish
> to reply..
Actually, I'm more familiar with qmail as a whole, figure I'll throw in my
two cents, since I finally got around to testing the qmail-src deb for
qmail 1.02 (I've been using qmail, self-compiled, since .96gamma.) the
The sendmail replacement bin likely isn't broken. The qmail-src package
is. Quite badly. The entire intent of qmail is *fast* and *secure*. The
qmail-src package is fast, yes, but NOT secure. It does NOT follow the way
qmail was meant to be built by default.
The configuration symlinks, those are not a problem. In fact, I think
they're a great idea. A bit poorly implemented (symlinking the entire
/var/qmail struction to /etc/qmail would be nicer) IMO, but a secure
Using /var/spool/mail/$USER is where it blows up. That's not what qmail is
meant to do. Qmail is meant to deliver using the MBOX format. Which means
mail is delivered to $HOME/Mailbox, as opposed to /var/spool/mail/$USER.
This is a much safer and more secure method. Of course, with network
mounted home directories, sometimes you might lose bits and pieces, but
it'll happen with a network mounted /var/spool too.
If there's a bug/security hole in debian, it's most likely because of
using /var/spool as opposed to the MBOX format. I'll do a dpkg -i of my
qmail-src built qmail.deb today, and see if I can't confirm or deny this
bug once my Motrin kicks in.
- -Phillip R. Jaenke (firstname.lastname@example.org | InterNIC: PRJ5)
"Look. It works this way." "Why?" "Because the designer said so."
"Why?" "Because the designer is a moron. Let's fix it." --anon.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----