[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: BTS says qmail's sendmail-clone is broken


On Tue, 2 Feb 1999, Tommi Virtanen wrote:

> 	Hello. This was found from the qmail list; if
> 	someone is familiar with the BTS, you may wish
> 	to reply..

Actually, I'm more familiar with qmail as a whole, figure I'll throw in my
two cents, since I finally got around to testing the qmail-src deb for
qmail 1.02 (I've been using qmail, self-compiled, since .96gamma.) the
other day.

The sendmail replacement bin likely isn't broken. The qmail-src package
is. Quite badly. The entire intent of qmail is *fast* and *secure*. The
qmail-src package is fast, yes, but NOT secure. It does NOT follow the way
qmail was meant to be built by default.

The configuration symlinks, those are not a problem. In fact, I think
they're a great idea. A bit poorly implemented (symlinking the entire
/var/qmail struction to /etc/qmail would be nicer) IMO, but a secure
implementation there.

Using /var/spool/mail/$USER is where it blows up. That's not what qmail is
meant to do. Qmail is meant to deliver using the MBOX format. Which means
mail is delivered to $HOME/Mailbox, as opposed to /var/spool/mail/$USER.
This is a much safer and more secure method. Of course, with network
mounted home directories, sometimes you might lose bits and pieces, but
it'll happen with a network mounted /var/spool too.

If there's a bug/security hole in debian, it's most likely because of
using /var/spool as opposed to the MBOX format. I'll do a dpkg -i of my
qmail-src built qmail.deb today, and see if I can't confirm or deny this
bug once my Motrin kicks in. 

- -Phillip R. Jaenke (prj@nls.net | InterNIC: PRJ5)
 "Look. It works this way." "Why?" "Because the designer said so."
 "Why?" "Because the designer is a moron. Let's fix it." --anon.

Version: 2.6.3a
Charset: noconv


Reply to: