Qmail [was Re: [Israel.pm] Detecting Random characters]
Shlomi Fish
shlomif at iglu.org.il
Mon Oct 4 06:55:45 PDT 2004
On Monday 04 October 2004 14:25, Yuval Yaari wrote:
> I snipped some:
>
No problem.
> Shlomi Fish said:
> >> Qmail is written very well, and thus had very few (if any?) security
> >> holes.
> >
> > True, but what if a security hole is discovered in it? That would
> > require people to write patches, to patch the source distribution, and
> > to re-install qmail in a gazillion different places with a gazillion
> > different configurations. Not exactly a straightforward "apt-get update all"
> > process, and something that will give Internet low-life plenty of time
> > to write a nice qmail worm or scanner or whatever.
>
> I'm almost sure you can apt qmail.
You can't. You need to compile the source package, upload it to the host and
install it using dpkg.
> Not a Debian user.
> You can emerge it, for sure.
>
Right, but Gentoo/FreeBSD/etc. are not options for a great deal of people.
> >> Sendmail needs to be patched twice a week.
> >
> > That used to be the case in the past. It may still be the case or not.
> > In any case, I specifically mentioned that there are also postfix
> > (http://www.postfix.org/), exim (http://www.exim.org/), Courier
> > (http://www.courier-mta.org/) and possibly other alternatives. These are
> > fully open-source.
>
> I used Courier and Postfix.
> 1. They aren't that much easier to install
They should be ./configure ; make ; make install. Plus, they have binary
packages.
> 2. They aren't that much easier to configure
Even a little is OK.
> 3. They need more maintenance than qmail
More maintenance? How so? Can you give examples? Have you used qmail in the
same scenarios as you used Postfix and Courier?
> 4. They aren't as secure/stable/fast as qmail
>
Are they not as secure as qmail? Are they not as stable? Are they not as fast?
Secure, stable and fast are three completely different things.
> >> DJB is entitled to his own opinions about anything, and I don't care
> >> if he thinks he's superior.
> >> I really don't think we should think of the authors of the software we
> >> use. Especially not to decide which mail-server to install.
> >
> > His sense of superiority is the least of my problems. The problem is he
> > thinks he knows better than anyone else, and has a very bad attitude.
> > Projects used to fork because of the bad attitude of their developers,
> > or their inability to manage it properly. And DJB has the worst
> > possible attitude.
> >
> >> Would you use Windows just because Alan Cox or Linus Torvalds think
> >> they are superior?
> >> I assume you'd rather be tortured to death :)
> >
> > Let's skip this superiority argument.
>
> The point is, don't judge the software by the people who wrote it.
I know qmail is an excellent product. However, I cannot rely on its author to
be supportive of me because of his bad attitude. And I do need maintainers
that are supportive, or at least the option to fork the project. In qmail, I
have none.
It already happened to me that a patch I sent to the Cube 3-D game, to enable
doing some things that until then were possible only using the mouse, to be
done in the keyboard, was rejected on the spot by the maintainer. He said
that he doesn't accept patches from the outside and doesn't like my patch.
And from what people told me, I could not even network play it with the
regular Cube servers.
But at least Cube is BSD-licensed so I can fork it. In any case this was
frustrating. Now, imagine if the same happens to qmail? I can always avoid
playing a stupid 3-D game, but I depend on a mail server.
> Now THAT'S bad attitude :)
> Seriously, I don't care about DJB, but he has one fine piece of mail
> server :)
>
> >> I do not want a piece of software that updates every month, as long as
> >> it stays "secure" (please don't fight about the definition of the word
> >> "secure").
> >
> > It's hard for me to understand this sentence.
>
> I don't want to recompile or patch any software, unless there's a good
> reason to (security or amazing new features).
> As for security, I don't want to recompile twice a month because of
> security holes.
> Qmail didn't have security holes for years, hence I had no need to
> recompile.
Right.
>
> >> Do you know how many times I re-compiled Apache???
> >> I compiled qmail once (per server, that is).
> >
> > Right, you need to compile it once. But according to the qmail handbook,
> > if you want to add some more features, you need to apply some
> > third-party patches, in which case you need to compile it again. (and
> > again).
>
> If you can't patch, you're in deep problems.
> Patching takes a few seconds.
And re-compiling the software takes more. And putting the patch in your build
script for posterity also takes time. And eventually you need to manage a
great deal of patches. I'm glad I'm using Mandrake (or Debian for that
matter) instead of something like Slackware, so I can upgrade packages by
installing the RPM or SRPM.
> You can use it without patches.
Read "The qmail Handbook" - it describes a great deal of patches that are
essential for some tasks.
> I only use vpopmail which was VERY easy to install.
>
> >> I really don't understand why you'd want to distribute your binaries
> >> or modified code, and not patches, anyway.
> >
> > Because:
> >
> > 1. I'd like a qmail-1.03-6mdk rpm file that I can install using rpm or
> > urpmi or whatever. A full-fledged binary package, that everyone can
> > pass around and not everyone has to compile and install from source
> > himself.
>
> I think there are packages, but I'm not sure.
There aren't binary packages. There are only SRPMs and stuff.
> Why would you install qmail on mandrake?!? Never mind :)
>
Because I like Mandrake, and think it makes a great distribution for a client
system, or even a server. If not Mandrake, then Debian, or RedHat, or any
other binary-based distributions. Naturally, in Gentoo and source-based
distributions, it is less of an issue, but if I had to recompile everything
for any simple upgrade, I would lose my mind, and so would most people out
there.
> > 2. I want a source distribution that compiles out of the box, not a
> > random collection of tarballs and patches that require a script.
>
> Well, that's true in a lot of other cases, even large open-source projects.
> My latest Apache install was a collection of tarballs and 1 patch.
> (OpenSSL, mod_ssl, mm, mod_perl, Apache)
>
I see.
> >> Hey, is Apache with a few modules ./configure && make && make install?
> >
> > Apache itself is ./configure; make and make install. Each one of the
> > modules is also usually ./configure ; make and make install. You can
> > write a script to automate everything, and since everything is
> > open-source there are also RPMs, DEBs, urpmi sources, apt sources,
> > emerge sources, or your favourite package manager. None of this exists
> > for qmail.
>
> The packages aren't worth the download bandwidth, honestly.
> I think Reuven Lerner once wrote that even though he's a huge RH fan,
> there are a few things he always compiles from source, Apache being one of
> them.
> And as for the (not so standard but not so complicated) installation I
> did, it was a lot more complicated than ./configure && make && make
> install.
>
Well, I agree that some things should be installed from source. A mail-server
is usually not one of them. And for many hosts carrying web-servers neither
is a web-server. Mandrake comes with an excellent Apache distribution, with
SSL-support, Apache 1 and Apache 2, mod_perl and mod_php, etc. It may be more
bloated than a distribution kept to the minimum, but it's very nice and
usable. The configuration was also made very easy.
> >> I agree on some issues about Qmail, but I just don't think you could
> >> find anything better.
> >
> > I think I could: postfix, exim and Courier. All of them open-source and
> > all of them much better than sendmail. I don't know how they compare
> > against Qmail (never used them) but they also have their following.
>
> Please try to use them. Even on a small mail server.
> I've been using Qmail for 2 years now, and I really haven't touched it
> except for compiling once.
> Postfix had a lot of security issues, and I personally didn't like it.
> I don't see how Postfix or Courier are any better.
>
"Postfix... I don't see how Postfix or Courier..." - something is wrong here.
Can you please double check this last sentence?
In any case, postfix/courier/exim/whatever will be very easily upgraded at the
next update round of the packages. This cannot be said of qmail, whose
upgrade will be much more problematic.
> >> And hey, no one stops you from writing patches :)
> >
> > With the other three, I don't need to write any patches.
>
> But you do need to recompile every other day.
> No thanks.
>
Like I said, I don't think that _I_ need to recompile anything. And so far,
they had a pretty good security record. (perhaps not as good as qmail's, but
still good).
> >> What are good alternatives anyway?
> >
> > See above.
>
> They are good, just not "better" except for MAYBE licensing.
> I wouldn't use a package anyway, so I really don't care.
>
I _would_ use a package. I use a package whenever possible.
Regards,
Shlomi Fish
--
---------------------------------------------------------------------
Shlomi Fish shlomif at iglu.org.il
Homepage: http://shlomif.il.eu.org/
Knuth is not God! It took him two days to build the Roman Empire.