Qmail [was Re: [Israel.pm] Detecting Random characters]
shlomif at iglu.org.il
Mon Oct 4 06:55:45 PDT 2004
On Monday 04 October 2004 14:25, Yuval Yaari wrote:
> I snipped some:
> Shlomi Fish said:
> >> Qmail is written very well, and thus had very few (if any?) security
> >> holes.
> > True, but what if a security hole is discovered in it? That would
> > require peple to write patches, to patch the source distribution, and
> > to re-install qmail in a gazillion different places with a gazillion
> > different
> > configurations. Not exactly a straightforward "apt-get update all"
> > process, and something that will give Internet low-life plenty of time
> > to write a nice qmail worm or scanner or whatever.
> I'm almost sure you can apt qmail.
You can't. You need to compile the source package, upload it to the host and
install it using dpkg.
> Not a Debian user.
> You can emerge it, for sure.
Right, but Gentoo/FreeBSD/etc. are not options for a great deal of people.
> >> Sendmail needs to be patched twice a week.
> > That used to be the case in the past. It may still be the case or not.
> > In any case, I specifically mentioned that there are also postfix
> > (http://www.postfix.org/), exim (http://www.exim.org/), Courier
> > (http://www.courier-mta.org/) and possibly other alternatives. These are
> > fully open-source.
> I used Courier and Postfix.
> 1. They aren't that much easier to install
They should be ./configure ; make ; make install. Plus, they have binary
> 2. They aren't that much easier to configure
Even a little is OK.
> 3. They need more maintainance than qmail
More maintenance? How so? Can you give examples? Have you used qmail in the
same scenarios as you used Postfix and Courier?
> 4. They aren't as secure/stable/fast as qmail
Are they not as secure as qmail? Are they not as stable? Are they not as fast?
Secure, stable and fast are three completely different things.
> >> DJB is entitled for his own opinions about anything, and I don't care
> >> if he thinks he's superior.
> >> I really don't think we should think of the authors of the software we
> >> use. Especially not to decide which mail-server to install.
> > His sense of superiority is the least of my problems. The problem is he
> > thinks he knows better than anyone else, and has a very bad attitude.
> > Projects used to fork because of the bad attitude of their developers,
> > or their inability to manage it properly. And DJB has the worst
> > possible attitude.
> >> Would you use Windows just because Alan Cox or Linus Torvalds think
> >> they are superior?
> >> I assume you'd rather be tortured to death :)
> > Let's skip this superiority argument.
> The point is, don't judge the software by the people who wrote it.
I know qmail is an excellent product. However, I cannot rely on its author to
be supportive of me because of his bad attitude. And I do need maintainers
that are supportive, or at least the option to fork the project. In qmail, I
It already happened to me that a patch I sent to the Cube 3-D game, to enable
doing some things that until then were possible only using the mouse, to be
done in the keyboard, was rejected on the spot by the maintainer. He said
that he doesn't accept patches from the outside and doesn't like my patch.
And from what people told me, I could not even network play it with the
regular Cube servers.
But at least Cube is BSD-licensed so I can fork it. In any case this was
frustrating. Now, imagine if the same happens to qmail? I can always avoid
playing a stupid 3-D game, but I depend on a mail server.
> Now THAT'S bad attitude :)
> Seriously, I don't care about DJB, but he has one fine piece of mail
> server :)
> >> I do not want a piece of software that updates every month, as long as
> >> it stays "secure" (please don't fight about the definition of the word
> >> "secure").
> > It's hard for me to understand this sentence.
> I don't want to recompile or patch any software, unless there's a good
> reason to (security or amazing new features).
> As for security, I don't want to recompile twice a month because of
> security holes.
> Qmail didn't have security holes for years, hence I had no need to
> >> Do you know how many times I re-compiled Apache???
> >> I compiled qmail once (per server, that is).
> > Right, you need to compile it once. But according to the qmail handbook,
> > if you want to add some more features, you need to apply some
> > third-party patches, in which case you need to compile it again. (and
> > again).
> If you can't patch, you're in deep problems.
> Patching takes a few seconds.
And re-compiling the software takes more. And putting the patch in your build
script for posterity also takes time. And eventually you need to manage a
great deal of patches. I'm glad I'm using Mandrake (or Debian for that
matter) instead of a something like Slackware, so I can upgrade packages by
installing the RPM or SRPM.
> You can use it without patches.
Read "The qmail Handbook" - it describes a great deal of patches that are
essential for some tasks.
> I only use vpopmail which was VERY easy to install.
> >> I really don't understand why you'd want to distribute your binaries
> >> or modified code, and not patches, anyway.
> > Because:
> > 1. I'd like a qmail-1.03-6mdk rpm file that I can install using rpm or
> > urpmi or whatever. A full-fledged binary package, that everyone can
> > pass around and not everyone has to compile and install from source
> > himself.
> I think there are packages, but I'm not sure.
There aren't binary packages. There are only SRPMs and stuff.
> Why would you install qmail on mandrake?!? Nevermind :)
Because I like Mandrake, and think it makes a great distribution for a client
system, or even a server. If not Mandrake, then Debian, or RedHat, or any
other binary-based distributions. Naturally, in Gentoo and source-based
distributions, it is less of an issue, but if I had to recompile everything
for any simple upgrade, I would lose my mind, and so would most people out
> > 2. I want a source distribution that compiles out of the box, not a
> > random collection of tarballs and patches that require a script.
> Well, that's true in a lot of other cases, even large open-source projects.
> My latest Apache install was a collection of tarballs and 1 patch.
> (OpenSSL, mod_ssl, mm, mod_perl, Apache)
> >> Hey, is Apache with a few modules ./configure && make && make install?
> > Apache itself is ./configure; make and make install. Each one of the
> > modules is also usually ./configure ; make and make install. You can
> > write a script to automate everything, and since everything is
> > open-source there are also RPMs, DEBs, urpmi sources, apt sources,
> > emerge sources, or your favourite package manager. None of this exists
> > for qmail.
> The packages aren't worth the download bandwidth, honestly.
> I think Reuven Lerner once wrote that even though he's a huge RH fan,
> there are a few things he always compiles from source, Apache being one of
> And as for the (not so standard but not so complicated) installation I
> did, it was a lot more complicated than ./configure && make && make
Well, I agree that some things should be installed from source. A mail-server
is usually not one of them. And for many hosts carrying web-servers neither
is a web-server. Mandrake comes with an excellent Apache distribution, with
SSL-support, Apache 1 and Apache 2, mod_perl and mod_php, etc. It may be more
bloated than a distribution kept to the minimum, but it's very nice and
usable. The configuration was also made very easy.
> >> I agree on some issues about Qmail, but I just don't think you could
> >> find anything better.
> > I think I could: postfix, exim and Courier. All of them open-source and
> > all of them much better than sendmail. I don't know how they compare
> > against Qmail (never used them) but they also have their following.
> Please try to use them. Even on a small mail server.
> I've been using Qmail for 2 years now, and I really haven't touched it
> except for compiling once.
> Postfix had a lot of security issues, and I personally didn't like it.
> I don't see how Postfix or Courier are any better.
"Postfix... I don't see how Postfix or Courier..." - something is wrong here.
Can you please double check this last sentence?
In any case, postfix/courier/exim/whatever will be very easily upgraded at the
next update round of the packages. This cannot be said on qmail, whose
upgrade will be much more problematic.
> >> And hey, no one stops you from writing patches :)
> > With the other three, I don't need to write any patches.
> But you do need to recompile every other day.
> No thanks.
Like I said, I don't think that _I_ need to recompile anything. And so far,
they had a pretty good security record. (perhaps not as good as qmail's, but
> >> What are good alternatives anyway?
> > See above.
> They are good, just not "better" except for MAYBE licensing.
> I wouldn't use a package anyway, so I really don't care.
I _would_ use a package. I use a package whenever possible.
Shlomi Fish shlomif at iglu.org.il
Knuth is not God! It took him two days to build the Roman Empire.
More information about the Perl