Qmail [was Re: [Israel.pm] Detecting Random characters]

Shlomi Fish shlomif at iglu.org.il
Wed Oct 6 10:25:49 PDT 2004

On Monday 04 October 2004 19:00, Yuval Yaari wrote:
> Shlomi Fish said:
> >> 2. They aren't that much easier to configure
> >
> > Even a little is OK.
> That's true.
> >> 3. They need more maintainance than qmail
> >
> > More maintenance? How so? Can you give examples? Have you used qmail in
> > the  same scenarios as you used Postfix and Courier?
> Yes.
> Just a quick example: I had to upgrade postfix because of a security hole.
> I never want to recompile anything just to solve a security hole.
> I often find (found...) myself doing it.
> I love qmail because I never upgrade it, and I don't need to.

Well, you can always install the postfix package, in which case the upgrade 
will be done for you as part of urpmi/apt-get/whatever. Usually, a 
mail-server does not require such fine configuration of the package, and a 
package is pretty much enough. I'm pretty sure the Mandrake/Debian/whatever 
package of postfix is adequate for the needs of most mail-servers out there.

> >> 4. They aren't as secure/stable/fast as qmail
> >
> > Are they not as secure as qmail? Are they not as stable? Are they not as
> > fast?  Secure, stable and fast are three completely different things.
> They are not as fast (according to benchmarks, you may or may not trust
> these).

Still, with most modern computers it does not make much difference.

> They are not as stable (I could be wrong on this one, but I had to restart
> postfix, etc).

So you generalize? 

> They are not as secure (look on the net for security issues with each of
> them).

Very well. Part of the reason they have more security issues is because they 
have more features than qmail, and so address a bigger functionality. In any 
case, upgrading the package is very straightforward in all of them because 
they are open-source and qmail isn't.

> > I know qmail is an excellent product. However, I cannot rely on its
> > author to  be supportive of me because of his bad attitude. And I do
> > need maintainers  that are supportive, or at least the option to fork
> > the project. In qmail, I  have none.
> Ok, that's a valid point.
> Still doesn't matter me much (personally).

It does matter to me and to a great deal of other people.

> > But at least Cube is BSD-licensed so I can fork it. In any case this was
> >  frustrating. Now, imagine if the same happens to qmail? I can always
> > avoid  playing a stupid 3-D game, but I depend on a mail server.
> Just modify the source and recompile.
> DJB won't sue you.
> I will cover all your expenses if he does, really :)

But I want to re-distribute my changes to others, or to download a modified 
source package (or a modified binary) from the Net. Something that is 
urpmi/apt-get/yum-able or whatever, etc. And I _cannot_ because of the qmail 

DJB doesn't allow that, and so I cannot, but that's exactly what I need to do.

> > And re-compiling the software takes more. And putting the patch in your
> > build  script for posterity also takes time. And eventually you need to
> > manage a  great deal of patches. I'm glad I'm using Mandrake (or Debian
> > for that  matter) instead of a something like Slackware, so I can
> > upgrade packages by  installing the RPM or SRPM.
> That's what I like in qmail, I never recompile.
> That's exactly the point :)
> I do NOT have to upgrade (tfu-tfu-tfu)...

And what if you do have to upgrade? What if a bug has been discovered in 
qmail? This will throw the entire qmail user-base into chaos. 

> >> You can use it without patches.
> >
> > Read "The qmail Handbook" - it describes a great deal of patches that
> > are  essential for some tasks.
> qmail.org also has a big list.
> I did not need to patch mine.
> Even when I did, once, it took me 5 minutes including download-time, etc.

5-minutes is too much. urpmi or apt takes exactly 5 seconds.

> > Because I like Mandrake, and think it makes a great distribution for a
> > client  system, or even a server. If not Mandrake, then Debian, or
> > RedHat, or any  other binary-based distributions. Naturally, in Gentoo
> > and source-based  distributions, it is less of an issue, but if I had to
> > recompile everything  for any simple upgrade, I would lose my mind, and
> > so would most people out  there.
> I used qmail on a binary based distribution.

Right, compiled from source. That defeats the entire purpose of a binary based 

> I still compile code when it comes to qmail and apache.

Well, I prefer not to. Apache possibly. A mail-server, OTOH, hardly ever 
requires that.

> > Well, I agree that some things should be installed from source. A
> > mail-server  is usually not one of them. And for many hosts carrying
> > web-servers neither  is a web-server. Mandrake comes with an excellent
> > Apache distribution, with  SSL-support, Apache 1 and Apache 2, mod_perl
> > and mod_php, etc. It may be more  bloated than a distribution kept to
> > the minimum, but it's very nice and  usable. The configuration was also
> > made very easy.
> Any default apache configuration/compilation stinks.

Long live the over-generalizations.

> There are things that must match your needs...
> It loads too many modules, which cause it to use a lot more RAM.

You can always uncomment these lines from the httpd.conf file.

> It's good enough for your personal website, maybe.

Right, and for many other web-sites as well.

> > In any case, postfix/courier/exim/whatever will be very easily upgraded
> > at the  next update round of the packages. This cannot be said on qmail,
> > whose  upgrade will be much more problematic.
> You don't see the point.
> Postfix needed too many upgrades.
> And as "easy" (i.e: easier than qmail) as they were, I just don't need to
> do that with qmail.
> Zero updates in two years, w/o giving up on security.
> You just don't upgrade qmail, and that's why I like it.
> Take a look at their version, I think 1.03 came out at 1998!
> If I were to install qmail in 98, and still have the same mail server
> untouched, I would be so happy right now.
> I installed it in 2002 and I hope it could survive until 2008 w/o upgrades
> :) Postfix is going to have too many bugs and security holes by then.
> I hope you see my point.

I see your point. But you depend on the fact that qmail will have less holes 
in this time. That may or may not prove correct. I'd rather install the 
postfix package, and let it upgrade itself in case a security hole is found, 
than install qmail, and pray that I'll never have to upgrade it again.

> > I _would_ use a package. I use a package whenever possible.
> I'd never use a package for qmail, because you install it once, and keep
> it for years.
> I would rather take a WEEK to install qmail from source, than upgrade
> Postfix's package every week.

You don't need to upgrade postfix every week. And you don't have to think 
about the upgrade process - it happens automatically.


	Shlomi Fish


Shlomi Fish      shlomif at iglu.org.il
Homepage:        http://shlomif.il.eu.org/

Knuth is not God! It took him two days to build the Roman Empire.

More information about the Perl mailing list