procmail (in)security

Matthias Andree matthias.andree at gmx.de
Mon Mar 10 13:24:11 CET 2003


Todd Underwood <todd-bogofilter at osogrande.com> writes:

> folx,  
>
> i promise this will be brief and i'll stop after this...
>
> On Mon, 10 Mar 2003, Matthias Andree wrote:
>
>> Todd, what is the problem with Dan's adding a line "you must use
>> softlimit or similar tools to enforce memory limits"?
>
> there's no problem.  it doesn't make it a security bug not to mention it, 
> either. 

I've replied more verbosely in private mail, however:

There is something called "diligence". Dan is more knowledgeable than the
average qmail user, at least he tries to convey this impression; so it's
his duty to tell the user where the traps and snares lie to save him
from harm. Putting a web site up in a place that the user doesn't know
about is not enough.

> we can debate the history of this kind of thing ad nauseam and we will 
> probably disagree (having both "lived through it" so we already have 
> well-formed perspectives), but here's an important point:
>
> venema has had serious *design* bugs in his software.  bernstein has not.

The point is: venema opened his early betas to public scrutiny, around
27 months before the first stable release (stable-20010228, later also
known as 1.0.0). Did DJB do that? His CHANGES file only dates back to
qmail-0.70. The issue you cook up again was fixed two years before
Postfix went "stable", over four years ago.

Dan still lets the unsuspecting user who uses just the qmail-1.03
tarball run unguided into the field of resource limits.

Wietse has said that he made a "stupid oversight" on 1998-12-22 (archive
link: <URL:http://www.securityfocus.com/archive/1/11653>) and later
announced a vulnerability he had introduced and later discovered himself
(<http://www.securityfocus.com/archive/1/240354>, November 2001) that he
could've fixed in his private chamber without telling anyone. He
hasn't. Wietse has defended qmail (on the postfix mailing list) against
unjust attacks on multiple occasions.

DJB has not even got his facts straight in his 1998-12-21 post, and has
wilfully failed to add corrections or notices to his outdated and bogus
documents and keeps attacking other software and people.

Now look at who's playing fair, and make sure you don't compare apples
to oranges (such as Postfix betas to qmail 1.03) -- compare apples to
apples, and look at Postfix 2.0.6 (or 1.1.12 or 1.0.8) and qmail
1.03. Look at who gets Maildir delivery bullet-proof on fast
machines. qmail doesn't unless you lock the beast down to allow only
qmail-pop3d access (which means locking your users out from the shell)
-- yet DJB maintains his software is correct, not taking into account
that the user can choose any Maildir reader he desires which may not
have the 2-second holdoff that his qmail-pop3d has.

And then look at which software violates what standards and what the
impact is. DJB tells you quoted-printable is evil and has qmail-smtpd
make bogus claims about qmail's capabilities: it offers 8BITMIME without
implementing the conversion, or bouncing 8bit mail, for a 7bit destination
(but he does bounce mail with an unterminated last line!). This RFC 1652
violation can cause qmail to corrupt mail. Dan claims the exact opposite.

> both have had situations of sub-optimal functioning under particular
> operating systems or particular circumstances.  both have had
> sub-optimal documentation.  based on the history, i trust qmail
> significantly more.

I don't. I've bumped into several qmail bugs that Dan has disclaimed,
and I've never rued the switch to Postfix.

-- 
Matthias Andree
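Editorial addition, not part of the post above and not code from qmail or Postfix: a worked example of the RFC 1652 rule the 8BITMIME paragraph refers to. A relay that accepted an 8-bit body may pass it on unchanged only if the next hop advertised 8BITMIME; otherwise it must re-encode the body in a 7-bit transfer encoding (quoted-printable here) or refuse the message rather than relay raw 8-bit octets. The sample message is constructed; line endings are LF only, header folding and multipart bodies are not handled, and the function and header names are the example's own.

```python
"""RFC 1652 next-hop handling (added editorial example, not MTA code).

When the receiving server did not advertise 8BITMIME, an 8-bit body must be
converted to a 7-bit transfer encoding or the message must be bounced.
Simplifications: LF line endings, no header folding, single-part bodies.
"""
import quopri
import re

# Constructed sample (not a real message): ISO-8859-1 body declared as 8bit.
SAMPLE_8BIT = (
    b"From: a@example.org\n"
    b"To: b@example.net\n"
    b"Subject: test\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: 8bit\n"
    b"\n"
    b"Gr\xfc\xdfe aus M\xfcnchen\n"
)


def split_message(msg: bytes):
    """Split a raw message into (header block incl. blank line, body)."""
    idx = msg.find(b"\n\n")
    if idx < 0:
        return msg, b""          # headers only, empty body
    return msg[: idx + 2], msg[idx + 2:]


def is_8bit(data: bytes) -> bool:
    """True if any octet has the high bit set (i.e. not 7-bit clean)."""
    return any(b > 0x7F for b in data)


def header_value(headers: bytes, name: bytes):
    """Value of the first header called `name`, or None (no folding support)."""
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*(.*)$", headers)
    return m.group(1).strip() if m else None


def set_header(headers: bytes, name: bytes, value: bytes) -> bytes:
    """Replace the first header called `name`, or add it before the blank line."""
    pattern = rb"(?im)^" + re.escape(name) + rb":.*\n"
    line = name + b": " + value + b"\n"
    if re.search(pattern, headers):
        return re.sub(pattern, lambda _m: line, headers, count=1)
    return headers.rstrip(b"\n") + b"\n" + line + b"\n"


def downgrade_for_next_hop(msg: bytes, next_hop_8bitmime: bool,
                           policy: str = "convert"):
    """Return (action, message) for a relay that obeys RFC 1652.

    action is "relay" (send unchanged), "convert" (body re-encoded as
    quoted-printable) or "bounce" (refuse instead of corrupting the mail).
    """
    headers, body = split_message(msg)
    if next_hop_8bitmime or not is_8bit(body):
        # 7-bit clean, or the next hop said it accepts 8-bit: pass through.
        return "relay", msg
    if policy == "bounce" or is_8bit(headers):
        # 8-bit octets in headers would need RFC 2047 encoding, not a body
        # re-encoding, so refusing is the only safe answer for them here.
        return "bounce", msg
    cte = header_value(headers, b"Content-Transfer-Encoding")
    if cte is not None and cte.lower() not in (b"7bit", b"8bit", b"binary"):
        # Claims to be base64/quoted-printable yet still carries 8-bit
        # octets: malformed input, do not guess what it meant.
        return "bounce", msg
    new_headers = set_header(headers, b"Content-Transfer-Encoding",
                             b"quoted-printable")
    if header_value(new_headers, b"MIME-Version") is None:
        new_headers = set_header(new_headers, b"MIME-Version", b"1.0")
    # quopri escapes every octet above 0x7F as =XX and soft-wraps long lines,
    # so the result is 7-bit clean for any next hop.
    return "convert", new_headers + quopri.encodestring(body)


if __name__ == "__main__":
    for advertised in (True, False):
        action, out = downgrade_for_next_hop(SAMPLE_8BIT, advertised)
        print(f"next hop 8BITMIME={advertised}: {action}, "
              f"7-bit clean={not is_8bit(out)}")
```

Run it and the same message is relayed untouched when the next hop advertised 8BITMIME, but comes out with `Content-Transfer-Encoding: quoted-printable` and a body of `Gr=FC=DFe aus M=FCnchen` when it did not; the "bounce" policy shows the other choice RFC 1652 allows. The one thing a conforming relay may never do is the third option, relaying the raw 8-bit body to a 7-bit next hop.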




More information about the Bogofilter mailing list