chewie writes:

> Hmm... I searched the iss.net[1] site and came up with a few "not
> quite a security bug in qmail" results. DJB excludes DOS attacks from his
> idea of a "security bug" with a fairly reasonable explanation[2].
> All-in-all, qmail has performed well throughout its history wrt
> security. Too bad DJB can't relax his distribution restrictions, but
> that's getting off topic.

The only thing you found was arbitrary memory allocation. This is easily solved with rlimits, which is the correct place to handle it. As Dan says:

``Apparently Venema thinks it's better design to include separate code in every application to impose configurable artificial limits on every dynamically allocated structure for network data. I think that this is remarkably bad engineering. The bottom line is that well-managed systems are not damaged by memory exhaustion attacks, whether or not they are running qmail.''

Other types of denial of service attacks cannot be mitigated by qmail or any other MTA. Everything else listed on there is either not related to qmail or is for third party add-ons to qmail.

> It's a methodology that programmers follow. Any language
> has its security risks, some more than others. If the programmer
> uses the correct methodology and approach to writing software,
> security problems are often mitigated before they have a chance to be
> distributed.

Yep. NEVER TRUST USER INPUT. If you follow that rule, you will avoid at least 90% of all security problems. Any security holes in PHP applications are due to breaking that, or something similarly stupid.

-- 
David Phillips <david at acz.org>
http://david.acz.org/

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
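An added example, not part of the thread above and not qmail's own code, showing the point about handling memory-exhaustion at the OS level rather than in the MTA. It uses RLIMIT_AS (the address-space rlimit a supervisor or init script would set before starting a daemon) on a child process that tries to allocate a buffer of a caller-chosen size; the function names, the sizes and the child snippet are all constructed for this illustration. Under the cap a large allocation fails cleanly with a MemoryError inside the child, while ordinary allocations and an uncapped child are unaffected. RLIMIT_AS is enforced on Linux; some other platforms accept the call but do not enforce it.

```python
import resource
import subprocess
import sys

# Constructed child program: tries to allocate `n` bytes and reports the result.
# Touching the last byte forces the pages to be mapped, so a lazy allocation
# cannot mask the limit.
CHILD = r"""
import sys
n = int(sys.argv[1])
try:
    buf = bytearray(n)
    buf[-1] = 1
    print("ok")
except MemoryError:
    print("memory_error")
"""


def run_with_memory_cap(n_bytes, cap_bytes=None):
    """Run the child so it allocates n_bytes, optionally under an
    RLIMIT_AS cap of cap_bytes. Returns "ok", "memory_error", or an
    error string if the child could not run at all."""

    def apply_limit():
        # Runs in the child after fork(), before exec(): the same place a
        # supervisor applies rlimits before starting a network daemon.
        if cap_bytes is None:
            return
        soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        cap = cap_bytes
        # An unprivileged process may lower but not raise the hard limit.
        if hard != resource.RLIM_INFINITY and hard < cap:
            cap = hard
        resource.setrlimit(resource.RLIMIT_AS, (cap, cap))

    proc = subprocess.run(
        [sys.executable, "-S", "-c", CHILD, str(n_bytes)],
        preexec_fn=apply_limit,
        capture_output=True,
        text=True,
    )
    out = proc.stdout.strip()
    if out in ("ok", "memory_error"):
        return out
    return "error: " + proc.stderr.strip()[-200:]


MiB = 1024 * 1024

if __name__ == "__main__":
    cap = 512 * MiB
    print("16 MiB under 512 MiB cap:", run_with_memory_cap(16 * MiB, cap))
    print("2 GiB under 512 MiB cap:", run_with_memory_cap(2048 * MiB, cap))
    print("16 MiB uncapped:", run_with_memory_cap(16 * MiB, None))
```

The same effect comes from `ulimit -v` in the daemon's start-up script or a `LimitAS=` directive in a systemd unit; the point is that the limit lives in one place outside the application, which is exactly the design the quoted text argues for.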