Saturday, November 17, 2007

qmail security

Echo chambering here, but for anyone not reading Bruce Schneier regularly, he recently linked to a paper by Daniel Bernstein (djb) about lessons learned from ten years of qmail. You can download it here(pdf). It's an excellent read.

Background: qmail is a Mail Transfer Agent - an email server if you like. It was written in frustration at the security problems of the market leader, sendmail. Bernstein's openness about this origin led to some acrimony with the sendmail chaps, as you'll see if you look over Bernstein's site at the extremely cool url Bernstein offered a $500 reward to anyone pointing out a security hole in qmail and this has gone unclaimed in ten years - he just upped it to $1,000.

djb as he is known also offered a reward for anyone finding a security hole in djbdns, his replacement for bind, the leading DNS server. This has also gone unclaimed.

This is true despite, or because (depending on your view; I think it's 'because'), of the fact that both are open source programs and people can explore the code to find holes, as well as poke at the servers with various bits and pieces.

But this has led to a problem with qmail, and I stopped using it as my MTA of choice in ISP situations a couple of years ago (in favour of postfix) because the security guarantee also had the unfortunate effect of more or less freezing the program. It's much harder to modify an installation to work with other systems, compared with postfix, and this has seen usage fall away, so far as I can see.

This is not the case with djbdns, which has a configuration file designed to be machine readable first and foremost, which makes it a dream to drive from something like a database of customers' registered domains.

So, for what it's worth, my personal choice for an ISP grade hosting farm at the present stage of things is postfix, dovecot, apache2.2, djbdns.

No comments: