> "Qmail admins: Qmail's current version is secure by default, but earlier
> versions were insecure. Most admins know enough to follow the instructions
> for securing it before putting qmail into service, however it usually drops
> ORBS test messages checking for UUCP pathing vulnerabilities - "! pathing" -
> into the admin mailbox. As ! is a standard network addressing indicator,
> this can only be charitably described as yet another Qmail bug. Qmail is
> extremely network unfriendly and generates denial of service attacks on
> other mailservers in its enthusiasm to deliver as many messages as possible
> in a short period of time. For this reason it is best reserved for mailing
> list server purposes only."
At the top of that page it says:
'Everything on this page is based on information supplied to ORBS by server
admins and MTA authors. Opinions are just that - opinions.'
Wow, server admins and MTA authors - that's sure to be a page filled with
friendly, good-natured, level-headed comments.
I guess that's why a page that initially holds a server admin responsible
for his mail server when it comes to being an open relay, later contains a
paragraph that shifts responsibility from the administrator to qmail by
claiming it generates denial of service attacks by sending email too fast.
As for the comments regarding '! pathing' - maybe the author should petition
to have his specification included in the RFC so his bug claim would
actually have a leg to stand on. Maybe we should email qmail's author and
have him re-write it to work around the bugs in the various mail clients
while he's fixing that bug for ORBS test messages.
> Do you all agree with this opinion that qmail is "best reserved for mailing
> list server purposes only"?
I don't. I really don't see the distinction between sending email to list
subscribers, and sending email to regular mail recipients as far as the
target server is concerned. If it can't do its job (deliver email) it
shouldn't really be in use as an MTA.
jason