Not logged in
Log in now
Create an account
Subscribe to LWN
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
> Use qpsmtpd instead of qmail-smtpd.
Well... then you're not really using qmail's code, at least in part. So any benefits inherent
in the codebase would seem a bit moot, no?
qmail doesn't *need* any patches
Posted Nov 4, 2007 0:31 UTC (Sun) by njs (guest, #40338)
Esp. since qpsmtpd, though it's written in Perl, appears to be built on Apache -- so you have
another big chunk of C code talking to the network. (Apache's C is far better than
traditional sendmail's C, but it still in no way comes close to meeting DJB's requirements.)
Posted Nov 4, 2007 1:23 UTC (Sun) by xanni (subscriber, #361)
qpsmtpd is not "built on Apache". One supported mode of operation is to run it under Apache
on the basis that many sites are already running Apache anyway and it is well-understood and
supported, but qpsmtpd has always had and continues to support several other modes of
operation including running under djb's daemontools or even under xinetd.
Posted Nov 4, 2007 5:52 UTC (Sun) by njs (guest, #40338)
FWIW, I didn't mean 'built on Apache' as in 'runs as part of an Apache HTTPD'; Apache is in
part a very nice framework for writing generic server apps these days. (Maybe this is
technically part of APR, I haven't followed where exactly they're drawing that boundary.)
On a further look, though, I see that you're right, when qpsmtpd is not running under httpd,
it uses a different home-brew network framework rather than APR. I was misled by looking at
the first anti-malware plugin linked on their homepage:
which contains a bunch of code using APR -- but it turns out that's because there are two
copies of all that code, one that works when being run under Apache and one that works with
the home-brew. I don't know how typical this is of qpsmtpd's codebase, but it doesn't strike
me as The DJB Way either.
(If I were them, I'd consider just using Apache in all cases, even if it is a big hunk of
scary C that makes baby DJB cry, but I don't actually know what I'm talking about so *shrug*.)
Posted Nov 4, 2007 3:08 UTC (Sun) by charlieb (subscriber, #23340)
> So any benefits inherent in the codebase would seem a bit moot, no?
No. The only benefits which would be moot would be those which reside only in qmail-smtpd.
Logic 101, no?
Posted Nov 4, 2007 5:30 UTC (Sun) by CyberDog (guest, #29668)
The "benefit" alluded to here was djb's secure codebase. As soon as your arrangement requires
[original codebase] + [random 3rd party codebase(s) tacked on], the security of the final
product becomes only as secure as the weaker of the two (or three or more) codebases. It
could even be argued that a product which incorporates all the required features into a single
codebase, if written by even moderately competent programmers, could be less risky than
merging multiple products into one.
Posted Nov 4, 2007 14:04 UTC (Sun) by alankila (subscriber, #47141)
Interestingly, djb's paper talks about maintaining security expectations even in the face of
having to run untrusted, random codebases as part of secure application.
The basic idea is compartmentalization: for each component (especially those from a third
party) you should clearly define the input, the output, and set up access and resources
restrictions in which the component must operate. Finally, after it does its job, you
shouldn't trust it but do some validation to check the sanity of the result.
For instance, if the purpose of the component were to extract recipient address of the email,
then the component can only read the email, produce one string as response, not access
anything outside that email and have to run in limited time and memory. Once something comes
out, it must look like an email, for instance match the famous rfc822 pattern.
To achieve this, one might have to run untrusted components under a virtual machine and/or use
the operating system's primitives to constraint cpu, memory, available system calls, etc. I'm
not sure how well Linux can do these things, but the basic idea is that it should be possible
to run even completely random code safely provided that these relatively simple constraints
are worked out first.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds