While perhaps a little on the extreme side, I think the basic reasoning
behind Sasa's post is sound. I'm currently in the process of
"rebuilding" my own mail and web server (mainly because my knowledge of
linux in general is much better now than when I first built the server
and also to help me understand all the tools I have at my disposal and
document them better than I did before).
As part of this, the question of whether I continue to use qmail as my
mail server or switch to another mail server has obviously come up.
Here's some of the questions I'm asking:
While undoubtedly still a definite option to consider, how much longer
can an application that to my knowledge has to have patches applied
before it can even compile on a modern/currrent linux system last?
As far as I can tell, qmail is now unmaintained by djb and the website
doesn't appear to have been updated recently (at a guess, atleast in the
past couple of years). On top of this, qmail's license unfortunately
means that no one can take over qmail or fork it any way (would a "fully
featured" fork that some admins seem to want be such a bad thing?)
While there's nothing inherently wrong with applying patches to a base
code set, applying patches, especially patches on top of already patched
code, surely introduces an inherent risk of introducing bugs and other
flaws that might be avoided if the patches were being submitted to a
central code base which evaluated each patch before applying it to a
central code base?
While djb's security guarantee looks good, how can I know that if there
is a vulnerabiltiy found, that it will be patched in a timely manner and
in a way that won't compromise the security or stability of qmail
further? How can I know that vulnerabilities haven't already been found
and just been ignored / lost because djb has no time to maintain qmail?
Yes, this post possibly reads as inflamatory (tho I didn't intend it to
be so, but the lack of tone and emphasis on the net can lead to
misinterpretations). Yes, I am uninformed, that's why I'm asking -
answer my questions and inform me. =)
AllenJB
Sasa Ugrenovic wrote:
Ok .. i have a question.
Is qmail usable ? I used qmail for 5 years before I switched to postfix.
I hope DJB reads this, because qmail is obsolete... you have to apply a million
patches (which have backward compatibility issues) to have a decent functional
SMTP.
Greylisting, helo checks, blabla ..
This is not a flamebait, i still use qmail/vpopmail on servers behind my MX
processor which doesn't run qmail, since I'm not a zaelot.
Kind Regards,
Sasa
On Wed, 21 Feb 2007 20:23:03 -0800
Jos Backus <jos@catnook.com> wrote:
Congratulations, Dan. On to the next 10 years...
----- Forwarded message from "D. J. Bernstein" <djb@koobera.math.uic.edu> -----
Date: 21 Feb 1997 21:38:51 -0000
From: "D. J. Bernstein" <djb@koobera.math.uic.edu>
To: djb-qmail@koobera.math.uic.edu
Subject: qmail 1.00 available
qmail 1.00 is available through http://pobox.com/~djb/qmail.html.
No code changes from 0.96. I have lots of cleanups scheduled, and I'll
have to add IPv6 support someday, but 1.00 should be an adequate MTA for
the next several years.
---Dan
----- End forwarded message -----
--
Jos Backus
jos at catnook.com
|