Re: [Exim] virtual domains - popper

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Paul Robinson
Data:  
Para: Jeff burton
CC: exim-users
Assunto: Re: [Exim] virtual domains - popper
On Sat, 01 Jul 2000, you wrote:
> You can this with qpopper (there is a patch for it on freshmeat, search
> for exim), but since qpopper has severe security flaw, I
> would not use it.


Ummmm... could you please enlighten me as to what 'severe security flaw' there
is in qpopper 3.0.2 (i.e. current), because I'm sure BUGTRAQ would love to hear
about it...

Your information is out of date. There have been a few advisories out on
qpopper recently, but none of the very recent ones were about overflows (see
bottom of mail). The thing with open source software is that it tends to get
patched very, very, very quickly. Therefore if you're a competent admin you can
have it patched before working exploits are released. I've been running qpopper
for years on many sites, and not one single time have I been attacked through it
whilst I was still vulnerable.

> You could use qmail-pop3d, with a suitable checkpassword-module. There are
> a lot of checkpassword-implementation that support everything from a mysql
> db to flat files.


Or, if you're interested in using MySQL (if you have a lot of accounts and you
don't want to give them system accounts) then I can heartily reccomend the
patch (for qpopper it's a patch, it's just a config file for exim) available at
http://www.netd.co.za/mysql-mail/ which takes a little messing to get working
properly if you're not too used to MySQL setups, but on the whole quite nice.

> This means that you'll have to use maildir, though.


(vomits all over floor)... Maildir is such a nice idea, but I can't see the
performance benefits out-weighing the hassle unless you have lots of
accounts receiving large amounts of mail greater than 8K in size (or whatever
the cluster size on your disks are).. when I have lots of money to build big
mail servers, I'll consider it, but generally it's more hassle than it's worth
for small sites, IMHO of course.      


There is one advantage with Maildir that I can really think of - if you have
more than 65,536 users in a single domain, then on a lot of OSes you're going
to have problems getting that many files into a single directory. However,
those same OSes (read 'Linux' and 'SunOS' here IIRC) will normally allow 4
billion directories in a single directory. Because Maildir is (as it's name
suggests) directory orientated, it makes sense to use it on these types of
systems. OK, I'll back down and stop giving people a hardtime over Maildir
then. :-)

> I use an installation of qmail-pop3d with a virtual exim implementation.
>
> Other than that, cucipop (IIRC) has a patch to use PAM for
> authentication. That opens for a lot of alternatives.


(spit)... I really, really, really didn't like cucipop when I was playing with
it. It just seemed to be a poor equivalent in terms of performance on my setup
to qpopper. Unless somebody can prove me wrong of course.

I think however I've sussed your tactic out here - you find lots of different
daemons to do a given task, and then search BUGTRAQ for them. If they don't
show, you assume it's secure and advise that even though it maybe a horribly
designed piece of code that it's secure and should be used. This is false
logic in that if something has had a hole found in it, and then is patched,
you can be rest assured that it's had a full security audit, and *then* you can
assume it's pretty tight on the security. The reason qpopper shows up so much
on BUGTRAQ is that it is being audited so much... noticed the vulnerabilities
are starting to get a little tedious and obscure these days -

2000-04-19: Multiple Vendor popd Lock File Denial of Service Vulnerability
2000-04-21: Qualcomm Qpopper Unsafe fgets() Vulnerability
2000-05-24: Qualcomm Qpopper 'EUIDL' Format String Input Vulnerability

The last normal overflow was in Janurary... the format string vulnerability was
a bit on the dangerous side potentially, but I feel pretty safe to be honest...
it's a bit like the OpenBSD of the pop3 daemon world - it's being audited so
much that as time goes by the holes become fewer and lesser and more obscure.

--
Paul Robinson - Internet Services @ Akita - http://www.akita.co.uk
------------------------------------------------------------------
Sales:- T: 01869 337088 F: 01869 337488 E: sales@???
Techs:- T: 0161 228 6388 F: 0161 228 6389 E: root@???
------------------------------------------------------------------