Re: [Exim] exim & intetd

Author: Phil Pennock
Date:
To: exim-users@exim.org
Subject: Re: [Exim] exim & intetd
On 2001-12-27 at 11:32 -0800, Kevin Sindhu wrote:
> Hah! Trust inetd. Never!!! :P
>
> See http://archives.neohapsis.com/archives/openbsd/2001-02/2947.html


So you didn't read the manual-page and discovered independently that
inetd throttles incoming connections? If it didn't, the load on the
machine would go through the roof! Exim has similar protections, but
customised for mail-handling and so able to be much more sophisticated
(options such as queue_only_load, smtp_accept_max,
smtp_accept_max_per_host, smtp_accept_queue and so on).

> It's trivial to crash inetd because of its design. As for xinetd. don't


That's not a crash. It's rate-throttling; inetd won't start more than N
instances of a service in less than one minute, for some N which can be
changed (typically a command-line option).

The inetd on the system I use allows the max to be varied on a
per-service basis, as well as being overridden from the command-line.

Without a maximum, enough connections would make a system thrash so
badly that no functional service could be maintained.

> tell anyone but there is a private exploit on the internet to which
> the current xinetd is vulnerable....unlike any for exim. ;->


Surely, if you have evidence, tell as many sysadmins as possible so that
they can do something about it. If you do have evidence and keep quiet,
and something bad happens, get a good lawyer. A very good lawyer.


inetd has its pros and cons. If mail is not the primary purpose of a
machine, but it does need to be able to accept mail, it can be a
sensible choice. Exim isn't really designed for that -- if it does
become a more recommended install, I (and perhaps others) might start
talking nicely to Philip Hazel about letting Exim accept the
file-descriptor and then fork & accept, until exiting the main parent
some time later, so that inetd could mark the service as 'wait' and a
good compromise install could be reached -- Exim not normally running,
but scaling well should a large volume of connections suddenly arrive.

(Or have I missed the relevant juju to support this now?)
--
Strong Cipher (n.): Cipher devised by oneself.
Weak Cipher (n.): Cipher devised by someone else.
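
A small model of the per-service throttling described in the message above, added here as an illustration; it is not inetd's source and not code from the post. The struct and function names are hypothetical, and the limit of 40 per 60 seconds and the 600-second back-off are constructed sample values.

```c
#include <stdio.h>

/* Illustrative model only: at most max_per_interval spawns of one service
 * per interval_secs; once exceeded, the service is switched off for
 * retry_secs (the back-off length is an assumption of this example). */
struct service {
    int  max_per_interval;   /* the "N" from the message */
    int  interval_secs;      /* one minute in the message */
    int  retry_secs;         /* assumed back-off period */
    long window_start;       /* start of the current counting window */
    int  count;              /* spawns counted in this window */
    long disabled_until;     /* service refuses until this time */
};

enum verdict { SPAWN, REFUSE_THROTTLED };

enum verdict on_connect(struct service *s, long now)
{
    if (now < s->disabled_until)
        return REFUSE_THROTTLED;             /* still backing off */
    if (s->count == 0 || now - s->window_start >= s->interval_secs) {
        s->window_start = now;               /* open a fresh window */
        s->count = 0;
    }
    if (++s->count > s->max_per_interval) {
        s->disabled_until = now + s->retry_secs;
        s->count = 0;
        return REFUSE_THROTTLED;             /* daemon stays up, service pauses */
    }
    return SPAWN;
}

/* Feed n connections, one every step seconds from t0; return spawn count. */
int run_burst(struct service *s, long t0, int n, int step)
{
    int spawned = 0;
    for (int i = 0; i < n; i++)
        if (on_connect(s, t0 + (long)i * step) == SPAWN)
            spawned++;
    return spawned;
}

int main(void)
{
    struct service smtp = { 40, 60, 600, 0, 0, 0 };  /* constructed values */
    printf("flood of 100:    %d spawned\n", run_burst(&smtp, 1000, 100, 1));
    printf("during back-off: %d spawned\n", run_burst(&smtp, 1200, 5, 1));
    printf("after back-off:  %d spawned\n", run_burst(&smtp, 2000, 5, 1));
    return 0;
}
```

The flood is capped at 40 children and the service resumes once the back-off expires, which is the difference between throttling and a crash.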