Greg Zartman wrote:
> AFAIK, Qmail hasn't seen a security related patch in months
> if not years.
qmail 1.03 was released in June 1998, and hasn't required any security patches.
From the file BLURB in the release tarball:
Secure: Security isn't just a goal, but an absolute requirement. Mail
delivery is critical for users; it cannot be turned off, so it must be
completely secure. (This is why I started writing qmail: I was sick of
the security holes in sendmail and other MTAs.)
From SECURITY in the source tarball:
Background: Every few months CERT announces Yet Another Security
Hole In Sendmail---something that lets local or even remote users take
complete control of the machine. I'm sure there are many more holes
waiting to be discovered; sendmail's design means that any minor bug in
46000 lines of code is a major security risk. Other popular mailers, such
as Smail, and even mailing-list managers, such as Majordomo, seem
nearly as bad.
Note added in 1998: I wrote the above paragraph in December 1995, when
the latest version of sendmail was 8.6.12 (with 41000 lines of code).
Fourteen security holes were discovered from sendmail 8.6.12 through
8.8.5. See
http://pobox.com/~djb/docs/maildisasters/sendmail.html.
I started working on qmail because I was sick of this cycle of doom. ...
See also:
http://cr.yp.to/qmail/guarantee.html

Charlie