> CVE-2011-1720 and CVE-2008-2936 are examples of postfix vulns no one has found, or reasonably expects to find, in djb code.
CVE-2011-1720 is related to SMTP authentication which qmail doesn't support out-of-the box. So. Yes you're right: You don't find that vulnerability in qmail because qmail doesn't have that feature.
Can you run an SMTP server without authentication these days? Not if you have users using you as a relay. So I guess you have to custom patch qmail and now you're back to not running djb code in the first place.
CVE-2008-2936 I grant you. Though once we are at doing hardlinks to symlinks, we might hit other edge-cases too, some might even affect qmail in some way.
Aside of the fact that I doubt your "most people" assertion here, it's beside the point that I was trying to make which is that a CVE affecting a feature of Postfix that qmail doesn't have to begin with is not a fair mark against postfix.
Because if you disable a feature you don't use, you won't be affected by the vulnerability.
If you use smtp authentication, you're not running djb's code and all advantages of djb's code are moot. If you don't use smtp authentication then that CVE is inconsequential and you can't count it as a black mark against Postfix with regards to the security of your specific setup.
> it's beside the point that I was trying to make which is that a CVE affecting a feature of Postfix that qmail doesn't have to begin with is not a fair mark against postfix.
I disagree. It is a fair mark against postfix if (as I claim) most users really don't need it.
Here's my reasoning to that point:
I think most email end-users either use their ISPs mail settings (who know who they are and don't need authentication), or webmail (which doesn't use SMTP for relaying anyway), or outlook (which doesn't need SMTP at all). Fastmail is becoming more popular and it doesn't need SMTP either. The end-users who remain are either business users (who could use a VPN which is better than SMTP AUTH in every way), and nutters with vanity domains.
If that's contended, and note I do believe there are probably end users who are actually still manually entering SMTP AUTH settings into email clients, but I would struggle to believe they're the majority and would need evidence.
Meanwhile on the enterprise, pretty much every machine in every enterprise environment I've ever worked in has been set up for local relay. Again, if you think they're all using SMTP AUTH I'd need to see evidence.
> If you use smtp authentication, you're not running djb's code and all advantages of djb's code are moot
Do you actually believe that if you apt-get install postfix that you don't have any of the advantages of postfix's development processes?
I'm not sure I can engage with that. It's like saying running linux invalidates "all advantages of djb's code" simply because you're (sometimes) not running his code (e.g. when you're in a syscall). Madness runs down that way.
For what it's worth, most of the qmail smtpd patches I've seen to add SMTP AUTH (including the one I wrote nearly twenty years ago) are sensible, integrate well with the rest of qmail. You might not get djb's warrantee, but I can't believe you gain nothing by starting from a solid foundation.
>I disagree. It is a fair mark against postfix if (as I claim) most users really don't need it.
if they don't need it, they won't be affected by that vulnerability because it won't be active.
>Meanwhile on the enterprise, pretty much every machine in every enterprise environment I've ever worked in has been set up for local relay.
In every enterprise setup I have seen, local relay was still protected using SMTP-AUTH for accounting purposes.
Plus in case of end-users, many ISPs still provide SMTP for mail delivery, all of whom need to support SMTP auth. That includes Fastmail and Gmail.
>but I can't believe you gain nothing by starting from a solid foundation.
Of course you do. But saying "Postfix is worse because it had a security vulnerability in a component that qmail doesn't even support" is unfair to postfix.
If you are running qmail with a custom patch then that custom patch will for sure have been exposed to less scrutiny than Postfix proper. It's not valid to extend the scrutiny given to vanilla qmail to all of the custom patches.
> saying "Postfix is worse because it had a security vulnerability in a component that qmail doesn't even support" is unfair to postfix.
Ok, well that's your opinion, and hopefully now you at least know why I have mine.
I can't imagine forgiving Microsoft for all those AD/SMB and explorer CVE just because Linux doesn't support those things, but it's not really that important to me.
> In every enterprise setup I have seen, local relay was still protected using SMTP-AUTH for accounting purposes.
I have no idea what you mean by "accounting purposes" -- it sounds like you're talking about users relaying and not machines relaying.
There is no way you'd get a SOC2 (or SSAE/SOC1) if you used SMTP auth to protect local relays, so perhaps we are talking about different things when we say "enterprise".
> If you are running qmail with a custom patch then that custom patch will for sure have been exposed to less scrutiny than Postfix proper.
I'm still not sure you can have it both ways. Why is it when Debian patches postfix that it's still (in your mind) "postfix proper" but when I download a well-distributed and discussed patch from a mailing list, and read it myself, that you somehow think I'm at higher risk?
>it sounds like you're talking about users relaying and not machines relaying
there is such a thing as machine- or even application-specific accounts that can be terminated or their credentials rotated.
Even better; you could use something like Vault (https://www.vaultproject.io/) to manage such application-specific credentials.
All of this is much better than relying on IP addresses never changing and never being reused.
>Why is it when Debian patches postfix that it's still (in your mind) "postfix proper" but when I download a well-distributed and discussed patch from a mailing list, and read it myself, that you somehow think I'm at higher risk?
I never said it was postfix proper. It really isn't.
Debian is known to f'up the security of its packages. But it's my hope that distributors have a better equipped security team and bigger exposure compared to some guy putting a patch on some website.
Debian also has a proper security update process that makes sure that patches go out to users quickly and painlessly. And because Debian is big enough, it's usually included in embargoed security vulnerability reports, so usually a patch will be out and sometimes even deployed by the time the vulnerability is known.
But the relative security of Debian-maintained postfix vs. Debian-maintained custom-patched qmail is the same as postfix proper vs custom-patched qmail.
However, vanilla whatever, in my opinion is superior to custom-patched whatever. And while postfix is usable vanilla, qmail isn't. It was bordering unusable back in the 90ies and it definitely is unusable nowadays.
qmail doesn't support TLS, it doesn't support spf, much less domainkeys or dmarc. It doesn't (as we're talking about) support SMTP auth, it doesn't support ipv6. It doesn't support any other common anti spam measures like greylisting or rbl checks, nor does it support a plugin system that would allow for easy plugging them in.
Heck, it doesn't even support rejecting mail at SMTP time so it's one of the worst offenders for backscatter which is one of the big annoyances for mail admins.
At this point, an unpatched qmail is as useful in fulfilling MTA roles as a closed port 25 is (which would totally be safer than both qmail and postfix)
Hence my assertion that everybody is running a patched qmail and none of these patches ever enjoyed the same scrutiny as even the security abominations that are sendmail and exim.
And worse: None of these patches were ever reviewed for side-effects of arbitrarily combining them.
Nearly every custom patch was made against a vanilla qmail because there is no central project to manage these patches. So every site runs a different version of qmail, none of them vetted at all for security.
This is a mess and we should really discourage this rather than dreaming of long-gone times where vanilla qmail at least was useful to a minor degree.
Partially-related update: I just looked at the qmail code: This thing is written in K&R style C and sometimes uses single-character variable and function names. I would argue nobody but djb can actually safely make changes to this code-base. This is all from a bygone age. Let it rest.
Sorry, we think it's rested plenty long enough :-)
You've given some excellent examples of how qmail got this way, and what notqmail needs to change to be viable. I have my own running-in-production solutions to most of them -- for instance, https://schmonz.com/qmail/rejectutils for SMTP recipient rejection and https://schmonz.com/qmail/acceptutils for user-facing AUTH and TLS.
These may or may not become part of notqmail. But we believe that together we can carefully and safely evolve notqmail to meet modern needs.
I agree. But if the software is lacking essential features so that everybody patches them back in it's a very ineffective strategy because anybody's home-grown patches are worse than properly maintained features.
I can put a machine on the net with a closed port 25. That's the most minimal implementation of an MTA and it's entirely secure. Guaranteed.
The thing is that qmail was severely lacking features back in the 90ies and it has received zero feature additions by its original author since then, so it's safe to assume that it's now lacking even more features to the point where anybody running qmail these days is nearly guaranteed to be running franken-qmail full of third-party patches which are surely less well maintained than proper Postfix.
CVE-2011-1720 is related to SMTP authentication which qmail doesn't support out-of-the box. So. Yes you're right: You don't find that vulnerability in qmail because qmail doesn't have that feature.
Can you run an SMTP server without authentication these days? Not if you have users using you as a relay. So I guess you have to custom patch qmail and now you're back to not running djb code in the first place.
CVE-2008-2936 I grant you. Though once we are at doing hardlinks to symlinks, we might hit other edge-cases too, some might even affect qmail in some way.