He characterized the bug found by Guninski as a "potential overflow of an unchecked counter". At a slide presentation the following day, Bernstein stated that there were 4 "known bugs" in the ten-year-old qmail-1.03, none of which were "security holes". On November 1, 2007, Bernstein raised the reward to US$1000. Configuration of resource limits for qmail components mitigates the vulnerability. Bernstein disputes that this is a practical attack, arguing that no real-world deployment of qmail would be susceptible. On 64-bit platforms, in default configurations with sufficient virtual memory, the delivery of huge amounts of data to certain qmail components may allow remote code execution. In 2005, security researcher Georgi Guninski found an integer overflow in qmail. In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable security hole in the latest version of the software. It is easy to replace any part of the qmail system with a different module as long as the new module retains the same interface as the original.Ĭontroversy Security reward and Georgi Guninski's vulnerability Qmail is nearly a completely modular system in which each major function is separated from the other major functions. Qmail also introduces the Quick Mail Transport Protocol (QMTP), an e-mail transmission protocol that is designed to have better performance than Simple Mail Transfer Protocol (SMTP), the de facto standard and Quick Mail Queuing Protocol (QMQP), a network protocol designed to share e-mail queues between several hosts. Out of the box, mail addressed to "user- wildcard" on qmail hosts is delivered to separate mailboxes, allowing users to publish multiple mail addresses for mailing lists and spam management. Wildcard mailboxes qmail introduced the concept of user-controlled wildcards. Unlike the de facto standard mbox format, which stored all messages in a single file, Maildir avoids many locking and concurrency problems, and can safely be provisioned over NFS. Maildir Bernstein invented the Maildir format for qmail, which splits individual email messages into separate files. Qmail encourages the use of several innovations in mail (some originated by Bernstein, others not): qmail was originally designed as a way for managing large mailing lists.Īt the time of qmail's introduction, Sendmail configuration was notoriously complex, while qmail was simple to configure and deploy. When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was also implemented with a security-aware replacement to the C standard library, and as a result has not been vulnerable to stack and heap overflows, format string attacks, or temporary file race conditions. In contrast to sendmail, qmail has a modular architecture composed of mutually untrusting components for instance, the SMTP listener component of qmail runs with different credentials from the queue manager or the SMTP sender. The most popular predecessor to qmail, Sendmail, was not designed with security as a goal, and as a result has been a perennial target for attackers. When first published, qmail was the first security-aware mail transport agent since then, other security-aware MTAs have been published. ( March 2015) ( Learn how and when to remove this template message) Unsourced material may be challenged and removed. Please help improve this section by adding citations to reliable sources.
0 Comments
Leave a Reply. |