I don't discuss my clients here, or in any public forums, as a general courtesy. I believe sharing some of my unique technical expertise, experiences (including mistakes), and concerns is helpful to the Internet as a whole, because my consulting income derives substantially from the fundamental belief, represented by the Internet, that a worldwide resource for communication, substantially open to all and made available at very low cost, is a boon to humanity.
Reviewed "Qmail Quickstarter".
Wrote up a page on my concerns about Challenge/Response Systems (for email users).
Significantly revised my "It Wasn't Me!" page, and expanded on my use of (and take on) SPF in a new page.
Introduced some of my thoughts on hostile environments, such as the Internet, focusing on concerns I have that are not generally recognized in the community.
Published my new(-ish) public key, which includes a revoked version of my previous one.
The new key uses my "new" consulting email address,
james at jcb-sc.com,
which I'm switching over to since the old one (craig at etc....)
was joe-jobbed so much that I've gotten the impression some sites
simply drop incoming email allegedly from that address without
any due notice.
Meanwhile, it has now been over 16 months since I first mentioned, on my web site,
that it would be fairly easy for me to fix the infamous
"Guninski bugs"
in
qmail
(other than the one I already fixed in qmail-smtpd).
Yet, though I have since been hired to do all sorts of work on qmail,
including customizing the code in certain cases,
nobody has seen fit to hire me to fix these bugs,
nor have I seen any evidence that anyone else has published fixes to these bugs.
I tentatively conclude that nobody is willing to spend even a modest amount of money or time fixing what they must surely perceive as only theoretical bugs, probably because there still is no evidence that they can be exploited for nefarious purposes.
So, despite all the allegedly "necessary" patches, add-ons, and workarounds
required for a typical qmail installation on a public site,
it has been many years now that we've gotten along quite well with
version 1.03, and pretty much "perfectly" when it comes to qmail's
security record.
While I continue to dream about and design a new email system,
the prospect of having to live up to qmail's record of success
is more than daunting — it is forcing me to think in terms of employing
"bug-free" methods of coding, which I've long considered desireable anyway.
I now believe that the
Guninski "security alerts"
pertaining to
qmail
represent legitimate potential security vulnerabilities.
The vulnerabilities of which I'm presently aware
(as I have not yet studied all potential problems in qmail)
are unlikely to be exploitable on ordinary 32-bit systems
such as 32-bit CPUs running GNU/Linux,
or on any systems that impose reasonable per-process limitations on
virtual-memory usage.
Here's my take on the
Guninski "security alerts"
pertaining to
qmail.
Copyright (C) 2005, 2006 James Craig Burley, Software Craftsperson
Last modified on 2008-02-29.