While Sendmail is responsible for carrying over two-thirds of the e-mail traffic exchanged over the Internet on a daily basis, it does have some worthy competitors. In fact, one alternative to Sendmail is gaining popularity at an unprecedented pace: Qmail. Developed by Dan Bernstein at the University of Illinois at Chicago, Qmail aims to address the security issues found in Sendmail by offering an MTA designed from the ground up with security in mind. From its inception, Qmail followed some very fundamental rules, such as

■ Avoid running the main MTA daemon as root. Instead, only two of its auxiliary scripts need root privileges.

■ Avoid the use of setuid. Only one Qmail script, qmail-queue, is setuid.

■ Treat addresses differently than programs and files. This is done to avoid a common vulnerability of Sendmail's where users were feeding the Sendmail daemon shell scripts in place of addresses, only to have the server execute them (often with root privileges).

In addition to this design philosophy, Qmail has a few circumstantial advantages over Sendmail:

■ Qmail is more recent. Hindsight is 20/20, and Qmail has learned a lot of the vulnerabilities that are inherent to MTAs in general and that were only discovered because Sendmail was deployed first.

■ Qmail was born in a different climate. The Internet of 1984 was very different from the Internet of 1996. This forced Qmail developers to write applications that would withstand the risks of today's brave new public networks. Sendmail has been keeping up with the new vulnerabilities, but it's done it via patches and slight enhancements to the original design.

■ Qmail is a simpler (and smaller) program. In the 15+ years that Sendmail has been used in a production environment, the feature requests have never stopped flowing. The result is a very complete, but very complex MTA. As is the case with any piece of server software, complexity breeds vulnerability.

However, there are certain areas where Sendmail still has the upper hand:

■ Sendmail is more mature. It still moves the overwhelming majority of SMTP traffic over the Internet and is a much better known quantity. There is extensive Sendmail documentation, including books and tutorials, as well as training and certification.

■ Sendmail's installation procedure is robust and well automated, whereas Qmail still requires a number of manual steps to be executed.

■ Sendmail is more scrutinized, with an installed base that is orders of magnitude larger than Qmail's. This leads to much quicker identification of security vulnerabilities, and prompt availability of the appropriate security fix.

When it comes to advocating the security of the package, the Qmail community backed up their claims with one of the now infamous financial "challenges." The contest started in April of 1997 and ended in April of 1998, and aimed to find a security vulnerability in the Qmail software that would give a remote user unauthorized access to the target system. The contest period ended and no one was able to find a legitimate vulnerability on the software, so the $1,000 prize went unclaimed.

Putting aside the result of this challenge, I recommend that you don't base your decision about which MTA to use solely on Qmail's claims of proven security. Both Qmail and Sendmail can be made secure enough to meet the requirements of any security policy. If you are already using Sendmail in your mail server installation and you have built some core expertise on it, you may want to stay with that package. The danger in changing MTAs is that you'll almost always need a learning period during which you are more prone to making simple configuration mistakes that may lead to a security vulnerability.


If you are building an SMTP server from the ground up and have no previous Sendmail experience, review the features that Qmail offers and make sure that it can meet your overall mail-handling needs. If the answer is yes, then Qmail is a better fit for your needs because it is simpler and easier to configure.

Extensive information on Qmail can be found at www.qmail.org.

The next section describes yet another Sendmail replacement: the Postfix MTA.

Was this article helpful?

0 0

Post a comment