ABSTRACT
The qmail software package is a widely used Internet-mail transfer agent that has been covered by a security guarantee since 1997. In this paper, the qmail author reviews the history and security-relevant architecture of qmail; articulates partitioning standards that qmail fails to meet; analyzes the engineering that has allowed qmail to survive this failure; and draws various conclusions regarding the future of secure programming.
Index Terms
- Some thoughts on security after ten years of qmail 1.0