Some thoughts on security after ten years of qmail 1.0

Published: 02 November 2007
DOI: 10.1145/1314466.1314467

ABSTRACT

The qmail software package is a widely used Internet-mail transfer agent that has been covered by a security guarantee since 1997. In this paper, the qmail author reviews the history and security-relevant architecture of qmail; articulates partitioning standards that qmail fails to meet; analyzes the engineering that has allowed qmail to survive this failure; and draws various conclusions regarding the future of secure programming.


Published in

CSAW '07: Proceedings of the 2007 ACM workshop on Computer security architecture
November 2007
92 pages
ISBN: 9781595938909
DOI: 10.1145/1314466
General Chair: Peng Ning
Program Chair: Vijay Atluri

Copyright © 2007 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
