Re: vpopmail/vchkpw remote root exploit

From: D. J. Bernstein (djbat_private)
Date: Sun Jan 23 2000 - 14:54:27 PST

    This ``qmail-pop3d security advisory'' is fraudulent. There are no
    security problems in the qmail package.
    
    There are some serious security problems in the vpopmail/vchkpw package.
    But vpopmail/vchkpw is not part of qmail. I didn't write it. I haven't
    reviewed it. I don't distribute it. I don't use it. I am not responsible
    for its bugs.
    
    Blaming qmail-popup for a bug in vpopmail/vchkpw is like blaming
    qmail-smtpd for a bug in procmail or pine. It deceives people as to the
    source of the problem and the nature of the correct fix.
    
    The claim of protocol non-compliance is neither relevant nor correct.
    Clients that send long usernames are violating RFC 1939, but servers
    that allow long usernames as an extension are not violating RFC 1939.
    The qmail package deliberately and consistently allows such extensions,
    as documented in the qmail-limits manual page.
    
    I don't enjoy being the target of defamation. I don't enjoy receiving
    email from people who have heard false rumors of bugs in my software. I
    asked the author of this advisory to make an honest statement of his
    results. Instead he attempted to frighten qmail users who, in fact, have
    nothing to worry about.
    
    The security community cannot condone this type of behavior. As soon as
    I have some free time, I am going to track down the author and sue him
    for libel. I fully expect to win.
    
    ---Dan Bernstein
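
The RFC 1939 point in the message above (a server may accept usernames longer than the 40-octet argument limit as an extension, and the overflow belongs to whatever program then copies that name into a fixed buffer) is easier to see in code. The following is an added example, not code from qmail, qmail-popup, vpopmail/vchkpw, or this post: a bounded parser for the POP3 `USER` line with a strict mode that rejects arguments over 40 octets, as the RFC specifies, and an extension mode that accepts them but still refuses to write past the caller's buffer. The 255-octet line limit and 40-octet argument limit are from RFC 1939 section 3; all function and constant names, and the constructed sample lines, are this example's own.

```c
/* Added example (not qmail/vpopmail code): bounded POP3 USER parsing.
 * RFC 1939 s.3: a command line is at most 255 octets including CRLF,
 * an argument at most 40 octets. Function names are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_LINE 255   /* RFC 1939: command line including CRLF */
#define POP3_MAX_ARG  40    /* RFC 1939: single argument */

enum pop3_user_result {
    POP3_OK = 0,
    POP3_ERR_LINE_TOO_LONG,
    POP3_ERR_NOT_USER,
    POP3_ERR_NO_ARG,
    POP3_ERR_ARG_TOO_LONG,
    POP3_ERR_BUF_TOO_SMALL
};

/* POP3 keywords are case-insensitive (RFC 1939 s.3). */
static int keyword_is_user(const char *p)
{
    return tolower((unsigned char)p[0]) == 'u' && tolower((unsigned char)p[1]) == 's'
        && tolower((unsigned char)p[2]) == 'e' && tolower((unsigned char)p[3]) == 'r';
}

/* Parse "USER <name>\r\n" from line (len octets, not NUL-terminated) into
 * out[outsz], NUL-terminated, and store the name length in *namelen.
 * strict != 0: reject names over POP3_MAX_ARG as the RFC requires.
 * strict == 0: accept longer names as an extension. In both modes the
 * name is only copied if it fits, so the caller's buffer cannot overflow;
 * that length check is the one a downstream password checker must keep. */
enum pop3_user_result
pop3_parse_user(const char *line, size_t len, int strict,
                char *out, size_t outsz, size_t *namelen)
{
    const char *arg, *end;
    size_t arglen;

    if (len > POP3_MAX_LINE)
        return POP3_ERR_LINE_TOO_LONG;

    end = line + len;                      /* strip trailing CRLF or LF */
    if (end > line && end[-1] == '\n') end--;
    if (end > line && end[-1] == '\r') end--;

    if ((size_t)(end - line) < 4 || !keyword_is_user(line))
        return POP3_ERR_NOT_USER;
    arg = line + 4;
    if (arg >= end || *arg != ' ')
        return POP3_ERR_NO_ARG;
    arg++;
    arglen = (size_t)(end - arg);
    if (arglen == 0)
        return POP3_ERR_NO_ARG;
    if (strict && arglen > POP3_MAX_ARG)
        return POP3_ERR_ARG_TOO_LONG;
    if (arglen + 1 > outsz)                /* never copy into a buffer that cannot hold it */
        return POP3_ERR_BUF_TOO_SMALL;
    memcpy(out, arg, arglen);
    out[arglen] = '\0';
    *namelen = arglen;
    return POP3_OK;
}

/* Constructed input: "USER " + n copies of 'a' + "\r\n", parsed into an
 * output buffer of outsz octets. Returns only the result code. */
enum pop3_user_result pop3_try_name(size_t n, int strict, size_t outsz)
{
    char line[POP3_MAX_LINE + 64];
    char out[POP3_MAX_LINE + 1];
    size_t namelen = 0;
    if (n > sizeof line - 8) n = sizeof line - 8;
    if (outsz > sizeof out) outsz = sizeof out;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'a', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return pop3_parse_user(line, 5 + n + 2, strict, out, outsz, &namelen);
}

/* Parse a NUL-terminated line with a full-size buffer; result code only. */
enum pop3_user_result pop3_try_line(const char *line, int strict)
{
    char out[POP3_MAX_LINE + 1];
    size_t namelen = 0;
    return pop3_parse_user(line, strlen(line), strict, out, sizeof out, &namelen);
}

int main(void)
{
    /* A 60-octet username: an RFC violation by the client, rejected in
     * strict mode, accepted as an extension, and still refused when the
     * receiving buffer is too small. */
    printf("strict, 60 octets:            %d\n", pop3_try_name(60, 1, 128));
    printf("extension, 60 octets:         %d\n", pop3_try_name(60, 0, 128));
    printf("extension, 16-octet buffer:   %d\n", pop3_try_name(60, 0, 16));
    return 0;
}
```

The point the parser makes is the one the message argues: accepting a long argument is a policy choice that does not by itself create a memory-safety problem; the problem appears only in a component that copies the argument without checking its length against the destination.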
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:30:01 PDT