[NCLUG] New School Servers

J. Paul Reed nclug@nclug.org
Sat, 1 Sep 2001 01:18:25 -0700 (PDT)


On Fri, 31 Aug 2001, Michael Dwyer wrote:

> Mail:

> There just doesn't seem to be a small KISS mta out there...

What you want is Postfix: The security and speed of qmail with the config
file-readability of Apache.

It was written by the guy that wrote tcp_wrappers, and was originally
written for IBM, so that should tell you that a) the author knew what he
was doing, and b) it's software that Doesn't Suck (tm).

I'm using it in our mail server at work, and we've been really happy with
it; even have a couple of mailman lists using it. Had some config file
hiccups, but that was mainly because I hadn't gotten into the Postfix
"mindset" yet.

What I really like is I can run a mail server without having 500 little
.qmail-this and .qmail-that files running around (yes, I know about
fastforward, and no that doesn't count). And Postfix supports Maildir and
mbox.

http://www.postfix.org

> FTP:
>   The guy who did QMail apparently did an FTP server called publicfile
> (I think) which qualifies as a KISS FTPd in my book.  From what I have
> read about it, it seems like the perfect FTPd if you are looking for its
> particular mix of security and power.

Unless you want to actually use your FTP server for... oh, I don't know,
uploading files?

publicfile is meant for anonymous FTP (and it does HTTP too, I guess); if
you want an FTP server that you can actually use as an FTP server,
publicfile isn't what you want.

> I'd try that out a little bit if I used FTP much anymore...

That's a good point; for the most part, I use scp when moving files around
nowadays. OpenSSH also comes with an sftp client and server, which I
highly recommend if you're using *nix; I don't know if there's a (free)
Win32 client for sftp; I know of a pay-client called SecureFX that seems to
talk to OpenSSH's sftp server just fine.

> Otherwise, I just use wuftpd -- again, it comes in the box, so to speak.

Any software from the University of Washington is on my shitlist; that
includes wu-ftpd and pine's IMAP server.

I just don't know why FTP is so hard to get right; granted, I haven't ever
written an FTP server, but it seems as if every major FTP server has had
security troubles; you would think they would've learned something from
each other's mistakes.

As for recommendations, OpenBSD's ftpd, which there's a Linux port for, I
believe, and ProFTPD if you need features and an easy-to-read config file
(it also uses an Apache-style format). We're using ProFTPD for a client at
work, and I was pretty amazed at some of the acrobatics we were able to get
ProFTPD to do.

Unfortunately, you have to keep up on ProFTPD security, as it's had some
problems in the past; but that's what you get for using FTP in the first
place.

> WEB:
>   Apache.  With PHP.  What else is there? :)

Why Microsoft IIS, of course. And don't forget those ActiveX-based
Auto-fuck-up-your-web-server plugins for IIS.

Oh... you mean a web server that doesn't turn your machine into a mindless
zombie that tries to compromise other hosts... yeah... then Apache is a
distant second...

There's some really cool stuff going on with Apache 2.0.

> DNS:
>   Once again, the Qmail guy has his DNS server, but I'm afraid I'm not
> convinced.

I'm not either.

You've mentioned a ton of DJB's software and while I don't refute the fact
that DJB's software itself is sound, I refuse to ever use any of his code,
for the following reasons:

a) As a sysadmin, I don't have time to deal with the djb-creep, as I call
it: if you want to install Qmail, DJB wants you to install tcpserver (and
will refuse to support you if you don't). If you want to install Qmail, you
also have to install daemon tools... and if you want sane forwarding
management, fastforward... which requires DJB's CDB library. If you want
logging with Qmail, DJB wants you to install his logging package... and on
and on and on.

What it boils down to is that DJB has rewritten a significant subset of the
Unix system utilities because he claims that the current tools suck...
which is fine, and maybe even a valid claim. BUT, what DJB does in the
process of rewriting those tools is he makes them completely incompatible
with EVERY current tool you have on your system... and he wants you to
install ALL of those tools... in WEIRD ass places... which leads me to...

b) Screwed up file locations; /var/qmail/bin... WTF? DJB has a policy of
installing his software in weird, non-standard locations... all in the
hypocritical claim of "cross-platform compatibility"
(http://cr.yp.to/compatibility.html); what he fails to realize is that he's
going and creating his own standard which is breaking any semblance of
cross-Unix-platform compatibility we had... and what's further, he thinks
this is acceptable behavior for a server-software author to engage in.

And the absurdities continue: the latest version of daemontools requires
three new top level directories: /service, /package and ...
/something-else-Paul-can't-remember

c) Lack of a license; Qmail/djbdns/et al. is not free/open source software.
DJB could, theoretically, retract his software, shut down his webpages, and
proceed to sue everyone distributing his software.

Read the details here: http://www.linuxmafia.com/~rick/faq/#djb

d) Finally, and probably most importantly, as a sysadmin, I don't have time
to deal with DJB's attitude: in a nutshell, DJB is a complete asshole.

He has shut down threads of discussion about other ways to implement things
in Qmail on the qmail developers list; he even threatened to unsubscribe
someone who wanted to discuss what he felt was a bug in Qmail.

On DJB's web pages, he "taunts" and mocks the developers of other programs
by listing their history of critical bugs (which is fine), but then also
asking rhetorical (and rude) questions like "Can they make this guarantee
in the future" and "They still call it a 'secure' FTP server." There's no
need for that kind of behavior, unless, of course, you're just trying to be
a jerk.

I just don't have the patience to deal with someone who is so pompous and
arrogant; the creator of Postfix, for instance, is much nicer, and will
entertain ideas on how to do things differently, even if it's just for the
sake of discussion.

Sorry for my DJB rant... :-)

> I think this is another opportunity to build a KISS service -- only does
> INET addresses

What about PTR records... or CNAMES. And will this server not do MX
records, in the name of simplicity?

I'm not attacking you, really, but that kind of attitude is what has given
birth to software like djbdns.

The problem I have with this is people who implement services that don't
follow the RFCs... djbdns is one of these. If you're going to
write/distribute service software, at least have the decency to read the
RFC(s) on the subject and implement them.

This is where my problems with djbdns stem from: djbdns doesn't support the
full DNS spec... why, you ask? Because he doesn't like parts of the RFC...
so he didn't implement them.

There are also some very weird interoperability problems with BIND and
djbdns; djbdns doesn't behave the way a standard DNS client (or server) is
expected to on the 'net.

More importantly, BIND, for all of its bugs in the past, can be made to
behave securely... you do need to read some docs, though.

But hey, no one said this Internet-thingy would be easy... especially if
you're setting up and administering a services box.

My vote: BIND 8.2.4 (.3 is fine); or 9.x, if you're feeling daring; I've
heard good things about 9.x, but it hasn't had the track record of bug
fixes that 8.x has (8.2.3 has been around for a while now...)

A couple of other areas that weren't mentioned:

DATABASES:

Yeah, yeah, I was raised on mySQL, and I thought it was all cool... that is
until I used a real database.

MySQL is fast. It does some cool things. But, repeat after me: It is not a
real database. And yes, even web applications deserve real databases...
which mySQL is not. I've heard it best described as an SQL front-end to
flat files.

If you want a real (free) database: PostgreSQL 7.1.2 rocks.
http://www.postgresql.org

Or you can buy a copy of Oracle for a very affordable $15,000/per
processor.

SSH:

OpenSSH from OpenBSD; not the commercial one with the ever-changing
license requirements from ftp.ssh.fi (www.ssh.com); OpenSSH 2.9p2 rocks,
and has all the tools you need, including sftp, scp, and all the keygen
tools and the server. And, it's an open source license, so no one can muck
with the terms, like ftp.ssh.fi is wont to do.

And bugs, if any, get fixed really quickly, UNLIKE the ftp.ssh.fi version.

http://www.openssh.com

Later,
Paul
   ---------------------------------------------------------------------
   J. Paul Reed               preed@sigkill.com || web.sigkill.com/preed
   It's amazing what a little brain damage will do for your credibility.
                                              -- Leonard Shelby, Memento