# OpenSMTPd not worthy of OpenBSD name



## Oko (Oct 6, 2015)

Many of you are familiar with my razor sharp post in which I criticize FreeBSD. Today is apparently OpenBSD day. This is one of the more interesting treats I have seen on misc@openbsd

http://marc.info/?l=openbsd-misc&m=144406375710388&w=2

Luckily I don't run a mail server. I use OpenSMTPD only to send my local e-mail to the Gmail server. However, this is a big warning not to use code which is hastily written and not properly debugged, even when it is done by the OpenBSD project. As a consequence of this incident I have already decided to use only Postfix if I need a real mail server. I also decided not to touch the new native OpenBSD hypervisor when it is available on OpenBSD. Actually, in light of the issues with OpenSMTPD, I have no clue who got the idea that OpenBSD needs a new native hypervisor. If the hypervisor was needed they should have ported Xen to OpenBSD, but even that would complicate the code base. I am also very worried about the new http daemon which is available circa 5.6, but I concur that it might be a better solution for in-base lightweight http for static pages than Nginx.


----------



## Oko (Oct 6, 2015)

And more fallout

http://undeadly.org/cgi?action=article&sid=20151005200020&mode=expanded&count=0

http://www.openwall.com/lists/oss-security/2015/10/04/2

https://www.qualys.com/2015/10/02/opensmtpd-audit-report.txt


----------



## kpa (Oct 6, 2015)

What worries me most is that this is new code written by people who should know better by now. It paints a very scary picture of open source if it's possible for such basic errors to slip by because no one really did audit/review the code but just assumed that the person who wrote it knew what he/she was doing. What else can slip by, an NSA backdoor?


----------



## Beastie7 (Oct 6, 2015)

Arrogant induced NiH syndrome sure bit them in the butt, didn't it? OpenBSD has much bigger problems than a few security SMTP daemon vulnerabilities.


----------



## gofer_touch (Oct 6, 2015)

Beastie7 said:


> OpenBSD has much bigger problems than a few security SMTP daemon vulnerabilities.



Care to elaborate?


----------



## Cthulhux (Oct 6, 2015)

What can be worse than security issues?


----------



## pkubaj (Oct 6, 2015)

Reading the topic that Oko linked to, I have noticed another interesting mail:
https://marc.info/?l=openbsd-misc&m=144410738521220&w=2
I think it gives us another point of view, and now I'm not so keen on believing the OP from openbsd-misc.


----------



## robroy (Oct 6, 2015)

Oko, thanks for this thread.

In the mail linked to by pkubaj, Gilles Chehade says, "i'll still run it in production because occasional updates beat having to deal with anything i had to deal with in the past. ever."

That's how I feel about it also.  As an ex-Sendmail user, I'm pretty happy about my fifteen line smtpd.conf, and being able to understand an MTA (well enough) without having to crack any thick mail server books.


----------



## hitest (Oct 6, 2015)

Beastie7 said:


> OpenBSD has much bigger problems than a few security SMTP daemon vulnerabilities.



Please let us know about the problems.


----------



## Beastie7 (Oct 6, 2015)

gofer_touch said:


> Care to elaborate?



Their abrasive, "holier-than-thou" attitude among their community, and the rate of self-righteous (and arguably needless) re-inventions exceeds the capacity to maintain it. I believe even one of their developers highlights a similar tune; can't remember the name. This is just my observation though. Nothing big.


----------



## hitest (Oct 6, 2015)

Beastie7 said:


> Their abrasive, "holier-than-thou" attitude among their community, and the rate of self-righteous (and arguably needless) re-inventions exceeds the capacity to maintain it. I believe even one of their developers highlights a similar tune; can't remember the name. This is just my observation though. Nothing big.


Unfortunately there are zealots in all software communities.  I'm not willing to write off an operating system because a person is xenophobic.


----------



## Oko (Oct 6, 2015)

Beastie7 said:


> Their abrasive, "holier-than-thou" attitude among their community, and the rate of self-righteous (and arguably needless) re-inventions exceeds the capacity to maintain it.


That is a very low quality post which speaks more about you and your lack of knowledge than about OpenBSD community which I was part of for the past 10 years.


----------



## Cthulhux (Oct 6, 2015)

Did you leave OpenBSD, Oko?


----------



## Oko (Oct 6, 2015)

Cthulhux said:


> Did you leave OpenBSD, Oko?


No, of course not. Why would I leave OpenBSD? I left FreeBSD about 10 years ago and I partially returned to it about 2 years ago, only as a storage solution and more recently for Jails on top of zpools.


----------



## Cthulhux (Oct 6, 2015)

I was just curious about the last part of your previous posting. Sorry for OT, everyone.


----------



## Beastie7 (Oct 6, 2015)

hitest said:


> Unfortunately there are zealots in all software communities.  I'm not willing to write off an operating system because a person is xenophobic.



Nor am I denoting as such.



Oko said:


> That is a very low quality post which speaks more about you and your lack of knowledge than about OpenBSD community which I was part of for the past 10 years.



So the burden is on one's lack of knowledge notwithstanding overt behavior? That's funny. Like I said, it's just my observation.

I'm sure your involvement is relevant. Good for you.


----------



## Oko (Oct 6, 2015)

Cthulhux said:


> I was just curious about the last part of your previous posting. Sorry for OT, everyone.


Well, I am sure I am not the only one who was genuinely surprised by the announcement that the OpenBSD Foundation is dashing some cash for the development of the native hypervisor. The official party line for a long time has been that virtualization goes against security. Even Jails are a flawed security concept from the theoretical mathematics (provability theory).

So I don't get why they want to add more code when everyone knows more code is more bugs. OpenSMTPd was a wonderful little project until people started adding new features and requiring a full-blown mail server. Well, you might as well run Postfix if you need that. Finally, httpd was surgically created out of relayd, which was a cool thing, but lacks some basic features. Again, httpd which can serve only static pages would have been OK if people didn't start asking right away for more stuff.

Historically speaking OpenBSD was all about network. They always had second rate file systems. I am OK with it and I don't want OpenBSD to become storage OS but I would like to see things like WAPBL. LibreSSL was a good move. Hypervisor probably not.


----------



## Oko (Oct 7, 2015)

gpatrick said:


> Oko's post was unnecessary and seems to be a personal attack because of a conflict.


I have the impression that you think that I was involved in that thread on misc. I know that you have a very low opinion of me but that is not the case. You can easily connect my nick with my real name. I post infrequently on misc, always using my real name. By the way, I have no problem posting here using my real name too. I have never exchanged a single e-mail with Gilles. I share your high opinion of him. My post above yours clarifies my standing about the whole "situation".

Cheers,
Predrag


----------



## junovitch@ (Oct 7, 2015)

We all make mistakes in software just as in anything else.  Fix it quickly, learn from it, and move on.  At the end of the day, all software is imperfect software written by imperfect people and sometimes we just choose what sucks the least based on our end goal.


----------



## RichardET (Oct 9, 2015)

Operating Systems are just a tool, right?  I support with $ both OpenBSD & FreeBSD & FSF;  Occasionally Ubuntu.
Users expect too much out of free code for nothing!  Invest in the product, if you want to help fix it;  complaining with insults, is small-minded hypocrisy.


----------



## Oko (Oct 17, 2015)

This is the latest update by the alpha male of OpenSMTPd Gilles Chehade for those who care

http://undeadly.org/cgi?action=article&sid=20151013161745&mode=expanded

It looks like the World in a year or two will be indeed richer for one ultra secure full blown mail server.


----------

