[jrockway]

Too bad the original qmail is nearly useless these days. (I had a class with DJB in college, and used qmail for quite a while. Eventually I got overrun with spam and switched to something that would reject messages immediately after virus/spam scanning them.)

The point is that writing simple software in C is possible. But writing complex software is very very hard.

[tptacek]

Every mail server I've ever run has been qmail, including my current company's current mail server, which backs a relatively popular blog and a pretty healthy number of press hits with @matasano.com mail addresses, along with several decently active open mailing lists, and I simply don't have any of these problems you're talking about.

If you took a class with Bernstein, you might be familiar with the ISP whose entire mail operation, including customer POP and virtual hosting, I ran on qmail --- that'd be EnterAct. So yeah, I'm not buying your "qmail is too simple to matter" argument. If you want to chase it down, I'll be happy to show you where the last few Sendmail vulnerabilities were found. Clue: not in the crazy Sendmail features that qmail lacks.

But that's besides the point. You didn't answer my question.

Name a piece of code of comparable complexity to qmail that's never had an integer overflow. Here's another hint: Perl isn't one of them.