Paul D. Robertson wrote
>
> Historical defects would be proof, not sure how rigorous you need, but
> it's a no-brainer in my opinion. Sendmail's design and history carry a
> lot of baggage that doesn't have a good place in a security solution.

I have no problem with this. I know sendmail's past experience.
but I'm not convinced that "if security is needed, then sendmail
_MUST_ be replaced with qmail".

one can say "you should...", "I advise you ...", but not
"you must replace sendmail" (although I am not sure that the original
poster means this, a sentence like "firstly kill off sendmail..."
can't go without reaction).

in other words, I am not arguing that sendmail is the best MTA,
or that qmail is bad.

I personally don't like qmail, but that's only a personal opinion.
first I don't like the restrictive license (the one I read on qmail.org).
second, I don't like having/seeing/... about 300 files (including .[ch]
source files) in a single directory. I also like well indented code. I don't
find qmail's code readable (for me at least).
All this is not really important, but it makes me feel something is not
ok... just a feeling, but you can't get rid of feelings.
(Note that I absolutely hate sendmail's code, and infinitely prefer that
of qmail. but I wanted to say that qmail is not perfect).

> > Sendmail is still widely used, and not only by stupid people.
>
> The Baywatch argument doesn't hold water in security.

If you understand it in the sense that there are many nice guys who
know what security is, and who still use sendmail, then that's an
argument, unless you can prove they are wrong.

In other words, to change a habit, you have to prove that it's bad,
even if you are right.

> It's stupid.  I've *never* relied on the smap/sendmail combination, even
> on Gauntlet.

I don't like smap/smapd but the minimality of the code makes them more
secure than direct use of the MTA, provided you don't need unsupported
functionalities.

> Anyone with a good clue who was still using smap when
> anti-relay code became necessary probably switched to something else then.

some guys have simply added anti-spam code.

> People who were stuck not modifying installs probably stuck a different
> MTA on the outside as the primary MX.
>
> I prefer Postfix to qmail, but both are easily better solutions to
> mail gatewaying than sendmail.  Exim would probably be my third choice.
> If you need a specific feature of sendmail, then by all means use it, but
> if you don't, a smaller more modular MTA is preferable, most especially on
> a firewall.

there's another argument for sendmail. I know a little about it, a little
which is still more than what I know of qmail. and that makes a difference.
It makes me reluctant to switch unless I am convinced to do so. and, I am
not yet convinced to switch.
