At 23:04 01/02/01 -0700, Mike Forrester wrote:
>Sendmail has had an infamous past, but according to the security focus
>database, there have been only 5 vulnerabilities in the past four years.
>Only one last year and that one has no known exploit.  Is sendmail still
>that bad?

sendmail got better. now, it's up to you to decide whether to use it or not.
pros:
- it's widespread (it's everywhere)
- the various replacements haven't been used enough to guarantee they are
as secure as they claim.
- people know how to install it, configure it,... so you'll get support easily..
- many of the problems that we found were due to the "collaboration" with
other programs. so sendmail was wrong in trusting 'em, but isn't the only
guilty software (there were however problems related to sendmail by itself).
- you can still install proxies or more secure MTAs at sensitive places if you
really want.
- it apparently has more developers and is supported by sendmail Inc.
- it supports SMTP authentication and SASL. not sure whether this has been
added to other MTAs.

cons:
- as you said, it had a bad past.
- the code is unreadable, unmaintainable, .... which makes it suspicious from
a security standpoint. it needs a complete rewrite...
- it's hard to configure
- it's DNS-aholic. if you wanna make it work, make your DNS work first!
- it has many things coded for optimizations, that are not optimal!
- postfix has been written by Venema (the tcp wrappers guy) and seems more
"rational" and more "secure".
- qmail seems to be a good substitute too. (but its author has been rude in
the news when criticizing sendmail. that probably has played a role to keep
many sendmailers with sendmail...)

so, you're on your own to choose the right MTA for you.


>   Why does everyone still bash it?

it's a kind of "hey guy, why the hell have you written your code that way?"
other programs aren't that bashed cos' they aren't as used as sendmail.

>  Is it just because they were
>burned badly by an experience?

that's the original reason, which in turn showed that it was not "written
securely".

>   What about the version that comes with
>OpenBSD?

you should generally check sendmail.org and get a recent version (not
necessarily the last, but check which problems have been fixed) anyway. you
can use the one that comes with *BSD, but updating is generally worth the
pain (unless you already have a recent version).

>  Forgive my ignorance but I've never had to admin a UNIX based mail
>system and I'm currently debating on which one to learn.

use whatever you want, but configure it correctly. sendmail configuration
is a nightmare if you want special things. so you might want to try qmail.


>I'm interested in your thoughts and ideas.  I'm mainly interested in
>preferences supported by features, security, tuning, maintenance, etc and
>not just "qmail rules".  Please reply to me directly as this is a firewalls
>list and I do not wish to start a holy war.
>Mike
