On Tue, Dec 30, 2003 at 03:50:13PM -0600, McKown, John wrote:
> There is some discussion about not wanting SendMail due to its "many
> exploits".

If it's not running in daemon mode, it can't be exploited remotely. You'd already need to be logged in, at which point, you're already a lost cause wrt security. Make sure your security types understand that in non-daemon mode, the MTA runs only when there is a transmission to make, and then ceases to exist until the next message needs to be sent. The MUA invokes it, and it ends when the message is sent or queued (retries are done at the next invocation of the MTA -- nothing sticks around to try stuff periodically).

> Also, the thought was "why implement an MTA when we're not
> receiving any mail, just sending it."

Unfortunately, that's the way Unix mail works. /bin/mail and /bin/mailx depend on an MTA to operate. You could write a short script to connect to a remote MTA and do the SMTP protocol yourself (which would require the remote MTA to allow relaying from your host, which is a much bigger security hole than a properly configured local MTA).

> simply point the Pine config to the actual SMTP server. Hum, I wonder if
> that could be done in this case. Again, this is only for outgoing "email
> alerts".

Pine does have line-mode commands to allow it to be used this way, but a properly configured local MTA with a smarthost configuration is a lot less difficult to manage and audit. You can be certain that if you write your own client, the next thing they'll ask for is an audit trail. You get that for free with the MTA.

> Is there an MUA which can talk to an SMTP/MTA server on a different system
> and is easily scriptable?

Perl has all sorts of prewritten widgets available from CPAN to do this. Regina, PHP, Python, etc. all can do it, with a bit more work.

-- db
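
The scripted-client option discussed above, sketched in Python as an added example that is not part of the original message: it hands an alert to a remote relay and writes its own audit line, including the Message-ID needed to match the relay's log. The relay name `smtp.example.com`, the logger name and the sample addresses are assumptions, and the script neither queues nor retries, which is the part a local MTA does for you.

```python
import logging
import smtplib
from email.message import EmailMessage
from email.utils import formatdate, make_msgid, parseaddr

SMARTHOST = "smtp.example.com"  # assumption: placeholder for the site's relay
audit = logging.getLogger("alertmail.audit")  # hypothetical logger name


def build_alert(sender, recipient, subject, body):
    """Build the alert; refuse line breaks that would inject extra headers."""
    for value in (sender, recipient, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in header value")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    # The Message-ID is what ties an audit line to the relay's own log entry.
    domain = parseaddr(sender)[1].rsplit("@", 1)[-1]
    msg["Message-ID"] = make_msgid(domain=domain)
    msg.set_content(body)
    return msg


def send_alert(msg, host=SMARTHOST, port=25, smtp_factory=smtplib.SMTP):
    """Hand msg to the relay, audit the outcome, return refused recipients."""
    fields = (msg["Message-ID"], msg["From"], msg["To"], host)
    try:
        with smtp_factory(host, port, timeout=30) as smtp:
            refused = smtp.send_message(msg)
    except (smtplib.SMTPException, OSError) as exc:
        # No queue here: a failed send is lost unless the caller retries.
        audit.error("id=%s from=%s to=%s relay=%s status=failed err=%r",
                    *fields, exc)
        raise
    audit.info("id=%s from=%s to=%s relay=%s status=sent refused=%s",
               *fields, sorted(refused))
    return refused


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO,
                        format="%(asctime)s %(name)s %(message)s")
    alert = build_alert("alerts@host.example.com", "ops@example.com",
                        "disk usage above threshold",
                        "constructed sample alert body\n")
    send_alert(alert)
```
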
