On 2020-04-08 12:08, Rudolf Leitgeb wrote: >> I believe that is false too. > You're kidding, yes? Did you somehow miss the opensmtp hole? > > https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
OpenSMTPD does not listen to the internet, by default and even if you do set it to, it only affected certain configurations. Is it hard to write a secure mail server, sure. Look at exims bugs. If your project, like most could; has made sane design choices for simple interfaces then it certainly can be made very secure, remotely unhackable is easier than you think for a modest project. You cannot take the easy road though. How the heck sshd has such as good security record, considering all that it does, interface wise, is rather astounding. I guess a remotely critical bug may be found there one day, but it does not affect my point!
