On Nov 30, 2007 4:32 PM, Liviu Daia <[EMAIL PROTECTED]> wrote:
> On 30 November 2007, Amarendra Godbole <[EMAIL PROTECTED]>
> wrote:
> > Please note that postfix does not undergo the rigorous code scrub that
> > sendmail goes through.
> [...]
>
> Will you please cut the crap? Thank you.
>
> Unlike Sendmail, Postfix was written from scratch with security in
> mind. It had only one published security flaw since its first public
> release in 1998. The author, Wietse Venema, is also the author of
> SATAN and tcpwrappers. He knew one or two things about writing secure
> code long before OpenBSD came into existence. The objections people
> occasionally have against Postfix are related to its license, not the
> code quality. [...]

I guess my statement was misinterpreted - I did not question the security of postfix, but asserted that sendmail, being in base, was code audited by OBSD developers. I surely trust stuff from the base more than something that gets installed through a port.

As a second note, postfix as a standalone entity may be secure, but I am not sure how secure it will be if it starts interacting with some other piece of software. Also, off the top of my head I can say that postfix's 'mailq' gets me the status even as a normal user, while that of sendmail does not (maybe I am wrong, and defaults have changed now). YMMV.

-Amarendra

