On Thu, 4 Oct 2001 [EMAIL PROTECTED] wrote:

> Hmmm... You did not answer the points I raised
> regarding about sendmail. Instead, you put this
> link of security thingy which can be another
> topic altogether.

Yes, I intentionally did not answer them because to me they are non-issues. The mere fact that a lot of 'big' companies use sendmail means squat, because the fact that they are 'big' companies does not necessarily mean they make the _CORRECT_ decisions with respect to technology. Most of the time, their decisions are born out of politics, laziness and money. And yes, contrary to what you said, it's the 'pre-installed' factor that actually is the reason why sendmail is used, because money-wise, it makes no sense spending for replacing pre-installed technology with another unless the technical issues are fully understood. In this case, if these people really know what the technical issues were, sendmail would have been retired for good.

I am a developer and I know the design of the products, which means what goes on inside postfix and qmail, and yes, sendmail, as I've hacked on the code several times over. So it's more than just 'bashing' sendmail for no reason, because to those that have reviewed the code and design, it's so clearly obvious that newer MTAs are much more efficient and secure.

> And you know what? In all my e-mails about
> sendmail I did not say it's the most *secure* of
> all mta. Why brought this topic out?

Because in my points I clearly stated that sendmail, being of monolithic design, is so terribly prone to security issues that even though a handful have been discovered recently, there are sure to be others just waiting to be exploited. Sendmail wasn't designed to be secure from the start, and no amount of security patches can take away this fact.

> You need shell access on the mailserver. Since
> you were concerned about the fortune
> companies/large ISP's getting hit, It's no big
> deal for them. What can anybody hacker wannabe do
> if only port 25 exists on the mailserver? no
> telnet, pop3/imap, even no ssh!

If only port 25, and assuming there is no remote root just waiting to be discovered.

In any case, a server with only port 25 open is rare, and most of the time admins just take the stock install and deploy it. It's not conjecture, it's fact! That's why the Solaris worm was so prolific in the first place! Given that, all it takes is to break in as a normal user, and then exploit sendmail to get a root prompt, right? That's nice to know. Very assuring.

> these fortune companies to ditch oracle instead :)

The issue at hand here is MTAs, not databases. Heck, a lot of F500 companies use IIS? Given the same train of thought, do you see anyone blinking?

> Oh well. I think you misunderstood me. I'm not,
> repeat, a sendmail advocate/zealot. My views are
> that postfix/qmail/sendmail/exim mta's are good.
> They have their strengths and weaknesses. Hell,
> if you ask me, I'll go for exim rather than
> sendmail for low/medium loads. sendmail for
> company/enterprise mail server.

That's your opinion, which I respect but totally disagree on.

> > and age, NO new and modern day linux
> > user/admin should _EVER_ consider using
> > sendmail when there exists more mature and
> > efficient MTAs going around.
>
> Can you backup your statements with hard facts?
> Talk is cheap, give the reasons why.

In another post I gave the reasons why. I actually enumerated them.

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
