> Yes I intentionally did not answer them because to me they are non-issues.
> The mere fact that a lot of 'big' companies use sendmail means squat
> because the fact that they are 'big' companies does not necessarily mean
> they make the _CORRECT_ decisions with respect to technology.

You're assuming again! Have you ever actually seen the operations of a data center of a medium/large company? You would not say that if you had seen one. :) I've met some, and these people are really good and they know what they are doing. Comparing IT security skills, I'm nothing compared to them. You're assuming that the people who work there are dumb. In reality, they are not. You've been reading too many Slashdot comments lately? :) There are gems in some comments... in a sea of shitty comments. :)

> Most of the time, their decisions are borne out of politics, laziness and
> money. And yes, contrary to what you said, it's the 'pre-installed' factor
> that actually is the reason why sendmail is used, because money-wise, it
> makes no sense spending for replacing pre-installed technology with another
> unless the technical issues are fully understood.

Another assumption! Many would agree with you, because what you're saying, reading your comments, are "sound" opinions. But reality is different. People in the IT industry generally are smart. Of course, there are always exemptions to the rules.

> In this case, if these people really know what the technical issues were,
> sendmail would have been retired for good.

So, people working in Sun, HP, IBM, Red Hat, Slackware, and a dozen more companies don't know the technical issues because they are running sendmail as their default MTA?

> I am a developer and I know the design of the products which means what
> goes on inside postfix and qmail, and yes, sendmail, as I've hacked on the
> code several times over. So it's more than just 'bashing' sendmail for no
> reason, because to those that have reviewed the code and design, it's so
> clearly obvious that newer MTAs are much more efficient and secure.

Okay... so you have reviewed them all. That's good.

> If only port 25, and assuming there is no remote root just waiting to be
> discovered.

You can just imagine how many ways they secure their machines even with just port 25 open. Even with a remote root exploit available for sendmail, they can still secure it. Trust me, they can. I'm not saying this out of thin air.

> In any case, a server with only port 25 open is rare, and most of the time
> admins just take the stock install and deploy it. It's not conjecture, it's
> fact!

Hmm... you're assuming two things again: that it's rare and that sysadmins are stupid. Reality is different.

> That's why the solaris worm was so prolific in the first place! Given that,
> all it takes is to break in as a normal user, and then exploit sendmail to
> get a root prompt right? That's nice to know. Very assuring.

Sorry, but the Solaris worm does not target port 25. And you will only be affected if you install Solstice AdminSuite (second-hand goods! Veritas still rules.) and port 111 is open. The exploit targets the sadmind daemon via inetd. Actually, it's an RPC service running via inetd.

> The issue at hand here is MTAs not databases. Heck, a lot of F500 companies
> use IIS? Given the same train of thought do you see anyone blinking?

Sorry, I dunno about IIS. I know little about it.

> In another post I gave the reasons why. I actually enumerated them.

Hmm... I've seen no hard facts.

regards,

---
Andre Varon, CSA
http://andre.lasaltech.com

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
