[I'm assuming and hoping Bill won't mind my posting this on-list.]

Quoting Bill Broadley ([EMAIL PROTECTED]):

> Heh, I pissed off your mailserver, a recent change to our aliases had left
> out postmaster, and your server seems to cache its probe of the postmaster
> address. Presumably the cache expires at some point. Sorry about that.

Upon seeing your note (above), I exempted cse.ucdavis.edu from the checks for RFC-mandated mailboxes (abuse and postmaster).

> I'll try to resend my previous mail later, but I did want to mention
> that I do agree with Ranum in that patching to justify running crappy
> software is inexcusable. But I pick my network-facing applications
> rather carefully, things like postfix, apache2, ssh, ISC bind, etc.

Well, FWIW, I think all of those things are overfeatured for most/many deployments. BIND9 is, even after Nominum's from-scratch rewrite that replaced the BIND8 spaghetti code, still a mess at the design level, and OpenSSH is sadly dependent on the horribly buggy OpenSSL spaghetti code. Apache2 is reasonably implemented but has way, way too much that it's willing to do. It's capable of being locked down, which is the good news in that picture, but I personally prefer Lighttpd or even Boa/thttpd for many deployments. I respect Postfix, but wish there were a general-purpose MTA that was a _bit_ more bare-bones.

If you implement less overfeatured alternatives _or_ limit the functionality of the overfeatured thing you did choose, you can probably ignore most security advisories after skim-reading them to make sure you have buggy module [foo] disabled, and thus elude the patch treadmill.

Note Ranum's example:

    Back in 1996 a buddy of mine and I set up a web server for a
    high-traffic significant target. It was not the White House; it was a
    porn site. We invested 8 hours (of our customer's money) writing a
    small Web server daemon that knew how to serve up files, cache them,
    and virtualize filenames behind hashes. It ran chrooted on a version
    of UNIX that was very minimized and had code hacked right into the IP
    stack to toss traffic that was not TCP aimed at port 80. 10 years
    later, it's still working, has never been hacked, and has never been
    patched.

When I was chief sysadmin at a one-time famous Linux company in San Francisco, I insisted (against management qualms) on using a stripped-down Boa installation for an important site deployment. Years later, when the firm shut down, I believe they were still running my unpatched installation, and with no problems.

> But even when you make decisions where you carefully consider the
> security implications and try to pick the most practical solution not
> patching for 5 years seems impossible at least for a non-trivial set
> of servers and services.

Ranum begs to differ.

I'm still working on getting OpenSSL out of my life. Maybe GNU TLS will turn out to be less of a basket case -- but that's been a problem area, and difficult to replace.

_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
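As an added illustration of the "limit the functionality of the thing you did choose" approach the post argues for (this is not from the original message or from the Lighttpd project), here is a Lighttpd configuration that loads only the access-control and logging modules, serves static files from inside a chroot, and drops privileges. The paths and account names are assumptions to adjust for the deployment.

```conf
# Minimal static-file Lighttpd configuration (added example; the paths and
# account names below are assumptions, not from any real deployment).
# Only two optional modules are loaded: URL access control and request
# logging. Nothing here enables CGI, FastCGI, proxying, WebDAV, SSI,
# rewriting or status pages, so advisories against those modules can be
# skipped after the skim-read the post describes.
server.modules = ( "mod_access", "mod_accesslog" )

# Run as an unprivileged account inside a chroot. The daemon must be
# started as root so that it can chroot and then drop privileges.
server.username  = "www-data"
server.groupname = "www-data"
server.chroot    = "/srv/www-jail"

# document-root is interpreted relative to the chroot.
server.document-root = "/htdocs"
server.port          = 80
index-file.names     = ( "index.html" )

# Logs are opened before the chroot and privilege drop take effect, so
# these are host paths; keep them so requests remain visible even on a
# deliberately minimal server.
server.errorlog    = "/var/log/lighttpd/error.log"
accesslog.filename = "/var/log/lighttpd/access.log"

# No directory listings, and refuse to serve script-looking or backup
# files even if one ends up in the tree by mistake.
dir-listing.activate           = "disable"
static-file.exclude-extensions = ( ".php", ".pl", ".py", ".cgi", ".fcgi" )
url.access-deny                = ( "~", ".inc", ".bak" )

# Do not advertise version details in the Server header.
server.tag = "httpd"

mimetype.assign = (
  ".html" => "text/html",
  ".css"  => "text/css",
  ".js"   => "application/javascript",
  ".png"  => "image/png",
  ".jpg"  => "image/jpeg",
  ""      => "application/octet-stream"
)
```

Every module left out of server.modules is one whose advisories do not apply to this host; a full-featured configuration for the same daemon would load many more and inherit their patch treadmill.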
