tobold.org


Sendmail or qmail?

In article <brad-2105991310410001@brad.techos.skynet.be>,
Brad Knowles <brad@shub-internet.org> wrote:
>> Sendmail has earned itself a very bad reputation for security, however I
>> find it hard to blame software when I find systems running versions of
>> sendmail like 8.6.x, we are now up to 8.9.3.

So it's OK to use code with security holes in it, so long as you patch
them as soon as they're discovered?

Of course, given the current state of the art, it is part of an
administrator's responsibility to ensure that patches are applied to
fix security holes in various parts of the system.  I don't expect
this to change for a long time.  But just how many security holes have
been found in sendmail in the last few years?  (And how many in qmail?
That's easy: 0.)

>> The root of the problem
>> is that almost everyone runs sendmail

No, the root of the problem is sendmail's poor design.  Version 8.8.5
is a classic here: it was released to fix a buffer overrun in the MIME
handling code.  If sendmail didn't do everything as root, this would
have had minor implications.  As it was, everybody had to upgrade, about
8 weeks after they'd upgraded *to* 8.8.4 to fix the problems in 8.8.3...

Sendmail's poor reputation is well-deserved.  The problem is not that
its authors occasionally make mistakes (don't we all?).  The problem is
that sendmail's design, a single monolithic program, running as root,
and connected to the outside world via TCP/25, means that even the
tiniest oversight is likely to lead to local or remote root exploits.

Tim.
--
Tim Goodwin   | `I can't believe that someone is releasing
University of | something called "Unix" without something
Leicester, UK | called "/bin/sh".' -- Randal L. Schwartz

Original headers:

From: tjg@ltpcg.star.le.ac.uk (Tim J Goodwin)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Sendmail or qmail?
Date: 21 May 1999 15:43:39 +0100
Organization: University of Leicester, UK
Message-ID: <7i3rer$u1n$1@ltpcg.star.le.ac.uk>
References: <374435ff.7896866@news.rmci.net>
  <7i3dgu$5kt$1@spruce.ukc.ac.uk>
  <brad-2105991310410001@brad.techos.skynet.be>
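The design point argued above, that a bug in a network-facing daemon only becomes a root exploit because the daemon is still root when it parses untrusted input, is illustrated by the following added example (written for this page, not code from the post, from qmail or from sendmail). Root is used only to bind the port; before any input is read the process drops to an unprivileged user and verifies that root cannot be regained. The uid/gid 65534 ("nobody") and the port 2525 are assumed values.

```c
/* Added example: bind as root, then drop root irrevocably before handling
 * network input. Assumes uid/gid 65534 and port 2525 (constructed values). */
#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Drop root permanently. Returns 0 on success, -1 on failure.
 * If the caller is not root there is nothing to drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return getuid() == 0 ? -1 : 0;
    if (setgroups(0, NULL) != 0)   /* supplementary groups first */
        return -1;
    if (setgid(gid) != 0)          /* group before user: setgid needs root */
        return -1;
    if (setuid(uid) != 0)          /* as root, this sets real/effective/saved uid */
        return -1;
    return 0;
}

/* Returns 1 only if no uid is root and root cannot be regained;
 * a leftover saved uid of 0 would let setuid(0) succeed. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return 1;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(2525),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        perror("bind");
        return 1;
    }
    /* The privileged port is bound; nothing else needs root from here on. */
    if (drop_privileges(65534, 65534) != 0 || !privileges_dropped()) {
        fprintf(stderr, "could not drop privileges, refusing to serve\n");
        return 1;
    }
    printf("listening on 2525 as uid %d; root cannot be regained\n", (int)getuid());
    close(fd);
    return 0;
}
```

A parsing bug after this point is still a bug, but it is confined to uid 65534 rather than to root.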
