[TriLUG] Which is better?
bak at picklefactory.org
Wed Oct 10 22:10:50 EDT 2007
I have only my anecdotal admin experience of patching or upgrading
again, and again, and again in response to security bulletins regarding
Sendmail. In a heterogeneous environment this gets old fast, believe me.
But just for fun, I went and searched CVE (cve.mitre.org) for a strict
count of reported vulnerabilities. I started at 2001, as that's when
the first Postfix vulnerability was reported.
Of course Sendmail has a much wider usage, in that it's the default
mailer still in Solaris, AIX, etc. etc. But still -- 10:1, FWIW.
I do agree with you that 15 years ago security was not much thought of.
But Sendmail stagnated, for the most part, and Postfix, exim, & qmail
have filled in the Unix mailer gap. qmail in particular, but also
Postfix, take a pretty strict "never lose it" approach. Barring
sudden loss of power I have never seen qmail lose a single message.
Like I said, no reason for a person who values his sanity to do a new
Sendmail install. :)
Joseph Mack NA3T wrote:
> On Wed, 10 Oct 2007, bak wrote:
>> Sendmail has had a long and storied history of vulnerabilities, though
>> lately it's been far more robust.
> I don't like sendmail any more than the next person (the m4
> config file was for an era before IP dominated networking
> and when an MTA was expected to handle all protocols),
> however in the absence of a reference to hard data, your
> statement here seems a little harsh. I don't have any data
> either to rebut your statement, so I'm in no better position
> than you to speak. I don't know what "lately" is, so I'll go
> with this
> o sendmail was written in an era when people were glad for
> anything that worked, and people were expected to write
> clients which abided by the protocols, or else programs
> would crash. Sendmail in this case has the disadvantage of
> being first off the block.
> o at a Lisa/Sage conference about 10yrs ago, the sendmail
> code was held up as an example of safe coding, in that it
> was impossible to lose a piece of e-mail: it would either
> be delivered or returned as undeliverable. The speaker
> seemed to regard the code as all round well written.
> I agree that sendmail is horrible to configure (it should
> have shed its non-IP capabilities long ago), and if it's not
> secure, I'm sorry to hear it. I don't know why Allman didn't
> rewrite it 10yrs ago but instead allowed postfix etc to take
> over the niche.