[947] in linux-security and linux-alert archive


Re: [linux-security] sendmail security

daemon@ATHENA.MIT.EDU (John Henders)
Wed Jul 24 06:34:40 1996

To: RDMiller@legislate.com (Miller, Raul D.)
Date: Tue, 23 Jul 1996 20:12:05 -0700 (PDT)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <31F3CD74@smtpgw.legislate.com> from "Miller, Raul D." at "Jul 22, 96 11:48:00 am"
Reply-to: jhenders@bogon.com
From: John Henders <jhenders@bogon.com>

Miller, Raul D. writes:

> An example of a mailer which performs at least as well as sendmail, and 
> doesn't have sendmail's security problems exists at 
> ftp://koobera.math.uic.edu/pub/software/
> 
> The most recent version is qmail-0.76.tar.gz
> 
> It's still in beta, but several CERT announcements have gone out on sendmail 
> (and analogous mailers, such as smail) and in each case qmail has not 
> exhibited the problem.  (qmail is coded very defensively).  The reason it's
> still in beta has to do with large scale deployment issues -- administration, 
> list management, backwards compatibility with (a minimal set of) sendmail
> features.

Qmail is nice, but in defence of smail, I'd like to point out that smail
has had _one_ CERT notice since they started doing CERT advisories.
There was one other problem with the Slackware distribution of smail as
it was configured wrong (big surprise there). 

Qmail appears very secure, but I don't like all the things that have
been moved under the user's control.

[REW: I don't believe that the number of CERT warnings is a measure
for security. If company X releases patches to found problems within
a week (with possible further weaknesses) and another waits for a year
gathering lots of security patches together, the last one will get
far fewer CERT warnings than the first.....]

-- 
      Artificial Intelligence stands no chance against Natural Stupidity.
                GAT d- -p+(--) c++++ l++ u++ t- m--- W--- !v
                     b+++ e* s-/+ n-(?) h++ f+g+ w+++ y*

