Re: [SLUG] mail server.

From: Ronan Heffernan (ronan.heffernan@mindspring.com)
Date: Sat Nov 17 2001 - 23:18:34 EST


>
>
> The SMTP server is usually a program called "sendmail". This
>is an old program, that is pretty much the UNIX standard around the
>world. Unfortunately, it is also the most commonly exploited port of
>entry for malicious "crackers". I recommend qmail instead.
>

Strong assertion and certainly not true for any sendmail
released within the last 3 years -- I'd choose IIS and Nimda
as the most common port of entry, and Outlook as a close #2;
If restricted to Open Source, the portmap, bind, and lpr holes
are each much worse.

... all ship safe on Red Hat -- dunno on other Linux's

Sorry about forgetting that anyone would use Win32 as an Internet server
(and thus neglecting IIS, Outlook). I was only thinking UNIX. And no, I
still assert that among UNIX boxen, sendmail is probably the most
exploited service. Relatively few boxes run bind (at most ISPs, you
find 2-3 boxes running DNS, and dozens or hundreds running HTTP and SMTP
servers). I can't imagine running portmap or lpr on an Internet server
unless you have a very specialized need! I was the sys admin for my
company's servers (external and internal), and we were compromised 3
times in 2 years; at least twice, we basically "proved" that the
crackers came in through sendmail (that's why I switched to qmail).
 "certainly not true for any sendmail released in the last 3 years": I
know that the sendmail people are responsive and fix problems, but has
any four month period gone by in the last three years that didn't see
another compromise/exploit discovered? It is possible to apply patches
to keep one step ahead of the crackers, but it is a lot of work, much of
which is necessitated by sendmail.

Right off the sendmail.org homepage, under the heading NewsFlash:

    * Sendmail 8.12.1 <http://www.sendmail.org/8.12.1.html> is
      available; it fixes a potential local security problem for several
      operating systems.
    * Sendmail 8.11.6 <http://www.sendmail.org/8.11.html> is available;
      it fixes a security problem with command line processing.
    * Sendmail 8.11.0 <http://www.sendmail.org/8.11.0.html> is
      available; it includes support for STARTTLS and SMTP AUTH encryption.
    * An important security announcement
      <http://www.sendmail.org/sendmail.8.10.1.LINUX-SECURITY.txt> has
      been released regarding a Linux kernel bug in versions up to 2.2.15.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:21:51 EDT