Re: [SLUG] mail server.

From: Paul M Foster (paulf@quillandmouse.com)
Date: Sat Nov 17 2001 - 18:08:51 EST


On Sat, Nov 17, 2001 at 11:18:34PM -0500, Ronan Heffernan wrote:

<snip>

> I was the sys admin for my
> company's servers (external and internal), and we were compromised 3
> times in 2 years; at least twice, we basically "proved" that the
> crackers came in through sendmail (that's why I switched to qmail).

Well of course. Where else would they come in? The most used service on
most internet servers is email or http. So exploits will probably be
one of those two.

> "certainly not true for any sendmail released in the last 3 years": I
> know that the sendmail people are responsive and fix problems, but has
> any four month period gone by in the last three years that didn't see
> another compromise/exploit discovered? It is possible to apply patches
> to keep one step ahead of the crackers, but it is a lot of work, much of
> which is necessitated by sendmail.
>

LWN features exploits weekly for almost any program you can imagine. And
given that sendmail is so ubiquitous, I'd expect most exploits there.
That doesn't mean it's inherently insecure.

As for qmail, the license and author's attitude pretty much say it all.
I think Derek (?) has a pretty good rant about djb. Who's gonna try to
exploit qmail? Not that many people run it, partially because of djb's
attitude.

Sendmail's okay, just complicated to set up sometimes. If you're not
interested in sendmail, use exim or postfix, both under active
development. Exim is the default for Debian, which is a good
recommendation.

Paul



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:24:06 EDT