[SLUG] Sendmail security?

From: Brett Simpson (Simpsonb@hillsboroughcounty.org)
Date: Fri Apr 05 2002 - 17:04:38 EST


Recently I had a security consultant come in and offer to take a quick look at our network, and he mentioned that he could do a number of things to Sendmail that could get it to cough up information, and other things that he should be able to do. I don't know the exact details of what he said because I'm only getting bits and pieces from my managers' closed meeting. Does anyone have any comments about this? Has anyone heard of Sendmail 8.11.6-3 and up being hacked into or exploited?

I did see a number of documents that referenced Sendmail as having numerous security issues, but none of them listed the versions of Sendmail that had these issues. Other websites say that Sendmail can be secure depending on how you configure it. According to the Sendmail website, the latest release corrects a number of bugs and makes Sendmail 8.12 more secure than 8.11 and below by forcing it to run as a non-root user.

The big question of the day is... should Postfix be used over Sendmail 8.11.6-3 or 8.12?

If only Sendmail 8.11.6-3 is bad, how about Sendmail 8.12?

Or am I OK with Sendmail 8.11.6-3 provided I do certain things?

Brett


