Les Mikesell wrote:
> Sendmail is no different in terms of security holes than named, sshd,
> ftpd, or the kernel itself. They've all had security holes and fixed
> them. Why single out sendmail in this respect?
Because a badly-configured e-mail server can easily be an open relay --
enabling criminal activity and making a real pain of itself to the rest
of the Internet.
That is separate from "security holes". If "security holes" was a reason
not to allow Sendmail to listen to the network by default, it would be
an even better reason not to allow it anywhere near the install media.
Demanding that potential mail server admins know how to configure the
software they are using so that it doesn't become a vector for spam and
malware is not irresponsible, it is *highly* responsible.
If a Sendmail admin finds the sendmail configuration process is obscure,
then they should either find out how to configure it or find a different
MTA. Otherwise, it is highly likely that they will aid and abet some
very nasty criminals. (I shouldn't need to make a list -- look in your
spam box).
There is a very strong argument that this means sendmail should not be
installed by default -- the people who really want it can yum install
it, and the rest of the world can use something more sane. This argument
is currently going on on other Fedora mailing lists, and it looks very
likely that Sendmail will not be the default MTA in Fedora 7.
I still don't think you've thought through the alternatives, too. A
server *must* be secure by default. That means that there are only two
other real alternatives -- an MTA which accepts e-mail from the world,
but only sends e-mail that has originated on that computer (and relays
nothing), and an MTA which accepts e-mail from the world, and relays
e-mails if the sender has authenticated.
The first option, I would suggest, is relatively limited in its use --
it still can't be a mail server for other computers. The other one is of
more use, but given the state of public key cryptography, it would
*still* need the admin to set up PKI to ensure that the passwords that
were exchanged couldn't be eavesdropped (think man-in-the-middle
attacks).
And no, relaying for computers on the local network by default is not
acceptable, since Red Hat and Fedora cannot tell that a particular
computer should relay for other computers on the local network, or that
other computers on the local network are even part of the same
organisation. (Think hosting companies -- a lot of them offer Red Hat
and/or Fedora).
James.
--
E-mail: james@ | Sometimes being a pedant is too much like work.
aprilcottage.co.uk | -- Anthony de Boer
| Other times it's _fun_.
| -- Mike Andrews
