Jonathan,

I agree to a certain point, but Sendmail's architecture, a monolithic program that runs as root, is bad. That's what makes any slip in programming as bad. As for the other popular MTAs (exim, postfix, and qmail) I think they are pretty thoroughly checked out. After all Dan Bernstein offered up his own cash for anyone who could find a security hole in qmail in 1997 and still no one has collected:

http://cr.yp.to/qmail/guarantee.html

And both Exim and Postfix were able to learn from Sendmail's mistakes. You have to remember that Sendmail is still stuck providing all of the cruft that was added in to make this or that feature work when the Internet was a much friendlier place, and now has to make all of that work securely in our modern world.

Scott Helms

On Thu, 2003-07-24 at 13:08, Jonathan Gardner wrote:
> On Wednesday 16 July 2003 17:41, Mark Hoover wrote:
> > Not trying to say that there is an exploit either. It's just easy to get
> > overconfident about the security of your system just because there aren't
> > any updates or exploit notices......
>
> Agreed. If Joe Hacker puts together a mail server tomorrow, or he has been
> using his own mail server for the past three years, just because he doesn't
> see any exploits doesn't mean none exist. The same holds true for projects
> that don't have the same mindshare and deployment as sendmail has in its
> heyday.
>
> Sendmail has a bad rap because many exploits were FOUND and fixed. How many
> pieces of software do you use day-to-day that have many exploits that are
> still in hiding, or worse, only in the hands of the black hats? So, does
> sendmail deserve its bad reputation? Or should it be called far more tested
> and secured than any of its competitors?
>
> --
> Jonathan Gardner <jgardner@xxxxxxxxxxxxxxxxxxx>
> (was jgardn@xxxxxxxxxxxxxxxxxxxxx)
> Live Free, Use Linux!

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list