> Sendmail has a bad rap because many exploits were FOUND and fixed. How many pieces of software do you use day-to-day that have many exploits that are still in hiding, or worse, only in the hands of the black hats? So, does sendmail deserve its bad reputation? Or should it be called far more tested and secured than any of its competitors?

Had. A bad reputation, that is. I wondered what on earth was going on when that original worm hit the network at large ...
Why did sendmail get its poor reputation? Mostly because it was an easy, popular target. Only marginally less popular than Windows :-) That's the point -- it's a nice target. Hitting sendmail hits a very large part of the Internet's mail network. That makes it attractive from the hacker's point of view ...
The last update to sendmail was at the end of March. Last year we had a bit of a flurry. The recent actual exploits on Linux/Unix based software that have had any serious impact have been against SSL-related software (security is very hard to get right anyway) and against bind (a _much_ more attractive target than sendmail, since that takes the whole Internet out :-))
Someone commented that they don't like sendmail because it's a single monolithic program. Well, at 1.8M it's a helluva lot less monolithic than the kernel ... It's a very poor way to judge a program, though. What matters is how it's put together. The kernel isn't a monolith, as I'm sure you'll agree; it's highly modular. Have you delved into sendmail? It's very well put together. It wasn't all that bad at 5.65, but now it's better.
More than its structure, though, is the number of eyes it's had run over it. It's had, oh, 20 years of development; a lot has been learned and, yes, in 20 years a lot of bugs have been fixed and a lot of redesign done to get it better.
Postfix is nowhere near as old. It's not had the number of eyes, or the amount of usage. It's not surprising that the number of bugs uncovered is smaller, is it?
Make your own judgements, but I'll stick to sendmail -- but then I prefer to stick to conservative, well-tried solutions when I'm doing anything that's exposed to the big bad world. Outside of that I'm happy to run the leading-edge kernel, RH beta, etc., and get cut now and again; that leading edge is a bit sharp.
jch
--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list