From owner-freebsd-questions Thu Nov 16 10: 2:13 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from donkeykong.gpcc.itd.umich.edu (donkeykong.gpcc.itd.umich.edu [141.211.2.163])
    by hub.freebsd.org (Postfix) with ESMTP id 5FB1237B4C5
    for ; Thu, 16 Nov 2000 10:02:10 -0800 (PST)
Received: from qbert.gpcc.itd.umich.edu (smtp@qbert.gpcc.itd.umich.edu [141.211.2.151])
    by donkeykong.gpcc.itd.umich.edu (8.8.8/4.3-mailhub) with ESMTP id NAA23668;
    Thu, 16 Nov 2000 13:02:09 -0500 (EST)
Received: from localhost (timcm@localhost)
    by qbert.gpcc.itd.umich.edu (8.8.8/5.1-client) with ESMTP id NAA06592;
    Thu, 16 Nov 2000 13:02:08 -0500 (EST)
Date: Thu, 16 Nov 2000 13:02:07 -0500 (EST)
From: Tim McMillen
X-Sender: timcm@qbert.gpcc.itd.umich.edu
To: Mike Meyer
Cc: Chris Fedde , questions@FreeBSD.ORG
Subject: Re: Help: Is Sendmail secure?
In-Reply-To: <14867.33937.379915.199934@guru.mired.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

This question also gets run around a lot on the OpenBSD mailing lists.
OpenBSD comes with sendmail by default and the dev team considers it the
most secure. Their stance is that while sendmail has a bad history, most
of the bugs have been worked out of the code (in the slightly older
versions of sendmail that OpenBSD includes) and it is now secure.

Their view on qmail is that while it has a lot of security *features* it
does not necessarily have security. There are still bugs in its code
(since it has not been audited for security) and those bugs could
possibly be exploited. Further, they believe that a good administrator
configuring the mail program correctly has more to do with security than
security features. Qmail's security features are said to be hard to
configure properly for a newbie.

Tim

On Thu, 16 Nov 2000, Mike Meyer wrote:

> Chris Fedde types:
> > On Wed, 15 Nov 2000 12:54:53 -0800 (PST) "Hiu F. Ho" wrote:
> > +------------------
> > | Is Sendmail really that bad? If I use qmail, do I need a separate POP
> > | server?
> > +------------------
> > Sendmail is not really that bad. You need a separate pop server if you
> > are running sendmail.
>
> Sendmail has a history of security problems, mostly because it dates
> from the days when the internet was a nice neighborhood. It includes a
> lot of functionality that generally isn't needed these days.
>
> Qmail are designed for dealing with internet mail, not
> berknet/uucp/BITNet/ArpaNet/whatever. They were also designed after
> the internet stopped being a collection of friends, so security was a
> design consideration.
>
> That said, if you're running a small site, don't plan on making a
> target of yourself, and follow the FreeBSD security announcements,
> there probably isn't a lot of difference. Sendmail being part of the
> FreeBSD distribution means there are fewer headaches if you want to run
> it.