Date: Sun, 17 Nov 1996 19:46:30 -0700 From: Warner Losh <imp@village.org> To: batie@agora.rdrop.com (Alan Batie) Cc: adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). Message-ID: <E0vPJjD-0003aX-00@rover.village.org> In-Reply-To: Your message of "Sun, 17 Nov 1996 17:16:36 PST." <m0vPIKD-0008rpC@agora.rdrop.com> References: <m0vPIKD-0008rpC@agora.rdrop.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <m0vPIKD-0008rpC@agora.rdrop.com> Alan Batie writes: : Yup, sendmail has a long track record of the "security hole of the month"; : I've yet to see one for smail. I would like to switch to sendmail, as I : hear it deals with mail queues a lot better these days, and smail : development seems to have gone into a black hole, but until sendmail can : make it a whole month or two without a CERT advisory on it... I've yet to see a CERT advisory on VMS, yet it has dozens of security holes that have been discussed in other lists. Just because smail hasn't had a CERT advisory doesn't make it secure. Sendmail is running on 10x or 100x more machines than smail. Since it is running on so many machines, it is more profitable to attack it. Also, CERT advisories generally cover things that the vendor puts out. If no one is the smail vendor, then it becomes harder to put out a CERT advisory on it. smail, exim, and qmail should be ports that people that are security minded can optionally use. exim, for example, breaks a number of things, but I use it anyway. Warner
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0vPJjD-0003aX-00>