Date: Wed, 16 Jun 2004 13:22:25 -0400 From: Chuck Swiger <cswiger@mac.com> To: mail25@bzerk.org Cc: freebsd-questions@freebsd.org Subject: Re: Mail Message-ID: <40D081D1.1060606@mac.com> In-Reply-To: <20040616145305.GB15913@ei.bzerk.org> References: <40D023A1.8090009@cs.uiowa.edu> <20040616140305.GD32001@millerlite.local.mark-and-erika.com> <20040616145305.GB15913@ei.bzerk.org>
next in thread | previous in thread | raw e-mail | index | archive | help
mail25@bzerk.org wrote:
> On Wed, Jun 16, 2004 at 10:03:05AM -0400, Mark Frank typed:
>> Just curious. What sendmail bugs are you referring? Have you reported
>> them to sendmail.org?
>
> Probably just hear-say. There's so much bad-mouthing sendmail! Most of
> it by people who got lost in sendmail's many configuration options, but
> instead of reading some docs they drop it, telling everybody they should
> avoid sendmail at all cost.
There are many people who find it difficult to configure sendmail and thus
criticise sendmail as a result, agreed. Some of those complaints are
unjustified, agreed.
However....
> Too bad, 'cause to me and many others sendmail is one of the most
> reliable and compliant MTA's in existance today. And there hasn't been
> a major security problem in years.
The last major security hole in sendmail was 8 months ago:
8.12.10/8.12.10 2003/09/24 (Released: 2003/09/17)
SECURITY: Fix a buffer overflow in address parsing. Problem
detected by Michal Zalewski, patch from Todd C. Miller
of Courtesan Consulting.
There have been around 70 security issues mentioned since the beginning of
sendmail-8 circa 1993, or about six per year. Recently, things have gotten
better, but a dispassionate evaluation of the security history of sendmail
does not inspire any great confidence that one can set up sendmail, leave it
unpatched, and expect the software to still be free of known
remotely-exploitable security problems two years later.
--
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40D081D1.1060606>