Date:      Sun, 10 Dec 2017 13:21:13 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-ports@freebsd.org
Subject:   Re: Procmail Vulnerabilities check
Message-ID:  <fe88c5e6-155d-dd64-96d5-8f394c41d92f@FreeBSD.org>
In-Reply-To: <alpine.BSF.2.21.1712091451300.35694@aneurin.horsfall.org>
References:  <fb3d23c5-e32d-452a-a0c3-c3cb12340054@cloudzeeland.nl> <a66d1c33-e405-d9e8-d9c3-2738b5e66887@cloudzeeland.nl> <alpine.BSF.2.21.1712080956580.41281@wonkity.com> <20171208180905.GA96560@troutmask.apl.washington.edu> <alpine.BSF.2.21.1712091013310.35694@aneurin.horsfall.org> <20171209012522.GA42506@troutmask.apl.washington.edu> <alpine.BSF.2.21.1712091451300.35694@aneurin.horsfall.org>

On 09/12/2017 04:12, Dave Horsfall wrote:
> On Fri, 8 Dec 2017, Steve Kargl wrote:
>
>> https://lists.freebsd.org/pipermail/freebsd-arch/2017-December/018712.html
>>
>
> Well, I saw no reason to subscribe to freebsd-arch (I'm on enough lists
> as it is)...  Are there any other lists that we should be following?
>
> I guess a suit and tie will be required soon :-(
>
> I'm bemused by Bapt's remark that "it does not support anything an
> entreprised [sic] grade mta setup would require: ldap support for
> example"; funny, as I had it working just fine with OpenLDAP with
> hundreds of users spread over many offices in my last job, with no
> trouble at all; there's even a schema for it, FFS:
>
>     aneurin% locate -i sendmail.schema
>     /usr/share/sendmail/cf/sendmail.schema
>
> with all the right gear in it:
>
>     # OID arcs for Sendmail
>     # enterprise:           1.3.6.1.4.1
>     # sendmail:             enterprise.6152
>
> WTF?  Sure as hell looks like Sendmail supports LDAP to me...
>

Bapt's point here is that the version of sendmail in base is quite
limited since, for instance, it is not compiled with ldap client support
or various other optional features.  On the other hand, the version of
sendmail in ports can be compiled with all the different bells and
whistles enabled.

If your machine is configured as a smarthost MTA, then generally you'll
want to install one of the more fully capable MTA packages from ports --
sendmail, postfix, exim etc.

For most other setups, a machine does not need to do anything more with
e-mail than deliver locally generated mails (from cron or whatever)
either to a local mailbox or to a smarthost.

Hence the current sendmail in base is neither fish nor fowl: way
overpowered for almost all installations, but with significant
limitations for a machine providing a full-blown mail service.
Personally I agree with his reasoning: unless the primary function of
your FreeBSD machine is to be an MTA, you really don't need any more
capability than to either deliver to a local mailbox, or forward all
e-mails to a smart host.  Certainly you don't need anything capable of
receiving incoming e-mails.

	Cheers,

	Matthew




