From: Chuck Swiger
Organization: The Courts of Chaos
Date: Wed, 16 Jun 2004 13:22:25 -0400
To: mail25@bzerk.org
cc: freebsd-questions@freebsd.org
Subject: Re: Mail
Message-ID: <40D081D1.1060606@mac.com>
In-Reply-To: <20040616145305.GB15913@ei.bzerk.org>

mail25@bzerk.org wrote:
> On Wed, Jun 16, 2004 at 10:03:05AM -0400, Mark Frank typed:
>> Just curious. What sendmail bugs are you referring to? Have you reported
>> them to sendmail.org?
>
> Probably just hearsay. There's so much bad-mouthing sendmail! Most of
> it by people who got lost in sendmail's many configuration options, but
> instead of reading some docs they drop it, telling everybody they should
> avoid sendmail at all cost.

There are many people who find it difficult to configure sendmail and
thus criticise sendmail as a result, agreed. Some of those complaints
are unjustified, agreed. However....

> Too bad, 'cause to me and many others sendmail is one of the most
> reliable and compliant MTA's in existence today. And there hasn't been
> a major security problem in years.

The last major security hole in sendmail was 8 months ago:

8.12.10/8.12.10 2003/09/24 (Released: 2003/09/17)
        SECURITY: Fix a buffer overflow in address parsing. Problem
        detected by Michal Zalewski, patch from Todd C. Miller of
        Courtesan Consulting.

There have been around 70 security issues mentioned since the beginning
of sendmail-8 circa 1993, or about six per year. Recently, things have
gotten better, but a dispassionate evaluation of the security history of
sendmail does not inspire any great confidence that one can set up
sendmail, leave it unpatched, and expect the software to still be free
of known remotely-exploitable security problems two years later.

-- 
-Chuck