From owner-freebsd-security Sun Jan 26 14:42:49 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5)
    id OAA29389 for security-outgoing; Sun, 26 Jan 1997 14:42:49 -0800 (PST)
Received: from www.trifecta.com (www.trifecta.com [206.245.150.3])
    by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA29379 for ;
    Sun, 26 Jan 1997 14:42:43 -0800 (PST)
Received: (from dev@localhost) by www.trifecta.com (8.7.5/8.6.12)
    id RAA20529; Sun, 26 Jan 1997 17:45:28 -0500 (EST)
Date: Sun, 26 Jan 1997 17:45:28 -0500 (EST)
From: Dev Chanchani
To: Stephen Fisher
cc: "Sean J. Schluntz" , freebsd-security@freebsd.org, Ollivier Robert
Subject: Re: sendmail running non-root SUCCESS!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sat, 18 Jan 1997, Stephen Fisher wrote:

>
> I would like to use a mailer which I feel is better designed and
> programmed (security wise) but.... Since everyone uses Sendmail and
> everyone is hacking away at it I feel I'm pretty safe. Security problems
> are fixed quickly and without problems. And it's assumed you're using
> sendmail: when people work on "anti-spam" things they have sendmail
> rulesets to do it.
>
> Write a new mailer that has the power and functionality of Sendmail
> without the problems and uses sendmail.cf's format and I'll use it.

A powerful and functional, yet secure mailer seems to be way too much of
an oxymoron these days. Until programmers learn the intricacies of unix
multi-user programming (a la stack overflows, race conditions, unvalidated
user input, etc.) there will be security holes in complex programs like
sendmail.

In the meantime, you need to evaluate your security needs. Do you wish to
prioritize security and run something like qmail or smap, smapd and
sendmail not running as root? Or is your priority functionality, in which
case you may have to run sendmail.

BTW: Does anyone know if you can use sendmail-like rewriting rules that
allow you to accept mail for various virtual domains with qmail?

--Dev