From owner-freebsd-security Sun Feb 11 7:19:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cc762335-a.ebnsk1.nj.home.com (cc762335-a.ebnsk1.nj.home.com [24.3.219.36])
	by hub.freebsd.org (Postfix) with SMTP id 5913337B491
	for ; Sun, 11 Feb 2001 07:19:08 -0800 (PST)
Received: (qmail 663 invoked from network); 11 Feb 2001 15:19:15 -0000
Received: from athena.faerunhome.com (HELO athena) (192.168.0.2)
	by cc762335-a.ebnsk1.nj.home.com with SMTP; 11 Feb 2001 15:19:15 -0000
Message-Id: <4.2.2.20010211100158.00c95840@netmail.home.com>
X-Sender: damascus@netmail.home.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Sun, 11 Feb 2001 10:05:18 -0500
To: "Dominic Marks"
From: Carroll Kong
Subject: Re: Secure Servers (SMTP, POP3, FTP)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 11:39 AM 2/11/01 +0000, Dominic Marks wrote:
>Hello,
>
>I'd really appreciate some opinions on the performance of some daemons.
>I'm trying to assess which is the best choice to offer both security and
>performance under FreeBSD 4.2. Apache seems like a pretty de facto choice
>for HTTP which I'm very happy with but I'm a little less sure what to choose
>on others, in particular for ftp and mail servers.
>
>FTP Options:
>1. proFTPd - Seems secure and has "enterprise" features
>2. wu-Ftpd - Good security (bad History) excellent performance
>3. ftpd - Dodgy security? Doesn't seem to be used very much
>
>Mail Options:
>1. Qmail - Secure, written for FreeBSD (Qwest?), Fast, Configurable
>2. Sendmail - Industry standard, works fine, big user base
>3. Postfix - Secure, quite light on system resources, growing support
>
>I'd appreciate some feedback on any of these, any comments you might have
>would be very helpful, or perhaps links to articles on this subject.
>
>Many thanks
>Dominic Marks

Try ncftpd for ftp options. I suppose being closed source it has "security" by obscurity, but the author is fairly responsive in fixing bugs so any security flaws are fixed very fast. His track record seems to be pretty good. ftpd is also good if configured properly, although I am not sure if you can use virtual users. (I never used ftpd extensively as you can tell.)

For mail, I suggest either qmail or postfix. Sendmail just has a bad record, so if you can avoid it, sure. If you cannot, fine, roll with it.

As for Apache, be careful of what language you allow for CGIs. That is really going to be the major factor in security. I used to think PHP was great stuff, but it has a fairly bad track record. I am thinking of rolling my PHP scripts to Perl since at least Perl in itself is secure. (Not to say using Perl guarantees any level of security; you need good secure programming practices for that.)

-Carroll Kong

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message