From owner-freebsd-security Mon Nov 18 07:15:26 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id HAA21065
          for security-outgoing; Mon, 18 Nov 1996 07:15:26 -0800 (PST)
Received: from kdat.calpoly.edu (kdat.csc.calpoly.edu [129.65.54.101])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id HAA21058
          for ; Mon, 18 Nov 1996 07:15:22 -0800 (PST)
Received: (from nlawson@localhost)
          by kdat.calpoly.edu (8.6.12/N8) id HAA03705;
          Mon, 18 Nov 1996 07:15:18 -0800
From: Nathan Lawson
Message-Id: <199611181515.HAA03705@kdat.calpoly.edu>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: batie@agora.rdrop.com (Alan Batie)
Date: Mon, 18 Nov 1996 07:15:18 -0800 (PST)
Cc: freebsd-security@freebsd.org
In-Reply-To: from "Alan Batie" at Nov 17, 96 05:16:36 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > Sendmail is well understood and well maintained with a very long track
> > record. Other mailers, no matter how much better, don't match this
> > track record.
>
> Yup, sendmail has a long track record of the "security hole of the month";
> I've yet to see one for smail. I would like to switch to sendmail, as I
> hear it deals with mail queues a lot better these days, and smail
> development seems to have gone into a black hole, but until sendmail can
> make it a whole month or two without a CERT advisory on it...

I've had the displeasure of reviewing the Smail code and found it just as
convoluted as sendmail, and in fact, just as insecure. Last year, a
colleague posted three Smail bugs to Bugtraq. There were many other
potential holes, but I stopped the review process and decided to go with a
SMAP hybrid.

Note that I am not recommending sendmail, but I think your exultation with
smail is a bit premature.

--
Nate Lawson    "There are a thousand hacking at the branches of
CPE Senior      evil to one who is striking at the root."
CSL Admin              -- Henry David Thoreau, 'Walden', 1854