From owner-freebsd-questions Thu Nov 16 22:55:27 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from donkeykong.gpcc.itd.umich.edu (donkeykong.gpcc.itd.umich.edu [141.211.2.163]) by hub.freebsd.org (Postfix) with ESMTP id 5CF3437B479 for ; Thu, 16 Nov 2000 22:55:23 -0800 (PST)
Received: from gorf.gpcc.itd.umich.edu (smtp@gorf.gpcc.itd.umich.edu [141.211.2.147]) by donkeykong.gpcc.itd.umich.edu (8.8.8/4.3-mailhub) with ESMTP id BAA07748; Fri, 17 Nov 2000 01:55:22 -0500 (EST)
Received: from localhost (timcm@localhost) by gorf.gpcc.itd.umich.edu (8.8.8/5.1-client) with ESMTP id BAA07297; Fri, 17 Nov 2000 01:55:21 -0500 (EST)
Date: Fri, 17 Nov 2000 01:55:21 -0500 (EST)
From: Tim McMillen
X-Sender: timcm@gorf.gpcc.itd.umich.edu
To: Mike Meyer
Cc: Boris Köster, questions@freebsd.org
Subject: Re: Help: Is Sendmail secure?
In-Reply-To: <14868.52437.824166.717745@guru.mired.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thanks,

> You can read about one of them at http://web.infoave.net/~dsill/qmail-challenge.html.
> I agree about OpenBSD, but they're basically saying they haven't checked qmail, so
> wouldn't trust it. But the same is true of later versions of sendmail,
> or the version shipped with some other OS.

Well, I had thought it was because they looked at the code and found it too buggy, but here's a good link to a message from Theo de Raadt, founder of the OpenBSD project:

http://www.geocrawler.com/archives/3/256/1998/12/0/1388156/

Most of the references that I found were somewhat in line with that. They were against qmail and for sendmail mostly because of the larger feature set that sendmail had and that it could handle more strange cases. That was from the advanced users that needed that. Those opinions were more saying, "qmail could be fine for you, but I can't use it because it doesn't do..."
I guess I just sent these for reference. Much of what I found also reiterated that it was the configuration that was more likely to matter.

Tim

Here's another that I found too.

----

On Sat, 24 Apr 1999, Erich Zigler wrote:

// I used to run it on my Linux server. I never had one problem with
// it. There was also that thing as a contest he setup if anyone could
// find a security hole in qmail that he would get $100,000 or
// something like that. No one could do it.

Give or take an order of magnitude or two. There's a *huge* difference between, ``No one could do it,'' and ``No one did it.'' Some challenges just aren't worth it.

qmail is very obscure and limits what can be done with your mail (out of the box). There are a few places such limitations might be acceptable, but I've not found one yet. It did at least gain some popularity for the exact reason that you've stated above, ``Nobody has announced a vulnerability with it that djb didn't say was irrelevant, therefore, it's immutable!!!'' That gives a lot of people a sense of security, but a full code review would hold up to scrutiny a little better than, ``Nobody broke into it that we know about.''

Personally, I find the qmail code very difficult to read.

----

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message