From owner-freebsd-questions Thu Nov 16 23:22:41 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-26-235-186.mmcable.com [65.26.235.186])
    by hub.freebsd.org (Postfix) with SMTP id AC06137B479
    for ; Thu, 16 Nov 2000 23:22:38 -0800 (PST)
Received: (qmail 82243 invoked by uid 100); 17 Nov 2000 07:22:33 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14868.56504.947618.393746@guru.mired.org>
Date: Fri, 17 Nov 2000 01:22:32 -0600 (CST)
To: Tim McMillen
Cc: Boris Köster, questions@freebsd.org
Subject: Re: Help: Is Sendmail secure?
In-Reply-To:
References: <14868.52437.824166.717745@guru.mired.org>
X-Mailer: VM 6.75 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Tim McMillen types:
> Well I had thought it was because they looked at the code and
> found it too buggy, but here's a good link to a message from Theo de Raadt
> founder of the OpenBSD project.
> http://www.geocrawler.com/archives/3/256/1998/12/0/1388156/
>
> Most of the references that I found were somewhat in line with
> that. They were against qmail and for sendmail mostly because of the
> larger feature set that sendmail had and that it could handle more strange
> cases. That was from the advanced users that needed that. Those opinions
> were more saying, qmail could be fine for you, but I can't use it because
> it doesn't do...

The upside of sendmail's age is that it has run against many of the
really strange cases, and now deals with them. Anything newer hasn't
had time to run into as many, and may well break when sendmail
wouldn't - I know I've run into that with qmail at least once.

> On Sat, 24 Apr 1999, Erich Zigler wrote:
> // I used to run it on my Linux server. I never had one problem with
> // it. There was also that thing as a contest he set up if anyone could
> // find a security hole in qmail that he would get $100,000 or
> // something like that. No one could do it.
> Give or take an order of magnitude or two. There's a *huge*
> difference between, ``No one could do it,'' and ``No one did it.'' Some
> challenges just aren't worth it. qmail is very obscure and limits what
> can be done with your mail (out of the box). There are a few places such
> limitations might be acceptable, but I've not found one yet. It did at
> least gain some popularity for the exact reason that you've stated above,
> ``Nobody has announced a vulnerability with it that djb didn't say was
> irrelevant, therefore, it's immutable!!!'' That gives a lot of people a
> sense of security, but a full code review would hold up to scrutiny a
> little better than, ``Nobody broke into it that we know about.''
> Personally, I find the qmail code very difficult to read.

That is the downside of the contest - you don't know who went looking
for bugs! With OpenBSD, you know it was the OpenBSD team that went
looking for security bugs. But the OpenBSD rep doesn't automatically
extend to other versions of sendmail.

All of Bernstein's code is quirky. Part of that is because he wrote
his own (differently-named) versions of many library functions to
avoid bugs in vendor libraries. On the other hand - anyone who can fix
sendmail config files shouldn't have any problem with the stuff.

My take on it is that sendmail was *designed* when security wasn't an
issue. While the people working on it now may have a much better
handle on this, did they rewrite it from the ground up using that
better handle? If not, then it's not clear what's still lurking in the
thing. If they did, why didn't they replace sendmail.cf with something
sane and a translation tool :-)? Which could well describe the newer
MTAs, at least to a degree.