From owner-freebsd-hackers Mon Nov 25 09:43:06 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id JAA24918 for hackers-outgoing; Mon, 25 Nov 1996 09:43:06 -0800 (PST)
Received: from delphi.bsd.uchicago.edu (delphi.bsd.uchicago.edu [128.135.5.5]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id JAA24903 for ; Mon, 25 Nov 1996 09:42:56 -0800 (PST)
Received: from bio-5.bsd.uchicago.edu (bio-5.bsd.uchicago.edu [128.135.75.14]) by delphi.bsd.uchicago.edu (8.8.3/8.7.3/BSD-4.0) with SMTP id LAA20420; Mon, 25 Nov 1996 11:42:20 -0600 (CST)
Received: by bio-5.bsd.uchicago.edu (5.0/SMI-SVR4) id AA10825; Mon, 25 Nov 1996 11:42:18 +0600
Date: Mon, 25 Nov 1996 11:42:18 +0600
Message-Id: <9611251742.AA10825@bio-5.bsd.uchicago.edu>
To: nate@mt.sri.com
Cc: peter@taronga.com, hackers@FreeBSD.org
In-Reply-To: <199611250109.SAA27018@rocky.mt.sri.com> (message from Nate Williams on Sun, 24 Nov 1996 18:09:10 -0700 (MST))
Subject: Re: Replacing sendmail (Re: non-root users binding to ports < 1024 (was: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2
From: Tim Pierce
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Nate Williams said:

> I'm with Michael. I trust sendmail much more than something I know
> nothing about.

This amounts to defending the devil you know over the devil you don't. While that's a sound principle, it's also something of a last line of defense: i.e., there's no reason you can't get to know the other devil a little better.

Most of the defenses of sendmail I've seen thus far can be summed up: it's the industry standard, everyone else in the world runs it, any administrator will be instantly at home with it. Hmm -- and I thought that I *wasn't* running Windows!

For the record, I currently run neither sendmail nor qmail (not having a net-connected machine). I am not intimately familiar with qmail and am not really in a position to defend it.
What I know is that I spend a lot of time with security weenies, and have heard more about qmail in the last several months than about perhaps any other package I'm not personally working on. I'm inclined to believe that it deserves a closer look than the folks here have been willing to give it.