Date: Mon, 11 Dec 2017 11:34:10 -0800
From: "Chris H" <portmaster@BSDforge.com>
To: <portmaster@BSDforge.com>
Cc: <freebsd-ports@freebsd.org>, <sgk@troutmask.apl.washington.edu>, "Adam Weinberger" <adamw@adamw.org>, "Matt Smith" <matt.xtaz@gmail.com>
Subject: Re: Procmail Vulnerabilities check
Message-ID: <00d53b391814cf11575da1e873839ae7@udns.ultimatedns.net>
In-Reply-To: <32da0142ef01d545aff61de3a3946d62@udns.ultimatedns.net>
On Mon, 11 Dec 2017 08:39:02 -0800 <portmaster@BSDforge.com> said
> On Mon, 11 Dec 2017 11:10:32 +0000 "Matt Smith" <matt.xtaz@gmail.com> said
>
> > On Dec 10 14:58, Chris H wrote:
> > >OK I'm puzzled a bit. FreeBSD's motto has always been:
> > >FreeBSD
> > >The power to serve!
> > >
> > >but many of the proposed, and recent changes/removals end up more like:
> > >FreeBSD
> > >It's castrated!
> >
> > The problem with software in the base is that it is *much* more
> > difficult to update to add new features or patch security issues. With a
> > port the software will be updated relatively quickly. And users can get
> > the benefits of that with a quick pkg upgrade. They might not update
> > their O/S for 6-12 months.
> >
> > In my opinion any software which is accessible to the internet should be
> > patched and upgraded ASAP. It's for this reason that I've always
> > disabled things like OpenSSH/OpenSSL/ntpd etc in the base and used port
> > versions instead.
> I applaud that attitude. I couldn't agree more. For that same reason, I
> (not unlike you) have always excluded software that history has proven
> to pose security risks ( WITHOUT_BIND=true ) for example. The same can also
> *easily* be said of OpenSSL.
> [ excessive "jag" removed. sorry ]
> threat.
> In closing, and more to the point regarding Sendmail; Sendmail has a nearly
> impeccable security record in at least the last decade. It provides a *secure*,
> more powerful, and more flexible MX on the cheap. I see little reason to
> consider it an attack vector. Which makes *security*, and its related
> maintenance a pretty poor argument, for its removal.
>
> --Chris

Let me attempt to make my point another way (and stay closer to topic).
A user is able to accomplish more from sendmail in base, than with any
other MX port in base alone. Sendmail provides OOB:

  block by topic/portion of topic
  block forged MX
  block dynamic host(s)

all with the addition of one stanza, and (in the case "topic") the
addition of TOPIC_FILE. It also provides for some other measures that
trip up, or otherwise thwart spammer tactics;

  delay (E)HELO
  connection THROTTLING.

As well as the ability to utilize block list services, offered by third
parties, or your own personal block list.

Many of the other MX software in the ports tree provide a subset of the
shortlist I mentioned above. But none of them offer them all. Given that
the biggest concern, both security-wise, as well as nuisance-wise from
anyone managing an internet facing MX service is SPAM, and related threats,
wouldn't one be best served, if they had the most options available to
defend against such threats?

FWIW in ~5 months only (ever) having sendmail from base, without the
addition of any additional "plugins", I was able to collect (and
subsequently block) ~9.9 million SPAM sources. Not likely, but *actual*
spam sources.

When I began life as a maintainer of ports, I was subsequently required
to subscribe to additional FreeBSD mailing lists, and provide my/a email
address along with the ports I maintain. As a result, my [that] address
had a greater exposure to spammers. In a short time, I found myself
inundated with SPAM -- literally *thousands* per day. My initial reaction
was to curse the FreeBSD ports/mailing-list management system, and those
who were in charge. But I decided against a knee-jerk reaction, and
decided to give the matter more thought, before making a decision. In the
end, I decided I wasn't going to allow myself to be a victim, but rather
make the whole matter a challenge, or puzzle that I would solve.

In the end, and with my current base version of sendmail, I now only
receive some 3-5 SPAM/week. That is a *remarkable* number, compared to my
initial experience, as is the number of *actual* SPAM sources I've been
able to thwart. That 9.9 million number is not a *probable* number, it's
an actual figure, and in the end, I *always* get the mail I want, and
nearly *never* get the mail I don't. All with sendmail from base, and
without any external/third party services.

IMHO that makes a pretty strong argument for retaining Sendmail. If I
were an MX administrator, would I not want all the options/help I could
get to defend myself against attack? This is the sort of thing that makes
FreeBSD the best choice for a Server Grade install. It provides server
grade applications in a Service oriented OS.

Yes. But if it's removed, nothing stops you from installing it from
ports. True. But if I'm selling a Server targeted OS, don't I want to
advocate server grade services?

Thanks for listening -- I know it was long.

--Chris

> >
> > --
> > Matt
>
>
> _______________________________________________
> freebsd-ports@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscribe@freebsd.org"
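The anti-spam measures the post lists for base sendmail (a local block list, greeting delay before (E)HELO, connection throttling, and third-party DNS block lists) as they are switched on in a sendmail.mc; this is an added illustrative fragment, not taken from the post or from FreeBSD's stock /etc/mail files, and the block-list domain, the sample access entry and the tuning numbers are assumed placeholders.

```m4
dnl Added example fragment for a FreeBSD-style sendmail.mc (not from the
dnl post).  Insert after the OSTYPE/DOMAIN lines; rebuild the .cf and the
dnl access map with "make" in /etc/mail.  Values below are assumed examples.

dnl Local block list: /etc/mail/access is a makemap(8) hash database whose
dnl keys are tagged, e.g. a constructed entry "Connect:192.0.2.0  REJECT"
dnl refuses every client in 192.0.2.0/24 before any mail is accepted.
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl

dnl Defer the client/sender checks until after RCPT TO, so per-recipient
dnl exceptions (Spam:...FRIEND entries) in the access map can override them.
FEATURE(`delay_checks', `friend')dnl

dnl Greeting delay: wait 5000 ms before sending the SMTP banner.  Clients that
dnl send commands before the banner (a common bulk-mailer trait) are rejected
dnl with a 554.  Trusted hosts are exempted with "GreetPause:host 0" entries.
FEATURE(`greet_pause', `5000')dnl

dnl Connection throttling: at most 10 new incoming connections per second on
dnl the listening daemon, and no more than 50 concurrent daemon children.
define(`confCONNECTION_RATE_THROTTLE', `10')dnl
define(`confMAX_DAEMON_CHILDREN', `50')dnl

dnl Third-party DNS block list; dnsbl.example.invalid is a placeholder name,
dnl replace it with the zone of the service you have chosen to query.
FEATURE(`dnsbl', `dnsbl.example.invalid', `"550 Rejected: " $&{client_addr} " listed at dnsbl.example.invalid"')dnl

MAILER(local)dnl
MAILER(smtp)dnl
```

The greeting delay and throttling values are deliberately conservative starting points; legitimate MTAs tolerate a short banner delay, but an aggressive rate limit will also defer mail from busy legitimate senders, so watch the maillog for "rate limit" and "greet_pause" rejections after enabling them.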