From owner-freebsd-security Sun Nov 17 17:34:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA28484 for security-outgoing; Sun, 17 Nov 1996 17:34:58 -0800 (PST)
Received: from salsa.gv.ssi1.com (salsa.gv.ssi1.com [146.252.44.194]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA28457 for ; Sun, 17 Nov 1996 17:34:45 -0800 (PST)
Received: (from gdonl@localhost) by salsa.gv.ssi1.com (8.7.5/8.7.3) id RAA14418; Sun, 17 Nov 1996 17:34:25 -0800 (PST)
From: Don Lewis
Message-Id: <199611180134.RAA14418@salsa.gv.ssi1.com>
Date: Sun, 17 Nov 1996 17:34:25 -0800
In-Reply-To: Adam Shostack "Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2)." (Nov 17, 7:05pm)
X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95)
To: Adam Shostack , pgiffuni@fps.biblos.unal.edu.co
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: freebsd-security@FreeBSD.org
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Nov 17, 7:05pm, Adam Shostack wrote:
} Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
} Pedro Giffuni S. wrote:
} [Charset iso-8859-1 unsupported, filtering to ASCII...]
} | Adam Shostack wrote:
} | >
} | > On another note, how about qmail replacing sendmail?
}
} | qmail has a home page somewhere, I have a copy on my ftp site..I can
} | look if you need it.
} | It would be good to have a port.
}
} www.qmail.org
}
} My suggestion was a little further reaching than that; I'm
} planning to replace sendmail with qmail real soon, and that helps me a
} lot. My suggestion was meant to imply the possibility of removing
} sendmail from the FreeBSD distribution, and only shipping qmail.

Qmail doesn't do all the ESMTP negotiation that sendmail does. It keeps
qmail simpler and less likely to be buggy, but not as functional.
For instance, sendmail 8.7.x supports: 8BITMIME, SIZE, DSN, VERB, ONEX,
but whatever version of qmail I just checked only supports 8BITMIME and
PIPELINING. Sendmail 8.8.x adds ETRN.

Qmail wants to look up the addresses of all the hosts listed in the MX
records for an address so that it can compare them with the addresses
of the host. This fixes the problem of "mail loops back to myself" that
you get when you misconfigure DNS and/or sendmail, but I think it means
that if qmail can't get the address of the most preferred MX host, it
can't forward the message to any of the other mail exchangers because
this could cause the message to loop.

Sendmail's support of UUCP isn't wonderful (mostly a problem of getting
DNS totally disabled). How well does qmail support UUCP?

If you send a message to ten different people at the same machine, qmail
likes to send ten individual copies, even though this might be a large
message and the link expensive (I believe this feature can be turned off).

If you send a message to two people at two different addresses that have
the same set of MX records, sendmail will send one copy of the message
and let the mail exchanger at the other end duplicate the message (but
this adds the latency of the second DNS lookup to the delivery of the
first message).

Other than the above, I think that qmail has a lot of advantages.

--- Truck
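
Added example, not part of the original message and not code from qmail or sendmail: a sketch of the address-based MX loop check the message describes, using the standard rule that a relay only forwards to exchangers more preferred than itself. Treating an exchanger whose address lookup failed as "possibly this host" is an assumption modelled on the message's description; the function name, status strings, host names and addresses are hypothetical and the sample records are constructed.

```python
from typing import FrozenSet, List, NamedTuple, Optional, Tuple


class MX(NamedTuple):
    pref: int                        # MX preference; lower is more preferred
    host: str
    addrs: Optional[FrozenSet[str]]  # None means the address lookup failed


def plan_delivery(mx_records: List[MX],
                  local_addrs: FrozenSet[str]) -> Tuple[str, List[str]]:
    """Return (status, hosts) for one recipient domain.

    "relay": hosts are safe to try, most preferred first.
    "self":  this host is the most preferred exchanger, so forwarding
             anywhere would loop; deliver locally or report misconfiguration.
    "defer": nothing is provably safe yet; retry after DNS recovers.
    (The fallback for domains with no MX records is not modelled.)
    """
    # Preferences at which this host appears, found by comparing addresses
    # rather than names, so aliases and misnamed MX entries are still caught.
    self_prefs = [r.pref for r in mx_records
                  if r.addrs and r.addrs & local_addrs]
    # Assumption: an unresolved exchanger might be this host.
    unknown_prefs = [r.pref for r in mx_records if r.addrs is None]
    # Anything at or beyond the cutoff could send the message back to us.
    cutoff = min(self_prefs + unknown_prefs, default=None)
    targets = [r.host for r in sorted(mx_records, key=lambda r: r.pref)
               if cutoff is None or r.pref < cutoff]
    if targets:
        return "relay", targets
    if self_prefs and min(self_prefs) == cutoff:
        return "self", []
    return "defer", []


# Constructed sample data (documentation address range, made-up host names).
LOCAL = frozenset({"192.0.2.10"})
HEALTHY = [MX(10, "mx1.example.net", frozenset({"192.0.2.1"})),
           MX(20, "mx2.example.net", frozenset({"192.0.2.10"})),  # this host
           MX(30, "mx3.example.net", frozenset({"192.0.2.3"}))]
BEST_UNRESOLVED = [MX(10, "mx1.example.net", None),
                   MX(20, "mx3.example.net", frozenset({"192.0.2.3"}))]

if __name__ == "__main__":
    print(plan_delivery(HEALTHY, LOCAL))
    print(plan_delivery(BEST_UNRESOLVED, LOCAL))
```

With the most preferred exchanger unresolved, the second case yields no usable target, which is the deferral the message anticipates.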