From owner-freebsd-security Sun Nov 17 18:47:53 1996
To: batie@agora.rdrop.com (Alan Batie)
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Cc: adam@homeport.org, pgiffuni@fps.biblos.unal.edu.co, freebsd-security@freebsd.org
In-reply-to: Your message of "Sun, 17 Nov 1996 17:16:36 PST."
Date: Sun, 17 Nov 1996 19:46:30 -0700
From: Warner Losh
Sender: owner-security@freebsd.org

In message Alan Batie writes:
: Yup, sendmail has a long track record of the "security hole of the month";
: I've yet to see one for smail. I would like to switch to sendmail, as I
: hear it deals with mail queues a lot better these days, and smail
: development seems to have gone into a black hole, but until sendmail can
: make it a whole month or two without a CERT advisory on it...

I've yet to see a CERT advisory on VMS, yet it has dozens of security holes that have been discussed in other lists. Just because smail hasn't had a CERT advisory doesn't make it secure.

Sendmail is running on 10x or 100x more machines than smail. Since it is running on so many machines, it is more profitable to attack it.

Also, CERT advisories generally cover things that the vendor puts out. If no one is the smail vendor, then it becomes harder to put out a CERT advisory on it.

smail, exim, and qmail should be ports that people that are security minded can optionally use. exim, for example, breaks a number of things, but I use it anyway.

Warner