From: Cliff Sarginson
To: "Andre Hall", "Dragos Ruiu", "Christopher Farley", "Fenix"
Subject: Re: sendmail vs. postfix question
Date: Thu, 1 Feb 2001 15:12:04 GMT
Sender: owner-freebsd-security@FreeBSD.ORG

I want to endorse the comments below. The author of Postfix has
produced a really solid, fast and secure mail system. You may be
interested to know he also authored tcp-wrappers and the (in)famous
satan program. He also personally answers many of the questions on the
postfix-users@postfix.org mailing list. Browse the archives on deja if
you are curious..

Cliff

> I once was faced with the same dilemma as you were. I finally decided
> to go the Postfix way and have not regretted my decision one bit. It
> was the easiest and fastest configuration I had experienced, a
> definite plus over Sendmail. From my first experience with Sendmail I
> have always been displeased with how archaic it is, especially if you
> need to make changes. Postfix's configuration file is very
> user-friendly - you don't have to be a rocket scientist to make
> changes. Straight and to the point. You can also find an abundance of
> support on the author's site. It's really based on personal
> preference.
> I hope my two cents helps you
>
> ----- Original Message -----
> From: "Dragos Ruiu"
> To: "Christopher Farley"; "Fenix"
> Cc: ;
> Sent: Thursday, February 01, 2001 3:22 AM
> Subject: Re: sendmail vs. postfix question
>
> > On Wed, 31 Jan 2001, Christopher Farley wrote:
> > > Fenix (fenix@xs4some.net) wrote:
> > >
> > > > I have a little question about sendmail vs. postfix ....
> > > > Are there any known recent problems with sendmail security ?
> > > > what about postfix ?
> > >
> > > Sendmail is a large, monolithic, complicated program that runs as
> > > root. Historically, it has been responsible for some of the most
> > > notorious and widespread security holes on the Internet, but I
> > > don't believe there are any (known) gaping holes in it today.
> > > Sendmail configuration is complicated and arcane -- it is the
> > > subject of one of the thickest books in the O'Reilly catalog.
> > > Actually, configuring sendmail is not that bad once you understand
> > > it -- you edit a human-readable config file which is processed by
> > > the m4 macro processor to build the much less human-readable
> > > sendmail.cf file. However, if you are like I am, and infrequently
> > > make configuration changes to your mail server, it may take more
> > > than a few minutes of grepping documentation to make even a tiny
> > > change.
> > >
> > > Postfix has a different architecture, but strictly conforms to the
> > > 'sendmail api'. That is to say that Postfix is more or less designed
> > > to be a drop-in replacement for Sendmail. Postfix is actually
> > > several small, specialized daemons that do not run as root (!),
> > > which has some positive security implications. Configuration of
> > > Postfix is very easy; there is no m4 macro processing here! I have
> > > always been able to make it do what I need it to do, although my
> > > needs aren't very great. According to my ISP (visi.com), Postfix
> > > outperforms Sendmail.
> >
> > Postfix performance exceeds sendmail performance on equivalent boxes
> > in all my experiences in terms of just about any metric you care to
> > use, and I use it exclusively these days. As anecdotal evidence, once
> > when I configured it on a very fast machine and sent a lot of mail
> > through it, I had a large ISP call up and complain that I was DoSing
> > their mail server.... It was just postfix being its normal, speedy,
> > efficient self, and they had some NT lameware mail relay....
> >
> > As far as security, given how much I rely on it, I recently (last
> > year) decided to re-audit its code, and after a couple of days spent
> > looking for format strings and other stuff I decided to discontinue
> > the audit... Mr. Venema's code is so rigorous that it even passes
> > _internal_ data between routines through filtering and cleaning
> > functions (how paranoid is that :-) if that's any indication of how
> > it's built up.
> >
> > I personally think very highly of it. (Besides, I really would be
> > fine if I never have to look at another arcane sendmail ruleset ever
> > again... :-P )
> >
> > cheers,
> > --dr
> >
> > --
> > Dragos Ruiu dursec.com ltd. / kyx.net - we're from the future
> > gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc
> > http://cansecwest.com
> > CanSecWest/core01: March 28-30, Vancouver B.C.
> > Speakers: Renaud Deraison/Nessus Attack Scanner,
> > Martin Roesch/Snort/Advanced IDS,
> > Ron Gula/Enterasys/Strategic IDS,
> > Dug Song/Arbor Networks/Monkey in the Middle,
> > RFP/Whisker2.0 and other fun, Mixter/2XS/Distributed Apps,
> > Theo DeRaadt/OpenBSD, K2/w00w00/ADMutate,
> > HD Moore/Digital Defense/Making NT Bleed, Frank Heidt/@Stake,
> > Matthew Franz/Cisco/Trinux/Security Models,
> > Fyodor/insecure.org/Packet Reconnaissance,
> > Lance Spitzner/Sun/Honeynet Fun,
> > Robert Graham/NetworkICE/IDS Technology Demo,
> > Kurt Seifried/SecurityPortal/Crypto: 2-Edged Sword,
> > Dave Dittrich/UW/Forensics,
> > Sebastien Lacoste-Seris & Nicolas Fischbach/COLT
> > Telecom/Securite.Org/Kerberized SSH Deployment,
> > Jay Beale/MandrakeSoft/Bastille-Linux/Securing Linux
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message