Sendmail runs as root and is a big monolithic piece of software. Postfix isn't.
For example, a recent (well, several months old) bug in Linux kernel capabilities,
exploitable locally through sendmail (and a few other apps potentially, but
exploit code for sendmail was released publicly). There wasn't a bug in
Sendmail per se (if you fixed sendmail the bug could still potentially be
exploited) but you could exploit it through sendmail due to its design (whereas
people like me running postfix had a lot less immediate worry =).
While sendmail has significantly cleaned up in the last 2 years, if there is a
security bug it's usually serious since it's one huge piece of software going as
root, whereas Postfix is made up of several components, only one (small) of
which runs as root. I replace Postfix on general principles now, it's an easy
task and at least one major vendor now ships Postfix as the default MTA
(Mandrake).
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
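To see how much of your own MTA actually holds root, here is an added example (not from this thread): it parses `ps -eo user,pid,comm` output and counts mail-transport processes per user. The Postfix and Sendmail daemon names listed are the ones those packages ship; the two sample ps listings are constructed, not captured from a real host.

```python
"""Audit which MTA processes run as root (added example, not from the thread)."""
import subprocess
from collections import defaultdict

# Daemon names shipped by Postfix and Sendmail (assumption: default naming).
MTA_PROCS = {"master", "smtpd", "pickup", "qmgr", "cleanup", "local", "smtp",
             "sendmail"}

# Constructed sample ps output for a Postfix host and a Sendmail host.
SAMPLE_POSTFIX = """USER       PID COMMAND
root         1 init
root       812 master
postfix    815 pickup
postfix    816 qmgr
postfix    901 smtpd
postfix    903 cleanup
"""
SAMPLE_SENDMAIL = """USER       PID COMMAND
root         1 init
root       640 sendmail
root       641 sendmail
"""

def mta_rows(ps_output):
    """Yield (user, command) for each MTA process in `ps -eo user,pid,comm` output."""
    for line in ps_output.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) >= 3 and parts[2] in MTA_PROCS:
            yield parts[0], parts[2]

def mta_processes_by_user(ps_output):
    """Map user -> sorted list of distinct MTA process names."""
    by_user = defaultdict(set)
    for user, comm in mta_rows(ps_output):
        by_user[user].add(comm)
    return {u: sorted(p) for u, p in by_user.items()}

def root_share(ps_output):
    """Return (root_processes, total_mta_processes) so you can see the exposure."""
    rows = list(mta_rows(ps_output))
    return sum(1 for user, _ in rows if user == "root"), len(rows)

def live_ps():
    """Collect real ps output; only the header and three columns are used."""
    return subprocess.run(["ps", "-eo", "user,pid,comm"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    for name, sample in (("postfix", SAMPLE_POSTFIX), ("sendmail", SAMPLE_SENDMAIL)):
        print(name, mta_processes_by_user(sample), "root share:", root_share(sample))
```

Replace the samples with `live_ps()` to audit a real host; on a Postfix box only `master` should show up under root.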
----- Original Message -----
From: "philipp"
Hello, I have followed the postfix/sendmail discussions as much as my understanding of the matter allowed. This is trivial, but I wonder: are there security implications when using sendmail only to send messages, without having a sendmail daemon listening for incoming mail? Thanks, liebi
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com