AW: [suse-security] Security by mail...
Hi!

Kurt Seifried [mailto:listuser@seifried.org] wrote:
> Show me a root hack in sendmail recently (and no, the Linux kernel capabilities bug doesn't count, you can use programs other than sendmail to exploit it). Sendmail has a nasty track record, but has made a lot of effort in the last 2 years to clean up (because they are selling it commercially now, heh). I would use it if I had to, but since Postfix is out I don't =).
It's not that I know of any recent root hacks in sendmail. I just experienced that it's not that easy to set up. I have been using sendmail from SuSE 4.4 to 6.3 and was satisfied with it, but as I tried to do some setup without the use of YaST I found qmail much better to look over. Sendmail has all these m4 scripts which you have to get deep into to be able to understand. I don't want to accuse sendmail of not being secure, I just thought that qmail was so easy to set up for me - I wondered why there was no possibility of installing qmail by SuSE. Just thought that such a complex configuration could easily get you a security hole, just because you did not have an overview of all the options.
> Qmail has a terrible license, basically you cannot distribute binaries of it too easily. I have talked ad nauseam about this with people like Vincent (Mandrake security guy who had to package it, it caused him a huge amount of grief). This means vendors prolly won't be backing it too strongly (personally? I wouldn't back it at all). I'd put my money on Postfix (which BTW I have been using for 2 years). The IBM license is MUCH saner and postfix has many advantages over Qmail (regex filtering of headers, database as the back for config files, etc).
I did not study the license of qmail. At least not from the distributor's point of view, I just wondered.. ;-)

--
Kind regards, Christian