On Fri, Feb 20, 2004 at 11:49:48PM +0100 or thereabouts, Theo v. Werkhoven wrote:
Thu, 19 Feb 2004, by gv-dated-7098286.cckeb@mygirlfriday.info:
The ease of configuration and use of the above MTAs are based on your needs. Of course security is a main issue... qmail is the most secure, postfix second, sendmail last..
You're obviously (conveniently?) forgetting a couple of minor points.
Theo, I'm not going to get into a p-- contest here, I don't have the time, but .. well, let's see.... I don't think so.. you seem to be adding some distortion here..
- It's the admin's work that's the main issue wrt security, not what software he/she runs.
security is an absolute requirement. Quality software helps.. or maybe he should just use an older version of Sendmail ... or formmail?
- Qmail hasn't been updated in 10 years or so, the basic package is secure, yes, but all the patches you need to use it in the 21st century are *not* proven to be just as secure (and djb won't vouch for those either).
I believe the first beta was in 1996, version 1.3 in 1998, and it has not been upgraded because it never has had to. The author's cash reward for security guarantee is still in effect: http://cr.yp.to/qmail/guarantee.html Patches? qmail works right out of the box.. I have several servers out there running v1.03 right out of the box.. nothing added. qmail guarantees that once mail is accepted, it will never be lost. It is also, code-wise, a lot smaller than Sendmail or Postfix.
- Postfix's security record is at least as good as Qmail's, with *no* remote vulnerability, and only 1 local DoS vuln. that was solved a long time ago with the transition from 1.x to 2.x
I disagree here, but will not belabor the point.. IIRC, there were 2 security advisories, maybe not... I just don't remember.. and Postfix is secure, again, I am not going to get into a p--- contest here, it is subjective.
- Postfix doesn't need to be anal about what user runs what daemon, and doesn't need 4 or 5 new users and groups and the complexity of the initial setup.
again, a security feature: minimization of setuid code, minimization of root code, five-way trust partitioning--security in depth. Postfix does not have security partitions between individual, mutually distrustful elements of the mail system as qmail does. Most daemons run under the same, single, global UID (specified by the mail_owner keyword in main.cf). A compromise of one of those daemons immediately compromises all of the others. I submit you to http://homepages.tesco.net/~J.deBoynePollard/Reviews/UnixMTSes/ for a comparison, and review of Postfix here (in part where the above paragraph came from): http://homepages.tesco.net/~J.deBoynePollard/Reviews/UnixMTSes/postfix.html As far as setup, using netqmail 1.05, this is all taken care of for you during the install. Or installing from tarballs to a complete system takes about 15 minutes. It uses its own system library replacements to avoid buffer overflow exploits.
- Postfix is simple to grok, but it can also be used in complex situations.
Yes, like reg-exing all the headers and body of each email to block worms/viruses.. ?
- Postfix's licence permits it to be distributed in either binary or source form. No need to go hunting for the correct patches, tricks & tips etc., it runs out-the-box on an x86 Linux box (and even under Cygwin/Windows I heard), but also on a 64 CPU Sun box or a PPC Mac under OS-X (they use it as default MTA as well).
once again, qmail runs out of the box on any *nux or OS-X system, no patches are needed, no hunting. If you want "extras" they are available all in one place. No big hunting here... You can use qmail for any purpose, you can redistribute unmodified qmail source distributions and qualifying var-qmail binary distributions, and you can distribute patches to qmail if you wish. You can't distribute modified qmail source code or non-var-qmail binary distributions.
Sorry, couldn't resist.
What is there to resist <g> qmail is the second most popular MTA on the net, sendmail being first because it has been there the longest. Theo, I have nothing against Postfix, as I indicated earlier, it is secure, and I used to use it for several years... - Gary