Subject: Re: version of postfix in base system?
To: None <david@l8s.co.uk>
From: Takahiro Kambe <taca@back-street.net>
List: netbsd-users
Date: 08/05/2003 09:02:44
In message <20030804222312.O810@snowdrop.l8s.co.uk>
	on Mon, 4 Aug 2003 22:23:12 +0100,
	David Laight <david@l8s.co.uk> wrote:
> On Mon, Aug 04, 2003 at 04:26:26PM -0400, Steve Bellovin wrote:
> > What version of Postfix is in the base 1.6.1 system?  There have been a 
> > number of security advisories on Postfix 1.1.11 and 1.1.12.
> 
> Mmmm, who was it who wanted to use postfix instead of sendmail
> because of all the vulnerabilities that have been found in sendmail?
It is because of the frequency of security problems.  (On the other hand,
upgrading sendmail is fairly simple since it is basically one executable.)

This security problem depends on the configuration.  From the announcement
mail on postfix-announce,

    Postfix versions prior to 1.1.9:

	These become vulnerable only when the append_dot_mydomain
	feature is set to "no" (you can verify this with the command
	"postconf append_dot_mydomain"). Use the command "postconf -e
	append_dot_mydomain=yes" to update the setting if necessary.

The default for append_dot_mydomain is "yes".

-- 
Takahiro Kambe <taca@back-street.net>
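
The check described in the quoted announcement, written out as a small audit script. This is an added example, not part of the original message or of Postfix itself; the function names are hypothetical, the version is assumed to be read with "postconf mail_version", and the sample line at the end is constructed.

```shell
#!/bin/sh
# Classify a host against the condition quoted from postfix-announce:
# versions prior to 1.1.9 are affected only when append_dot_mydomain is "no".

# "name = value" (postconf output format) -> "value"
param_value() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Succeeds when dotted version $1 is numerically lower than $2.
# Numeric per-field comparison matters: as strings, 1.1.10 sorts before 1.1.9.
version_lt() {
    awk -v a="${1%%[!0-9.]*}" -v b="${2%%[!0-9.]*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# $1: output of "postconf mail_version", $2: output of "postconf append_dot_mydomain"
classify() {
    version=$(param_value "$1")
    setting=$(param_value "$2")
    if [ -z "$version" ]; then
        echo "unknown"              # could not read the version
    elif ! version_lt "$version" 1.1.9; then
        echo "not-covered"          # the quoted paragraph only addresses < 1.1.9
    elif [ "$setting" = "no" ]; then
        echo "exposed"              # fix: postconf -e append_dot_mydomain=yes
    else
        echo "condition-not-met"    # default "yes" is in effect
    fi
}

# Run against the live configuration (requires postconf in PATH).
audit_live() {
    classify "$(postconf mail_version)" "$(postconf append_dot_mydomain)"
}

# Constructed sample input, not taken from a real host.
classify "mail_version = 1.1.8" "append_dot_mydomain = no"
```

A result of "not-covered" means only that the quoted paragraph says nothing about that version; the advisories for 1.1.11 and 1.1.12 mentioned earlier in the thread still need to be checked separately.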