Subject: Re: localhost security hole
To: David Porowski <>
From: Brett Lymn <>
List: tech-security
Date: 06/29/2003 15:42:15

On Sat, Jun 28, 2003 at 11:20:53PM -0400, David Porowski wrote:
> .  I can comment however on sendmail:  it
> is the grandfather of all mail programs, and carries
> some interesting (and arcane) baggage.

Let's qualify that - you can comment on sendmail for use with a small
set of users, probably all in the same domain.  The picture is very
different when you have a large user base that spans multiple domains
and you want to do rewrites/redirections/filtering - sendmail does all
this with ease; qmail and others like it make simplifying assumptions
which break down when the complexity levels rise.  Don't bag sendmail
because you don't understand it; it (still) has a purpose and the
history of security problems can, in part, be put down to it being one
of the single most widely deployed programs on the internet - this
makes any security hole in it a big problem immediately.  I do note
though that the number of security problems with sendmail has
decreased over the years.

>  Perhaps it is
> time to offer an alternative mail program, like qmail.

There is always pkgsrc...

Brett Lymn