[TriLUG] Which is better?

bak bak at picklefactory.org
Wed Oct 10 22:10:50 EDT 2007

Hash: SHA1

I have only my anecdotal admin experience of patching or upgrading
again, and again, and again in response to security bulletins regarding
Sendmail.  In a heterogeneous environment this gets old fast, believe me.

But just for fun, I went and searched CVE (cve.mitre.org) for a strict
count of reported vulnerabilities.  I started at 2001, as that's when
the first Postfix vulnerability was reported.

Postfix: 4
Sendmail: 40

Of course Sendmail has a much wider usage, in that it's the default
mailer still in Solaris, AIX, etc. etc.  But still -- 10:1, FWIW.

I do agree with you that 15 years ago security was not much thought of.
 But Sendmail stagnated, for the most part, and Postfix, exim, & qmail
have filled in the Unix mailer gap.  qmail in particular, but also
Postfix, also take a pretty strict "never lose it" approach.  Barring
sudden loss of power I have never seen qmail lose a single message.

Like I said, no reason for a person who values his sanity to do a new
Sendmail install. :)

- --bak

Joseph Mack NA3T wrote:
> On Wed, 10 Oct 2007, bak wrote:
>> Sendmail has had a long and storied history of vulnerabilities, though
>> lately it's been far more robust.
> I don't like sendmail anymore than the next person (the m4 
> config file was for an era before IP dominated networking 
> and when an MTA was expected to handle all protocols), 
> however in the absence of a reference to hard data, your 
> statement here seems a little harsh. I don't have any data 
> either to rebut your statement, so I'm in no better position 
> than you to speak. I don't know what "lately" is, so I'll go 
> with this
> o sendmail was written in an era when people were glad for 
> anything that worked, and people were expected to write 
> clients which abided by the protocols, or else programs 
> would crash. Sendmail in this case has the disadvantage of 
> being first off the block.
> o at a Lisa/Sage conference about 10yrs ago, the sendmail 
> code was held up as an example of safe coding, in that it 
> was impossible to loose a piece of e-mail: it would either 
> be delivered or returned as undeliverable. The speaker 
> seemed to regard the code as all round well written.
> I agree that sendmail is horrible to configure (it should 
> have shed its non-IP capabilities long ago), and if it's not 
> secure, I'm sorry to hear it. I don't know why Allman didn't 
> rewrite it 10yrs ago but instead allowed postfix etc to take 
> over the niche.
> Joe
Version: GnuPG v1.4.6 (Darwin)


More information about the TriLUG mailing list