Spam problem

Madison Kelly linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Thu Jun 14 20:18:41 UTC 2007


John Van Ostrand wrote:
> On Thu, 2007-06-14 at 10:40 -0400, Lennart Sorensen wrote:
>> sendmail has a long history of being a security disaster.  Why anyone
>> ever uses it anymore is beyond my imagination.  Why not postfix or exim?
>> Simpler to configure, way less security problems over the years.
> 
> Okay with flame bait like that I need to at least give a compelling
> counter argument.
> 
> Sendmail has a long list of vulnerabilities because it's been around
> since the early 80's (postfix is only 8 years old). It was tagged as
> insecure a long time ago and people just don't seem to want to give up
> on that. It's had its share of security issues, but so have lots of
> other programs that we use every day (like Linux, OpenSSH, OpenSSL,
> etc.)
> 
> I've run Sendmail since I gave up trying to get MMDF working in 1994 and
> I have yet to fall victim to a vulnerability. That's on dozens of
> systems that I administer for my company and clients.
> 
> Sendmail has been distributed in Unix systems for over a decade and it
> may have achieved its notoriety because vendors back then did not ship
> with a secure configuration leaving many systems configured as open
> relays. It was also the predominant MTA for a very long time.
> 
> For some reason people also think its configuration is still difficult.
> Again this is out-dated. It certainly was difficult when I was using it
> back in 1995. However, its complex configuration allowed me to set up
> virtual domain hosting when all the larger ISPs still used aliases (e.g.
> so they couldn't have both sales-PV5Ro7/Mrj4 at public.gmane.org and sales-XauvlLoUTruG5qFZezUJ9A at public.gmane.org)
> That changed years ago when M4 macros were put to use. Now I can
> configure sendmail faster than Postfix and usually only a few lines of
> M4 config file need to be changed to support very advanced features.
> 
> I do like Postfix too. I find its method of configuration in some ways
> more flexible than sendmail and in others more constrictive.
> 
> As for performance sendmail suits my needs. My heaviest email server
> processes about 15,000 messages a day and, in times of heavy spam, has
> peaked well above that and sendmail has been efficient. Now if I was
> doing a million messages a day I might shop around.
> 
> And in the end Madison's problem may not have been sendmail after all.
> 
> Sorry for the rant, but as a long time sendmail user I wanted to at
> least provide a more extensive viewpoint.

:)

I feel bad sometimes admitting that I still do like Sendmail. Call me 
old fashioned. :P

Also, since implementing SPF in DNS the bounces have stopped. It is 
starting to look like a clever header spoof or something. Not sure 
though why the firewall blocks helped, so maybe I'm wrong and there was 
a way into sendmail that I haven't fixed and the spam has stopped for 
other reasons...

Madi
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




