[Mailman-Users] Extremely High Membership lists
Nigel.Metheringham at VData.co.uk
Thu Jun 29 11:00:10 CEST 2000
chuqui at plaidworks.com said:
> Are the others considered secure because they're secure? or because
> all of the hackers spend their time on sendmail and haven't bothered
> to try to break them open? I know things like Postfix were designed
> with an ear to security, but have the hackers proven it right?
My belief is that qmail and postfix are more inherently secure than
sendmail - sendmail is one big chunk that does everything and has root
privileges, so a compromise tends to take the whole machine out.
Qmail and postfix are suites of small programs with limited trusts and
remits. If one of these components is compromised you might be able to
get into the mail handler but its *very* unlikely you can break the
whole machine (other than maybe DOS).
Exim has the severe disadvantage that it runs setuid root and is a big
lump of code. It has the advantage of sendmail that it was written
later and in a consistant style which should protect it against buffer
overruns. Downside is that it has not had as much testing as sendmail
in the wild, neither has it been formally audited to my knowledge. It
has had one security exploit to my knowledge (however never exploited
in the wild - again AFAIK). Exim *can* be run completely without root
on systems which have no local users.
My take is that I have been working with and on exim since even before
it was around (I previously maintained smail 3). Exim is wonderfully
flexible and extensible. If I were starting out now I would probably
go for postfix, but don't currently feel the need to move currently.
If I was designing a real high volume list handler I would certainly
evaluate postfix which I think would probably outperform exim in this
situation. [qmail is not an option - it uses more bandwidth and thats
costly in the EU]
claw at cp.net said:
> Note: I'm not aware of a single large scale high volume commercial
> service on the 'net that runs Sendmail. Not one. You can check this
> youself by telnetting to the SMTP port on their MXes and reading the
> HELO message.
Apparently according to the sendmail marketing dweeb I saw a few weeks
back they have something like 7 of the top 10 ISPs... which I don't
really believe since it depends how you define things. AOL was
mentioned... their MXes give back something rather customised.
IMHO sendmail installations fall into 2 camps - those that know what
they are doing and have good reasons for their choice. And those that
use it because its what shipped on the box and they know no better - I
avoid ISPs that do that latter, which makes up around 80% plus of all
ISPs and a very low percentage of those with a clue.
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
More information about the Mailman-Users