[Mailman-Users] Extremely High Membership lists
Nigel Metheringham
Nigel.Metheringham at VData.co.uk
Thu Jun 29 11:00:10 CEST 2000
chuqui at plaidworks.com said:
> Are the others considered secure because they're secure? or because
> all of the hackers spend their time on sendmail and haven't bothered
> to try to break them open? I know things like Postfix were designed
> with an ear to security, but have the hackers proven it right?
My belief is that qmail and postfix are more inherently secure than
sendmail - sendmail is one big chunk that does everything and has root
privileges, so a compromise tends to take the whole machine out.
Qmail and postfix are suites of small programs with limited trusts and
remits. If one of these components is compromised you might be able to
get into the mail handler but it's *very* unlikely you can break the
whole machine (other than maybe DOS).
Exim has the severe disadvantage that it runs setuid root and is a big
lump of code. It has the advantage over sendmail that it was written
later and in a consistent style which should protect it against buffer
overruns. Downside is that it has not had as much testing as sendmail
in the wild, neither has it been formally audited to my knowledge. It
has had one security exploit to my knowledge (however never exploited
in the wild - again AFAIK). Exim *can* be run completely without root
on systems which have no local users.
My take is that I have been working with and on exim since even before
it was around (I previously maintained smail 3). Exim is wonderfully
flexible and extensible. If I were starting out now I would probably
go for postfix, but don't currently feel the need to move.
If I were designing a real high volume list handler I would certainly
evaluate postfix which I think would probably outperform exim in this
situation. [qmail is not an option - it uses more bandwidth and that's
costly in the EU]
claw at cp.net said:
> Note: I'm not aware of a single large scale high volume commercial
> service on the 'net that runs Sendmail. Not one. You can check this
> yourself by telnetting to the SMTP port on their MXes and reading the
> HELO message.
Apparently according to the sendmail marketing dweeb I saw a few weeks
back they have something like 7 of the top 10 ISPs... which I don't
really believe since it depends how you define things. AOL was
mentioned... their MXes give back something rather customised.
IMHO sendmail installations fall into 2 camps - those that know what
they are doing and have good reasons for their choice. And those that
use it because it's what shipped on the box and they know no better - I
avoid ISPs that do the latter, which makes up around 80% plus of all
ISPs and a very low percentage of those with a clue.
Nigel.
--
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000 Fax +44 1423 858866 ]
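The "HELO message" the quoted post refers to is the 220 greeting an SMTP server sends as soon as the connection opens, before the client says anything. The following is an added example, not part of the thread or of any of the MTAs discussed: it parses a handful of constructed greeting lines offline (no host is contacted) and extracts the product name and version where the stock greeting of sendmail, Postfix or Exim advertises one, returning "unknown" for the rest. The function names, the sample banners and the host names are all constructed for this example.

```python
import re

# Constructed sample 220 greetings for this example; not captured from any real host.
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Sendmail 8.9.3/8.9.3; Thu, 29 Jun 2000 10:58:01 +0100",
    "220 mx.example.org ESMTP Postfix",
    "220 mail.example.co.uk ESMTP Exim 3.14 #1 Thu, 29 Jun 2000 11:00:10 +0100",
    "220 mail.example.com ESMTP",   # bare greeting: advertises nothing
    "220 relay.example.com Hi there, we are not telling you what we run",
    "420 mx.example.net Service not available",   # server refusing mail right now
]

# SMTP greeting line: 3-digit reply code, space (or hyphen for multi-line replies),
# the server's host name, then optional free text chosen by the operator.
GREETING_RE = re.compile(r"^(?P<code>\d{3})[ -](?P<host>\S+)(?:\s+(?P<text>.*))?$")

# Product names that the stock greetings of these MTAs carry; when a version
# follows the name it is the next whitespace-separated token.
PRODUCT_RE = re.compile(r"\b(Sendmail|Postfix|Exim)\b\s*(\S+)?", re.I)


def classify_text(text):
    """Return (mta, version) from the free text of a greeting.

    ("unknown", None) when no recognised product name appears. A bare "ESMTP"
    is deliberately left as unknown: several MTAs can be configured to send
    exactly that, so it proves nothing.
    """
    m = PRODUCT_RE.search(text)
    if m is None:
        return ("unknown", None)
    version = (m.group(2) or "").rstrip(";,") or None
    return (m.group(1).lower(), version)


def parse_greeting(line):
    """Parse one greeting line into its parts, or None if it is not an SMTP reply.

    The MTA is only classified for a 220 reply; any other code means the server
    is not offering service, so its text is not a product banner.
    """
    m = GREETING_RE.match(line.strip())
    if m is None:
        return None
    code = int(m.group("code"))
    text = m.group("text") or ""
    mta, version = classify_text(text) if code == 220 else (None, None)
    return {"code": code, "host": m.group("host"), "text": text,
            "mta": mta, "version": version}


def identify_mta(line):
    """Convenience wrapper: product name, or "unknown" when nothing usable is advertised."""
    parsed = parse_greeting(line)
    if parsed is None or parsed["mta"] is None:
        return "unknown"
    return parsed["mta"]


def summarize(lines):
    """Count greetings per advertised product, with buckets for refusals and junk."""
    counts = {}
    for line in lines:
        parsed = parse_greeting(line)
        if parsed is None:
            key = "unparseable"
        elif parsed["mta"] is None:
            key = "no-service"
        else:
            key = parsed["mta"]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        parsed = parse_greeting(banner)
        print(f"{parsed['host']:<22} {parsed['code']} {parsed['mta']!s:<8} {parsed['version']}")
    print(summarize(SAMPLE_BANNERS))
```

The fifth sample shows the caveat the post itself raises with AOL's "rather customised" greeting: the text after the host name is whatever the operator configured (sendmail's SmtpGreetingMessage option, Postfix's smtpd_banner, Exim's smtp_banner, qmail's control/smtpgreeting file), so a survey built on greetings only counts servers that choose to say what they run. The most reliable use of the parser is on your own MXes, to check that they are not advertising a product and version string you would rather not publish.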