Slashdot Mirror
Sendmail Removed From NetBSD
Derkjan de Haan writes "Christos Zoulas removed sendmail from the NetBSD source tree, after a lot of discussion about its security track-record. Sendmail will remain available from pkgsrc." But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)
As you can see with above security concerns, Sendmail has had significant historical problems but they have been active in rectifying these problems. If you have the time to patch often, Sendmail most probably will provide you with one of the safest mail transfer agents out there.
The largest concern seems to be the possibility of being compromised via a remote connection. If you're not using it, simply turn off the Sendmail Daemon. And I think that's why they removed it from NetBSD. Some idiot like myself might install NetBSD and leave that sucker listening on port 25. Now, there are no problems immediately because I'll have the latest version but I'm lazy and I don't patch NetBSD regularly so a few security alerts come out and then
Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college?
My work here is dung.
I just don't believe it...
Happiness is like peeing yourself. Everybody can see it but only you can feel its warmth.
And named it postfix.
On a default NetBSD installation where does the cron output go?
Postfix has been in the tree for a while, and will now be the default MTA.
The Internet Worm of 1988 -- Introduction by Francis Litterio
The below document tells the story of the Internet Worm of 1988 and how it effectively shut down the Internet. I didn't write it, but it's hard to find it on the net these days, so I offer it here on the theory that those who fail to learn from history are doomed to repeat it.
I remember when it happened. It was a big deal to computer people like me, but in 1988 the Internet was unknown even to the most sophisticated media reporters, and the World Wide Web had not been invented yet. I remember the NBC Evening News devoting less than 30 seconds to the topic. If an equally severe disruption of the Internet were to happen today, the President of the United States would probably hold a press conference to calm the nation.
Google Cache to the Article by Don Seeley, Univ. of Utah
Postfix is based on sendmails codebase, with much stronger security features and a lot of the more complex configuration hidden away. It is very fast and featureful.
Qmail is a fairly secure pretty fast MTA it is very modular and very suited to sites with multiple domains to handle.
There is others such as exim, james, etc but Sendmail, Postfix and Qmail are the 3 biggest I think next would be exim (it used to be the default in debian I don't know if it still is).
Personally I would recommend postfix if you are handling just your own email, I use postfix, courier-imapd, spamassassin, amavisd, clamav, maildrop, and procmail and I haven't had a single security incident on my system (knock on wood), additionally I have about a 99% success rate catching spam with almost no false positives.
GeekServ Unix Consulting Services (http://www.geekserv.com)
Then it's at least nine years new. The second edition of the bat-book dates to January 1997. (I don't think I've ever seen a copy of the first edition, so I don't know if the m4 config is as old as late 1993.) I've been using the m4 config since early 2000 when I first got fixed IP DSL.
Anyhow, in my experience, Sendmail also won't work right if your DNS is broken. Both the IP and MX records have to be right.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Personally, I use Postfix. It's Free, it's intelligently designed (by this guy, if you were wondering), it's much easier to set up to be secure, and it has a certain level of Sendmail compatibility, so that older programs that assume you're running Sendmail don't barf when you switch.
The biggest architectural difference between Sendmail and Postfix is that Postfix has many small executables (arguably, many not-so-small executables) while Sendmail is monolithic. From a user's perspective this is basically transparent: the biggest benefit to a sysadmin of running Postfix is the config files, which are as close to being self-explanatory as a MTA config file can be, in my opinion.
Sendmail always struck me as a bit of a challenge to set up securely/properly (i.e. "not an open relay"); Postfix is pretty simple to get going securely, and has well-chosen default parameters (at least as I've seen it installed, on Debian) that let you set up a server that won't be immediately spewing Russian penis-enlargement emails quickly. I've never tried to set up Sendmail with SSL support, but I'm going to go out on a limb and guess that it's easier to do this with Postfix as well.
I can't personally vouch for its speed, because I don't run a high-volume mailserver, nor do I have the hardware to really give the MTA that much of a workout (it just becomes disk-bound on my systems). Plus I use flat mbox files and the situation may be totally different with the more modern database-type mailstores. (Yeah, yeah, I know -- 1986 called and they want their file format back and all that. But it works for me.)
There are other choices out there for MTAs, and I'm sensitive to arguments in favor of them and I'm not trying to say that Postfix is necessarily the best possible thing out there for everyone, but at least in my experience it beats the hell out of Sendmail. If somebody wants to jump in here and discuss qmail or exim, and why they think they're great, please do.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Not sure what your are saying, English must be your second language.
/usr/pkgsrc/mail/sendmail
Anyway, if you mean you are going to install FreeBSD over your existing NetBSD installs on "All your servers" then you are a dumbass. Sendmail is still in pkgsrc. Try this.
cd
make install
Duh.
I sort of agree with you. I'd like Novell to put out something like an official SLICK which would be optimized for GUI-less implementations and built to run in the smallest footprint possible (ie. less than 50M). If it was included as an option in the stock SuSE, then wow. Now, as for spending 2-3 hours running rpm -ev / yast pulling packages from SLES to make it usable, somehting isn't right there. First off, you should have setup a test server to determine your needs. Once that's done, create an AutoYast install script (think RH KickStart) to do your production installs (eg. yast2 autoyast). Second, even if unneeded pacakges are installed, you can easily disable the cruft services you don't need in Yast->System->Services, I'd guess in under 5 minutes start to finish.
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
Postfix was made the default mailer.
The format of sendmail.cf made perfect sense when sendmail was written, however many years ago it was. In those days, people were smart and machines were stupid.
When you look at modern programs with their fancy-pants SQL and XML configurations, they may be easier for a human being to understand; but they're also a hell of a lot of work for the computer to understand, precisely because of all the human-readable cruft. Twenty or thirty years ago, there wasn't the computing power to waste on processing such a config file; it was simply less effort, and more productive, to get a human being to bond well enough with the computer to be able to create a sendmail.cf from scratch.
Je fume. Tu fumes. Nous fûmes!
Sendmail is pre-Internet. It was built to route mail between BITNET, UUCP, ARPAnet, JAnet, and so on, all of which had different e-mail syntax. That's why it has a big slow crufty macro engine that every message goes through, and that's why it rewrites the headers of e-mail passing through it. None of that is necessary or desirable these days. Most of sendmail's other problems, from lack of speed to poor security, flow from that initial design decision, so you really need to start again from scratch with a simple e-mail parser and build up from there.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
It is still the default MTA on OpenBSD, and the OBSD developers (up to now) have been resistent to the idea of replacing it. It has been stated that Sendmail's recent security record (on OpenBSD) has been acceptable, and that sendmail's authors are always reasonable when it comes to making changes (this is important!).
I'm curious, how many systems still ship sendmail as the default MTA?
The main reason an MTA is included is because of the daily (and weekly, monthly) cron jobs that email their output to root. As one of the daily jobs is /etc/security (which compares the checksum, permissions, and timestamps of a list of system files to known values, among other things), this is a good thing. (It's also a good idea to put audit-packages in security.local, and download-vulnerability-list in daily.)
::1 -- you have to manually configure it (insert sendmail.cf snark) to listen on physical interfaces.
Just an FYI, on both NetBSD and OpenBSD (and also FreeBSD, AFAIK), the out-of-the-box configuration has sendmail listening only on 127.0.0.1 and
While pkgsrc does make installation very easy, the stuff in base undergoes more throrough audits, and usually has {Net,Open,Free}BSD-specific patches to it. While pkgsrc includes patches as well, those are usually just what's sufficient to make it run on $platform.
"It's better to keep your mouth shut and be thought a fool than to open it and remove all doubt."
Then you are one of the very few folks using sendmail w/o pkgsrc. Everyone else who was asked admitted to already using the pkgsrc sendmail as it supported sasl and other important features that can't be supported in base.
Since the folks (well, all the ones asked before this was done) using sendmail weren't using the sendmail in base, it seems like litle will be lost by removing it.
> dnl means "delete new-lines". .cf file, so the dnl's are basically macros that remove extra new-line
>
> The M4 macro preprocessing tends to insert a lot of extra blank lines into the
> resulting
> characters.
>
> Yes, it is stupid.
Actually, you are, because you're wrong!
I don't know exactly what it stands for, but it's purpose is to "ignore rest of line", in other words, do exactly as '#' does in shell scripts etc.
"delete (to) newline"
or "disregard to newline" ?
Dunno.. Yeah, stupid name, but at least it does something more useful than you thought!
Sig out of date