Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sendmail Removed From NetBSD

Posted by ryuzaki0 on from the end-of-an-era dept.

Derkjan de Haan writes "Christos Zoulas removed sendmail from the NetBSD source tree, after a lot of discussion about its security track-record. Sendmail will remain available from pkgsrc." But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)

8 of 248 comments (clear)

  1. The Security Concerns by eldavojohn · · Score: 5, Informative
    Well, I don't think that a short note covered much at all on why they removed it so I did some investigative work. Disclaimer: I use sendmail although I am by no means an expert at it. I'm ignoring pre-2k security issues as that is older than five years ago.
    • A security alert from March of 2003 in which Sendmail has been determined to contain a buffer overflow vulnerability.
    • Another security alert from later that year.
    • A security alert also from 2003 regarding a remote buffer overflow.
    • A security alert from 2002 regarding a trojan horse horse sendmail distro.
    • Some freebsd specific Sendmail alerts.
    • A security alert from March of 2006 (this year) regarding a race condition that may allow remote code execution by an arbitrary user.
    • A plethera of similar or smaller security concerns can easily be found.
    • The most recent release of Sendmail involves things like fixing possible integer overflows & unsafe use of setjmp(3)/longjmp(3) or adding time outs.

    As you can see with above security concerns, Sendmail has had significant historical problems but they have been active in rectifying these problems. If you have the time to patch often, Sendmail most probably will provide you with one of the safest mail transfer agents out there.

    The largest concern seems to be the possibility of being compromised via a remote connection. If you're not using it, simply turn off the Sendmail Daemon. And I think that's why they removed it from NetBSD. Some idiot like myself might install NetBSD and leave that sucker listening on port 25. Now, there are no problems immediately because I'll have the latest version but I'm lazy and I don't patch NetBSD regularly so a few security alerts come out and then ... well, you know the rest.

    Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college?
    --
    My work here is dung.
    1. Re:The Security Concerns by dodobh · · Score: 4, Informative

      http://www.postfix.org/postconf.5.html#canonical_m aps
      http://www.postfix.org/generic.5.html
      http://www.postfix.org/ADDRESS_REWRITING_README.ht ml
      http://www.postfix.org/transport.5.html

      Pretty trivial stuff.

      --
      I can throw myself at the ground, and miss.
  2. They did overhaul sendmail. by Trigun · · Score: 5, Informative

    And named it postfix.

  3. Re:What's the alternative? by jmcneill · · Score: 4, Informative

    On a default NetBSD installation where does the cron output go?

    Postfix has been in the tree for a while, and will now be the default MTA.

  4. 8 years after "The Worm" Snedmail is closed by sgent · · Score: 4, Informative
    You've never heard of a security issue with sendmail??!!!?? Time for a history lesson. Although obviously fixed now, Sendmail was the main culprit in the first internet worm ever found in the wild.

    The Internet Worm of 1988 -- Introduction by Francis Litterio

    The below document tells the story of the Internet Worm of 1988 and how it effectively shut down the Internet. I didn't write it, but it's hard to find it on the net these days, so I offer it here on the theory that those who fail to learn from history are doomed to repeat it.

    I remember when it happened. It was a big deal to computer people like me, but in 1988 the Internet was unknown even to the most sophisticated media reporters, and the World Wide Web had not been invented yet. I remember the NBC Evening News devoting less than 30 seconds to the topic. If an equally severe disruption of the Internet were to happen today, the President of the United States would probably hold a press conference to calm the nation.

    Google Cache to the Article by Don Seeley, Univ. of Utah

  5. Re:Sendmail is a pain in the ass by Megane · · Score: 4, Informative
    That's the new configuration process.

    Then it's at least nine years new. The second edition of the bat-book dates to January 1997. (I don't think I've ever seen a copy of the first edition, so I don't know if the m4 config is as old as late 1993.) I've been using the m4 config since early 2000 when I first got fixed IP DSL.

    Anyhow, in my experience, Sendmail also won't work right if your DNS is broken. Both the IP and MX records have to be right.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  6. Re:Provide examples by Kadin2048 · · Score: 4, Informative

    Personally, I use Postfix. It's Free, it's intelligently designed (by this guy, if you were wondering), it's much easier to set up to be secure, and it has a certain level of Sendmail compatibility, so that older programs that assume you're running Sendmail don't barf when you switch.

    The biggest architectural difference between Sendmail and Postfix is that Postfix has many small executables (arguably, many not-so-small executables) while Sendmail is monolithic. From a user's perspective this is basically transparent: the biggest benefit to a sysadmin of running Postfix is the config files, which are as close to being self-explanatory as a MTA config file can be, in my opinion.

    Sendmail always struck me as a bit of a challenge to set up securely/properly (i.e. "not an open relay"); Postfix is pretty simple to get going securely, and has well-chosen default parameters (at least as I've seen it installed, on Debian) that let you set up a server that won't be immediately spewing Russian penis-enlargement emails quickly. I've never tried to set up Sendmail with SSL support, but I'm going to go out on a limb and guess that it's easier to do this with Postfix as well.

    I can't personally vouch for its speed, because I don't run a high-volume mailserver, nor do I have the hardware to really give the MTA that much of a workout (it just becomes disk-bound on my systems). Plus I use flat mbox files and the situation may be totally different with the more modern database-type mailstores. (Yeah, yeah, I know -- 1986 called and they want their file format back and all that. But it works for me.)

    There are other choices out there for MTAs, and I'm sensitive to arguments in favor of them and I'm not trying to say that Postfix is necessarily the best possible thing out there for everyone, but at least in my experience it beats the hell out of Sendmail. If somebody wants to jump in here and discuss qmail or exim, and why they think they're great, please do.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  7. Re:Replacement? by perry · · Score: 4, Informative

    Postfix was made the default mailer.