Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sendmail Removed From NetBSD

Posted by ryuzaki0 on from the end-of-an-era dept.

Derkjan de Haan writes "Christos Zoulas removed sendmail from the NetBSD source tree, after a lot of discussion about its security track-record. Sendmail will remain available from pkgsrc." But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)

2 of 248 comments (clear)

  1. The Security Concerns by eldavojohn · · Score: 5, Informative
    Well, I don't think that a short note covered much at all on why they removed it so I did some investigative work. Disclaimer: I use sendmail although I am by no means an expert at it. I'm ignoring pre-2k security issues as that is older than five years ago.
    • A security alert from March of 2003 in which Sendmail has been determined to contain a buffer overflow vulnerability.
    • Another security alert from later that year.
    • A security alert also from 2003 regarding a remote buffer overflow.
    • A security alert from 2002 regarding a trojan horse horse sendmail distro.
    • Some freebsd specific Sendmail alerts.
    • A security alert from March of 2006 (this year) regarding a race condition that may allow remote code execution by an arbitrary user.
    • A plethera of similar or smaller security concerns can easily be found.
    • The most recent release of Sendmail involves things like fixing possible integer overflows & unsafe use of setjmp(3)/longjmp(3) or adding time outs.

    As you can see with above security concerns, Sendmail has had significant historical problems but they have been active in rectifying these problems. If you have the time to patch often, Sendmail most probably will provide you with one of the safest mail transfer agents out there.

    The largest concern seems to be the possibility of being compromised via a remote connection. If you're not using it, simply turn off the Sendmail Daemon. And I think that's why they removed it from NetBSD. Some idiot like myself might install NetBSD and leave that sucker listening on port 25. Now, there are no problems immediately because I'll have the latest version but I'm lazy and I don't patch NetBSD regularly so a few security alerts come out and then ... well, you know the rest.

    Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college?
    --
    My work here is dung.
  2. They did overhaul sendmail. by Trigun · · Score: 5, Informative

    And named it postfix.