Slashdot Mirror


Sendmail Removed From NetBSD

Derkjan de Haan writes "Christos Zoulas removed sendmail from the NetBSD source tree, after a lot of discussion about its security track-record. Sendmail will remain available from pkgsrc." But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)

6 of 248 comments

  1. The Security Concerns by eldavojohn · · Score: 5, Informative
    Well, I don't think that a short note covered much at all on why they removed it so I did some investigative work. Disclaimer: I use sendmail although I am by no means an expert at it. I'm ignoring pre-2k security issues as that is older than five years ago.
    • A security alert from March of 2003 in which Sendmail has been determined to contain a buffer overflow vulnerability.
    • Another security alert from later that year.
    • A security alert also from 2003 regarding a remote buffer overflow.
    • A security alert from 2002 regarding a trojan horse sendmail distro.
    • Some FreeBSD-specific Sendmail alerts.
    • A security alert from March of 2006 (this year) regarding a race condition that may allow remote code execution by an arbitrary user.
    • A plethora of similar or smaller security concerns can easily be found.
    • The most recent release of Sendmail involves things like fixing possible integer overflows & unsafe use of setjmp(3)/longjmp(3) or adding time outs.

    As you can see with above security concerns, Sendmail has had significant historical problems but they have been active in rectifying these problems. If you have the time to patch often, Sendmail most probably will provide you with one of the safest mail transfer agents out there.

    The largest concern seems to be the possibility of being compromised via a remote connection. If you're not using it, simply turn off the Sendmail Daemon. And I think that's why they removed it from NetBSD. Some idiot like myself might install NetBSD and leave that sucker listening on port 25. Now, there are no problems immediately because I'll have the latest version but I'm lazy and I don't patch NetBSD regularly so a few security alerts come out and then ... well, you know the rest.

    Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college?
    --
    My work here is dung.
    1. Re:The Security Concerns by Anonymous Coward · · Score: 5, Funny
      Funny thing is, I've never heard of anyone losing data or being hacked due to Sendmail. Perhaps it's because the last place I saw it used widely was college?

      Some time ago there was a 'hacker' movie made here in Poland. And there was a rather funny scene, where two main characters were trying to break into some server. Best part below:

      (from memory)
      H1: Wow, this thing is a real fortress...
      H2: Did you try to get through sendmail using emacs?
  2. Let the qmail flamery begin! by Gothmolly · · Score: 5, Funny

    Now we will descend into a flamewar of qmail vs. courier vs. whateverMTAyouuse. Gentlemen, choose one or more of your arguments:

    Qmail is more secure.
    Yes, the qmail author is a (code wizard|douchebag|weird academic) so I (will|will not) use qmail.
    Courier is cooler because it includes an IMAP server in its distribution.
    Sendmail is fine these days, it's just the n00bs that admin it that make it broken.
    Yeah but so is Windows.
    So's your mother.
    I run on so I'm not affected.
    I outsourced my email to gmail and (couldn't be happier|hate it|Google rules|Google is teh evil).
    BSD is dying.
    BSD is alive.

    --
    I want to delete my account but Slashdot doesn't allow it.
  3. They did overhaul sendmail. by Trigun · · Score: 5, Informative

    And named it postfix.

  4. Well by Anonymous Coward · · Score: 5, Funny

    I run Windows, so thankfully I don't have to worry about this kind of security issue.

  5. Best way to measure Bat Book size? by Anonymous Coward · · Score: 5, Funny
    1. number of pages.
    2. thickness.
    3. Schwarzschild radius.