[ale] SMTP Servers

Matty matty91 at bellsouth.net
Tue Dec 31 20:15:11 EST 2002


Jonathan Rickman wrote:
> On Tue, 31 Dec 2002, Matty wrote:
> 
> 
>>Greg wrote:
>>
>>>If it is a relatively simple deal, OpenBSD's code audited and stable version
>>>of Sendmail might be ok, otherwise I am w/ John - Qmail or Postfix
>>
>>I am not so sure I trust their auditing practices. They audited SSH, and
>>look what happened ;) I prefer postfix myself.
> 
> 
> There's a little more to it than that. All the code audits in the world
> can't stop someone from compromising the server the package is hosted on
> and replacing it with another. Now, let's be clear on one thing, the
> server that was compromised was not running OpenBSD. I'm not saying the
> guys working on the OpenBSD project are perfect, but they do a pretty damn
> good job of making sure their code is tight. That being said, plain old
> sendmail works just fine. You just have to work a little harder at it.
>

I wasn't referring to the Trojaned code. I am not sure you can blame 
them for that. If you recall, the OpenBSD team tried to quietly
muffle the priv separation problems, and the following remote overflow:

http://online.securityfocus.com/advisories/4283

OpenBSD is a great OS, but it is prone to programmatic errors (Theo 
probably wouldn't agree) like everyone else.

