Smail security (was Re: Mailing list active?)
Louis Bertrand
list (at least until the moderator shut it down...). Although there are
some good points about security and program correctness from each camp,
the debate has dragged down to the level of a personal insult-fest between
the authors of each package. I now choose to ignore it.
On the topic of security and correctness, I was recently scolded for using
Smail on OpenBSD, by the nice folks on the OpenBSD misc list. Their
opinion was that Smail wasn't good enough for OpenBSD because it has not
been audited specifically for security (improper system calls, buffer
overruns, etc.) as did most of the core services for OpenBSD.
Is this a fair statement?
The issue came up when I (and others) complained that OpenBSD overwrites
sendmail(8) during an upgrade, and blows away any drop-in replacements
(Qmail, Smail notably).
Ciao!
--Louis
Louis Bertrand, Bowmanville, ON, Canada
<lo...@signalpath.on.ca>
OpenBSD: Security matters <www.OpenBSD.org>
On Thu, 14 Jan 1999, Dan Wilder wrote:
> On Thu, Jan 14, 1999 at 09:42:15PM -0500, Louis Bertrand wrote:
> > Excuse this test posting, but is the mailing list active?
> >
> > Thanks
> > --Louis
> >
> > Louis Bertrand, Bowmanville, ON, Canada
> > <lo...@signalpath.on.ca>
> > OpenBSD: Security matters <www.OpenBSD.org>
> >
>
> Apparently not very active. Or maybe I've been bouncing it,
> due to one or another misconfiguration or experiment of my own.
>
> Are there any faithful still out there?
>
> I'm still using smail3, having generated a number of patches to
> 3.2.0.104 to get it to compile and actually deliver mail in my
> environment (submitted to the smail3 bug list) ... really, it is
> a great mailer. I'll probably stick with it for our mail hub,
> and I've recently brought the same version up at a third party
> site.
>
> Though I am experimenting with postfix, previously called
> Vmailer.
>
> Have encountered a few annoying differences that make postfix
> a not-quite-drop-in replacement for sendmail. The .forward
> files, for example, don't do quite what you might expect with
> lines like
>
> user
>
> which aren't guaranteed at all to give you local delivery,
> even when "user" is indeed a local user, and there are no
> /etc/aliases entries, etc, to redirect mail to "user".
>
> Postfix to a small extent emulates sendmail's predisposition
> for header rewriting, though the most obnoxious of this is
> off by default. Apparently there's a bunch more header
> rewriting in the works.
>
> There's no "rsmtp" capability. Though it does handle
> traditional rmail-type uucp nicely. There aren't as many
> delivery options as Smail offers, though. Again, there
> apparently are some of these in the works.
>
> Configuration is, if anything, simpler than Smail, though partly
> because there are fewer options. I feel that postfix is at
> this point less well documented than Smail.
>
> There's an interesting war going on between qmail and postfix
> people on the postfix mailing list. The shots are mostly being
> fired by qmail folks, including somebody who claims to be Dan
> Bernstein, qmail author.
>
> Just released for public beta 12/30/98, postfix is quite a bit more
> mature than I'd expected, considering what a young package it
> appears to be. Maybe the non-public beta has been going on for
> quite a long time.
>
> URL http://www.postfix.org/
>
> --
> Dan Wilder <d...@gasboy.com>
>
>