[Newbie] Howto setup mailserver?? - BSD
-
[Newbie] Howto setup mailserver??
I've just started to set up an OpenBSD server on an old laptop. I want to use
it as webserver and as mailserver. I already managed to set up a webserver
with MySQL and PHP, and can reach it from the internet (with help of the
services from www.dyndns.org). Now I want to set up my own mailserver
with spamfilter (and where my three PCs can get their mail from (via
Outlook)). I've read that Sendmail is better not used because of security
issues. I've read that there are other programs like Postfix and qmail (and
probably many others). My questions:
- which program's best to use?
- are there some good howtos on the web for those programs?
Thanks in advance.
Greetings,
Adrie
-
Re: [Newbie] Howto setup mailserver??
On 2005-08-30, A. van Leeuwen wrote:
> I've read that Sendmail is better not used because of security
> issues.
http://www.openbsd.org/faq/faq1.html#HowAbout
When was the last time you heard of someone having security problems
with sendmail on openbsd?
--
Antti Nykänen || aon@iki.fi || http://aon.iki.fi
-
Re: [Newbie] Howto setup mailserver??
A. van Leeuwen wrote:
> I've just started to set up an OpenBSD server on an old laptop. I want to
> use it as webserver and as mailserver. I already managed to set up a
> webserver with MySQL and PHP, and can reach it from the internet (with
> help of the services from www.dyndns.org). Now I want to set up my own
> mailserver with spamfilter (and where my three PCs can get their mail
> from (via Outlook)). I've read that Sendmail is better not used because of
> security issues.
The OBSD version of Sendmail is fairly safe, but it is not the easiest of
programs to configure, especially if you want to do anything beyond a very
basic setup. If you've not got any experience of mail servers then I
advise choosing something else (unless you really want to tackle a seriously
steep learning curve that is). OTOH a real Sendmail guru can make it do
things that no other MTA is capable of, but reaching guru status takes a
lot of work.
> I've read that there are other programs like Postfix and
> qmail (and probably many others). My questions:
Not many people would recommend qmail these days, largely because the author
insists on a rather strange licence. Also it is no longer maintained by the
original author and several features now regarded as vital are only
available by 3rd-party patches which may not be coded to the same standard.
The more popular alternatives to Sendmail are postfix and exim. Both are
still under active development with very active support communities.
> - which program's best to use?
How long is a piece of string? Both are good, both have good security
records, both are used by some seriously heavy traffic sites, they are
configured in very different ways. One of those ways may be incompatible
with the way your mind works.
> - are there some good howtos on the web for those programs?
>
www.postfix.org has a lot of info as has www.exim.org.
My feeling is that postfix has the better introductory documentation while
exim has the better reference documentation. As ever YMMV.
There are several books on Postfix, some of which are very good. Not sure
about Exim.
-
Re: [Newbie] Howto setup mailserver??
On Tue, 30 Aug 2005 18:44:07 +0000, Antti Nykänen wrote:
> On 2005-08-30, A. van Leeuwen wrote:
>> I've read that Sendmail is better not used because of security
>> issues.
>
> http://www.openbsd.org/faq/faq1.html#HowAbout
>
> When was the last time you heard of someone having security problems
> with sendmail on openbsd?
Or to look at it another way, the site says "8 yrs without a remote
exploit in the default install".
Sendmail is part of the default install.
--
mark south: world citizen, net denizen
echo znexfbhgu2000@lnubb.pb.hx | tr [a-z] [n-za-m]
-
Re: [Newbie] Howto setup mailserver??
On 2005-08-30, A. van Leeuwen wrote:
> I've just started to set up an OpenBSD server on an old laptop. I want to use
> it as webserver and as mailserver. I already managed to set up a webserver
> with MySQL and PHP, and can reach it from the internet (with help of the
> services from www.dyndns.org). Now I want to set up my own mailserver
> with spamfilter (and where my three PCs can get their mail from (via
> Outlook)). I've read that Sendmail is better not used because of security
> issues. I've read that there are other programs like Postfix and qmail (and
> probably many others). My questions:
> - which program's best to use?
> - are there some good howtos on the web for those programs?
Try these:
http://www.pingwales.co.uk/tutorials...n-openbsd.html
http://www.pingwales.co.uk/tutorials...er-config.html
I think there's another one on there about a spamfilter. Check the
links in the articles and at the bottom of the page.
nb
-
Re: [Newbie] Howto setup mailserver??
>
> Or to look at it another way, the site says "8 yrs without a remote
> exploit in the default install".
>
> Sendmail is part of the default install.
The issue was SSHD not sendmail :]
ML
-
Re: [Newbie] Howto setup mailserver??
Keith Matthews wrote:
> A. van Leeuwen wrote:
>
>
>>I've just started to set up an OpenBSD server on an old laptop. I want to
>>use it as webserver and as mailserver. I already managed to set up a
>>webserver with MySQL and PHP, and can reach it from the internet (with
>>help of the services from www.dyndns.org). Now I want to set up my own
>>mailserver with spamfilter (and where my three PCs can get their mail
>>from (via Outlook)). I've read that Sendmail is better not used because of
>>security issues.
>
>
> The OBSD version of Sendmail is fairly safe, but it is not the easiest of
> programs to configure, especially if you want to do anything beyond a very
> basic setup. If you've not got any experience of mail servers then I
> advise choosing something else (unless you really want to tackle a seriously
> steep learning curve that is). OTOH a real Sendmail guru can make it do
> things that no other MTA is capable of, but reaching guru status takes a
> lot of work.
>
>
>>I've read that there are other programs like Postfix and
>>qmail (and probably many others). My questions:
>
>
> Not many people would recommend qmail these days, largely because the author
> insists on a rather strange licence. Also it is no longer maintained by the
> original author and several features now regarded as vital are only
> available by 3rd-party patches which may not be coded to the same standard.
>
> The more popular alternatives to Sendmail are postfix and exim. Both are
> still under active development with very active support communities.
>
>
>>- which program's best to use?
>
>
> How long is a piece of string. Both are good, both have good security
> records, both are used by some seriously heavy traffic sites, they are
> configured in very different ways. One of those ways may be incompatible
> with the way your mind works.
>
>
>>- are there some good howtos on the web for those programs?
>>
>
>
> www.postfix.org has a lot of info as has www.exim.org.
>
> My feeling is that postfix has the better introductory documentation while
> exim has the better reference documentation. As ever YMMV.
>
> There are several books on Postfix, some of which are very good. Not sure
> about Exim.
I would still recommend sendmail ... it is a standard for MTA isn't it ?
It's in default installation for a reason.
I agree with you as far as qmail is concerned plus it's virtually
incomprehensible for someone who's been in sendmail and postfix all his
life. (Tho I have a working install)
Postfix + amavis works great (with clamav and spamassassin)
ML
-
Re: [Newbie] Howto setup mailserver??
On Wed, 31 Aug 2005 11:07:23 +0200, Martin Latos wrote:
>>
>> Or to look at it another way, the site says "8 yrs without a remote
>> exploit in the default install".
>>
>> Sendmail is part of the default install.
> The issue was SSHD not sendmail :]
Yes, but the OP seemed to be under the impression that sendmail is a
security problem at the present, whereas the statement on the website
provides a simple to demonstrate lower bound of 8 years of safety.
A free and useful lower bound beats a rigorous calculation most times.
--
mark south: world citizen, net denizen
echo znexfbhgu2000@lnubb.pb.hx | tr [a-z] [n-za-m]
-
Re: [Newbie] Howto setup mailserver??
Martin Latos wrote:
>
> I would still recommend sendmail ... it is a standard for MTA isn't it ?
> It's in default installation for a reason.
>
>
I've seen two reasons given -
1. Theo does not like the license, he considers it to be free (the way the
qmail one was not) but it has some limitations he does not like. I've seen
posts from the man himself to this effect. How this will be affected by the
licence rationalisation being carried out by the OSI remains to be seen.
2. Reputedly Theo will not accept anything that is incompatible with
sendmail.cf. And sendmail.cf is the biggest part of the learning curve.
There is also the issue that changing the default is a major problem for
existing installations due to changes in config files. This is probably at
the root of 2 above. New installations are another matter though.
Some Linux distributions are now using postfix as the default (SuSE
certainly and I suspect Mandriva do so too) so changes may happen. A lot
depends on whether we get a new rash of security incidents with Sendmail,
there've been none for nearly 2 years now, but any really nasty ones may
well prompt a review of the situation with many FLOSS packagers (after all
quite a few dumped WU-ftpd for proftpd after the last rash of security
incidents).
-
Re: [Newbie] Howto setup mailserver??
"Keith Matthews" wrote in message
news:VsKdnZ2dnZ1qi4munZ2dna0sid6dnZ2dRVny3Z2dnZ0@eclipse.net.uk...
>
> The more popular alternatives to Sendmail are postfix and exim. Both are
> still under active development with very active support communities.
I've succumbed to peer pressure and am seriously looking at Exim. First
impressions: I think I'd be far more in control than I ever was with
Sendmail, but I'm not there yet. Likely a more attainable, and configurable,
summit than Sendmail.
Steve
http://www.fivetrees.com
-
Re: [Newbie] Howto setup mailserver??
According to Mark South :
> On Wed, 31 Aug 2005 11:07:23 +0200, Martin Latos wrote:
>
> >>
> >> Or to look at it another way, the site says "8 yrs without a remote
> >> exploit in the default install".
> >>
> >> Sendmail is part of the default install.
> > The issue was SSHD not sendmail :]
>
> Yes, but the OP seemed to be under the impression that sendmail is a
> security problem at the present, whereas the statement on the website
> provides a simple to demonstrate lower bound of 8 years of safety.
Note that OpenBSD puts sendmail in a chroot jail, so I think
that it is not particularly trusted. Just put where it can be run with
minimal risk to the system itself.
> A free and useful lower bound beats a rigorous calculation most times.
But I'm not sure that this counts as a true lower bound, given
the distrust that the writers of OpenBSD seem to feel towards sendmail.
(I don't trust it either -- and have been using qmail for some time
now. :-)
> --
> mark south: world citizen, net denizen
> echo znexfbhgu2000@lnubb.pb.hx | tr [a-z] [n-za-m]
Hmm ... a not-so-portable implementation of rot13. :-)
On Solaris, I have to replace the square brackets with single quotes,
and on OpenBSD I have to escape each square bracket. (This is running
in tcsh on both systems, FWIW.)
Enjoy,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
-
Re: [Newbie] Howto setup mailserver??
On Tue, 06 Sep 2005 04:35:15 +0000, DoN. Nichols wrote:
> According to Mark South :
>> On Wed, 31 Aug 2005 11:07:23 +0200, Martin Latos wrote:
>>
>> >> Or to look at it another way, the site says "8 yrs without a remote
>> >> exploit in the default install".
>> >>
>> >> Sendmail is part of the default install.
>> > The issue was SSHD not sendmail :]
>>
>> Yes, but the OP seemed to be under the impression that sendmail is a
>> security problem at the present, whereas the statement on the website
>> provides a simple to demonstrate lower bound of 8 years of safety.
>
> Note that OpenBSD puts sendmail in a chroot jail, so I think
> that it is not particularly trusted. Just put where it can be run with
> minimal risk to the system itself.
Mechanism does not change conclusion.
>> A free and useful lower bound beats a rigorous calculation most times.
>
> But I'm not sure that this counts as a true lower bound, given
> the distrust that the writers of OpenBSD seem to feel towards sendmail.
> (I don't trust it either -- and have been using qmail for some time
> now. :-)
I'd still like to meet a fully functional MTA that didn't use Victorian
design and baroque configuration, but I'm badly prejudiced.
>> --
>> mark south: world citizen, net denizen echo znexfbhgu2000@lnubb.pb.hx |
>> tr [a-z] [n-za-m]
>
> Hmm ... a not-so-portable implementation of rot13. :-)
It's a highly effective one, especially for...
> On Solaris, I have to replace the square brackets with single quotes,
> and on OpenBSD I have to escape each square bracket. (This is running
> in tcsh on both systems, FWIW.)
...flushing people using broken shells :-)
Since it's obviously rot13, if one wanted to mail me it's quicker to use
the rot13 function in their news client than the shell.
--
mark south: world citizen, net denizen
echo znexfbhgu2000@lnubb.pb.hx | tr [a-z] [n-za-m]
-
Re: [Newbie] Howto setup mailserver??
According to Mark South :
> On Tue, 06 Sep 2005 04:35:15 +0000, DoN. Nichols wrote:
>
> > According to Mark South :
[ ... ]
> >> Yes, but the OP seemed to be under the impression that sendmail is a
> >> security problem at the present, whereas the statement on the website
> >> provides a simple to demonstrate lower bound of 8 years of safety.
> >
> > Note that OpenBSD puts sendmail in a chroot jail, so I think
> > that it is not particularly trusted. Just put where it can be run with
> > minimal risk to the system itself.
>
> Mechanism does not change conclusion.
It supports the conclusion that sendmail (*without* the chroot
jail) is not to be considered fully trustworthy.
[ ... ]
> >> mark south: world citizen, net denizen echo znexfbhgu2000@lnubb.pb.hx |
> >> tr [a-z] [n-za-m]
> >
> > Hmm ... a not-so-portable implementation of rot13. :-)
>
> It's a highly effective one, especially for...
>
> > On Solaris, I have to replace the square brackets with single quotes,
> > and on OpenBSD I have to escape each square bracket. (This is running
> > in tcsh on both systems, FWIW.)
>
> ...flushing people using broken shells :-)
And which shell would you consider not broken? This is a
difference in syntax between BSD and SysV versions of tr, not a shell
problem. I've just tested it (on a Solaris 10 system) with:
sh, zsh, ksh, bash, and csh, and it did not work as posted in
any of them. In particular, the un-escaped and un-quoted '[' invokes
the "test" program on Solaris-10 -- and even on BSD-flavored SunOS
4.1.4. And -- I see that it is still so on the latest OpenBSD machine
which I currently have running. (Yes, I know that this is an OpenBSD
group, and I run several OpenBSD machines, but my chairside machine for
normal interacting with the world happens to be running Solaris 10.)
> Since it's obviously rot13, if one wanted to mail me it's quicker to use
> the rot13 function in their news client than the shell.
Agreed -- or a standalone rot13 -- which leads to the question
of why bother with the shell implementation? Just showing off?
Enjoy,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
-
Re: [Newbie] Howto setup mailserver??
On Tue, 06 Sep 2005 23:43:33 +0000, DoN. Nichols wrote:
> According to Mark South :
>> On Tue, 06 Sep 2005 04:35:15 +0000, DoN. Nichols wrote:
>>
>> > According to Mark South :
>
> [ ... ]
>
>> >> Yes, but the OP seemed to be under the impression that sendmail is a
>> >> security problem at the present, whereas the statement on the website
>> >> provides a simple to demonstrate lower bound of 8 years of safety.
>> >
>> > Note that OpenBSD puts sendmail in a chroot jail, so I think
>> > that it is not particularly trusted. Just put where it can be run with
>> > minimal risk to the system itself.
>>
>> Mechanism does not change conclusion.
>
> It supports the conclusion that sendmail (*without* the chroot
> jail) is not to be considered fully trustworthy.
>
> [ ... ]
>
>> >> mark south: world citizen, net denizen echo znexfbhgu2000@lnubb.pb.hx |
>> >> tr [a-z] [n-za-m]
>> >
>> > Hmm ... a not-so-portable implementation of rot13. :-)
>>
>> It's a highly effective one, especially for...
>>
>> > On Solaris, I have to replace the square brackets with single quotes,
>> > and on OpenBSD I have to escape each square bracket. (This is running
>> > in tcsh on both systems, FWIW.)
>>
>> ...flushing people using broken shells :-)
>
> And which shell would you consider not broken? This is a
> difference in syntax between BSD and SysV versions of tr, not a shell
> problem. I've just tested it (on a Solaris 10 system) with:
>
> sh, zsh, ksh, bash, and csh, and it did not work as posted in
> any of them. In particular, the un-escaped and un-quoted '[' invokes
> the "test" program on Solaris-10 -- and even on BSD-flavored SunOS
> 4.1.4. And -- I see that it is still so on the latest OpenBSD machine
> which I currently have running. (Yes, I know that this is an OpenBSD
> group, and I run several OpenBSD machines, but my chairside machine for
> normal interacting with the world happens to be running Solaris 10.)
>
>> Since it's obviously rot13, if one wanted to mail me it's quicker to use
>> the rot13 function in their news client than the shell.
>
> Agreed -- or a standalone rot13 -- which leads to the question
> of why bother with the shell implementation? Just showing off?
Usenet is a deadly serious matter to some people, wouldn't you agree?
--
mark south: world citizen, net denizen
echo znexfbhgu2000@lnubb.pb.hx | tr [a-z] [n-za-m]
-
Re: [Newbie] Howto setup mailserver??
On 31/08/2005 11:21 PM, Steve at fivetrees wrote:
> "Keith Matthews" wrote in message
> news:VsKdnZ2dnZ1qi4munZ2dna0sid6dnZ2dRVny3Z2dnZ0@eclipse.net.uk...
>
>>The more popular alternatives to Sendmail are postfix and exim. Both are
>>still under active development with very active support communities.
>
>
> I've succumbed to peer pressure and am seriously looking at Exim. First
> impressions: I think I'd be far more in control than I ever was with
> Sendmail, but I'm not there yet. Likely a more attainable, and configurable,
> summit than Sendmail.
>
I'd have to vote for Postfix. We run a pretty serious multi-server SMTP
system with spam protection here at the office using all Postfix, and it
has never let us down. I run it locally at home, but that is a pretty
minimal install.
AFAIAC, "Postfix" is synonymous with "ease of use", "easy to make
secure" and "high-availability."
-
Re: [Newbie] Howto setup mailserver??
Begin
On 2005-09-06, DoN. Nichols wrote:
> Hmm ... a not-so-portable implementation of rot13. :-)
> On Solaris, I have to replace the square brackets with single quotes,
> and on OpenBSD I have to escape each square bracket. (This is running
> in tcsh on both systems, FWIW.)
Using the FreeBSD project site manpage cgi to look at OpenBSD and system
seven manpages of tr, I can't help but notice that the synopsis calls
for ``strings'', not regexp-style character classes. Meaning that the
square brackets just get translated into themselves. You can safely leave
them out because they just get translated to themselves again.
--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
-
Re: [Newbie] Howto setup mailserver??
According to jpd :
> Begin
> On 2005-09-06, DoN. Nichols wrote:
> > Hmm ... a not-so-portable implementation of rot13. :-)
> > On Solaris, I have to replace the square brackets with single quotes,
> > and on OpenBSD I have to escape each square bracket. (This is running
> > in tcsh on both systems, FWIW.)
>
> Using the FreeBSD project site manpage cgi to look at OpenBSD and system
> seven manpages of tr, I can't help but notice that the synopsis calls
> for ``strings'', not regexp-style character classes. Meaning that the
> square brackets just get translated into themselves. You can safely leave
> them out because they just get translated to themselves again.
On Solaris 10:
======================================================================
Fuego:dnichols 13:48 > echo furrfu | /usr/ucb/tr 'a-z' 'n-za-m'
sheesh
Fuego:dnichols 13:48 > echo furrfu | tr 'a-z' 'n-za-m'
furrfu
Fuego:dnichols 13:49 > echo furrfu | tr '[a-z]' '[n-za-m]'
-urr-u
Fuego:dnichols 13:50 > echo furrfu | tr '[a-z]' '[n-z][a-m]'
sheesh
======================================================================
Note that the /usr/ucb/tr is the same one which was found on the old
BSD based SunOS 4.1.4 and similar.
On OpenBSD:
======================================================================
curlmakr:csu 12:27 # echo furrfu | tr 'a-z' 'n-za-m'
sheesh
curlmakr:csu 13:53 # echo furrfu | tr '[a-z]' '[n-za-m]'
sheesh
curlmakr:csu 13:54 # echo furrfu | tr '[a-z]' '[n-z][a-m]'
sfccsf
======================================================================
So -- it is obvious that the same syntax does not work equally
well on both versions of tr.
Enjoy,
DoN.
--
Email: | Voice (all times): (703) 938-4564
(too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html
--- Black Holes are where God is dividing by zero ---
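-
The tr quoting and range differences discussed in this thread, as an added example that is not part of any post: a rot13 filter with both alphabets spelled out, so there is no range or bracket syntax for the two tr dialects to disagree on, plus a check of what a POSIX shell does with the unquoted brackets when the current directory holds a file named "a". The function names and the scratch directory are assumptions made for the example; "furrfu" is the test string used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.

# rot13 with both alphabets written out in full. No ranges and no brackets
# are involved, and the single quotes keep the shell from touching the
# arguments before tr sees them.
rot13() {
    tr 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' \
       'nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM'
}

# The unquoted form, run in a scratch directory (constructed for this
# example) that contains a file named "a". A POSIX shell expands [a-z] and
# [n-za-m] as filename patterns before tr starts; both match "a", so tr is
# called as "tr a a" and the input comes back unchanged.
unquoted_with_file_a() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a"
    ( cd "$dir" && echo furrfu | tr [a-z] [n-za-m] )
    rm -rf "$dir"
}

# Same directory, quoted arguments: the file named "a" has no effect.
quoted_with_file_a() {
    dir=$(mktemp -d) || return 1
    : > "$dir/a"
    ( cd "$dir" && echo furrfu | rot13 )
    rm -rf "$dir"
}

echo furrfu | rot13
unquoted_with_file_a
quoted_with_file_a
```
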