[PLUG] new guy with questions

Dan Young danielmyoung at gmail.com
Wed Jun 28 23:04:58 UTC 2006


On 6/28/06, Wil Cooley <wcooley at nakedape.cc> wrote:
> On Wed, 2006-06-28 at 14:06 -0700, Dan Young wrote:
>
> > > I'm going to have to dispute your assertion of "very secure" though. My
> > > observation of the Debian security list has been that both Sendmail and
> > > Postfix get bulletins around once every 9 months (often at nearly the
> > > same time).
> >
> > Please cite the Postfix security bulletins.
>
> It doesn't help that QMail hasn't seen a release in nearly a decade.
> (IPv6?  64-bit?  Updated standards?)
>
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=qmail
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postfix
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=exim
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sendmail
>
> You must be careful with these lists, since third-party apps are
> included that are not actually part of the MTA itself, like Postgrey or
> qmailadmin, and vendor-specific configuration problems, like Apple's
> SMTP AUTH bungling.

Thanks, Wil. That's what I was getting at. The Postfix CVEs for the
last three years all reference either 3rd-party patches/addons (the
IPv6 open relay bug and Postgrey) or vendor config problems.

When Elliot implies Sendmail is roughly as secure as Postfix, my
Spidey-Sense starts tingling.

-- 
Dan


