Sendmail Removed From NetBSD
Derkjan de Haan writes "Christos Zoulas removed sendmail from the NetBSD source tree, after a lot of discussion about its security track-record. Sendmail will remain available from pkgsrc." But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)
sendmail.cf test (Score:5, Insightful)
In that the mediocre admins will bodge some hacks into sendmail.cf to make sendmail appear to perform the job they need it to, whilst the best admins will take the presence of sendmail.cf as an indication that they need to remove sendmail and replace it with something that's actually fit [qmail.org] for [exim.org] purpose [postfix.org]? :-P
Re:Good riddance (Score:4, Insightful)
I think it's high time we put Sendmail out to pasture.
Re:Sendmail is a pain in the ass (Score:5, Insightful)
sendmail.cf is a compiled file. If you configure sendmail with m4, the way it's supposed to be done, it's not that hard.
ttyl,
--buddy
Be serious (Score:2, Insightful)
I think that sendmail.cf is the worst written configuration file and a good SysAdmin has edited the SECOND part of it almost once, but never twice because the second time he removed sendmail and installed something better.
Re:The Security Concerns (Score:1, Insightful)
Generally because people don't brag about being hacked, and folks aren't always sure about the attack vector. I run Postfix these days primarily because of speed; there is no comparison between Sendmail and Postfix on this front. I looked at QMail, but since its creator is focused on forcing me to adopt his own INIT scheme (yes, patches are available but I'd prefer to run unpatched).
Re:The Security Concerns (Score:5, Insightful)
I had. Several times back in 1996. Made me switch to qmail and after that to exim.
As far as sendmail is concerned it is a good MTA provided that:
Re:Why not overhaul sendmail? (Score:3, Insightful)
Litmus test (Score:3, Insightful)
Actually, that was UUCP. Back when you couldn't just search the web for documentation, if you wanted to get UUCP running you had to figure it out yourself. If you could do a full mesh of three machines into a UUCP network then you were a guru indeed.
A Good Sign (Score:2, Insightful)
Here's hoping that this move by NetBSD is a sign that even more Unix-like operating systems and distributions will take this approach. The time has come for sendmail to be an option, not the default.
Re:sendmail.cf test (Score:5, Insightful)
Exim is not a secure replacement for Sendmail. qmail and Postfix were both designed explicitly for security, and include:
Exim was designed as a modernized SMail. It's got the same monolithic architecture as Sendmail has, meaning security vulnerabilities in Exim are less survivable than they are in qmail or Postfix, where a buffer overflow (none of which have ever been found, unlike in Exim) only gets you a one-off UID.
I don't know how Exim has managed to brand itself as one of the "secure MTAs", but it's just a marketing trick.
define("Improved" sendmail configuration)dnl (Score:4, Insightful)
It's still garbage [maynidea.com]. Sample "improved" sendmail config:
Sample postfix config:
I know which I'd rather edit. I mean, without looking at the manual, I've no idea what that dnl crap is about.
Re:Eric Allman (Score:3, Insightful)
Exploits that are found and patched DO bring about a new version of the software. It's usually mixed in with a bunch of other patches, but it's there.
Maybe you should calm down and simply laugh at people that have no idea what they are saying, instead of pointlessly screaming at them. They don't CARE or they'd have made sure they had it right the first time.
Re:The Security Concerns (Score:4, Insightful)
An example off the top of my head and by the way a real one:
While it is possible to handle this in exim or postfix, it will be quite painful at this scale. In cases like this sendmail still remains ahead of the game for cases like this due to the better LDAP support and the inherently more flexible rewrite support.
If you look in the Hanging Bat you will see quite a few more examples like this which everyone but a large corp admin will consider to be extremely obscure corner cases. In a large company you are likely to be asked for at least one of them quite often and this is what sendmail has been targeting for a long time. They have surrendered the ISP, SMB and small EDU market very long ago as it does not bring them enough support revenue.
Recently exim is starting to step on sendmail's toes with the built-in Perl interpreter, built-in SQL and filters; it is still not there. Dunno about postfix, but I doubt it. Anything else aside, some of the uses of sendmail rewrite rules out there are outright mad. Nobody in their sane mind should do things like this.
Re:The Security Concerns (Score:3, Insightful)
The manual is good, but some of the insanities in it will be hard to understand without reading the Hanging Bat at least once.
I have used the manual for many years before finally surrendering and buying the most recent Bat last year. Reading it definitely made a difference. After that quite a few of the seemingly absurd featurettes started making sense, because you can see why they are there in the first place.
Overall, thanks for the correction. I still stand by my words. Sendmail is for the kbd+book sysadmin subspecies. You should always have the latest Bat and the manual for the release you use on the edge of your desk.
Re:Good (Score:3, Insightful)
I too love NetBSD, but shipping with both vi and ed is stupid. Personally, I don't think an editor should be included at all, since pkgsrc makes adding one trivial.
Re:Sendmail? Insecure? (Score:3, Insightful)