Subject: Re: Security on Sendmail vs Qmail
From: Gordon Messmer (yinyangEBURG.COM)
Date: Sat Sep 02 2000 - 12:49:13 CDT


On Sat, 2 Sep 2000, Luis Gonzaga wrote:

> I think that one of the most popular Linux mail packages is Sendmail. But I
> heard that sendmail is not completely secure, may be due to some buffer
> overflows... I'm not sure. Someone told me Qmail is much more secure,
> compared to Sendmail. Honest, I've no idea ;-)

It's been quite a while since sendmail had a root exploit. However, it
has a LONG history of them. It's also difficult to configure, which means
you may not know that you're an open relay or some other such problem.

qmail is fast, easy to configure, and very secure. It's been at version
1.03 for a couple of years, and from a certain standpoint it hasn't really
_needed_ a new release.

I would recommend qmail over sendmail without any hesitation.

If I might slip in one other suggestion: Depending on your needs, Courier
may also be a good choice. Courier is a complete mail system, including
the MTA (SMTP and delivery), mail filtering software, POP daemon, IMAP
daemon, mailing list software and web mail. It's very similar to qmail in
a lot of ways, but supports many features that qmail doesn't (like TLS/SSL
wherever appropriate), has a "better" license (Courier is GPL vs. qmail
which is "source included" but not Open Source OR Free Software) and is
much better documented. I encourage you to install both and see which
feels best to you.
