Sendmail replacements? (correction)
Chuck Yerkes
chuck+baylisa at snew.com
Thu Feb 13 12:24:14 PST 2003
Quoting Chuck Yerkes (chuck+baylisa at snew.com):
> Quoting Roy Kim (rkim at networktology.com):
> > Postfix is an excelent choice for replacing sendmail.
> > http://www.postfix.org
> > Features:
> > It runs as a non-root user.
>
> Sendmail 8.12 doesn't run as root. Hell, without local
> deliveries and with a plug to make port25 connections go high
> (ipfilter), NO sendmail needed to run as root.
I've misstated... sendmail 8.12 DOES run as root. It doesn't
run as setUID any longer.
It needs to be root to bind to port 25.
It needs to be root to become a user to process .forward files and,
sometimes, to deliver locally.
If you have ipfilter or something, you can have it redirect port 25
up to, say, port 2525. Then it can runs as non root.
If you don't have .forward files (or local mail users), and you
deliver to a smart mailstore (cyrus, etc), you can talk to an
LMTPD socket and not be root.
Generally when using Cyrus or Sendmail Inc's IMAP, it runs as root
long enough to bind to 25 and then runs as a RunAs user.
Sendmail 8.10 on are also not sendmail of 1990. It suffers from
a long history. Ford Model T's were very dangerous in crashes.
That doesn't means that those dangers are still present in current
day Fords.
Despite Allan Pallers "top SANS vulnerabilities list", sendmail is
well audited and well understood.
It also supports SMTP/TLS and SMTP/Auth. QMail only supports them
with plug-ins with DJB decries as foul.
Postfix supports SMTP/TLS as well.
Weitse is easier to deal with than Dr Dan.
More information about the Baylisa
mailing list