Speaking of mail etc

miah jjohnson at sunrise-linux.com
Sat Jul 26 12:18:35 EDT 2003


On Sat, Jul 26, 2003 at 03:22:50AM -0400, Paul Iadonisi wrote:
>   Dem's fightin' words, bud.  ;-)  Just kidding.  I agree that sendmail
> has quite the sordid security history, but for over four years there
> were no remotely exploitable security holes in it.  It wasn't until
> earlier this year that two more cropped up.  I'd say that's a pretty
> darned good *recent* track record given how many security
> vulnerabilities are reported for many Free Software packages these days.
>   That said, to each his own.  I've no real bias other than the fact
> that I know sendmail really well and know how to lock it down.  I've
> been running it for many years and, as far as I can tell, have never
> been owned.  Unless the one who's owned me is hiding really good (I
> check for problems often.)

There were no exploits that *you knew about* in those four years.  Security should never be a retrofit, but I know that 'redesigning sendmail properly' is something that will never happen.  Even the add-on 'smrsh', which is supposed to help secure sendmail, has had security issues.  What's bad is it didn't have the issue at first, but it was later implemented by accident.  Sendmail's codebase is huge and complex; I really feel sorry for anybody that would attempt to audit it.  I'd rather just run something else.

>   I'd caution against courier for anyone who uses multiple IMAP
> clients.  The lead developer of courier has a penchant for not
> implementing standards according to RFCs he believes are broken.  Nor is
> he willing to participate in the standards process to fix the standards
> he believes are broken.  It's not a criticism, just a note to be aware
> that you will likely encounter some problems with email clients that
> follow the RFCs strictly in the areas where courier doesn't.
>   Of course, even if unintentional in other IMAP servers, you may run
> into a different set of problems regarding standards.  *sigh*

Hrm, I didn't know that.  I've only used courier a few times, and it was always easy to set up and get running, and it seemed to work fine with mozilla.

>   Well, I wouldn't exactly call Cyrus' database proprietary.  After all,
> the source code *is* available.  But I think I understand your point.  It
> 'sorta' uses the maildir format.  Most cyrus users are not likely to run
> into the problem above because the typical way of running cyrus is as a
> sealed server: users don't have shell accounts (nor do they need them)
> on the mail server.  They must access mail via IMAP (or POP if it's
> enabled).

True, it is open source, which helps with the db format, but it's still a pain to deal with: if their tools don't work you'll have to write your own, and not everybody is up to that.

>   It does require a bit of work to configure.  I highly recommend Simon
> Matter's rpms available at http://home.teleport.ch/simix/ as src rpms. 
> Grab the cyrus-imapd-2.1.14-4.src.rpm file and run 'rpmbuild --rebuild
> cyrus-imapd-2.1.14-4.src.rpm' on it.  (You'll need to run that as root
> unless you set up a .rpmmacros file in your home directory to change the
> location of various directories.)
>   Cyrus is a bit overkill if you are the only user, but it's worth
> setting it up for the learning process alone.  I'm using it for myself
> and my brother and haven't had any issues with it, even when switching
> between various mail clients (mozilla, evolution, kmail, mutt have all
> connected and listed all my mail messages and folder list fine).

Cyrus can be a pain to set up.  I tried configuring it to run on fbsd years ago and never did get it working.  The same setup worked fine on linux though.

>   For the original poster, I think the components you listed are a good
> selection: postfix, cyrus-imapd, and squirrelmail.  I've set up STARTTLS
> and SMTPAUTH with sendmail, but I believe it's possible with postfix as
> well.  My only gripe with squirrelmail is its claim of modularity when
> every time I grab a module that I want to incorporate, it seems that
> some core (php) source file gets modified as well.  That ain't modular
> and causes grief when you need to update the core squirrelmail due to
> some security hole.  If you don't use any of the add on modules, you
> should be fine.  I was just a little annoyed because I started using it
> specifically for the sieve module and then I discovered how unmodular it
> really was.

Here are some links that might help:

http://sysadmin.cs.caltech.edu/docs/systems/postfix_ssl_sasl_ldap
http://www.cisns.net/daemon/postfix/authsmtp.shtml
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
http://www.ipnet6.org/postfix/
http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO.html#toc1


-miah
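The STARTTLS and SMTP AUTH combination on postfix that the quoted reply and the links above refer to, as an added configuration example (it is not from the original post, nor from the postfix or cyrus projects). It assumes postfix 2.3 or later (the `smtpd_tls_security_level` and `smtpd_sasl_type` parameters did not exist in the 2003-era releases) with Cyrus SASL as the authentication backend; the certificate paths are placeholders. The commented-out block shows the weak combination, where AUTH is also advertised on the cleartext session, so a client that does not insist on STARTTLS will send its password in the clear, and where relaying is not tied to successful authentication.

```ini
# Added example main.cf fragment (not from the original post).
# Assumes postfix >= 2.3 with Cyrus SASL; cert/key paths are placeholders.

# --- Weak: AUTH offered before STARTTLS, no relay restriction on auth ---
# smtpd_sasl_auth_enable = yes
# smtpd_tls_security_level = may
# smtpd_tls_auth_only = no
# smtpd_recipient_restrictions = permit_mynetworks

# --- Corrected settings ---
# Offer STARTTLS to every client (opportunistic; other MTAs may still
# deliver in cleartext, which is normal for inbound mail).
smtpd_tls_security_level = may
# Placeholder paths: replace with the server's real certificate and key.
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/postfix/certs/mail.example.com.key

# Only advertise AUTH once the session has been upgraded with STARTTLS,
# so user credentials never cross the wire unencrypted.
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous

# Relay only for local networks and authenticated users; everything else
# must be addressed to a domain this server is responsible for.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

Note that `smtpd_tls_auth_only` is the setting that actually protects passwords; `smtpd_tls_security_level = may` alone only makes STARTTLS available, it does not force a submitting client to use it. postfix does not allow trailing `#` comments on a parameter line, so comments in main.cf must be on lines of their own, as above.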


