[Esd-l] FYI critical sendmail vulnerability

Simon Matthews simon at paxonet.com
Tue Mar 4 09:13:23 PST 2003


On Tue, 4 Mar 2003, John D. Hardin wrote:

> On Tue, 4 Mar 2003, Brett Glass wrote:
> 
> > At 08:44 PM 3/3/2003, John D. Hardin wrote:
> >   
> > >...and if I had a sample I could sanitize it.
> > 
> > But by then it would be too late. Procmail doesn't get the message
> > until after Sendmail does.
> 
> Not necessarily. The sanitizer could conceivably be running on a
> qmail or postfix gateway in front of a vulnerable sendmail, or be
> sanitizing outbound messages the same way.

I have never understood why Postfix is not used more widely -- it is easy 
to configure, designed with security in mind and possibly gives 
better performance than Sendmail. Is it merely familiarity with Sendmail?



