James Wilkinson wrote:

>> Sendmail is no different in terms of security holes than named, sshd,
>> ftpd, or the kernel itself.  They've all had security holes and fixed
>> them.  Why single out sendmail in this respect?
>
> Because a badly-configured e-mail server can easily be an open relay --
> enabling criminal activity and making a real pain of itself to the rest
> of the Internet.


You make some very good arguments about why distributions should ship expertly built working configurations instead of requiring every user who needs to receive email by smtp to muddle through fixing a broken one and probably doing it badly. Were you trying to say the opposite?

> I still don't think you've thought through the alternatives, too. A
> server *must* be secure by default. That means that there are only two
> other real alternatives -- an MTA which accepts e-mail from the world,
> but only sends e-mail that has originated on that computer (and relays
> nothing), and an MTA which accepts e-mail from the world, and relays
> e-mails if the sender has authenticated.

Yes, that would be a reasonable configuration.

> The first option, I would suggest, is relatively limited in its use --
> it still can't be a mail server for other computers.

The format of the access file isn't particularly obscure for someone who wants to modify it to permit relaying from their controlled networks.

> The other one is of
> more use, but given the state of public key cryptography, it would
> *still* need the admin to set up PKI to ensure that the passwords that
> were exchanged couldn't be eavesdropped (think man-in-the-middle

This is _exactly_ the same for ssh and https, but _oh look_, they come already set up for you... They don't depend on the end user to get this tricky part of the configuration right.

> And no, relaying for computers on the local network by default is not
> acceptable, since Red Hat and Fedora cannot tell that a particular
> computer should relay for other computers on the local network, or that
> other computers on the local network are even part of the same
> organisation. (Think hosting companies -- a lot of them offer Red Hat
> and/or Fedora).

As I recall, your own reaction to the way RH/fedora distributes sendmail was to dump it completely and replace it with a different package. I don't think that qualifies you as a cheerleader for the way it works now.

  Les Mikesell
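
The thread turns on who may relay through the server and on editing the sendmail access file to allow "controlled networks". The following is an added example, not part of the original message or of sendmail itself: a small audit of access-file RELAY grants that flags IPv4 prefixes outside private address space or broader than a chosen size. The sample entries are constructed, and the function names, the RFC 1918/loopback list and the /16 threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in sendmail access-file syntax: key, whitespace, value.
SAMPLE_ACCESS = """\
# relay only for hosts we control
Connect:localhost.localdomain   RELAY
Connect:127.0.0.1               RELAY
Connect:192.168.10              RELAY
Connect:10                      RELAY
Connect:203.0.113               RELAY
From:spammer@example.com        REJECT
"""

# Address space treated as "controlled" for this audit (assumption: RFC 1918 + loopback).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def prefix_to_network(key):
    """Map an octet-prefix key such as '192.168.10' to a network; None for hostnames."""
    octets = key.split(".")
    if len(octets) > 4 or not all(o.isdecimal() and int(o) <= 255 for o in octets):
        return None
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))

def audit_relay_entries(text, min_prefix=16):
    """Return (key, reason) for IPv4 RELAY grants that look too generous."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or line.lstrip().startswith("#"):
            continue
        key, value = fields[0], fields[1].strip()
        if value.upper() != "RELAY":
            continue
        tag, sep, rest = key.partition(":")
        if sep and tag.lower() != "connect":
            continue                      # To:/From: keys are not client-address grants
        net = prefix_to_network(rest if sep else key)
        if net is None:
            continue                      # hostname or IPv6 key: review by hand
        if not any(net.subnet_of(i) for i in INTERNAL):
            findings.append((key, "outside RFC 1918/loopback space"))
        elif net.prefixlen < min_prefix:
            findings.append((key, "broader than /%d" % min_prefix))
    return findings

if __name__ == "__main__":
    for key, reason in audit_relay_entries(SAMPLE_ACCESS):
        print("review %s: %s" % (key, reason))
```

Hostname and IPv6 keys are skipped rather than judged, so a clean result covers only the IPv4 prefix entries.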

