Archives

Categories

Mail Server Security

I predict that over the course of the next 10 years there will be more security problems discovered in Sendmail than in Postfix and Qmail combined. I predict that the Sendmail problems will be greater in number and severity.

I also predict that today’s versions of Postfix and Qmail will still be usable in 10 years time, there will be no remote security problems discovered other than DoS attacks.

I’ve been having arguments about MTA security with Sendmail fans for over 10 years. I would appreciate it if the Sendmail fans would publish their own predictions, then we can wait 10 years and see who is more accurate.

I don’t recommend using Qmail (Postfix is what I use). But I think he wrote code that is unlikely to be exploited.

6 comments to Mail Server Security

  • I know that postfix is the MTA that I rely on. The configuration is simple (especially compared with something as obtuse as sendmail) and the administration is $%!@loads easier than Qmail.

    Not that I have to, but I’d rather patch postfix regularly than run either of the others.

  • djb recently payed someone for a hole in djbdns (http://article.gmane.org/gmane.network.djbdns/13864).
    Maybe Qmail will be exploited someday too..

  • etbe

    Sotiris: Thanks for the link.

    But that still leaves djbdns way ahead of BIND. Only one bug in a long time is a good record, especially when the bug will not affect the majority of users. I’m not sure that I have ever run a DNS server with a configuration similar to the one needed to trigger that bug.

  • Jorge

    Hi!

    Is postfix part of the “targeted” policy in RHEL5? or just sendmail?

  • find mail server

    Are there any other reasons why Postfix is better other than better security?

  • etbe

    Jorge: Yes.

    find: Postfix is compatible with Sendmail in many ways (/etc/aliases, .forward, etc) and is easy to configure. Qmail is not very compatible with anything else. I find Sendmail to be difficult to configure but opinion varies in this regard.

    Security is the best objective criteria for recommending Postfix and Qmail. The ease of support is an objective criteria for recommending Postfix over Qmail.