[Esd-l] FYI critical sendmail vulnerability
Simon Matthews
simon at paxonet.com
Tue Mar 4 09:13:23 PST 2003
On Tue, 4 Mar 2003, John D. Hardin wrote:
> On Tue, 4 Mar 2003, Brett Glass wrote:
>
> > At 08:44 PM 3/3/2003, John D. Hardin wrote:
> >
> > >...and if I had a sample I could sanitize it.
> >
> > But by then it would be too late. Procmail doesn't get the message
> > until after Sendmail does.
>
> Not necessarily. The sanitizer could conceivably be running on a
> qmail or postfix gateway in front of a vulnerable sendmail, or be
> sanitizing outbound messages the same way.
I have never understood why Postfix is not used more widely -- it is easy
to configure, designed with security in mind and possibly gives
better performance than Sendmail. Is it merely familiarity with Sendmail?
More information about the esd-l
mailing list