Re: Procmail Vulnerabilities check

Sun, 10 Dec 2017 05:22:28 -0800 

On 09/12/2017 04:12, Dave Horsfall wrote:
> On Fri, 8 Dec 2017, Steve Kargl wrote:
> 
>> https://lists.freebsd.org/pipermail/freebsd-arch/2017-December/018712.html
>>
> 
> Well, I saw no reason to subscribe to freebsd-arch (I'm on enough lists
> as it is)...  Are there any other lists that we should be following?
> 
> I guess a suit and tie will be required soon :-(
> 
> I'm bemused by Bapt's remark that "it does not support anything an
> entreprised [sic] grade mta setup would require: ldap support for
> example"; funny, as I had it working just fine with OpenLDAP with
> hundreds of users spread over many offices in my last job, with no
> trouble at all; there's even a schema for it, FFS:
> 
>     aneurin% locate -i sendmail.schema
>     /usr/share/sendmail/cf/sendmail.schema
> 
> with all the right gear in it:
> 
>     # OID arcs for Sendmail
>     # enterprise:           1.3.6.1.4.1
>     # sendmail:             enterprise.6152
> 
> WTF?  Sure as hell looks like Sendmail supports LDAP to me...
> 

Bapt's point here is that the version of sendmail in base is quite
limited since, for instance, it is not compiled with ldap client support
or various other optional features.  On the other hand, the version of
sendmail in ports can be compiled with all the different bells and
whistles enabled.

If your machine is configured as a smarthost MTA, then generally you'll
want to install one of the more fully capable MTA packages from ports --
sendmail, postfix, exim etc.

For most other setups, a machine does not need to do anything more with
e-mail than deliver locally generated mails (from cron or whatever)
either to a local mailbox or to a smarthost.

Hence the current sendmail in base is neither fish nor fowl: way
overpowered for almost all installations, but with significant
limitations for a machine providing a full-blown mail service.
Personally I agree with his reasoning: unless the primary function of
your FreeBSD machine is to be an MTA, you really don't need any more
capability than to either deliver to a local mailbox, or forward all
e-mails to a smart host.  Certainly you don't need anything capable of
receiving incoming e-mails.

        Cheers,

        Matthew

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to