> sendmail these days should be about as secure as any other mailer and it's
> still pretty much the email standard.

This may be true, but sendmail's design isn't very secure.
Before sending any flames, let me explain. Sendmail runs as a
single root process that performs all actions of an MTA. Postfix,
and especially qmail, break the functions of an MTA into separate
programs that each serve a special purpose. I'm not as familiar
with Postfix, but I know that the programs that make up qmail do
not trust one another. Each program performs its own set of
"sanity" checks.

So, when a bug is found in sendmail, the chances of it being
exploited to gain root access are far greater than with Postfix or qmail
because sendmail runs as root. With qmail, most of the
functionality is performed by processes that are not running as
root. Only qmail-lspawn runs as root and it needs to run as root in
order to spawn qmail-local as the user to whom the mail is being
delivered locally.

When evaluating the security of a particular program, its design
should be considered in addition to its security track record.
History has shown that almost all software has bugs. So a design
that limits the effects of a bug is very important. This is true with
all software, not just MTAs. vsftp is a good example of an ftp server
that was designed with security in mind. In fact, there are even
patches for OpenSSH that make it more modular so that some of
the protocol handling is performed by a process running as a non-
root user (these patches may already be included in development
versions, I'm not sure).
Steve
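
The design point in the message above, as an added example that is not part of the original message and is not code from qmail, Postfix or OpenSSH: a worker process drops root before parsing untrusted input, and the privileged side runs its own sanity check on whatever the worker hands back. The function names, the `UNPRIV_ID` value and the simplified `RCPT user@host` line format are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534 /* assumption: uid/gid of "nobody" on this host */

/* Privileged side: its own sanity check on whatever the worker sent. */
static int valid_local_user(const char *u) {
    size_t n = strlen(u);
    if (n == 0 || n > 32) return 0;
    for (size_t i = 0; i < n; i++)
        if (!islower((unsigned char)u[i]) && !isdigit((unsigned char)u[i])) return 0;
    return 1;
}

/* Unprivileged side: parses the untrusted line "RCPT user@host". */
static void worker(const char *line, int out) {
    if (geteuid() == 0 &&   /* drop root for good before touching input */
        (setgroups(0, NULL) || setgid(UNPRIV_ID) || setuid(UNPRIV_ID))) _exit(1);
    if (strncmp(line, "RCPT ", 5) != 0) _exit(1);
    size_t n = strcspn(line + 5, "@");
    _exit(write(out, line + 5, n) == (ssize_t)n ? 0 : 1);
}

/* Returns 1 if the privileged side would hand off to delivery, else 0. */
int handle_recipient(const char *line) {
    int fd[2], status;
    char user[64] = {0};
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return 0; }
    if (pid == 0) { close(fd[0]); worker(line, fd[1]); }
    close(fd[1]);
    ssize_t n = read(fd[0], user, sizeof user - 1);
    close(fd[0]);
    waitpid(pid, &status, 0);
    if (n <= 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return 0;
    return valid_local_user(user);
}

int main(void) {
    const char *lines[] = {"RCPT steve@example.org", "RCPT ../../etc/passwd@x"}; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-26s -> %s\n", lines[i], handle_recipient(lines[i]) ? "deliver" : "reject");
    return 0;
}
```

When run without root the privilege drop is skipped, but the privileged-side check still rejects the second constructed line.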