Procmail Vulnerabilities check

Mon Dec 11 21:04:40 UTC 2017

On Mon, 11 Dec 2017 20:45:11 +0100 "Kurt Jaeger" <lists at opsec.eu> said

> Hi!
> 
> > Let me attempt to make my point another way (and stay closer to topic).
> > A user is able to accomplish more from sendmail in base, than with any
> > other MX port in base alone.
> [list of sendmail features shortend for brevity]
> 
> > Many of the other MX software in the ports tree provide a subset of
> > the shortlist I mentioned above. But none of them offer them all.
> 
> So if sendmail is a pkg/port, it would still have those features ?
> 
> Is a
> 
> pkg install sendmail
> 
> such a huge step ? And btw, even if sendmail has all those features,
> I can tell you that even when I first attend my first sendmail workshop,
> approx. 27 years ago, I still would not know how to implement them
> with sendmail.
> 
> > I were an MX administrator. Would I not want all the options/help
> > I could get to defend myself against attack?
> 
> I still don't get the difference if sendmail would be a port/pkg.
> 
> Oh, btw, if sendmail can do all this, wouldn't it be useful to
> have a suitable config that does all this right out of the box ?
> 
> Because, honestly, I would not know how to enable all those features...
> 
> > True. But if I'm selling a Server targeted OS. Don't I want to
> > advocate server grade services?
> 
> But the distribution channel of the software for that service
> (base or port) does not sound as the relevant factor for the
> end-user, or does it ?
OK. So if I'm understanding this all correctly; All the (FreeBSD) worlds
a package. So what am I arguing for Sendmail in base for? It makes no
sense -- everything's a package. Am I getting warmer? :-)
If so. Then where does it end? How many packages must I install to get a
"standard" Server install? I'm going to want cp(1), fsck(8), mkdir(1),
gpart(8),...
Wow! filling /bin/, and /sbin/ will take an awful lot of packages, and I
haven't had time to consider /usr/bin/, and /usr/sbin/ ! ;-)
As I understand it, the $BASE package is going to amount to what one
would expect, and need to get (at least) a usable system. IMHO *mail*
is an important part of *any* system. Oh wait. This is intended as part
of a simple *desktop* system? Because that's the audience FreeBSD is
currently targeting? OK than no *real* need for a robust MX there. As
they'll likely just be using their ISP for an MX, and only *really* need
a MX *client*. OK that makes more sense. :P
I'm only advocating that if $BASE is intended for a reasonable/minimal
Server base install. That an MX *is* an important part of that definition,
and that Sendmail be *that* MX. :-)

Thanks for playing along, Kurt. :-)

--Chris

P.S. Indeed. Sendmail, *can* be installed as a package, and still work,
as I think, can *anything* else. But *where* does it all end -- It's
*mad* I tell ya!
> 
> -- 
> pi at opsec.eu            +49 171 3101372                         3 years to go
> !