Procmail Vulnerabilities check

Chris H portmaster at BSDforge.com
Mon Dec 11 17:32:48 UTC 2017


On Mon, 11 Dec 2017 16:42:57 +0100 "Kurt Jaeger" <lists at opsec.eu> said

> Hi!
> 
> > > On Sun, Dec 10, 2017 at 02:58:29PM -0800, Chris H wrote:
> > > > OK I'm puzzled a bit. FreeBSD's motto has always been:
> > > > FreeBSD
> > > > The power to serve!
> > > > 
> > > > but many of the proposed, and recent changes/removals end up more like:
> > > > FreeBSD
> > > > I's castrated!
> 
> > > So, then we should add a web server into our base! Apache? NGINX? Both?
> > > But then, what about PHP? MySQL? PostgreSQL? We want to serve websites,
> > > after all! Let's talk about fileservers. Samba! I could go on...
> > OK. That's simply an irrelevant argument. I never advocated for the
> > *addition* of anything. Only against the *removal* of something most users
> > have come to expect with the installation of FreeBSD.
> 
> The argument was made to show the general idea, not to nit-pick 8-}
> 
> As packaging base is also on the horizon, see
> 
> https://www.youtube.com/watch?v=Br6izhH5P1I
> 
> and
> 
> https://www.youtube.com/watch?v=v7px6ktoDAI
> 
> the debate will pop up in any case.
> 
> > > FreeBSD's power to serve slogan is about delivering the platform to
> > > serve, not all possible server software. [...]
> 
> > In all fairness, that's just pure supposition. I would suggest that it is
> > more probable that more users use Sendmail 1) because it came with the
> > FreeBSD install, and 2) as such, makes it easier to implement.
> 
> Then it's time to start some research, if this hypothesis really holds.
Thanks for the links, and the thoughtful reply, Kurt!
In all fairness, you're right. *actual* numbers *do* apply. :-)

> 
> I know that the folks at dovecot.fi did this in February for dovecot, see
> 
> openemailsurvey.org
> 
> It was made using shodan, maybe it's time to do the same for port 25
> via shodan?
LOL, showdan.io! Hah! I'm *more* than a little irritated by this sort of thing.
*Sure* it can provide some useful data. But the part that really irritates
me, is that anyone thinks it's OK to probe my ports w/o asking. It's akin
to saying; we initiated a study to determine how many people were using the
LG model XYZ refrigerator. In that study, we peered into all the windows
of as many houses, in as many neighborhoods as possible. But please, do not
feel violated. We made every effort to look away, if we encountered anyone
naked, or in an otherwise compromising situation. If you still find this
method too intrusive, you need only tell us so. Simply come, and try to
find the link to request exclusion. Err... what?!?!
If you, as an administrator of a/your system(s), see no problem with
(port) scanners, and take no action to thwart such activity, you are
more than likely to encounter trouble(s) down the road. Even those that
take preemptive action ahead of time, to close all unused ports. History
already *proves* this fact, time, and time again. :-)
pf(4) has dropped any/all communication from the showdan "project" *long*
ago for all the systems I'm responsible for, and along with all the myriad
of other "like" projects. They all have the policy backward; ask *before*
not *after*.
In short; I see them all as "black hats". Honestly. Can you *really*
determine good intentions from bad intentions on an incoming port scan?

Still. Your point is well taken, and your point is not on the top of your
head. ;-) ;-)
We really *do* need corroborating evidence. :-)

Thanks again, all the best to you, Kurt!

--Chris
> 
> -- 
> pi at opsec.eu            +49 171 3101372                         3 years to go !



