Procmail Vulnerabilities check

Chris H portmaster at BSDforge.com
Mon Dec 11 19:32:50 UTC 2017


On Mon, 11 Dec 2017 08:39:02 -0800 <portmaster at BSDforge.com> said

> On Mon, 11 Dec 2017 11:10:32 +0000 "Matt Smith" <matt.xtaz at gmail.com> said
> 
> > On Dec 10 14:58, Chris H wrote:
> >>OK I'm puzzled a bit. FreeBSD's motto has always been:
> >>FreeBSD
> >>The power to serve!
> >>
> >>but many of the proposed, and recent, changes/removals end up more like:
> >>FreeBSD
> >>It's castrated!
> > 
> > The problem with software in the base is that it is *much* more 
> > difficult to update to add new features or patch security issues. With a 
> > port the software will be updated relatively quickly. And users can get 
> > the benefits of that with a quick pkg upgrade. They might not update 
> > their O/S for 6-12 months.
> > 
> > In my opinion any software which is accessible to the internet should be 
> > patched and upgraded ASAP. It's for this reason that I've always 
> > disabled things like OpenSSH/OpenSSL/ntpd etc in the base and used port 
> > versions instead.
> I applaud that attitude. I couldn't agree more. For that same reason, I
> (not unlike you) have always excluded software that history has proven
> to pose security risks ( WITHOUT_BIND=true ) for example. The same can also
> *easily* be said of OpenSSL.

[ excessive "jag" removed. sorry ]

> threat.
> In closing, and more to the point regarding Sendmail: Sendmail has had a nearly
> impeccable security record for at least the last decade. It provides a *secure*,
> more powerful, and more flexible MX on the cheap. I see little reason to
> consider it an attack vector. Which makes *security*, and its related
> maintenance, a pretty poor argument for its removal.
> 
> --Chris
Let me attempt to make my point another way (and stay closer to topic).
A user is able to accomplish more with sendmail in base than with any
other MX port in base alone.
Sendmail provides OOB:
  - block by topic/portion of topic
  - block forged MX
  - block dynamic host(s)
all with the addition of one stanza, and (in the case of "topic") the
addition of a TOPIC_FILE.
It also provides some other measures that trip up, or otherwise
thwart, spammer tactics:
  - delay (E)HELO
  - connection THROTTLING
as well as the ability to utilize block list services offered by third
parties, or your own personal block list.
Many of the other MX packages in the ports tree provide a subset of
the shortlist I mentioned above. But none of them offer them all.
Given that the biggest concern, both security-wise and nuisance-wise,
for anyone managing an internet-facing MX service is SPAM and related
threats, wouldn't one be best served by having the most options
available to defend against such threats?
FWIW, in ~5 months of only (ever) having sendmail from base, without
the addition of any "plugins", I was able to collect (and subsequently
block) ~9.9 million SPAM sources. Not likely, but *actual* spam sources.
When I began life as a maintainer of ports, I was required to
subscribe to additional FreeBSD mailing lists, and to provide my/an
email address along with the ports I maintain.
As a result, my [that] address had a greater exposure to spammers.
In a short time, I found myself inundated with SPAM -- literally
*thousands* per day. My initial reaction was to curse the FreeBSD
ports/mailing-list management system, and those who were in charge.
But I decided against a knee-jerk reaction, and decided to give the
matter more thought before making a decision. In the end, I decided
I wasn't going to allow myself to be a victim, but rather make the
whole matter a challenge, or puzzle, that I would solve. In the end,
and with my current base version of sendmail, I now only receive
some 3-5 SPAM/week. That is a *remarkable* number compared to my
initial experience, as is the number of *actual* SPAM sources I've
been able to thwart. That 9.9 million number is not a *probable*
number, it's an actual figure, and in the end, I *always* get the
mail I want, and nearly *never* get the mail I don't. All with
sendmail from base, and without any external/third party services.
IMHO that makes a pretty strong argument for retaining Sendmail. If
I were an MX administrator, would I not want all the options/help
I could get to defend myself against attack? This is the sort of
thing that makes FreeBSD the best choice for a Server Grade install.
It provides server grade applications in a Service oriented OS.

Yes. But if it's removed, nothing stops you from installing it
from ports.

True. But if I'm selling a Server-targeted OS, don't I want to
advocate server-grade services?

Thanks for listening -- I know it was long.

--Chris
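[Editor's added example. The measures Chris lists above (delayed greeting, forged/bad HELO rejection, blocking hosts without reverse DNS, connection throttling, DNS block lists, a personal block list, and Subject-based blocking) map onto FEATUREs that ship in sendmail's own cf/ tree. The .mc below is my illustration of that mapping, not Chris's configuration and not FreeBSD's stock freebsd.mc; the hostname mx.example.net, the block-list zone bl.example.net, the subject pattern and the /etc/mail/access entries are placeholders. The only non-FEATURE piece is the Subject check, which is a small local ruleset over a regex map in the style sendmail's cf/README documents for header checks.]

```m4
dnl Added example (editor's illustration, not from the thread): a minimal
dnl FreeBSD-style sendmail.mc wiring up the anti-spam measures listed in the
dnl post using only stock sendmail FEATUREs. Placeholder names throughout.
divert(0)
VERSIONID(`example mx.example.net')
OSTYPE(freebsd6)
DOMAIN(generic)

dnl Access map: per-client accept/reject decisions ("your own personal block
dnl list") plus the GreetPause:/ClientRate:/ClientConn: overrides used below.
dnl Matching /etc/mail/access lines (rebuild the db with makemap after editing):
dnl   Connect:203.0.113.50     REJECT   # one line per spam source you collect
dnl   GreetPause:              5000     # default pause, milliseconds
dnl   GreetPause:10.0.0        0        # no pause for the LAN
dnl   ClientRate:              30       # new connections/minute per client
dnl   ClientConn:              10       # simultaneous connections per client
FEATURE(`access_db', `hash -o -T<TMPF> /etc/mail/access')

dnl "delay (E)HELO": wait 5 s before the 220 banner; clients that talk before
dnl the banner (typical of spam engines) are rejected.
FEATURE(`greet_pause', `5000')

dnl Forged/bad HELO: reject HELO/EHLO arguments that are unqualified or that
dnl claim one of this host's own names.
FEATURE(`block_bad_helo')

dnl "block dynamic host(s)": reject clients whose IP has no reverse DNS.
dnl Caveat: this also hits legitimate senders with broken rDNS; whitelist them
dnl with "Connect:<ip>  OK" in /etc/mail/access.
FEATURE(`require_rdns')

dnl Connection THROTTLING: enforce the ClientRate:/ClientConn: limits from the
dnl access map; "terminate" drops the connection with a 421 instead of a 4xx
dnl per command.
FEATURE(`ratecontrol', `nodelay', `terminate')
FEATURE(`conncontrol', `nodelay', `terminate')

dnl Third-party block list (zone is a placeholder); one FEATURE line per list.
FEATURE(`dnsbl', `bl.example.net', `"550 Mail from " $&{client_addr} " rejected; listed at bl.example.net"')

dnl "block by topic": a regex map over the Subject: header. -f folds case,
dnl -a@MATCH makes the map return @MATCH on a hit. NOTE: in the R lines the
dnl LHS and RHS must be separated by a TAB, not spaces.
LOCAL_CONFIG
Ksubjblock regex -f -a@MATCH (make money fast|free v1agra)
LOCAL_RULESETS
HSubject: $>+CheckSubject
SCheckSubject
R$*			$: $(subjblock $1 $)
R@MATCH			$#error $: "554 Subject blocked by policy"

dnl MAILER definitions must come last.
MAILER(local)
MAILER(smtp)
```

On FreeBSD this would be saved as /etc/mail/`hostname`.mc and built, installed and activated with the stock /etc/mail/Makefile (make, make install, make restart), after regenerating the access db with makemap hash /etc/mail/access < /etc/mail/access. Before exposing it, test the Subject rule offline with sendmail -bt (enter "CheckSubject make money fast"; the trace should resolve to the error mailer with the 554 text, while an innocuous subject should pass through unchanged) and watch maillog for a day for require_rdns and greet_pause rejections of senders you actually want, adding Connect:/GreetPause: exceptions for them rather than loosening the defaults.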
