How to SMTP (Email) Server Fedora 6?

Les Mikesell lesmikesell at gmail.com
Tue Feb 13 19:24:23 UTC 2007


James Wilkinson wrote:

>> Sendmail is no different in terms of security holes than named, sshd,
>> ftpd, or the kernel itself.  They've all had security holes and fixed
>> them.  Why single out sendmail in this respect?
> 
> Because a badly-configured e-mail server can easily be an open relay --
> enabling criminal activity and making a real pain of itself to the rest
> of the Internet.

[etc.,etc...]

You make some very good arguments about why distributions should ship 
expertly built working configurations instead of requiring every user who 
needs to receive email by smtp to muddle through fixing a broken one and 
probably doing it badly. Were you trying to say the opposite?

> I still don't think you've thought through the alternatives, too. A
> server *must* be secure by default. That means that there are only two
> other real alternatives -- an MTA which accepts e-mail from the world,
> but only sends e-mail that has originated on that computer (and relays
> nothing), and an MTA which accepts e-mail from the world, and relays
> e-mails if the sender has authenticated.

Yes, that would be a reasonable configuration.

> The first option, I would suggest, is relatively limited in its use --
> it still can't be a mail server for other computers.

The format of the access file isn't particularly obscure for someone who 
wants to modify it to permit relaying from their controlled networks.

> The other one is of
> more use, but given the state of public key cryptography, it would
> *still* need the admin to set up PKI to ensure that the passwords that
> were exchanged couldn't be eavesdropped (think man-in-the-middle
> attacks).

This is _exactly_ the same for ssh and https, but _oh look_, they come 
already set up for you...  They don't depend on the end user to get this 
tricky part of the configuration right.

> And no, relaying for computers on the local network by default is not
> acceptable, since Red Hat and Fedora cannot tell that a particular
> computer should relay for other computers on the local network, or that
> other computers on the local network are even part of the same
> organisation. (Think hosting companies -- a lot of them offer Red Hat
> and/or Fedora).

As I recall, your own reaction to the way RH/fedora distributes sendmail 
was to dump it completely and replace it with a different package.  I 
don't think that qualifies you as a cheerleader for the way it works now.

-- 
   Les Mikesell
     lesmikesell at gmail.com
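The access-file point above (a host that relays nothing by default, with relaying opened only for controlled networks) can be made concrete with a small simulator. This is an added example and not code from the thread or from the sendmail project; it assumes the textual access-file format described in sendmail's cf/README (a `Connect:` tagged or untagged key, a value of `RELAY`, `REJECT` or `OK`, and a lookup that tries the full client address first and then progressively shorter dotted prefixes), and it simplifies that lookup: no IPv6, no hostname keys, and no handling of the `OK`/`DISCARD` subtleties. The sample file and the audit heuristic are constructed for this illustration.

```python
"""Simulate sendmail access-map relay decisions for connecting clients.

Added illustration, not sendmail's own code. It models the documented
lookup order for the client address (tagged ``Connect:`` key, then the
untagged key, longest dotted prefix first) and shows that an unlisted
client gets no relay permission, which is the secure default the thread
is arguing about.
"""

# Constructed sample of an access file in its text form (before makemap).
ACCESS_FILE = """\
# Controlled networks that may relay through this host
Connect:127.0.0.1        RELAY
Connect:192.168.10       RELAY
Connect:10               RELAY
Connect:172.16.5.20      RELAY
# A single host inside a relaying network that is refused anyway
Connect:192.168.10.99    REJECT
# Sender-domain policy; this is not a relay decision
From:example.invalid     REJECT
"""


def parse_access(text):
    """Parse the text form of an access file into a key -> value dict."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line; makemap would complain about it
        key, value = parts[0], parts[1].strip()
        table[key] = value
    return table


def lookup_client(table, ip):
    """Return the access value for a connecting IPv4 client, or None.

    Tries the full address, then each shorter dotted prefix, checking the
    ``Connect:`` tagged key before the untagged one at every step, so a
    more specific entry (a host) overrides a broader one (a network).
    """
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        prefix = ".".join(octets[:n])
        for key in ("Connect:" + prefix, prefix):
            if key in table:
                return table[key]
    return None


def may_relay(table, client_ip):
    """True only if the client matches an entry whose value is RELAY."""
    verdict = lookup_client(table, client_ip)
    return verdict is not None and verdict.upper() == "RELAY"


def broad_relay_entries(table, max_octets=1):
    """Heuristic audit: RELAY entries whose prefix is a single octet.

    A one-octet prefix grants relaying to a whole /8, which is rarely a
    'controlled network'; such entries deserve a second look.
    """
    found = []
    for key, value in table.items():
        if value.upper() != "RELAY":
            continue
        prefix = key[len("Connect:"):] if key.startswith("Connect:") else key
        if len(prefix.split(".")) <= max_octets:
            found.append(key)
    return sorted(found)


if __name__ == "__main__":
    tbl = parse_access(ACCESS_FILE)
    for client in ("192.168.10.5", "192.168.10.99", "10.99.1.1",
                   "172.16.5.21", "203.0.113.7"):
        print(f"{client:15} relay={may_relay(tbl, client)}")
    print("broad RELAY entries:", broad_relay_entries(tbl))
```

Running the block shows the policy the reply describes: hosts in the listed networks may relay, the explicitly rejected host inside one of them may not, an address next to a single listed host gets nothing, and an unknown client from the Internet is refused relaying because no entry matches. The audit flags the `/8` entry as the kind of line worth reviewing before a box becomes an open relay.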