[svlug] mailer versions (was; weirdness in Seattle)

Ian Kluft ikluft at cisco.com
Thu Apr 15 15:50:34 PDT 1999


> From: Ira Abramov <ira-svlug-lists at scso.com>
> > 2. There is no problem reporting versions with Exim, there has not
> > been a security problem with it. Reporting versions IS a problem with
> > sendmail because of all the security problems it has had.
> 
> now that is a pretty ridiculous statement. read it again and tell me
> there is no bug in that logic :-)))

I can understand your point that history tells us to exercise caution when
revealing what version of what software your site on the Net runs.  But
caution doesn't mean "never."  It just means "know why."

So George has a point too.  Depending on the software you run, it may or
may not be as big an issue to reveal the version you use.  There isn't a
"one size fits all" appropriate reaction to it.

Sendmail has had some of the Net's biggest security advisories against
it.  In fact, it was legendary for the worst security track record until
Microsoft jumped onto the Net.  Many Internet users may not know these days
that sendmail was one of the main propagation methods of the Morris Internet
Worm of 1988.  That was the event that prompted CERT to be founded.

Though Sendmail's authors claim "the more it's used, the more bugs people
will find", there's still no excuse for their "wizard mode" backdoor
and other holes resulting from starting with no security policy.  Then
again, since sendmail was first, this is holding late-90's standards
against work from the early 80's, so I acknowledge it's not entirely fair.
You just can't afford to be "fair" when considering security.

Exim was a mid-90's ground-up rewrite of smail.  So it had many years of
developer experience with problems to avoid.  While no useful software is
likely to be perfect due to its complexity, the design philosophy from its
beginning can tell you a lot about what you can expect from it.

For now, seeing version numbers on Exim mail headers is not a problem.
It may actually help sysadmins track down configuration problems when
users report them.  And that was the whole point.
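The "know why" approach above starts with knowing what your own relays actually advertise. As an added example that is not part of the thread, this script walks the Received: headers of a message and reports, per hop, which MTA banner (Exim-style or sendmail's "(version/config)" style) the relay exposed; the message, hostnames and version strings are constructed for the demonstration.

```python
import email
import re

# Constructed sample message (not from the list archive): two Received hops,
# one written by Exim and one in sendmail's "(version/config)" style.
SAMPLE = """\
Received: from relay.example.net ([192.0.2.10])
\tby mx.example.org with esmtp (Exim 2.10 #1)
\tid 10XXXX-0001Yz-00; Thu, 15 Apr 1999 15:50:34 -0700
Received: from workstation.example.net (workstation.example.net [198.51.100.7])
\tby relay.example.net (8.9.3/8.9.3) with ESMTP id PAA12345;
\tThu, 15 Apr 1999 15:49:01 -0700
From: someone@example.net
To: list@example.org
Subject: constructed test message

body
"""

# Banner patterns for the two MTAs the thread discusses. Exim names itself;
# sendmail traditionally writes "(daemon-version/config-version)".
BANNERS = [
    ("Exim", re.compile(r"\((Exim [^)]*)\)")),
    ("sendmail", re.compile(r"\((\d+\.\d+\.\d+/[^)]*)\)")),
]
BY_HOST = re.compile(r"\bby\s+(\S+)")


def advertised_software(raw_message):
    """Return one (relay_host, mta, version_string) tuple per Received hop.

    mta and version are None when the hop reveals no recognizable banner.
    Hops are listed newest first, as they appear in the header block."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
        by = BY_HOST.search(flat)
        host = by.group(1) if by else None
        mta, version = None, None
        for name, pattern in BANNERS:
            m = pattern.search(flat)
            if m:
                mta, version = name, m.group(1)
                break
        hops.append((host, mta, version))
    return hops


if __name__ == "__main__":
    for host, mta, version in advertised_software(SAMPLE):
        print(f"{host}: {mta or 'no banner'} {version or ''}".rstrip())
```

Run it over mail that left your own relays to see exactly which version strings each hop discloses, which is the input the "know why" decision needs.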
