spf-discuss

RE: SPF will solve spam and punish spammers

2004-07-26 10:01:14
 
[James Couzens]
Ok first of all, you can't only look in that area my friend.  You must
examine the entire server...
...
1) Autoresponder has nothing to do with qmail. 


I posted remote code execution exploits on port 25 because they are the
most dangerous.

But, wait a minute... Are we talking about the security of MTAs, or
whole server systems?

You can't have it both ways. Do we include things besides the MTA, or do
we not? Autoresponder is part of many (most?) distros and with qmail,
isn't it?


Windows is a complete flaming hunk of baby turds wrapped in a pretty
package.  

Insightful debate, to be certain. In response, I will pull the dirtiest
of expostulatory tricks, and quote someone more eloquent than myself: 
"To endeavor to work upon the vulgar with fine sense is like attempting
to hew blocks with a razor." 
     -Alexander Pope

WRONG.  Please don't post blatant lies to the list, or better research
your information.  There has never been a single REAL exploit against
qmail.  

Because you choose your own standard for what is a "real" exploit.
Either exploits exist in common installations of qmail, or they don't.
MITRE seems to think they exist.

How can *you* count exploits of IE as exploits of Microsoft MTAs, for
Heaven's sake? What about OpenSSL, which has had bunches of remote
exploits? That's part of every Linux/BSD distro out there. Can I count
all of those, even if port 443 is firewalled?

To this day DJB is still offering the cash prize to anyone who
can defeat his challenge.  I find this flagrant disregard for proper
research unnerving and exceptionally irritating coming from an apparent
NT dolt with a penchant for ignoring important details.

I stand by my assertion... if you're going to include the rest of
Windows in an evaluation of Microsoft MTA security, you have to include
the "rest of the distro" when evaluating sendmail, qmail, postfix,
whatever. 

But there are lies, damned lies, and statistics. One can skew the
criteria for "what holes are included" to support whatever claim he or
she is interested in. Just as I did, and just as you did.

My point is this: the whole argument is religious in nature, and
shouldn't be on this list. I am guilty of feeding a troll, and for that
I apologize to everyone.

As for being an "NT dolt"... Well, I've administered quite a few Windows
NT/2000/2003 servers over the past decade.  We've even run a few *NIX
boxes on my watch.  We buy whatever box would run the best application
for our business needs, and are quite capable of running them reasonably
securely with careful administration.

*How* a box is run is far more important than what it runs. Microsoft
themselves seem to be capable of securing their own website, which is
probably the largest cracker target on the planet. And they do this with
the same software that runs on all the hacked, owned Windows boxes out
there. By your reasoning, this should be impossible. But nonetheless,
they do it.

As a reminder to you that are guilty of using an operating system that
is a ticking timebomb of exploitable poopie I've attached the 155 listed
"January 01 - to date" exploits in your precious.

Would you like me to serve up the entire exploit list (remote, local,
and DoS) for every piece of say, a default install of Red Hat 6 from
1/1/2000 onwards? The list would run into the thousands, and take quite
a long time to compile.

I'm not saying Microsoft software (in general) is secure. I'm just
saying Microsoft's MTAs have a history of being reasonably secure, at
least as secure as the more popular open source MTAs when judged by my
chosen "port 25 remote exploit" criteria.

But anyway, I will let this thread die. If you want the last word, have
at it.

        -Ryan-