[OmniOS-discuss] OmniOS sendmail suitable for Internet mail hub?
Dale Ghent
daleg at omniti.com
Mon Feb 8 00:10:45 UTC 2016
> On Feb 7, 2016, at 5:48 PM, John D Groenveld <jdg117 at elvis.arl.psu.edu> wrote:
>
> I'm all in favor of OmniOS and other Illumos-based distros using
> smartly designed and implemented *BSD bits (Oracle is wisely migrating
> from Darren Reed's IPF to OpenBSD PF for Solaris), but how is DMA
> more secure than sendmail configured to only listen on localhost?
Sendmail itself never claims to be secure in any form, and thinking that it is "more secure" in any quantifiable way than any other given MTA is a fallacy, in my opinion. On any given day, there's the chance that one can wake up to find a fresh CVE for sendmail, DMA, or any other piece of software for that matter in their inbox. We even find that in pieces of software where security is a foremost principle - take OpenSSH for example. S*** happens, as they say. So while sendmail might be used widely enough to - in theory - afford it more scrutiny as to the efficacy of its code, the fact of the matter remains that it makes no such claims and it being the subject of a new CVE on a random, future day is still very much a possibility.
Regarding OmniOS, the goal with DMA is to provide not so much a "more secure" MTA in an out-of-the-box OmniOS installation, but rather a far more simple and straightforward one to handle. For the vast majority of situations where OmniOS (or any other general-purpose service/server OS) is employed, these boxes don't act as email endpoints. They're web servers, storage servers, dev boxes, database servers... if they have anything to do with email, it's only to emit it, either into a local user's spool, or immediately passed on up to a smarthost or otherwise proper mail server. In these cases, even a sendmail that's running in Submission Agent mode is a tad too much, and (in my own opinion) it has always seemed like a role that it was shoehorned into rather than something it accomplishes elegantly by design.
That said, when the requirements surpass DMA's capabilities (as they do - personally, I run my own mail server with mailman lists, cyrus-imap, and a long list of various milters to host mail for various friends and family - a real menagerie of SMTP software), OmniOS *has* to make it easy/easier to replace DMA with a more capable MTA such as sendmail, postfix, or what have you. This is where we take advantage of IPS's package mediation capabilities, and as such gives us the ability to also continue to ship (a better) sendmail so that it may be employed in those instances without making users gnash their teeth while attempting strange acrobatics around package uninstallation/reinstalls just to get what they need on-disk.
/dale