Proofpoint

It could have been worse if they bought something more relevant.

In /etc/rc.conf you can selfdefend by:
Code:
# Disable Sendmail by default
sendmail_cert_create="NO"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
Or "live in a buildworld" by setting in /etc/src.conf
Code:
WITHOUT_SENDMAIL=yes
which is a boycott that works.

The important hint is:
https://electronicintifada.net/content/why-israeli-intelligence-linked-company-filtering-us-journalists-emails/35581 said:
Email filtering ... also involves giving a third party access to your data. According to Daniel Kahn Gillmor, a technologist at the American Civil Liberties Union: “When you engage a security company to do filtering on your data, you are giving that security company access to your data … employing a security company means trusting that company to not leak information they have about your internal communication.”

Which boils down to this imperative:

Always live in a way that you do not need to give anyone access to your internal communication and data.
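As an added example (not code from the thread or from the FreeBSD project): a POSIX sh script that audits an rc.conf-style file for the five sendmail knobs listed above and reports any that are missing or not at their disabled value. The knob names and the values "NONE"/"NO" are taken from the post; the function names (`rc_value`, `audit_sendmail`, `make_sample_rcconf`) and the sample file are constructed for this demonstration. The check treats each knob independently rather than modelling how rc.d combines them, so it expects every knob to be set explicitly, which is what the post recommends.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit an rc.conf-style file for the
# sendmail knobs from the post and report any that still leave Sendmail enabled.
# Knob names and disabled values mirror the post; the sample file below is
# constructed for the demonstration.

# Value each knob must have for Sendmail to be off (mirrors the post's settings).
expected_value() {
    case "$1" in
        sendmail_enable) echo "NONE" ;;
        sendmail_cert_create|sendmail_submit_enable|sendmail_outbound_enable|sendmail_msp_queue_enable)
            echo "NO" ;;
        *) echo "" ;;
    esac
}

# Current value of knob $2 in file $1: last assignment wins (as the shell would
# evaluate rc.conf); surrounding quotes and trailing comments are stripped.
# Prints nothing when the knob is not set at all.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Report every knob that is missing or not at its disabled value (compared
# case-insensitively, since rc.subr accepts yes/no in any case).
# Exit status 0 when all knobs are disabled, 1 otherwise.
audit_sendmail() {
    file="$1"
    status=0
    for knob in sendmail_enable sendmail_cert_create sendmail_submit_enable \
                sendmail_outbound_enable sendmail_msp_queue_enable; do
        want=$(expected_value "$knob")
        have=$(rc_value "$file" "$knob" | tr '[:lower:]' '[:upper:]')
        if [ -z "$have" ]; then
            echo "MISSING  $knob is not set (rc default applies; want \"$want\")"
            status=1
        elif [ "$have" != "$want" ]; then
            echo "ENABLED  $knob=\"$have\" (want \"$want\")"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample rc.conf: one knob left on, one knob missing. Prints its path.
make_sample_rcconf() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample rc.conf
hostname="host.example.test"
sendmail_enable="NONE"
sendmail_cert_create="NO"
sendmail_submit_enable="YES"   # submission agent still on
sendmail_outbound_enable=NO    # unquoted value with trailing comment
EOF
    echo "$tmp"
}

# Demonstration on the sample; on a real host run: audit_sendmail /etc/rc.conf
sample=$(make_sample_rcconf)
if audit_sendmail "$sample"; then
    echo "OK: all sendmail knobs disabled in $sample"
else
    echo "WARNING: sendmail not fully disabled in $sample"
fi
rm -f "$sample"
```

On the constructed sample the audit flags `sendmail_submit_enable="YES"` as still enabled and `sendmail_msp_queue_enable` as missing; pointing `audit_sendmail` at `/etc/rc.conf` gives the same report for a live system, and a non-zero exit status makes it usable from a cron job or a configuration check.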
 
It could have been worse if they bought something more relevant.
sendmail is relevant, extensively deployed, was long the standard MTA in *BSD.

I hope there is enough auditing, and perhaps it is once again *BSD licensed.
The question of alternatives is a big discussion.

The free "successors" evolve too slowly; here is a comparison:


but Exim and Courier are not mentioned. qmail, which sounds interesting, is unfortunately not maintained.
 
It is terrible that this company bought sendmail:

Really - who cares and what's the problem with it? Sendmail does what you tell it to do; if it does strange things then it is your fault. It will not change just because there's this company behind it. Sendmail does its job for you and works well? So, no reason to abandon it.

Want a BSD licensed MTA? Take OpenSMTPD. Want something which has been around longer? Take Postfix. Or Exim, Haraka, Netqmail whatever, I don't care. There's enough choice available.
 
Sendmail does what you tell it to do; if it does strange things then it is your fault. It will not change just because there's this company behind it.
Yes, configuring Sendmail properly is the responsibility of an admin.
If software does strange things, it may not always be the admin's responsibility. There are bugs, backdoors, vulnerabilities, zero-days etc., all of which are beyond the admin's responsibility.

Choosing software maintained by the intelligence-military industrial complex may be seen as taking a risk.

It's from 2013
Yeah! 2013 is the year Edward Snowden provided relevant information on IT security and beyond. Those who wanted to learn from his revelations got some lessons about trusting. Where trusting means believing (=not knowing/hoping/taking a risk) that you won't be fu**ed.

So just avoid/boycott products that can potentially bite you. It's just that simple if there were not a big BUT:

Regarding communications there is more than just a sender or a single receiver. Safe and secure communication is also about transport, man-in-the-middle and "service providers".

Just looking at one's own installation is not enough.

It's from 2013 means: it's not outdated. It is still relevant. And thank you for reminding us.
 
Yes, configuring Sendmail properly is the responsibility of an admin.
If software does strange things, it may not always be the admin's responsibility. There are bugs, backdoors, vulnerabilities, zero-days etc., all of which are beyond the admin's responsibility.

Choosing a software maintained by the intelligence-military industrial complex may be seen as taking a ri
You are partially wrong: it is entirely the admin's responsibility, if exploits and vulnerabilities do become public knowledge, to secure his own installation.

Aside from that: tell me more about these "risks" and what and where they are, considering the fact that Sendmail is open source, so that you could review it for funny things and you can always create your own binary based on that using ports.

I don't see many valid "risks" here at all, if so. At the end of the day it's about trust, and whom do you trust. If you're entirely paranoid, you could also come up with the idea that binary based OSes like FreeBSD come with a little "something something" to gather data for $WHATEVERIA.
 
I don't see many valid "risks" here at all, if so. At the end of the day it's about trust, and whom do you trust.
You don't see many valid "risks" here at all. At the end of the day it's about trust, and whom do you trust.
You are speaking about you, and ignoring the experience of millions of people.
 
considering the fact that <XXX> is open source, so that you could review it
any "hard working newbie" just cannot do this: review millions of lines of source code from all software installed. Even if the required knowledge were available on the personal level to a hard working professional, that individual would not even have the time for doing anything else. Remember the 100+ bugs/vulnerabilities, e.g. in Xorg, that just resided in the code for more than a decade?

The possibility of reading OSS is not an argument that is valid in an admin's life experience. Except for some few bug bounty hunters there is no systematic review done, for multiple reasons. One of them is even a lack of understanding of the code. And some just sell discovered vulnerabilities as zero-days to various actors providing special services.
 
You don't need millions of people who use a piece of software and have zero knowledge of the actual source code. What you need is a group of code-review developers with a deep understanding of that particular program who can approve the code changes; otherwise you risk having open source software which you trust only because it's used by millions of people, assuming that some of those millions actually do the code review and spot some bug or malicious code, which will be too late as it will already have been committed.

Sendmail is still open source, which gives you the option to inspect the actual code, and it's entirely up to you whether you want to use this software or not. You can't blame the company which still supports development of this software without having any actual proof and speak against it just because it bought that software.

Read paragraph 6 from the license
 
You can't blame the company which still supports development of this software without having any actual proof and speak against it just because it bought that software.
Blame of what? I only said: "it is terrible that this company bought sendmail".
 
It will be terrible if they don't provide the source code and make it entirely closed source and start asking money for it. Now they provide additional software and also support the development of sendmail, so I don't see anything wrong with this.
 
It will be terrible if they don't provide the source code and make it entirely closed source and start asking money for it. Now they provide additional software and also support the development of sendmail, so I don't see anything wrong with this.
That would have been worse. The reason that your arguments are limited was given by getopt.

Choosing software maintained by the intelligence-military industrial complex may be seen as taking a risk.
And I said: "it is terrible that this company bought sendmail". sendmail was the property of Sendmail Inc and it was sold. I, and surely not only I, would have preferred that another company had bought it and maintained it. That is all.
 
Just a thought experiment. Let's say "/bin/sh" is sold to Microsoft. I don't care because the shell of my root account is "zsh".
What is important is that FreeBSD is safe. As is beasty as done by Kirk.
 
Let's say "/bin/sh" is sold to Microsoft. I don't care because the shell of my root account is "zsh".
The problem, in my opinion, is that programs like sh and, in part, sendmail are parts of BSD. I (and I think others) use *BSD because I am used to the programs in it, used to this OS as it traditionally is. The reason in my case is definitely not that it is safe.
 