Re: designing a secure mail server?

From: James M Galvin (galvinat_private)
Date: Thu Feb 28 2002 - 12:04:27 PST


    On Thu, 28 Feb 2002, dalek wrote:
    
        I have been thinking long and hard about the design of a secure MTA,
        preferably one that does SMTP and local (to the spool) as well as
        remote (SMTP) delivery.
    
    If you really want to understand a secure MTA you need to understand
    MMDF.  It meets all of your requirements, by the way, and always has.
    
    It was created in 1976.  To my knowledge it has only ever had 1 (let me
    repeat that, exactly *one*) security flaw that was discovered in its
    SMTP daemon in 2000.  25 years is a long time for any software to
    survive on the Internet without a security problem.
    
    MMDF was later commercialized as PMDF in 1990, which has since been
    bought by Sun for inclusion in iPlanet with PMDF's current installed
    base being passed on to Process Software (www.process.com) so they can
    continue the PMDF product.  SCO also includes MMDF as its baseline MTA
    and has since the late 1980s.
    
    A search for "mmdf" at Google will get you some 28,000 links, including
    several different FAQs with more information.  The MMDF distribution
    includes a few papers written years ago about it.  There's been nothing
    recent of which I'm aware.
    
    Although freeware, MMDF was never a popular MTA if the statistic is
    number of installed sites.  It was the MTA of choice in the early
    ARPANet, running at the two relay sites (Rand and UDel), and was the MTA
    for CSNet, for those who remember that.
    
    In my opinion its popularity suffered because of configuration anarchy.
    It has *THE* architecture of a secure email system but its
    configuration, use, and management is not for the faint of heart.  If
    you ever got good at it though, there was not and has never been any
    substitute for it.
    
    The architecture of qmail is similar conceptually to MMDF, although Dan
    Bernstein chose a somewhat different implementation path.  To be fair
    though, there is more to a secure MTA than secure software.  Strictly
    speaking, many MTAs could be made to be secure.  It's just that a small
    few are better suited to it than others, e.g., first MMDF, then PMDF,
    and now qmail, postfix, and a few others.
    
    It is my opinion the real problem is that most sites fail to acquire and
    maintain the expertise necessary to manage a secure email system.  Worse
    is the fact that that is true of most complex software systems.  qmail
    "wins" in this regard because it is pretty straightforward to set up and
    it was designed with security in mind.  For small to medium sites qmail
    or any of the other suggested email systems would be a good choice.  For
    large sites what you use is important but more importantly you had
    better have the specialized expertise available to manage whatever you
    choose.
    
    I was first exposed to MMDF back in 1982, as a graduate student.  I've
    never gone back.  Today I use PMDF.  I've been studying, using, and
    managing email systems ever since.  I have no other direct association
    with any MTA.
    
    Enjoy,
    
    Jim
    
    --
    James M. Galvin, Ph.D.                          President and CEO
    eList eXpress LLC                               +1 410.549.4619
    607 Trixsam Road                                +1 410.795.7978 FAX
    Sykesville, MD  21784                           http://www.elistx.com
    
      An email service provider hosting spam and virus free mailing lists
      and your permanent email address.  Delivering your email your way!
    


