On Thu, 28 Feb 2002, dalek wrote:

> I have been thinking long and hard about the design of a secure MTA, preferably one that does SMTP and local (to the spool) as well as remote (SMTP) delivery.

If you really want to understand a secure MTA you need to understand MMDF. It meets all of your requirements, by the way, and always has. It was created in 1976. To my knowledge it has only ever had 1 (let me repeat that, exactly *one*) security flaw that was discovered in its SMTP daemon in 2000. 25 years is a long time for any software to survive on the Internet without a security problem.

MMDF was later commercialized as PMDF in 1990, which has since been bought by Sun for inclusion in iPlanet with PMDF's current installed base being passed on to Process Software (www.process.com) so they can continue the PMDF product. SCO also includes MMDF as its baseline MTA and has since the late 1980s.

A search for "mmdf" at Google will get you some 28,000 links, including several different FAQs with more information. The MMDF distribution includes a few papers written years ago about it. There's been nothing recent of which I'm aware.

Although freeware, MMDF was never a popular MTA if the statistic is number of installed sites. It was the MTA of choice in the early ARPANet, running at the two relay sites (Rand and UDel), and was the MTA for CSNet, for those who remember that.

In my opinion its popularity suffered because of configuration anarchy. It has *THE* architecture of a secure email system but its configuration, use, and management are not for the faint of heart. If you ever got good at it though, there was not and has never been any substitute for it.

The architecture of qmail is similar conceptually to MMDF, although Dan Bernstein chose a somewhat different implementation path.

To be fair though, there is more to a secure MTA than secure software. Strictly speaking, many MTAs could be made to be secure. It's just that a small few are better suited to it than others, e.g., first MMDF, then PMDF, and now qmail, postfix, and a few others.

It is my opinion the real problem is that most sites fail to acquire and maintain the expertise necessary to manage a secure email system. Worse is the fact that that is true of most complex software systems. qmail "wins" in this regard because it is pretty straightforward to set up and it was designed with security in mind.

For small to medium sites qmail or any of the other suggested email systems would be a good choice. For large sites what you use is important but more importantly you had better have the specialized expertise available to manage whatever you choose.

I was first exposed to MMDF back in 1982, as a graduate student. I've never gone back. Today I use PMDF. I've been studying, using, and managing email systems ever since. I have no other direct association with any MTA.

Enjoy,

Jim
--
James M. Galvin, Ph.D.     President and CEO
eList eXpress LLC          +1 410.549.4619
607 Trixsam Road           +1 410.795.7978 FAX
Sykesville, MD 21784       http://www.elistx.com

An email service provider hosting spam and virus free mailing lists and your permanent email address. Delivering your email your way!

This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 14:04:26 PST