imaginary family values presents

yesh omrim

a blog that reclines to the left

Logo

Three words no sysadmin wants to hear

22 March 2006

I’m in the middle of moving ropine.com services from the old G4 in our basement to a virtual server at OpenHosting. (Virtual hosting is cheap enough these days that a cheap virtual server plus a cheap DSL line costs less than the static-IP DSL line that we have now.)

The first thing I moved over was the email. In the past, I’ve turned up my nose at sendmail, because although it’s the traditional Unix MTA, it’s been a poster child for insecure code. But OpenHosting comes with sendmail already set up, and I was tired of all the effort it took to get my MTA and my spam filter and my IMAP server to make nice to one another, and I decided to take advantage of whatever my ISP and its Linux distribution had done to make my life easier. (I am coming to the realization, in my old age, that every hour spent administering my computer is an hour I don’t spend using it.) And besides, sendmail hadn’t had any embarrassing security holes in a while.

So imagine my delight to see an article on LWN.net that begins: “It’s been a while since we had a good sendmail vulnerability…but we need wait no longer. Sendmail 8.13.6 has just been released in response to a security issue which could lead to a remote root exploit.”

(“Remote root exploit” is security-geek shorthand for “a way for someone who doesn’t even have an account on your machine to connect to it and take it over”.)

Hopefully, if anyone has actually figured out a way to take advantage of this security hole, nobody has yet bothered to use it against me (and if they try now, it’s too late). But maybe I should go to the trouble of setting up qmail or postfix after all.