We went through 2 security audits where all our sendmail systems were shown to be running vulnerable versions... the reason was that the vendor backported fixes to that version of sendmail and the vulnerability scanner only used a very simple regex to figure out what sendmail was running. Talking to other system administrators this seemed to be a common occurrence, and from the head auditor it seemed that they had lots of sites giving in variance reports saying "Hey we are running a backported version... update your scanning software."
This is not a recommendation for running sendmail. While I like the software, having written rules since 1991 or so... I also realize that I know enough about it to make sendmail perform better than an out of the box postfix or exim... which of course makes me a very biased opinion. But I do think that reports about how many vulnerable systems are out there need to be looked at a bit more sceptically.
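The failure mode the comment describes, a scanner that matches the upstream version in the SMTP banner and ignores vendor backports, is easy to reproduce side by side with a package-aware check. The following is an added illustration, not code from the commenter or from any scanner; the banner, the package string, the advisory thresholds and the release-number convention are all constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed sample: an SMTP greeting as a banner-grabbing scanner would see it.
SAMPLE_BANNER = "220 mail.example.test ESMTP Sendmail 8.14.4/8.14.4; Mon, 1 Jan 2018 00:00:00 +0000"

# Constructed sample: what the vendor's package manager reports (name-version-release).
SAMPLE_PACKAGE = "sendmail-8.14.4-9.vendor1"

# Hypothetical advisory data (placeholder values, not a real CVE):
#   fixed upstream in 8.14.9, and backported by the vendor into release 8 of its 8.14.4 package.
UPSTREAM_FIXED: Tuple[int, int, int] = (8, 14, 9)
VENDOR_FIXED_BASE: Tuple[int, int, int] = (8, 14, 4)
VENDOR_FIXED_RELEASE = 8

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_BANNER_RE = re.compile(r"Sendmail (\d+\.\d+\.\d+)")
_PACKAGE_RE = re.compile(r"^sendmail-(\d+\.\d+\.\d+)-(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '8.14.4' into (8, 14, 4); None if the string is not a dotted triple."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())  # type: ignore[return-value]


def naive_banner_check(banner: str) -> Optional[bool]:
    """The simplistic scanner: read the upstream version out of the banner and
    call anything below the upstream fix version vulnerable.
    Returns True (flagged), False (not flagged) or None (no version found)."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    version = parse_version(m.group(1))
    return version is not None and version < UPSTREAM_FIXED


def package_aware_check(package: str) -> Optional[bool]:
    """Backport-aware check: use the vendor package's version-release pair.
    A package at or above the upstream fix is clean; a package on the vendor's
    patched base version is clean once its release number reaches the backport."""
    m = _PACKAGE_RE.match(package)
    if not m:
        return None
    base = parse_version(m.group(1))
    release = int(m.group(2))
    if base is None:
        return None
    if base >= UPSTREAM_FIXED:
        return False
    if base == VENDOR_FIXED_BASE and release >= VENDOR_FIXED_RELEASE:
        return False  # vendor backported the fix into this release
    return True


if __name__ == "__main__":
    # The same host, judged two ways: the banner regex flags it, the package data clears it.
    print("banner regex says vulnerable:", naive_banner_check(SAMPLE_BANNER))
    print("package-aware says vulnerable:", package_aware_check(SAMPLE_PACKAGE))
```

The point of the pair is that both checks are "correct" for the data they look at; the banner simply does not carry the vendor's release number, so a scanner that reads only the banner cannot tell a patched 8.14.4 from an unpatched one and should be expected to produce the false positives the comment describes.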
Copyright © 2017, Eklektix, Inc.