Vendor Versus Compiling

Old versions of operating systems tended to be shipped with old versions of sendmail. Old versions should be replaced because they are insecure.

Current versions of operating systems tend to ship with V8.7 sendmail. To find out which version you are running, issue the following command:

% /usr/lib/sendmail -d0.1 -bt < /dev/null

The first line (of possibly many) printed should contain the version number. If no version is displayed, you may be running a very old version of sendmail indeed, or some other program masquerading as sendmail. In either instance, you should upgrade. If version 8.6.13 or earlier is displayed, you should also plan to upgrade. If version 8.7.5 or earlier is displayed, you should also plan to upgrade. Version 8.7.6 was the last (as of this writing) secure version of the 8.7 series.

A more difficult decision is whether or not to upgrade if you are already running 8.8 sendmail. Potential reasons for upgrading are the following:

• Security
• The sendmail program has always been a prime target of attack by crackers (probably because it is distributed as source code). One reason to always run the latest version of sendmail is because earlier versions may have been compromised. Even if your current version is secure, a C library may not be. If you have been notified of a security hole in your library, you should consider recompiling sendmail, using a new, secure library.
• Bug fixes
• After widespread use and abuse, any program will begin to show its bugs. The sendmail program, although superbly written, is no exception. One reason new versions are periodically released is to fix reported bugs. At the very least, download the latest source and look at the release notes to see whether a bug may be biting you.
• Uniformity
• At a heterogeneous site (as most sites are these days) it is often more convenient to run a common version of sendmail and clone configuration files. Only by compiling and installing from the source can you achieve a controllable level of uniformity.
• Tuning
• A precompiled version of sendmail may lack certain features that you find desirable, or it may have features that you would prefer to exclude. Table 18.3 (in "Alphabetized Reference") lists the debugging switches that you can use to determine what kind of features your sendmail has available. If debugging switches are unavailable, the individual sections at the end of this chapter discuss other methods to determine feature support or the lack of it.

But beware: Before rushing out and replacing your vendor's version of sendmail, find out whether it uses any special vendor-specific features. If so, and if those features are more valuable to you than the security and uniformity that we mentioned, convince your vendor to upgrade for you.