Hi, as far as security advisories from Redhat I only see the last update to Postfix being 9/2/04 2.0.16-14.RHEL3.
Centos3.3 however added a newer version that I am currently using which matches the last 2.0 version official release at postfix.org.
/pub/cAos/centos-3/3.3/contrib/i386/RPMS/ postfix-2.0.20-1.centos3.1
Since I am running this as my public smtp server it makes me wonder why Redhat has not moved to Postfix 2.1 which is the latest official release.
Anyone have an opinion whether it is safe to stick with Redhat's Postfix release on a public smtp server or should I move to 2.1?
thx
-- Mike
On Wed, 2004-12-15 at 16:18 -0800, Michael Rock wrote:
> Hi, as far as security advisories from Redhat I only see the last update to Postfix being 9/2/04 2.0.16-14.RHEL3.
That is what I am using.
> Centos3.3 however added a newer version that I am currently using which matches the last 2.0 version official release at postfix.org.
> /pub/cAos/centos-3/3.3/contrib/i386/RPMS/ postfix-2.0.20-1.centos3.1
That is a contrib package ... meaning someone other than the official CentOS maintainers provided it. It is NOT the official CentOS-3 version.
> Since I am running this as my public smtp server it makes me wonder why Redhat has not moved to Postfix 2.1 which is the latest official release.
RedHat has a policy of backporting fixes ... see this link:
http://www.redhat.com/advice/speaks_backport.html
> Anyone have an opinion whether it is safe to stick with Redhat's Postfix release on a public smtp server or should I move to 2.1?
RedHat's official versions are (in my opinion) the best from a security perspective.
> thx
> -- Mike
--- Johnny Hughes http://www.HughesJR.com/
On Wednesday, 15 December 2004, at 18:44:57 (-0600), Johnny Hughes wrote:
> RedHat's official versions are (in my opinion) the best from a security perspective.
Depends on your needs. Those (like me) on the postfix announce list can whip up a new postfix package with mezzanine faster than RH can post updates (assuming everyone is notified at once).
Michael
On Wed, 15 Dec 2004 22:49:33 -0500 Michael Jennings mej@caosity.org wrote:
> On Wednesday, 15 December 2004, at 18:44:57 (-0600), Johnny Hughes wrote:
> > RedHat's official versions are (in my opinion) the best from a security perspective.
> Depends on your needs. Those (like me) on the postfix announce list can whip up a new postfix package with mezzanine faster than RH can post updates (assuming everyone is notified at once).
On Thu, 16 Dec 2004 10:41:59 +0100 Martin Hamant mh@accelance.fr wrote:
> On Wed, 15 Dec 2004 22:49:33 -0500 Michael Jennings mej@caosity.org wrote:
> > On Wednesday, 15 December 2004, at 18:44:57 (-0600), Johnny Hughes wrote:
> > > RedHat's official versions are (in my opinion) the best from a security perspective.
> > Depends on your needs. Those (like me) on the postfix announce list can whip up a new postfix package with mezzanine faster than RH can post updates (assuming everyone is notified at once).
:P Sorry for that empty mail. I just wanted to say that I remember a release of postfix on Centos which was by default an open relay. It seems to not be the case with the last one.
On Wed, 2004-12-15 at 22:49 -0500, Michael Jennings wrote:
> On Wednesday, 15 December 2004, at 18:44:57 (-0600), Johnny Hughes wrote:
> > RedHat's official versions are (in my opinion) the best from a security perspective.
> Depends on your needs. Those (like me) on the postfix announce list can whip up a new postfix package with mezzanine faster than RH can post updates (assuming everyone is notified at once).
> Michael
Absolutely Michael ... you can provide quality and fast updates. No doubt about it.
Simon Mudd's SRPMS for postfix are also very good. I compile them for people all the time.
I wasn't suggesting that either of those sources for packages are not good, or that there would be anything wrong with that approach.
But, especially for the major server functionality, I think that using the official RHEL versions is the smartest thing to do whenever possible ... specifically because of the backporting policy in my other e-mail (they will roll back security issues without breaking current installs).
In my view (again, this is just my opinion), the whole purpose for CentOS is to give you the stability of RHEL ... and changing server packages to newer versions defeats that purpose.
Don't get me wrong, I'm going to build a mysql 4.1.x server package so that I can use the new Administrator and Query tools by mysql ... so I understand why some packages might need to be upgraded.
But, worrying about security issues from RedHat based on version number is not necessary because of backporting. RedHat is very proactive about getting out security fixes.
- Johnny Hughes
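Added example (not part of the thread, and not Red Hat's or CentOS's own tooling): with backported fixes the upstream version number stays the same, so the useful check is whether the package changelog, in the format printed by `rpm -q --changelog postfix`, mentions the advisory id. The changelog entries and the `CAN-0000-000x` ids below are constructed, and the function names and the assumption that each entry header ends with the version-release are this example's own.

```shell
#!/bin/sh
# Constructed sample in the format printed by `rpm -q --changelog <package>`
# (newest entry first). Entries and CAN-0000-000x ids are made up.
sample_changelog() {
cat <<'EOF'
* Thu Sep 02 2004 Example Packager <packager@example.com> 2.0.16-14.RHEL3
- backport upstream patch for CAN-0000-0001
- upstream version number left unchanged

* Mon Mar 01 2004 Example Packager <packager@example.com> 2.0.16-4
- rebuilt
EOF
}

# fixed_in ID: read a changelog on stdin, print the version-release of the
# newest entry that mentions ID, and return 0; return 1 if no entry does.
# Assumption: the last field of each "* ..." header is the version-release.
fixed_in() {
    [ -n "$1" ] || return 2
    awk -v id="$1" '
        BEGIN { pat = "(^|[^A-Za-z0-9])" id "([^0-9]|$)" }  # whole-id match
        /^\* / { rel = $NF; next }                          # entry header
        !found && $0 ~ pat { print rel; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# report ID: one-line verdict against the sample changelog.
report() {
    if rel=$(sample_changelog | fixed_in "$1"); then
        echo "$1: fix present in $rel (backported)"
    else
        echo "$1: not in changelog; check the vendor advisory"
    fi
}

report CAN-0000-0001
report CAN-0000-0002
```

On a live system, pipe `rpm -q --changelog postfix` into `fixed_in` in place of the sample.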
Johnny Hughes wrote:
> Don't get me wrong, I'm going to build a mysql 4.1.x server package so that I can use the new Administrator and Query tools by mysql ... so I understand why some packages might need to be upgraded.
Just a quick link to share with you, since you mentioned upgrading to mysql 4.1.x:
http://fedoranews.org/contributors/tony_smith/mysql/
I followed these instructions, and they are excellent. The benefit of doing it this way is that it is fully compatible with other RPMs that depend on the original mysql RPMs (like php, perl-DBD, etc). So you don't run into dependency issues. And this was one upgrade that was _definitely_ worth it.
Thanks, Ryan
From: Johnny Hughes mailing-lists@hughesjr.com
To: CentOS Users centos@caosity.org
Subject: Re: [Centos] Postfix on Centos3.3
Date: Thu, 16 Dec 2004 06:59:35 -0600
> But, especially for the major server functionality, I think that using the official RHEL versions is the smartest thing to do whenever possible ... specifically because of the backporting policy in my other e-mail (they will roll back security issues without breaking current installs).
> In my view (again, this is just my opinion), the whole purpose for CentOS is to give you the stability of RHEL ... and changing server packages to newer versions defeats that purpose.
Agree 100% otherwise I would be using Gentoo or Debian with backports or something like that. The whole point of RHEL is to have as few changes as possible over release years so servers are maintainable. This is why Centos seems good...... more like RHEL. Please don't start adding new packages here and there just for the sake of having new versions.
Max.
Any idea about when this will be released? I have a client who has a server ready to be built. Should I wait for this or go 3?
-- <<JAV>>
On Thu, 16 Dec 2004, Joe Polk wrote:
> Any idea about when this will be released? I have a client who has a server ready to be built. Should I wait for this or go 3?
We don't really know - some people say that rhel-4 is overdue .....
We have a beta of 4.0 in development test at the moment.
Anyway, it should be possible to upgrade from 3 -> 4 using yum ...
Regards Lance
Cool!
-- <<JAV>>
---------- Original Message -----------
From: Lance Davis lance@uklinux.net
To: Joe Polk listuser@javelinux.com
Cc: centos@caosity.org
Sent: Thu, 16 Dec 2004 17:08:01 +0000 (GMT)
Subject: Re: [Centos] CentOS 4
> On Thu, 16 Dec 2004, Joe Polk wrote:
> > Any idea about when this will be released? I have a client who has a server ready to be built. Should I wait for this or go 3?
> We don't really know - some people say that rhel-4 is overdue .....
> We have a beta of 4.0 in development test at the moment.
> Anyway, it should be possible to upgrade from 3 -> 4 using yum ...
> Regards Lance
> -- uklinux.net - The ISP of choice for the discerning Linux user.
------- End of Original Message -------
RHEL is a Redhat product. CentOS is built off the RedHat sources. Right now RHEL4 is in beta, so is CentOS4. So when RedHat releases RHEL4 to production then CentOS can complete the CentOS4 build.
On Thursday, 16 December 2004, at 06:59:35 (-0600), Johnny Hughes wrote:
> Absolutely Michael ... you can provide quality and fast updates. No doubt about it.
Well, thanks for the compliment, but that wasn't exactly my point. :)
I'm just saying that if one so chooses, one can follow the releases and still use RPM's to do it. Of course one must know the risks to do this; keeping up with postfix (on which nothing really depends from an ABI perspective) is very different from keeping up with Apache (mmm...modules).
If one chooses not to do this, the fixes for your distribution are your best bet.
> But, especially for the major server functionality, I think that using the official RHEL versions is the smartest thing to do whenever possible ... specifically because of the backporting policy in my other e-mail (they will roll back security issues without breaking current installs).
If you can't do the same thing, then yes, I agree. :)
Michael
Michael Rock wrote:
> Anyone have an opinion whether it is safe to stick with Redhat's Postfix release on a public smtp server or should I move to 2.1?
I use Simon J. Mudd's postfix packages. I download the SRPM and then rebuild it with all the options that I need. It's the easiest way, IMO, to keep updated with postfix:
--Ajay