thus Eero Volotinen spake: >> Probably not, or someone would have found them in the last five years. > > Probably yes, it's hard to security audit complex software packages. Yes; my bet would be that OpenBSD's smtpd will be the most secure MTA (when it hits the streets for production). That does NOT mean that it is scalable (well, yet to prove). >>> At least I don't want to run software with poor security track on my >>> public servers. >> So you don't run the Linux kernel? Wade through the changelog sometime. Or >> BIND? it is unrealistic to think large software packages don't have bugs or >> that they won't be found and fixed over time. > > I usually prefer softwares with good security track. Anyway kernel is > not usually exposed directly to internet, An IP stack which is part of the kernel *is* (more or less) directly exposed to the internet as long as there's the appropriate cable connected to that machine. > but some server software are > directly. > Eero Regards, Timo