Sendmail is one of the most venerable Internet software packages still in widespread use: it first appeared in 4.1c BSD Unix (April 1983), and to this day, it has remained the most relied-upon application of its kind. But Sendmail has both advantages and disadvantages.
On the plus side, Sendmail has a huge user community; as a result, it’s easy to find both free and commercial support for it, not to mention a wealth of electronic and print publications. It’s also stable and predictable, being one of the most mature applications of all time.
On the down side, Sendmail has acquired a certain amount of “cruft” (layers of old code) over its long history, resulting in a reputation of being insecure and bloated. Both charges are open to debate, however.
While it’s true that Sendmail has had a number of significant vulnerabilities over the years, these have been brought to light and fixed very rapidly. An argument can therefore be made that Sendmail security is a glass half-empty/half-full situation. Depending on your viewpoint, Sendmail’s various vulnerability reports and subsequent patches may prove that Sendmail is inherently insecure; or perhaps the fact that they come to light and are fixed quickly prove that Sendmail’s development team and user community are pretty much on top of things; or maybe you think the truth is somewhere in between. (I’m in this last camp.)
A more useful criticism is that Sendmail is monolithic: a vulnerability in one portion ...