My current job involves reviewing code other people wrote, finding potential security holes, and producing reports describing those holes. I therefore find this post from Ed Felten somewhat dispiriting. In it he describes a study that found that once a software product is released, security holes are found at a certain rate, and that rate doesn’t seem to fall regardless of how many flaws have already been found and fixed. That sounds counterintuitive, but the numbers bear it out. What that says to me is that it’s impossible to overvalue simplicity. It seems like no matter how much work they do on Sendmail, Postfix will always be the more secure option. Even then, Postfix has its own problems.