Re: Postfix/Exim Security

From: Phil Brutsche (pbrutsch@tux.creighton.edu)
Date: 12/12/01


Date: Wed, 12 Dec 2001 15:01:49 -0600 (CST)
From: Phil Brutsche <pbrutsch@tux.creighton.edu>
To: Ryan M Harris <rmharris-securityfocus@acdinc.net>

Note that, as you might be able to see in my email headers - provided that
the qmail server(s) @ securityfocus.com doesn't strip them out :), I use
Exim pretty heavily...

A long time ago, in a galaxy a far, far way, someone said...

> We are running Qmail currently, and I want to get away from its thousands of
> configuration files and unusual file system structure and its lack of
> integrated features (I'm sick of the thousands of patches).

I've basically snubbed my nose at qmail for the same reasons.

> I have seen people that have their reasons for loving postfix / exim.
>
> What are the specific problems with security on exim/postfix?

Some of the "security problems" with Exim - it's up to you to decide if
they're really a problem or not - are documented in the Exim Spec at
http://www.exim.org/exim-html-3.30/doc/html/spec.html.

The section you really want to look at right now is section 55, entitled
"Security considerations".

In short, the "security problems" with Exim that you need to worry about
are:

* Whether to run Exim as root or some other dedicated uid
* File permissions
* User access - users that are trusted by Exim with certain privileged
  operations, such as queue management.
* "Unsafe" ESMTP commands such as VRFY and EXPN. All of these commands
  can be toggled or limited to certain hosts by a line or two in the
  config file.

> Our decision has come down to security, since I have looked at both.
> It seems that exim has more features, but that may mean that it has
> less security (typically). Is this the case? (you may also wish to
> give me your reasons for liking one or the other, or you may want to
> throw another name in the mix)

One of the reasons why *I* chose Exim over anything else is the breadth of
functionality that doesn't need a great many conflicting patches should I
want to use it (there are a small number of patched available to handle
"corner cases", such as SMTP AUTH with OE4).

With Exim, I have my SMTP AUTH, SSL/TLS, and LDAP & SQL lookups, just by
setting the compile time options appropriately and making sure I have the
needed headers and libraries on hand.

Postfix, in my limited experience with it, is very similar.

-- 

Phil



Relevant Pages