Re: Postfix/Exim Security
From: Phil Brutsche (pbrutsch@tux.creighton.edu)
Date: 12/12/01
Date: Wed, 12 Dec 2001 15:01:49 -0600 (CST)
From: Phil Brutsche <pbrutsch@tux.creighton.edu>
To: Ryan M Harris <rmharris-securityfocus@acdinc.net>
Note that, as you might be able to see in my email headers - provided that
the qmail server(s) @ securityfocus.com doesn't strip them out :), I use
Exim pretty heavily...
A long time ago, in a galaxy far, far away, someone said...
> We are running Qmail currently, and I want to get away from its thousands of
> configuration files and unusual file system structure and its lack of
> integrated features (I'm sick of the thousands of patches).
I've basically snubbed my nose at qmail for the same reasons.
> I have seen people that have their reasons for loving postfix / exim.
>
> What are the specific problems with security on exim/postfix?
Some of the "security problems" with Exim - it's up to you to decide if
they're really a problem or not - are documented in the Exim Spec at
http://www.exim.org/exim-html-3.30/doc/html/spec.html.
The section you really want to look at right now is section 55, entitled
"Security considerations".
In short, the "security problems" with Exim that you need to worry about
are:
* Whether to run Exim as root or some other dedicated uid
* File permissions
* User access - users that are trusted by Exim with certain privileged
operations, such as queue management.
* "Unsafe" ESMTP commands such as VRFY and EXPN. All of these commands
can be toggled or limited to certain hosts by a line or two in the
config file.
> Our decision has come down to security, since I have looked at both.
> It seems that exim has more features, but that may mean that it has
> less security (typically). Is this the case? (you may also wish to
> give me your reasons for liking one or the other, or you may want to
> throw another name in the mix)
One of the reasons why *I* chose Exim over anything else is the breadth of
functionality that doesn't need a great many conflicting patches should I
want to use it (there are a small number of patches available to handle
"corner cases", such as SMTP AUTH with OE4).
With Exim, I have my SMTP AUTH, SSL/TLS, and LDAP & SQL lookups, just by
setting the compile time options appropriately and making sure I have the
needed headers and libraries on hand.
Postfix, in my limited experience with it, is very similar.
--Phil