Re: Postfix/Exim Security

From: Phil Brutsche
Date: 12/12/01

Date: Wed, 12 Dec 2001 15:01:49 -0600 (CST)
From: Phil Brutsche
To: Ryan M Harris

Note that, as you might be able to see in my email headers - provided that
the qmail server(s) @ doesn't strip them out :), I use
Exim pretty heavily...

A long time ago, in a galaxy far, far away, someone said...

> We are running Qmail currently, and I want to get away from its thousands of
> configuration files and unusual file system structure and its lack of
> integrated features (I'm sick of the thousands of patches).

I've basically snubbed my nose at qmail for the same reasons.

> I have seen people that have their reasons for loving postfix / exim.
> What are the specific problems with security on exim/postfix?

Some of the "security problems" with Exim - it's up to you to decide if
they're really a problem or not - are documented in the Exim Spec at

The section you really want to look at right now is section 55, entitled
"Security considerations".

In short, the "security problems" with Exim that you need to worry about are:

* Whether to run Exim as root or some other dedicated uid
* File permissions
* User access - users that are trusted by Exim with certain privileged
  operations, such as queue management.
* "Unsafe" ESMTP commands such as VRFY and EXPN. All of these commands
  can be toggled or limited to certain hosts by a line or two in the
  config file.

> Our decision has come down to security, since I have looked at both.
> It seems that exim has more features, but that may mean that it has
> less security (typically). Is this the case? (you may also wish to
> give me your reasons for liking one or the other, or you may want to
> throw another name in the mix)

One of the reasons why *I* chose Exim over anything else is the breadth of
functionality that doesn't need a great many conflicting patches should I
want to use it (there are a small number of patches available to handle
"corner cases", such as SMTP AUTH with OE4).

With Exim, I have my SMTP AUTH, SSL/TLS, and LDAP & SQL lookups, just by
setting the compile time options appropriately and making sure I have the
needed headers and libraries on hand.

Postfix, in my limited experience with it, is very similar.
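The four items in the list above (dedicated uid, file ownership, trusted and admin users, VRFY/EXPN) are the ones the Exim spec's "Security considerations" section walks through. As an added illustration that is not part of the original message, here is a main-section fragment showing how they are set in Exim 4 configuration syntax. The message predates Exim 4 (its ACL mechanism replaced the older `smtp_verify`/`smtp_expn_hosts` options), so the syntax here is assumed to be what a current reader would use; the usernames, the host list contents and the ACL names are placeholders.

```exim
# Added example, not from the original post. Exim 4 main configuration
# section; usernames, addresses and ACL names below are placeholders.

# Run as a dedicated uid/gid instead of root wherever Exim can drop
# privilege (the listener still needs root to bind port 25 and to
# deliver into other users' mailboxes, but queue running and message
# reception happen under this identity).
exim_user  = exim
exim_group = exim

# Never run a delivery as these users, even if a router or alias
# expansion asks for it. "root" is the compiled-in default; listing it
# explicitly documents the intent.
never_users = root

# trusted_users may forge sender addresses with -f; admin_users may
# inspect and manipulate the queue (mailq, exim -M..., exim -q).
# Keep both lists to the people who actually operate the server.
trusted_users = mailadmin
admin_users   = mailadmin

# Hosts that are allowed to ask address questions. Everyone else gets
# a 5xx and learns nothing about which local addresses exist.
hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16

# Route VRFY and EXPN through ACLs. If either option is left unset,
# Exim rejects the command outright, which is the safer default; set
# it only when some internal host genuinely needs the command.
acl_smtp_vrfy = acl_check_vrfy
acl_smtp_expn = acl_check_expn

begin acl

# Reaching the end of an ACL without an "accept" is a deny, but an
# explicit deny lets us give the remote side a clear message.
acl_check_vrfy:
  accept hosts = +relay_from_hosts
  deny   message = VRFY is not available from your host

acl_check_expn:
  accept hosts = +relay_from_hosts
  deny   message = EXPN is not available from your host
```

File permissions, the remaining item, are not a config-file matter: the spec's advice is that the configuration file, the spool directory and the Exim binary are owned by root (or the Exim user for the spool) and not writable by anyone else, since a world-writable configuration file is equivalent to giving everyone the privilege that `trusted_users` and `admin_users` are meant to restrict.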