Re: Postfix/Exim Security

From: David Chin (dwchin@umich.edu)
Date: 12/13/01 

To: focus-linux@securityfocus.com
From: David Chin <dwchin@umich.edu>
Date: Wed, 12 Dec 2001 18:12:18 -0500

In message <1008184144.19560.2.camel@devotchka.sonicopia.com>, jon schatz write
s:
> On Tue, 2001-12-11 at 13:17, Ryan M Harris wrote:
> > What are the specific problems with security on exim/postfix?
>
> the big problem that djb rants about is the world writable mail drop
> directory. djb's take can be found here:
>
> http://cr.yp.to/maildisasters/postfix.html
>
> wietse's take is here:
>
> http://www.postfix.org/security.html
>

This can be overcome by using a local MTA, such as Courier Maildrop, that
uses DJB's Maildir. This should take care of DJB's objections.

I have mostly duplicated Robin Whittle's setup:

  http://www.firstpr.com.au/web-mail/RH71-Postfix-Courier-Maildrop-IMAP/

and I suggest you read this through if you want to use Postfix, and also
Ralf Hildebrandt's Postfix stuff (don't be put off by the HP-UX stuff -- the
configs are platform-independent):

  http://www.stahl.bau.tu-bs.de/~hildeb/postfix/

I've set up Sendmail, qmail, and Postfix, all from scratch, and let me tell
ya, they all involve about the same time to get off the ground, but Postfix
is so much easier to reconfigure once you do have it running.

Postfix, with Courier Maildrop, and Courier IMAP/POP3 on RedHat 7.2 is what
I'm running right now, with great success. In the last couple of weeks,
there were patches to Postfix released that fixed a DoS vulnerability.

Cheers,
--Dave

Quantcast