[Mailman-Users] optimizing mail delivery

J C Lawrence claw at cp.net
Thu Nov 18 03:28:46 CET 1999


On Wed, 17 Nov 1999 21:04:19 -0500 (EST) 
Barry A Warsaw <bwarsaw at cnri.reston.va.us> wrote:

> I liked what I saw about exim, but I had some concerns about its
> security.  Maybe I am being overly paranoid (or ignorantly
> propagating unsubstantiated rumor :), but I didn't have time to
> start down that path to have to back out later.

To flesh out this statement a little, and hopefully not write
anything into your fingers (there's a slight imprecation there
against Exim which I'm sure you didn't intend):

  Postfix and QMail are both built on similar security models where
the service is provided by a slew of very small programs (small and
thus easy to debug and secure), none of which trust each other, and
all of which run with the very lowest possible privilege (ie never
as root unless absolutely necessary etc on down to running as nobody 
where possible).

  Exim is descended from Smail, best known for its excellent UUCP
mail capabilities, and shares Smail's (and factually Sendmail's)
security model: a single large monolithic application which is
trusted to "do the right thing".  Now Sendmail of course has a long
and hallowed history of "the exploit of the week".  This is more the
fault of Sendmail's internal complexity and just crufty code than it
is of the security model.  It does however reveal a weakness in the
security model: it allows large collections of complex code to
survive.  The highly divided security model used by Postfix et al
mandates small concise chunks of code by insisting that any
individual program only do one thing, and nothing but that thing.
Thus there is the potential in Exim for complexity, and thus
security concerns, to breed.

As far as security histories go, few programs, almost including MS
Windows, have as bad a history as Sendmail.  However, that said,
unlike Sendmail, Exim has a very good history in this regard with no
root exploits that I'm aware of, and only a few Denial of Service
attacks that were very promptly addressed by the author.

One should also note that neither QMail nor Postfix has been totally
exploit or DoS attack free.  Dan Bernstein took great (and
unpleasant) delight in pointing out a number of weaknesses in
Wietse's original implementation of Postfix (which Wietse then
addressed).  More importantly they both, like Exim, have a long
recent history of not having any known exploits, and come with the
advantage of being built on a well known, well analysed, and very
security conscious design model.

None of which says anything I think you (Barry) don't know, but hey.

-- 
J C Lawrence                              Internet: claw at kanga.nu
----------(*)                            Internet: coder at kanga.nu
...Honorary Member of Clan McFud -- Teamer's Avenging Monolith...
