Re: [Exim] Question about exims security vs qmail?

> The only question I have to ask is how good is exims security? qmail as we
> all know has a reward for anyone cracking it, which has never being
> claimed, so it is secure. So how does exim compare with qmail in this
> respect? I ask this because in a article called "life with qmail" it's
> authour while comparing other packages said that "exim was not very
> secure"??

I suppose there is a reason that no security holes have been mailed to
this list, at least I didn't notice any. Exim is fairly modern code
and does not suffer from the usual problems of older software. It has
its own string handling library that avoids the common buffer overruns.
The author obviously spent time to think about when to revoke and gain
privileges and you have different options concerning that.

The qmail principle of coupled programs with different privileges is great
and a monolithic program is likely to be less secure. Several large
ISPs run Exim for their production systems, so I am sure people tried
to find security holes for attacking those systems. I trust Exim being
pretty secure if it is configured right.

Michael