On Fri, 07 Jul 2000, Kalum Somaratna aka Grendel wrote:
> The only question I have to ask is how good is exim's security? qmail as we
> all know has a reward for anyone cracking it, which has never been
> claimed, so it is secure. So how does exim compare with qmail in this
Hang on a moment - if I put up a website offering a reward to crack my code,
and only 1,000 people download it, nobody cracks it etc., does that mean it's
more secure than sendmail which is running on hundreds of thousands of machines
which has had holes found in it?
I think qmail hasn't had holes found in it yet because nobody is running a site
on qmail that hackers are that interested in. But then, what do I know? :-)
> respect? I ask this because in an article called "life with qmail" its
> author, while comparing other packages, said that "exim was not very
> secure"??
Think of his stance and bias as a writer. He is trying to promote his views
that qmail is the bee's knees when it comes to MTA technology, and he is trying
to find faults with those other MTAs around him. He can't really talk about
performance, functionality or reliability because it at least matches if not
beats qmail in all these areas. There was a suggested upgrade some time back,
but I'm not sure if that was security related or not - nothing in Bugtraq
archives that I can find.
So, Exim is probably just about as secure as qmail, and the fact there is a
prize up for hacking it is neither here nor there. Generally to claim the prize
you would have to disclose the hole, and most of the people out there who are
finding holes like that will be keeping it to themselves, for obvious reasons.
Basically, Exim's security model appears to be based around good code, and
qmail's model appears to be based around getting a free audit from the whitehat
community that wouldn't know how to exploit a buffer overflow if it came up and
bit them on the bum.
> Any help is much appreciated as exim seems to be quite good, from the
> manual I read, so I need the above doubts to be clarified.
Hope I've at least given a worthwhile opinion if not clarification. :-)
--
Paul Robinson - Internet Services @ Akita -
http://www.akita.co.uk
------------------------------------------------------------------
Sales:- T: 01869 337088 F: 01869 337488 E: sales@???
Techs:- T: 0161 228 6388 F: 0161 228 6389 E: root@???
------------------------------------------------------------------