Auteur: Mustapha Mahfouz Datum: Aan: exim-users Onderwerp: [Exim] Does Exim have security problems?
Dear Sir,
I have been hearing good things about exim of late such as its speed, and
ease of configurability, however I have also seen exim being criticised a
lot on various security forums about its low(?) security.
Could you please clarify the following problems wether they are
significant, I personally don't like sendmail, or that > 1000 page book
about configuring it and I would like to get away from it to a
another MTA ASAP.
1. Exim has a monolithic design like sendmail (which is the root cause of
all the security bugs we here about sendmail), unlike MTA's like qmail and
postfix. Will this compromise the machine its run under.
2. I have read the exim root exploit in version 1.62, which says in a
summary that exim 1.62 let any local user obtain root privileges. Also I
have read the post where DJ barnstien says
"Motivation: Thomas Ptacek posted a summary of exim's security problems
in April. Fixing those problems should have been the top priority of
exim's author, Philip Hazel. Unfortunately, Hazel has chosen to spend
his time in other ways---for example, in claiming that exim doesn't have
much privileged code. He's cleaned up a few problems, but the changes
still haven't made it out of testing."
"Meanwhile, sysadmins seem to be unaware of how dangerous it is for them
to run exim. The last straw for me was a posting by one of those
sysadmins last Thursday. Wake up, people: there's nothing here that
intruders don't know how to do."
Although I suspect that the above problems are corrected in the latest
exim, statements like the above and criticisms from my fellow collegues
about exims security have made a bit worried I must admit.
When at a gathering of admins a few days ago, I mentioned that I am
thinking of moving to exim (sendmail is getting very slow on my machine,
and I am worried about it's security) I got laughed at by almost everyone,
most of them are running Qmail, and they send that if I am more concerned
about security I'd better install qmail, or leave sendmail instead of
installing exim as "qmail is well designed, and has a superb security
design that addreses sendmails security issues blah blah", also some stuff
was mentioned about a 1000$ unclaimed reward for anyone that cracks qmail.
I would like it if you could take the time to clarify the above, as I
beleive that everyone should have a fair chance of explainign things.
Also I am sure that you and several exim users could place a reward for
security holes in Exim as proof of exims high security, so that we too
have a rejoinder when people mention about this so-called qmail reward.
Thank you,
And may the blessing of Allah be with you.
Mustapha Mahfouz