I wish only to point out an apparently major contradiction in what you
say and what you quote to support your claim:
[ On Monday, August 28, 2000 at 06:34:59 (+0600), Mustapha Mahfouz wrote: ]
> Subject: [Exim] Does Exim have security problems?
>
> 1. Exim has a monolithic design like sendmail (which is the root cause of
> all the security bugs we here about sendmail), unlike MTA's like qmail and
> postfix. Will this compromise the machine its run under.
>
>[[....]]
>
> Also I
> have read the post where DJ barnstien says
>
> "Motivation: Thomas Ptacek posted a summary of exim's security problems
> in April. Fixing those problems should have been the top priority of
> exim's author, Philip Hazel. Unfortunately, Hazel has chosen to spend
> his time in other ways---for example, in claiming that exim doesn't have
> much privileged code. He's cleaned up a few problems, but the changes
> still haven't made it out of testing."
>
> "Meanwhile, sysadmins seem to be unaware of how dangerous it is for them
> to run exim. The last straw for me was a posting by one of those
> sysadmins last Thursday. Wake up, people: there's nothing here that
> intruders don't know how to do."
>
> Although I suspect that the above problems are corrected in the latest
> exim, statements like the above and criticisms from my fellow collegues
> about exims security have made a bit worried I must admit.
Would your colleagues say the same thing about sendmail (or Smail)?
What about commercial mailers that are in effect also monolithic
designs?
Meanwhile despite the existance of Smail, Exim, Zmailer, Qmail, Postfix,
and perhaps others, each of which had security as a primary design goal,
most of the world still runs sendmail, and a large percentage of that
crowd still run versions of sendmail that have known vulnerabilities!
As Phil Pennock has already said, Exim, like Smail before it (from which
it borrows many design ideas), was written from the ground up with great
attention to the programming details that have caused sendmail to be
repeatedly compromised right from the very first demonstration of an
automated attack against it by the Internet worm in the late 1980's.
(Smail-3 was written partly in response to the perceptions of problems
in Sendmail's security and by the time the worm hit it was clear that
the designers had made the correct design decisions.)
Note also that security by compartmentalisation can be easily achieved
by other ways than just by splitting a large and complex program into
many intertwined daemons. For example you could run your external
mailer on a host that is not trusted by any other trusted host to do
anything but deliver e-mail and perform DNS queries. Provided that you
also have a secure logging host, some form of intrusion detection, and
a well tested recovery procedure this kind of setup will perhaps be even
more secure than you could achive by running a mailer like Postfix or
Qmail on an otherwise more trusted machine.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@???> <robohack!woods>
Planix, Inc. <woods@???>; Secrets of the Weird <woods@???>
