Re: [Exim] Does Exim have security problems?

Author: Nigel Metheringham
Date:  
To: Mustapha Mahfouz
CC: exim-users
Subject: Re: [Exim] Does Exim have security problems?
kalum@??? said:
> I know, which is what makes the whole thing alarming indeed. I mean
> any newbie hacker can get root access using sendmail. Why so many
> sysadmins don't upgrade sendmail or choose a safer MTA has puzzled me
> for a long time.


To be fair, sendmail has actually moved on quite a lot since the old
days of sendmail-root-exploit-of-the-week. Sendmail suffered severely
from being effectively unmaintained for years, whilst being a security
critical piece of software originally written very early in Unix
history. Hindsight works just great.

Qmail & Postfix are written much later in Unix history. They use a
very different model, which is rather less likely to give root exploits
but could give other security problems... BTW qmail's bounty excluded
DOS attacks.

In terms of inherent resistance to root exploits, if that is the
greatest driver for you then go for qmail or postfix. All software is
a compromise, you just need to work out what features you compromise
on. If it's absolutely vital you get no security problems then your
path is easy - switch off the machine, remove the mains lead, encase
the machine in concrete, and bury it several hundred meters down.

The answer from Philip (who is on holiday this week) to Thomas H.
Ptacek's critique in 97 can be found at this URL
http://www.exim.org/pipermail/exim-users/Week-of-Mon-19970127/001289.html

Exim has had some security bugs fixed during its five year life. It
has had no known exploited security problems.

    Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham@??? ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]