Re: [Exim] Does Exim have security problems?

Author: Dirk Koopman
Date:  
To: Mustapha Mahfouz
CC: exim-users
Subject: Re: [Exim] Does Exim have security problems?
On Tue, 29 Aug 2000, Mustapha Mahfouz wrote:
> > In April of 1998, when my mailserver was attacked with gusto and with
> > impressive resources and intelligence (because we ran the online
> > version of "La Consulta" -- a Zapatista, i.e., rebel-sponsored vote in
> > Mexico), I went looking for help in several technical email lists, I
> > can't remember which now. But I was *only* told to install exim for
> > security, no one suggested anything else.
>
> This is exactly the reason for my original posting, my primary need is the
> ease of configuring, but security is also vital as I am sure that all of
> you would agree.
>
> But unlike you, when I discussed MTAs with my colleagues all of them seemed
> to say that for 100% security there is only one MTA and that's qmail blah
> blah, then they go on to explain why modular designs are much better than
> monolithic designs like sendmail and exim, and how exim is much worse
> than sendmail regarding security etc. qmail's author has a $1000
> reward and etc etc..until I wonder what is truth and what is untruth.
>
> I unfortunately am getting laughed at, unlike you, with harsh comments like
> "exim has low security, what are the major sites that run Exim blah
> blah", but I am quite serious about trying to install exim. I had a look
> at the single config file and it looks good, much easier to configure
> than sendmail and very well documented too; also the installation appears
> to be very straightforward.
>

One of the reasons for the explosion of the Web is that it allows _everyone_
to have their own opinion. If you poke n mail admins you will probably get at
least n opinions - each of us has had different experiences and all have come
to where we are now via a number of routes.

For myself: I started with sendmail, went through two years of qmail and ended
up installing exim on all machines that do any active mailing. On 'normal'
[RedHat] user machines that have sendmail installed I just leave that alone,
but for all internet-visible or transacting MTAs I use exim.

qmail is a perfectly fine product, but I believe that exim is better, both
because [in my experience] it seems to do its job better under extreme
conditions and because it is much more obvious how to configure. The documentation is
_MUCH_ better and the whole configuration experience much less stressful than
qmail's (esp. if you want to do something clever). Again, based on
experience, the distributed [and largely hidden] configuration file model of
qmail, I find, can be confusing and annoying. YMMV. Also, useful extensions
tend to be third-party add-ons that don't integrate that well; again YMMV.

The comments that people make to one another with regard to the 'programming
model' are based largely on 'religious fervour' [with apologies in advance to
those that will choose to misconstrue that phrase, but it is the correct one].
The fact of the matter is that if DJB had chosen to write a monolithic MTA
program with the same care and attention he has given qmail, it would be just as secure
as it already is. His multi-process model on top is really belt and braces
(although I acknowledge that he would disagree profoundly with my analysis).

It seems a pity that there is such 'fervour' in this area; so much could be
learned from each other, but such is life.

The only way forward is for you to go and try them and then choose. It is my
belief that any of the mainstream MTAs, _PROPERLY CONFIGURED_, will do a fine,
secure job in most circumstances. Which one you use is entirely a matter of your
particular usage pattern and personal preference.

In general terms, I would question an opinion given by anyone who ridicules a
particular product; my experience is that such an opinion is very, very
rarely based on any factual evidence, or even experience one way or another.

In another message you ask 'who uses it?' Well, Planet and Demon, to name two
'smaller' ISPs [:-)], or if you want a 'bigger' name, how about bt.net?

Dirk Koopman