> On Tue, 29 Aug 2000, Malcolm Ray wrote:
>
> > An in-depth and independent security audit of exim would be a Good
> > Thing.
>
> Absolutely! I have said this before, but as far as I know, it hasn't been
> undertaken.

The trouble is, it's a lot of work to do properly. It also needs to be
done by someone (or a team) with a track record, if it's to have good
standing. I could audit the code in my Copious Free Time(TM) and give
it a clean bill of health, but who would listen to me?

For the record, I believe that exim does not have any significant
exploitable security problems, but (like most of us) that belief isn't
based on an in-depth study of the code, so I can see how it may not
carry much weight with others, particularly if they're already infused
with the quasi-religious fervour which often surrounds the choice of an
MTA.
--
Malcolm Ray University of London Computer Centre