I was reading this article[1] which was featured on LWN[2] some days
ago. The blog post is about the systemd sandboxing and a possible way to
prevent remote code execution as recently with the OpenSMTPD bug. In
order to secure a daemon one has to know about the required syscalls,
the capabilities which are needed and so son.
Would it be possible for the Exim project to provide some insights into
which syscalls, capabilities, access to directores and so on are
required? That would enable admins like me to restrict exim even more.
Although systemd is Linux specific, using this knowledge to restrict
exim could benefit installations on different systems.
[1]
https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html
[2]
https://lwn.net/Articles/812125/
