Re: Postfix as default MTA?
On Mon, Jun 28, 1999 at 03:16:59PM -0700, Steve Lamb wrote:
> On Mon, 28 Jun 1999 12:18:08 +0200, Wichert Akkerman wrote:
>
> >You are kidding, right? If not I suggest you get some good books on
> >secure programming and take some time to read them.
>
> No, I'm not kidding. I followed several threads about postfix security
> on Bugtraq and did not see any concerns there *or* anything from the
> pro-postfix people that would suggest to me that postfix is any more secure
> than any other MTA. What I did read was that it was a trade-off of a group
> readable directory versus a SUID binary. Needless to say that appears to me
> 1/2 of one, 6 of the other.

Just to continue the security issue. Yes, there was a discussion on
Bugtraq and also on the Postfix list.

Comment: There are multiple ways of bringing down a machine as a shell user
(I can do it in <2 seconds with a bash function) and the local
mail system is ALWAYS abusable. With sendmail you have to use a
SUID binary. With any other MTA it's nearly the same: SGID or SUID
or world-writable maildrop. Postfix currently even gives you
the choice of SGID or public maildrop.

Flo
--
Florian Lohoff flo@rfc822.org +49-5241-470566
Good, Fast, Cheap: Pick any two (you can't have all three). (RFC 1925)