[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Postfix as default MTA?



On Sat, Jul 10, 1999 at 02:55:50PM +0000,  Georg Bauer wrote:
> In article <19990704174122.C7969@wonderland.linux.it>, md@linux.it (Marco
> d'Itri) wrote:
> 
> >Read the docs. It is /designed/ to be secure and fast.
> >Exim is not.
> 
> So? Reality always shows those, who just rely on the design and
> not the experience of field testing, to be the fools in the field
> of security.  Just because something has the button "designed for
> security" attached to it doesn't say it doesn't have security flaws
> problems to it, too.

with sendmail and exim and smail (and other monolithic setuid root
mailers), you have to hope that there are no bugs or exploitable
mistakes. the existence of any such bugs results in the software being a
security hole.

with qmail and postfix or any mailer with a secure design, any such
mistakes are not a security hole - they can not and will not give root
access.

postfix has been designed and written by a noted expert in the computer
security field, has been subjected to intensive testing, and (because it
came after qmail) had the benefit of learning from qmail's mistakes.

in addition, given the bitter flamewars between djb and wietse
(conducted mostly on the qmail, postfix, and bugtraq mailing lists) it
is certain that if there were any security holes in postfix that djb
would have found them and loudly trumpted them to the world. he tried
very hard to do so, but wasn't able to - the fact is that he can't find
anything wrong with it because postfix's modular design is very similar
to qmail, and that similarity is because it is the only way to write a
properly secure mailer.

the best that djb could come up with was the choice between
world-writable directory for injecting messages into the queue vs
setgid executable to do the same. postfix initially had world-writable
directory, which would allow any user with a shell account to create
queue files at will. qmail had a group-writable directory with a setgid
executable (which left the system open to exploitation if there were any
bugs in the setgid binary).

There really isn't any way around this dilemma - at some point you
have to have some mechanism for accepting mail from users and user
programs...after all, that is the purpose of an MTA. Both methods have
their advantages and disadvantages.

Wietse responded by making it configurable - you can set it up either
way. make the choice that best suits your needs.


in summary, postfix has both a secure design and proven security in
field testing. exim does not have a secure design and has not been
subjected to the intensive security testing/auditing that postfix has.


> I don't question Wietses reputation - but postfix is just to new a kid
> on the block.

you're wrong here. postfix has been in heavy use on production machines
for over two years...first with a core group of beta testers - i.e.
anyone curious enough about "vmailer" (postfix' name before IBM's
lawyers decided it was too close to an existing trademark) to get
involved. this core group includes sites such as pobox.com and the
freebsd mailing lists (which move at least as much mail as the vger
linux lists)

postfix has also been in wide use since the first "public" release in
December last year.

altogether, that's more than enough time for any bugs or security holes
to be found.


> Give it some time to show it is up to the expectations is all I say.
> It's far to early in postfix's live to switch the default MTA because
> postfix beeing more secure.

postfix has had time to prove itself in the real world.    where time is
needed is in constructing a debian postfixconfig script similar to
sendmailconfig and eximconfig....i.e. ask a few questions and generate an 
appropriate config file.

what is there now in Lamont's package is more than adequate for most
setups, but it could be improved.  AFAICT, the only extra questions it
needs to ask are:

 - use procmail as MDA? 
 - use a smart-host relay?  if yes, what hostname?

> There might be other things that propose a switch of the default MTA,
> but up to now I didn't see that much of them - the only one beeing
> one who stated that the Postfix documentation is better than the
> Exim one. If that really is the case, that might be an argument pro
> switching.

 - better docs
 - much faster
 - posix or pcre regexp maps
 - scalable from small systems up to the very largest mail loads
 - secure by design

> Everything else I read was just argumenting that Postfix does this and
> that better than sendmail or qmail. Fine - but this is uninteresting
> in regards to switching the default MTA, as both are _not_ the
> default. Exim is the default, so show facts where Postfix is better
> suited than Exim for beeing default MTA.

wrong. there are several points where postfix is better than exim but
you choose not to acknowledge them.

security and speed are the areas where postfix is better than exim.
configuration is easy for both. postfix' documentation is better.

ease of configuration and backwards-compatibility with sendmail-style
setups (e.g. /etc/aliases, .forward, etc) and DFSG-free license are
where postfix is better than qmail.

ease of config, speed and security are where it is better than sendmail
and smail.
                      sendmail   exim  smail  zmailer  qmail  postfix
DFSG license              Y       Y      Y       Y       N       Y
sendmail compat           Y       Y      Y       N       N       Y
easy to configure         N       Y      N       N      [1]      Y
regexp in config files    N       N      N       N       N       Y
secure design             N       N      N       N       Y       Y
secure in practice        N      [2]    [3]     [4]      Y       Y
fast                      N       N      N       Y       Y       Y
copes with heavy load     N       N      N       Y       Y       Y

[1] some say yes, some say no.  i think qmail is clumsy to configure.
    it's certainly not as easy as either postfix or exim.
[2] unknown.  AFAIK, exim hasn't had any major security incidents.
[3] unknown.  probably not.  there have been problems in the past.
[4] i don't know enough about zmailer to comment, i only trialled it
    for a few days.

craig

--
craig sanders


Reply to: