
Re: Postfix as default MTA?

In article <19990711103638.E1944@taz.net.au>, Craig Sanders
<cas@taz.net.au> wrote:

>with sendmail and exim and smail (and other monolithic setuid root
>mailers), you have to hope that there are no bugs or exploitable
>mistakes. the existence of any such bugs results in the software being a
>security hole.

Only up to the setuid call. The difference between setuid and seteuid is,
with setuid there is no way back, if the kernel is done right. And you
have to start from some assumptions, when writing software - if you don't
trust the linux kernel in its setuid system, you can't trust it in
anything else either - and so paranoia gets you into a deadlock, as you have
to start from _something_.

If you design your program right, you can have a monolithic executable
with a very short code path up to the setuid and no other path to the rest
of the application. And so you get the same as a modular design, only
folded back into one executable.

>with qmail and postfix or any mailer with a secure design, any such
>mistakes are not a security hole - they can not and will not give root

And you really believe this? There are many more things to worry about
than just plain root access hacks. Getting root is not the only concern in
security, although it is one of the ones that gets the biggest attention.
But I am dead sure that big emailing systems are concerned about DoS
attacks much in the same way as gaining-root attacks. Or take
circumventing the anti-relay mechanisms - this is a major concern with an
MTA. And it has absolutely _nothing_ to do with root access. But much with
access to the mail drop.

>postfix has been designed and written by a noted expert in the computer
>security field, has been subjected to intensive testing, and (because it
>came after qmail) had the benefit of learning from qmail's mistakes.

So? Exim is written by a noted expert in the emailing field. To say that
postfix is more secure because of its author's reputation is the same as
to say that exim has the more correct email implementation because of the
exim author's reputation. Don't forget that Wietse might be a standing name
in security land, but he is a newcomer in the field of MTAs.

>is certain that if there were any security holes in postfix that djb
>would have found them and loudly trumpeted them to the world. he tried
>very hard to do so, but wasn't able to - the fact is that he can't find
>anything wrong with it because postfix's modular design is very similar
>to qmail, and that similarity is because it is the only way to write a
>properly secure mailer.

djb is not god. And there is no "only way to write a properly secure
mailer". This is the same nonsense as the only way to do editors or the
only right religion. And god uses vi.

>the best that djb could come up with was the choice between
>world-writable directory for injecting messages into the queue vs
>setgid executable to do the same. postfix initially had world-writable
>directory, which would allow any user with a shell account to create
>queue files at will. qmail had a group-writable directory with a setgid
>executable (which left the system open to exploitation if there were any
>bugs in the setgid binary).

Oh, a world-writable maildrop would not only give any shell user access to
the mail drop, but _any_ user that _anyhow_ can access the filesystem.
Think of other services that have a bug and give access outside their own
area in the file system (can you say IMAP? I thought you can.)

>There really isn't any way around this dilemma - at some point you
>have to have some mechanism for accepting mail from users and user
>programs...after all, that is the purpose of an MTA. Both methods have
>their advantages and disadvantages.

Exactly that. And one of them is a known constant, while the other is
something that still has to show if it really is that much better. I don't
say it isn't - I just say that it is far too short a time available to

>postfix has also been in wide use since the first "public" release in
>December last year.

That's how long for the release to be available? 7 months? Laughable.
That's _nothing_. Even the mentioned two years aren't that much. There is
a reason why there still are people claiming that sendmail is more secure
_because_ of its history. And actually they even might be right - it's
just the horrible configuration that drove me away from sendmail, because
a maybe-secure MTA helps nothing if you can't understand the config enough
to be sure you yourself didn't open up another hole. And it was relatively
quiet around sendmail in the last months, despite it still being the
most-used MTA.

>altogether, that's more than enough time for any bugs or security holes
>to be found.

No, thinking that way is silly. Two years with beta software doesn't
show anything. 7 months with a release doesn't show much. You still forget
that those who attack MTAs have to concentrate on an MTA - that's why
there were found so many security bugs in sendmail, as it is "profitable"
for attackers to concentrate on this special MTA. Since postfix is around
with the attitude to be majorly secure, I am sure it will gain its share
of attraction - but 7 months is by far not enough to make a judgement.
Please keep in mind that there is a lot more about MTA security than just
the tradeoff between the two designs - there is much more to keep in mind
with MTAs. I don't want to wake up some morning to discover that the
wonderfully secure MTA (root-gaining wise) can be turned into an open
relay by some clever dude.

> - use procmail as MDA? 

And _you_ talk about security? It's one of the real nice features that
Exim has builtin filters that run inside the MTA. This helps against DoS
attacks (as no second process has to be spawned) and helps security-wise,
as the administrator can control in the central configuration what
features of the filter system are allowed. This is of major concern for me
in my role as an ISP administrator! procmail is fine if you set it up on
your private box. Running it on a large email system at an ISP is hell
looming in your machines.

> - better docs

This one has been brought up from others, too. And since it is easy to
check, I will do that, as soon as I have some of this CFT thing.

> - much faster

This has to be proven by accompanying numbers, or it is a worthless claim.

> - posix or pcre regexp maps

Exim has pcre regexps as long as I know it. And due to its orthogonal
design in the configuration, you can use them almost everywhere where you
can use other means of identifying the set-relation you need in
configurations. It's nice to be able to create a rule based on regexps, or
on lookups or on lists, just as you need it in that special situation.
Actually the orthogonal design of the exim configuration is the one major
feature that makes it a very powerful MTA, I think. It brings some kind
of saneness back to the field of MTAs.

> - scalable from small systems up to the very largest mail loads

My smallest system was a 386/25 with 8 MB of RAM, and exim ran
wonderfully. Now I have a 486/100 and put large chunks of mailing lists
through that system (mostly because I still get all my mail as single
mails and not batched), and it still runs wonderfully. Heavy-load aspects
never were an issue with Exim for _me_.

> - secure by design

This is just a claim. It has to be proven.

>wrong. there are several points where postfix is better than exim but
>you choose not to acknowledge them.

Wrong. There wasn't anything that really showed some place where postfix
was better, there were only claims where it is _supposed_ to be better.
Give numbers and prove those claims.

>regexp in config files    N       N      N       N       N       Y

You don't know Exim really, right? And why do you make claims that postfix
is better than something you actually don't really know? Keep in mind that
I don't say that postfix isn't better in the named aspects - I don't know
postfix enough to say so - but that I only want to see proofs for your

>copes with heavy load     N       N      N       Y       Y       Y

Exim definitely copes with heavy load. I do this every day several times,
and the system is still well-behaving. Exim is good enough in this
category to be not a negative concern when selecting the default MTA. I
don't claim that Exim is better in this role than any other MTA (actually
I did run on the very same system a smail installation before with much
the same result, only that the needed external filter made my system

>[2] unknown.  AFAIK, exim hasn't had any major security incidents.

Exactly. Despite its nowadays quite widespread use, I don't recall any
major security issue with Exim. That's quite good for an MTA that's a bit
longer around than postfix and should be in a bit wider use (this is an
assumption by me stimulated by the fact that people have to switch from
smail to something with saner anti-relay configuration than smail, and the
natural choice for this switch is Exim - it was the very reason that made
me switch). And that the author makes no claims he might not live up to
makes his attitudes more earth-connected. Phil Hazel doesn't claim he
suddenly became a security expert. But there are at least two security
experts (and they are this, there is no doubt) to be suddenly MTA and
email experts.

All I say is: give it some more time. There is no pressing need to switch,
so take the time and look how it evolves. If postfix really shows to be
better suited as default MTA, fine. I would be the first one to switch to
something that has proven to be better than my current system, if it
really is better. But to judge the superiority, one has to see numbers and
facts, and not promises, designs and claims.

bye, Georg
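The setuid/seteuid distinction argued at the top of this message, shown as an added example (not code from the thread or from any of the MTAs discussed): a privilege drop via setuid() sets the real, effective and saved uids, so a later seteuid(0) is refused by the kernel, whereas seteuid() alone leaves the saved uid untouched and the process can return. The code verifies the drop instead of assuming it. The uid/gid 65534 used when the program starts as root is a constructed placeholder ("nobody" on many systems); a non-root process can only "drop" to its own ids, which is what it does in that case.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Target ids for the demo. Constructed placeholder 65534 if we start as
 * root; otherwise our own ids, the only change a non-root process may make. */
uid_t demo_target_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_target_gid(void) { return getgid() == 0 ? (gid_t)65534 : getgid(); }

/* seteuid() only changes the effective uid; the saved uid keeps the old
 * privilege, so the process can switch back. Returns 1 if it could return
 * to the original effective uid, 0 if it could not, -1 on error. */
int temporarily_drop_and_restore(uid_t uid) {
    uid_t original = geteuid();
    if (seteuid(uid) != 0) return -1;
    if (geteuid() != uid) return -1;
    if (seteuid(original) != 0) return 0;   /* the way back was refused */
    return geteuid() == original ? 1 : 0;
}

/* setuid() to a non-root uid sets real, effective and saved uid at once:
 * no way back. Group first, because setgid() needs the privilege that
 * setuid() takes away. Returns 0 on a verified drop, -1 otherwise. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Check rather than hope: ids must match, and regaining root must fail. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (uid != 0 && seteuid(0) == 0) return -1;  /* drop did not stick */
    return 0;
}

/* Probe: 1 if the process can still make itself root, 0 if the kernel refuses. */
int can_regain_root(void) {
    return seteuid(0) == 0 ? 1 : 0;
}

int main(void) {
    uid_t uid = demo_target_uid();
    gid_t gid = demo_target_gid();

    printf("seteuid round trip restored original euid: %s\n",
           temporarily_drop_and_restore(uid) == 1 ? "yes" : "no");

    if (drop_privileges_permanently(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed or did not stick\n");
        return 1;
    }
    printf("after setuid(%lu): can regain root? %s\n",
           (unsigned long)uid, can_regain_root() ? "yes" : "no");
    return 0;
}
```

Run it once as an ordinary user and once as root: in both cases the final answer is "no", which is the property the message relies on when it says a short code path up to setuid() can be as good as a modular design.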
