Re: default MTA for sarge

On Wed, Jul 16, 2003 at 12:35:41AM +1000, Martijn van Oosterhout wrote:
> On Wed, Jul 16, 2003 at 12:12:59AM +1000, Craig Sanders wrote:
> > On Tue, Jul 15, 2003 at 12:24:34PM +1200, Nick Phillips wrote:
> > > Hmmm. None of which are compelling advantages of postfix over exim; all of
> > > those also apply to exim.
> > 
> > except for secure, fast, and scales beautifully from small to large systems.
> > and i'm not so sure about "very easy to configure", either...."fairly easy",
> > yes.  "very easy", not really.
> > 
> > while (AFAIK) there are no current exploits for exim, that is more by accident
> > or luck than by design - the monolithic mail daemon running as root design is
> > inherently insecure.  
> I'm not sure about that. Exim drops privileges whenever it can. Mail
> servers must run as root at least some of the time because they need to
> change user for each delivery. 

and for smtpd listening too because only root can listen on ports <1024.  sure,
some *parts* of a mail system have to have root privileges, at least some of
the time.  that's why modern MTAs (including postfix and qmail) are modular and
have small, easily auditable separate programs for tasks requiring elevated

my point was that while the exim code may be currently secure, the design is
inherently insecure.  it's a late 80s/early 90s design....things have changed a
lot since then, especially security requirements for MTAs on the 'net. 


