On 26-Jul-2001 at 11:18:06 Simon Waters wrote:
> John Horne wrote:
>> Sendmail is the most popularly used MTA (the software that sends your
>> e-mail from one computer to another), and Exim is a drop-in replacement
>> for it.
>
> Is it worth mentioning that the majority of sendmail installs "out there"
> have known security issues (If we can believe the version strings, and I
> think we can).
>
Well I didn't want to say that :-) However, security was another reason we
didn't use sendmail - it was going through a really bad time when we were
looking for a new MTA.

> The one thing that put me off Exim was the approach to security - the
> author basically admits he has tried his best, but that it wasn't a core
> goal, unlike Postfix and qmail, and that he isn't a security guru (Unlike
> the authors of Postfix and qmail).
>
What you have said is true. However, how many bugs has Exim had (e.g. via
bugtraq)? How many have you heard of? As far as I know, over the past nearly
3 years, there has been only one bugtraq bug and, as far as I remember, a
minor security bug about 2 years ago. Other than that it seems to be very
secure simply because the guy has written it well. Philip has stated that he
will be quite happy for anyone to security audit the code, as yet no-one has.

I agree that security was not such a big issue when he started on the
project. However, as he admits, over the years things have changed and as
such he is far more conscious of security issues. In that respect, new code,
bug fixes, etc *are* written with security as a consideration. HOWEVER, that
does not of course mean that there is not a great big security hole in the
middle of Exim :-) It's just that no-one has found it :-)

With respect to qmail, the modular or non-modular approach to code as a
security issue itself has been well bantered on the Exim list. There has been
no evidence that exim would be 'better' (security or performance) in being
modular. As such, and I agree with Philip here, it was written as a single
monolithic piece of code since that is what he preferred. This was actually a
reason why we did not go with qmail - too many damn fiddly little programs.

I would also add, although it is not necessarily a reason for using Exim or
whether it is good or not, is that more and more UK academic sites are using
it - basically in preference to sendmail. Not only that but large sites such
as the ISP Freeserve use it. In that respect its performance is well capable
of anything we - as a mere 22,000+ user site compared to Freeserve - can
throw at a couple of mailhubs.

> How well does Exim drop in? The first time I dropped Postfix in I forgot
> to change the start up scripts, so the machine started up Postfix when it
> rebooted *8-)
>
Well, yes :-) As far as I am aware all the sendmail command line options are
present in Exim, albeit that some of them (the weird ones no doubt) don't
actually do anything. Exim understands user .forward files and the standard
/etc/aliases file. There is no concept of the 'newalias' (?) program though
since Exim reads just the text file.

If this is all that is used then Exim will run pretty much out of the box. It
will deliver mail for local users into the /var/spool/mail (or /var/mail)
directory, but you may need to change the path to suit your system. Mail to
other systems is done through DNS lookups and/or gethostbyname if you want.
There are relaying controls, RBL lookups - I hope you are all aware of the
impending charges for RBL at the end of this month by the way! - and various
other types of file lookups for addresses. Virtual domains, address
rewriting, retry times, etc, etc, blah, blah. Heck, buy the book and read
about it! :-)

John.
------------------------------------------------------------------------
John Horne, University of Plymouth, UK           Tel: +44 (0)1752 233914
E-mail: jhorne@xxxxxxxxxxxxxx
PGP key available from public key servers
--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.