Devon & Cornwall Linux Users' Group


Re: [LUG] Blatant plug - Exim book



On 26-Jul-2001 at 11:18:06 Simon Waters wrote:
> John Horne wrote:
>> Sendmail is the most popularly used MTA (the software that sends your
>> e-mail from one computer to another), and Exim is a drop-in replacement
>> for it.
> 
> Is it worth mentioning that the majority of sendmail installs "out there"
> have known security issues (If we can believe the version strings, and I
> think we can).
> 
Well I didn't want to say that :-) However, security was another reason we
didn't use sendmail - it was going through a really bad time when we were
looking for a new MTA.

> The one thing that put me off Exim was the approach to security - the
> author basically admits he has tried his best, but that it wasn't a core
> goal, unlike Postfix and qmail, and that he isn't a security guru (Unlike
> the authors of Postfix and qmail).
> 
What you have said is true. However, how many bugs has Exim had (e.g. via
bugtraq)? How many have you heard of? As far as I know, over the past nearly
3 years, there has been only one bugtraq bug and, as far as I remember, a
minor security bug about 2 years ago. Other than that it seems to be very
secure simply because the guy has written it well. Philip has stated that he
will be quite happy for anyone to security audit the code, as yet no-one
has.

I agree that security was not such a big issue when he started on the
project. However, as he admits, over the years things have changed and as
such he is far more conscious of security issues. In that respect, new code,
bug fixes, etc *are* written with security as a consideration.

HOWEVER, that does not of course mean that there is not a great big security
hole in the middle of Exim :-) It's just that no-one has found it :-)

With respect to qmail, the modular or non-modular approach to code as a
security issue itself has been well bantered on the Exim list. There has
been no evidence that Exim would be 'better' (security or performance) in
being modular. As such, and I agree with Philip here, it was written as a
single monolithic piece of code since that is what he preferred.  This was
actually a reason why we did not go with qmail - too many damn fiddly little
programs.

I would also add, although it is not necessarily a reason for using Exim or
whether it is good or not, is that more and more UK academic sites are using
it - basically in preference to sendmail. Not only that but large sites such
as the ISP Freeserve use it. In that respect its performance is well capable
of anything we - as a mere 22,000+ user site compared to Freeserve - can
throw at a couple of mailhubs.

> How well does Exim drop in? The first time I dropped Postfix in I forgot
> to change the start up scripts, so the machine started up Postfix when it
> rebooted *8-)
> 
Well, yes :-) As far as I am aware all the sendmail command line options are
present in Exim, albeit that some of them (the weird ones no doubt) don't
actually do anything. Exim understands user .forward files and the standard
/etc/aliases file. There is no concept of the 'newalias' (?) program though
since Exim reads just the text file. If this is all that is used then Exim
will run pretty much out of the box. It will deliver mail for local users
into the /var/spool/mail (or /var/mail) directory, but you may need to
change the path to suit your system. Mail to other systems is done through
DNS lookups and/or gethostbyname if you want. There are relaying controls,
RBL lookups - I hope you are all aware of the impending charges for RBL at
the end of this month by the way! - and various other types of file lookups
for addresses. Virtual domains, address rewriting, retry times, etc, etc,
blah, blah. Heck, buy the book and read about it! :-)



John.

------------------------------------------------------------------------
John Horne, University of Plymouth, UK           Tel: +44 (0)1752 233914
E-mail: jhorne@xxxxxxxxxxxxxx
PGP key available from public key servers
--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.

