> I tend to disagree there. You need to trigger a buffer-overflow or > something similar to trigger a SQL injection. Is that possible when > there's a proxy in front? You'd have to break the proxy first, I > think.
The question is rather "what happens in case of buffer overflow" or "what happens when a rootkit is used" or "what happens if the server is not well-configured" or "what happens if Mallet is working in the datacenter where where DBMAIL is hosted". A proxy will not stop attacks, on the converse it will make them easier. A database proxy (= a database pool controller) manages several connections at once and keeps them alive to pipeline all queries. The superviser of the pool *may* inject SQL very easily. The proxy may be well-written, if the server is not well configured, it can be penetrated. Again, the problem lies in a single database for several users. Try to set-up a database with 1000 users and you understand my concern about security. With DBMAIL and schemas, you need to be root to penetrate the data (just like in a normal Postfix installation relying on Unix users). Only physical access will allow Mallet to penetrate your server. With DBMAIL in the present design, a user with no special privilege may read ALL emails. This is a question of design. The next question is how valuable is the data from DBMAIL users. The problem is that DBMAIL is used for large installations, store emails (secrets) and therefore, given the current database design, it is likely that you are a target. Besides, Schema can be emulated with table prefix in MySQL. Schema is only automatic prefixing. So nothing should stop us from using schema/table prefix. Kind regards, Kellogs _______________________________________________ Dbmail-dev mailing list Dbmail-dev@dbmail.org http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev
