Note that, as you might be able to see in my email headers - provided that the qmail server(s) @ securityfocus.com doesn't strip them out :), I use Exim pretty heavily...
A long time ago, in a galaxy far, far away, someone said...

> We are running Qmail currently, and I want to get away from its thousands of
> configuration files and unusual file system structure and its lack of
> integrated features (I'm sick of the thousands of patches).

I've basically snubbed my nose at qmail for the same reasons.

> I have seen people that have their reasons for loving postfix / exim.
>
> What are the specific problems with security on exim/postfix?

Some of the "security problems" with Exim - it's up to you to decide if they're really a problem or not - are documented in the Exim Spec at http://www.exim.org/exim-html-3.30/doc/html/spec.html. The section you really want to look at right now is section 55, entitled "Security considerations".

In short, the "security problems" with Exim that you need to worry about are:

* Whether to run Exim as root or some other dedicated uid
* File permissions
* User access - users that are trusted by Exim with certain privileged operations, such as queue management.
* "Unsafe" ESMTP commands such as VRFY and EXPN. All of these commands can be toggled or limited to certain hosts by a line or two in the config file.

> Our decision has come down to security, since I have looked at both.
> It seems that exim has more features, but that may mean that it has
> less security (typically). Is this the case? (you may also wish to
> give me your reasons for liking one or the other, or you may want to
> throw another name in the mix)

One of the reasons why *I* chose Exim over anything else is the breadth of functionality that doesn't need a great many conflicting patches should I want to use it (there are a small number of patches available to handle "corner cases", such as SMTP AUTH with OE4). With Exim, I have my SMTP AUTH, SSL/TLS, and LDAP & SQL lookups, just by setting the compile time options appropriately and making sure I have the needed headers and libraries on hand.

Postfix, in my limited experience with it, is very similar.

--
Phil
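As an added illustration of the four points listed in the post (this fragment is not from Phil's message or from the Exim documentation), here is a minimal Exim run-time configuration that addresses each of them. It uses Exim 4 option and ACL syntax rather than the 3.30 syntax the post links to, so the option names differ from section 55 of that spec; the user names, paths and host range are placeholders to be replaced for a real site.

```exim
# Added example, Exim 4 syntax (not from the original post).
# All user names, paths and host ranges are placeholders.
# Note: Exim only treats '#' as a comment at the start of a line.

# 1. Don't run as root for routine work: use a dedicated uid/gid
#    and never deliver as root, whatever a router or alias says.
exim_user = exim
exim_group = exim
never_users = root

# 2. File permissions: keep the spool and logs owned by the exim
#    uid and not writable by anyone else.
spool_directory = /var/spool/exim
log_file_path = /var/log/exim/%slog

# 3. Trusted users: only accounts listed here may set the envelope
#    sender or perform privileged queue operations from the command
#    line. Keep the list short; trusted_groups is left unset.
trusted_users = mailman

# 4. VRFY and EXPN: answer them only from the management network.
#    If acl_smtp_vrfy / acl_smtp_expn were left unset, Exim would
#    refuse both commands outright, which is the safe default.
hostlist admin_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_vrfy = acl_check_vrfy
acl_smtp_expn = acl_check_expn

begin acl

acl_check_vrfy:
  accept hosts = +admin_hosts
  deny   message = VRFY is not available from your host

acl_check_expn:
  accept hosts = +admin_hosts
  deny   message = EXPN is not available from your host
```

After editing, `exim -bV` reports syntax errors in the file, and `exim -bh 203.0.113.5` (a constructed test address outside the placeholder range) lets you replay a VRFY or EXPN against the ACLs locally without opening a network connection, so the restriction can be verified before the new configuration is put into service.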
