Rob Tanner <[EMAIL PROTECTED]> writes:
[ re cyrus vs UW imap security ] 
> The big issue, however, is sendmail.  Any effort to hack through 
> your mail system via your email system (i.e., through port 25) goes 
> through sendmail before Cyrus ever sees it, and most of those attacks 
> are designed to get sendmail to execute some program with its root 
> privileges.  Since all the mailboxes are owned by the Cyrus user, what 
> would be more secure of a system that just does mail delivery would 
> be a hack to sendmail so that once it attaches to port 25 it drops root 
> and runs as the Cyrus user.  Show me a hack like that, and Cyrus wins 
> hands down (or two thumbs up)

So dump sendmail.

And your sendmail replacement shouldn't run as user cyrus; it doesn't
need to access the mailboxes directly, that's what LMTP is for.

AFAIK postfix works with cyrus, maybe qmail also.

