procmail (in)security
Herman Oosthuysen
Herman at WirelessNetworksInc.com
Fri Mar 7 19:19:02 CET 2003
Hmm, procmail has been around for a very long time. I don't think there
is much reason to worry about it. Speaking of the last 3 years, it has
never crashed or lost my mail.
Todd Underwood wrote:
> fred,
>
> On Fri, 7 Mar 2003, Fred Yankowski wrote:
>
>
>>On Fri, Mar 07, 2003 at 07:40:11AM -0500, Todd Underwood wrote:
>>
>>>2) use something like procmail that has these kinds of properties
>>>(procmail has historically been a security disaster, so i would stay away
>>>from it if possible--consider maildrop).
>>
>>What's your basis for calling procmail a security disaster? I use
>>procmail all the time and, if you're right, I want to know what risks
>>I'm taking. I already know that procmail's "recipe" language is
>>confusing, but in what ways is it insecure?
>
>
> procmail has a relatively bad security record. the code is complex (and
> according to some of the better code auditors, virtually unauditable).
>
>
> http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=procmail+security+problems
> http://security-archive.merton.ox.ac.uk/security-audit-199902/0063.html
>
> just a couple of places to start.
>
> since i run qmail primarily for its security properties, introducing
> something as complex and with such a poor security record as procmail is
> definitely a no-no.
>
> and, as you said, the recipes are complex. very few people i know are
> able to get them right with any regularity (and testing always involves
> bouncing or losing mail).
>
> i'd take maildrop or just .qmail files any day.
>
> t.
>