Kevan Benson wrote:
> On Wednesday 06 December 2006 19:18, Feizhou wrote:
>> Other than that I do not see any other advantage. Disadvantages to
>> either method...none besides the rpm not offering the other features
>> available. postfix has not had a security problem since one issue in
>> version 1.x which is perhaps not too surprising given that Wietse is
>> also the author of tcp_wrappers so you do not need to keep track of
>> security holes unlike sendmail.
>
> I'm going to play devil's advocate here and mention that just because the
> postfix package itself hasn't had any security exploit, doesn't mean that
> some of the required libraries it uses haven't allowed it to be exploited in
> the past. I see that in some cases postfix builds against zlib, and there
> have been exploits based on that in the past.
>
> I'm not trying to say that postfix is insecure, just that saying it IS secure
> and will continue to be so just because it has a good track record doesn't
> exactly promote the best behavior by new administrators that may not be as
> security aware as they should be in this job (I understand your point
> though). Let's promote more security conscious and paranoid system
> administrators through saying that every process that allows public access be
> strictly audited on a regular basis. It truly will make the world a better
> place.

I don't see a problem here. Unless you make a static compile of postfix,
upgrading the libraries that it uses will automatically fix the problem.
If there is a version conflict due to the new libraries, that will give
an automatic signal to rebuild when postfix refuses to run.

I, therefore, stand by my previous statements. Unless postfix itself
manages to get a security hole, there is nothing to worry about if
building against system libraries that are covered by RHEL/CentOS.
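
A check for the static-versus-dynamic point discussed in this thread, as an added example that is not from either poster: it classifies `ldd` output for one library and, going one step further, lists shared objects that a running process still maps after the file on disk was replaced. The function names and both sample inputs are constructed for illustration; `libz.so` stands in for the zlib case mentioned above.

```shell
#!/bin/sh
# Added example. SAMPLE_LDD and SAMPLE_MAPS are constructed, not from a real host.

# Classify `ldd` output (stdin) for a library name prefix such as "libz.so".
# Prints "dynamic <path>", "static", or "absent".
classify_link() {
    awk -v lib="$1" '
        /not a dynamic executable|statically linked/ { print "static"; found = 1; exit }
        index($1, lib) == 1 && $2 == "=>" { print "dynamic " $3; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# From /proc/<pid>/maps text (stdin), list shared objects whose on-disk file
# was replaced or removed while mapped; the kernel marks them "(deleted)".
# Such a process keeps running the old library code until it is restarted.
stale_libs() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\.so(\.|$)/ { print $(NF-1) }' | sort -u
}

# Constructed `ldd` output for a dynamically linked binary.
SAMPLE_LDD='	libz.so.1 => /usr/lib/libz.so.1 (0x00b5f000)
	libc.so.6 => /lib/libc.so.6 (0x00a1c000)'

# Constructed maps of a process started before a zlib package update.
SAMPLE_MAPS='00b5f000-00b71000 r-xp 00000000 08:01 131099 /usr/lib/libz.so.1.2.3 (deleted)
00b71000-00b72000 rw-p 00011000 08:01 131099 /usr/lib/libz.so.1.2.3 (deleted)
00a1c000-00b4f000 r-xp 00000000 08:01 131010 /lib/libc-2.5.so
bfd1a000-bfd2f000 rw-p 00000000 00:00 0 [stack]'

echo "link type: $(printf '%s\n' "$SAMPLE_LDD" | classify_link libz.so)"
echo "stale libs: $(printf '%s\n' "$SAMPLE_MAPS" | stale_libs)"

# On a live system the same functions take real input, for example:
#   ldd "$BINARY" | classify_link libz.so
#   stale_libs < "/proc/$PID/maps"
```

A `static` or `absent` result means a system library update does not reach that binary; a non-empty `stale_libs` result means the process needs a restart to pick up the updated library.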