Surprised that this wasn't caught earlier.
Should be very simple to exploit.
Admins of Linux and Unix boxes running Exim would be well-advised to update the software following the disclosure of another critical security flaw. The Exim 4.92.3 patch, released on September 28th, includes a fix to close up the CVE-2019-16928 flaw. Discovered by bug-hunters with the QAX A-Team, the vulnerability is caused …
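The excerpt above names the fix as Exim 4.92.3, so the practical question for an admin is whether the running binary is at or past that release. The script below is an added example, not part of the thread or of the Exim project: it parses the first line of `exim -bV` output (assumed here to begin with "Exim version X.Y.Z", which is its usual format) and compares the version against 4.92.3 component by component, so a distro suffix such as "4.92.3-1" is still recognized as patched. The sample output strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether an Exim version string is at or above the
# 4.92.3 release that the article above says fixes CVE-2019-16928.
# The threshold comes from the article; the sample "exim -bV" lines are constructed.

FIXED_VERSION="4.92.3"

# version_ge A B -> exit 0 if dotted version A >= B, else 1.
# Compares numerically component by component; a missing component counts as 0,
# and any non-digit suffix on a component (e.g. "3-1") is ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        [ -n "$ax" ] || ax=0
        [ -n "$bx" ] || bx=0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# exim_version_from_bv: read "exim -bV" output on stdin, print the dotted version.
# Assumes the banner line starts with "Exim version <number>".
exim_version_from_bv() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# exim_patched: read "exim -bV" output on stdin; print and return
#   "patched"    (exit 0)  when version >= FIXED_VERSION
#   "vulnerable" (exit 1)  when older
#   "unknown"    (exit 2)  when no version line was found
exim_patched() {
    v=$(exim_version_from_bv)
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"; return 0
    fi
    echo "vulnerable"; return 1
}

# Constructed sample banners (not real output captured from any host).
SAMPLE_OLD='Exim version 4.92.2 #2 built 10-Sep-2019 12:00:00
Copyright (c) University of Cambridge, 1995 - 2018'
SAMPLE_NEW='Exim version 4.92.3 #1 built 28-Sep-2019 12:00:00'

# Demonstration on the constructed samples; on a real host use:
#   exim -bV | exim_patched || echo "update Exim"
printf '%s\n' "$SAMPLE_OLD" | exim_patched || :
printf '%s\n' "$SAMPLE_NEW" | exim_patched || :
```

The non-zero exit status on "vulnerable" is deliberate so the function can drive a cron or monitoring check directly; the `|| :` on the two demonstration lines only keeps the script from aborting under `set -e`.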
I was going to say why exim? Why not postfix? There must be a reason. I remembered the early hatred of sendmail and m4 files. I started using postfix around 2001. On my personal mail server the config hasn't changed in well over a decade. Hell, I'm still running most of the same regex header filters I wrote in 2002. Postfix is simple to configure, so I am curious whether any exim fans want to say what keeps them on exim? Maybe it's better than postfix, I don't know either way.
I don't remember why I chose postfix over the other options at the time. I want to say it was likely recommended to me, perhaps by Sophos, to integrate an antivirus solution, which I think was called amavis at the time, which I had deployed running both Sophos and McAfee. Looks like amavis is still around and Wikipedia specifically mentions using it with postfix. So that was probably my reason at the time.
I had the same thought, so I did a DDG search for "postfix vs exim"; the first match:
When comparing Exim vs Postfix, the Slant community recommends Exim for most people. In the question "What are the best Linux mail transfer agents (MTAs)?" Exim is ranked 1st while Postfix is ranked 2nd. The most important reason people chose Exim is: Most Linux distributions that come with Exim, come with sane Exim default configurations. Changing default values and slightly adjusting configuration is relatively easy. On the other hand, building a completely new Exim configuration file from scratch might not.
More stuff on that page.
Yes, same config since '05. It just runs and runs. I've had it jailed on FreeBSD with no issues. An Atom N270 with 1.5GB RAM has been fine for over 10 years (shared with a bunch of apache/PHP web servers).
Maybe Exim was less compelling since I'm not using Linux. I'll be switching from Courier to Dovecot for the IMAP side next time the server gets rebuilt.
I've used postfix for many years, ever since migrating from qmail around the turn of the century.
But I think qmail deserves the credit for introducing secure-by-design to smtp with its thought-through separation of components and privileges. That was the first serious alternative to sendmail, right back in the mid-1990s. I switched away from sendmail for both simplicity and security, but it was the ease of introducing my own spam-fighting filters that motivated my own qmail->postfix change - at which time I also looked at and dismissed exim.