[CentOS] Advise on RPM vs. Compiling source

Fri Dec 8 02:59:05 UTC 2006
Feizhou <feizhou at graffiti.net>

Kevan Benson wrote:
> On Wednesday 06 December 2006 19:18, Feizhou wrote:
>> Other than that I do not see any other advantage. Disadvantages to
>> either method...none besides the rpm not offering the other features
>> available. postfix has not had a security problem since one issue in
>> version 1.x which is perhaps not too surprising given that Wietse is
>> also the author of tcp_wrappers so you do not need to keep track of
>> security holes unlike sendmail.
> 
> I'm going to play devil's advocate here and mention that just because the 
> postfix package itself hasn't had any security exploit, doesn't mean that 
> some of the required libraries it uses haven't allowed it to be exploited in 
> the past.  I see that in some cases postfix builds against zlib, and there's 
> been exploits based on that in the past.
> 
> I'm not trying to say that postfix is insecure, just that saying it IS secure 
> and will continue to be so just because it has a good track record doesn't 
> exactly promote the best behavior by new administrators that may not be as 
> security aware as they should be in this job (I understand your point 
> though).  Let's promote more security conscious and paranoid system 
> administrators through saying that every process that allows public access be 
> strictly audited on a regular basis.  It truly will make the world a better 
> place.
> 

I don't see a problem here. Unless you make a static compile of postfix, 
upgrading the libraries that it uses will automatically fix the problem. 
If there is a version conflict due to the new libraries, that will give 
an automatic signal to rebuild when postfix refuses to run.

I, therefore, stand by my previous statements. Unless postfix itself 
manages to get a security hole, there is nothing to worry about if 
building against system libraries that are covered by RHEL/Centos.
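The check behind the point above, written out as an added example (not part of the thread): list the shared libraries a binary loads, flag a static build, and map each library to the RPM that owns it, so you can see whether vendor updates will actually cover it. It assumes a CentOS/RHEL host with `ldd` and `rpm` available and a postfix binary at `/usr/sbin/postfix` (hypothetical path for the usage line).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes: ldd and rpm on the PATH (CentOS/RHEL).

# Print the resolved library paths from ldd-style output read on stdin.
# Handles "lib => /path (addr)", the bare "/path/ld-linux (addr)" line,
# and skips vdso entries and "=> not found" lines.
lib_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }
         $1 ~ /^\// && $2 !~ /=>/ { print $1 }'
}

# Classify one library path: "packaged:<rpm>" when an RPM owns it, else
# "unpackaged" (installed outside the package manager, so yum/up2date
# updates will never replace it).
classify_lib() {
    if owner=$(rpm -qf "$1" 2>/dev/null); then
        printf 'packaged:%s\n' "$owner"
    else
        printf 'unpackaged\n'
    fi
}

# Report every library a binary depends on and who maintains it.
# Returns 1 for a static binary: library fixes then require a rebuild,
# which is exactly the case the thread warns about.
audit_binary() {
    bin=$1
    if ! out=$(ldd "$bin" 2>&1) \
       || printf '%s' "$out" | grep -q 'not a dynamic executable'; then
        echo "$bin: statically linked; library fixes require a rebuild"
        return 1
    fi
    printf '%s\n' "$out" | lib_paths | while read -r lib; do
        printf '%s %s\n' "$lib" "$(classify_lib "$lib")"
    done
}

# Usage: sh audit.sh /usr/sbin/postfix   (hypothetical path)
if [ $# -gt 0 ]; then
    audit_binary "$1"
fi
```

Any line ending in `unpackaged` is a library that a `yum update` will not patch; those are the ones to track by hand or rebuild from the vendor package.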