I used to consider OpenSMTPD to be highly secure, until CVE-2020-8794 and CVE-2020-7247 came out. Both allow an attacker to execute arbitrary shell commands as root. Even though both of these attacks have been fixed, I am still not sure if it is possible for a compromised unprivileged OpenSMTPD process to escalate privileges by similar means. There is a workaround (setting a specific "mda wrapper" in the configuration file), but it is off by default, and disables delivery to commands and files.
It turns out that not only is Postfix not vulnerable to either attack, but it is still not vulnerable even if an attacker has a 0-day exploit in one of the unprivileged Postfix processes. Command injection via MDAs (CVE-2020-7247) would not be possible because Postfix does not use a shell for delivery by default, and even when it does use a shell, the sanitization done by the local service replaces all metacharacters with underscores. Command injection via envelope files (CVE-2020-8794) would not be possible either, because Postfix uses the "safe" (rather than "exact") model for delivery status management. This means that commands and files are not stored in the envelope file, but rather read from ~/.forward during delivery.

Taken together, the above factors make me trust Postfix far more when it comes to security, especially when local deliveries are enabled. I don't need to worry that a future vulnerability in Postfix will potentially allow others to execute arbitrary code as my user, whereas OpenSMTPD needs special configuration before I can be anywhere near as confident.

Postfix has other advantages, too. Its sendmail(1) works even if the mail system is stopped, whereas OpenSMTPD's does not. Postfix also supports other security features, such as DANE, which are lacking in OpenSMTPD. Finally, Postfix has far more flexible authentication and header processing.

Wietse Venema, thank you for your years of hard work on Postfix. If any of the OpenSMTPD developers read this, I hope it provides some ideas for improvement.

Sincerely,
Demi M. Obenour
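An added illustration of the two delivery-side defences the post credits to Postfix; this is example code written for this page, not Postfix's own source. It models the allowlist-and-underscore rewriting that Postfix's local(8) agent applies to command expansions (the parameter is command_expansion_filter; the exact character set used below is an assumption chosen to match that parameter's shape, not a quotation from any Postfix release) and shows the expanded command being handed to the delivery program as an argument vector rather than through a shell. The command template, the recipient values and the placeholder syntax are all constructed for the example.

```python
import re
import shlex
import string
import subprocess

# Assumed allowlist, modelled on the shape of Postfix's command_expansion_filter:
# letters, digits and a handful of punctuation characters that carry no meaning
# to a shell. Anything else (; ` $ ( ) | & < > quotes, whitespace...) is rewritten.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + "!@%-_=+:,./")

# Matches $name and ${name} placeholders in an administrator-supplied template.
_PLACEHOLDER = re.compile(r"\$(\w+|\{\w+\})")


def sanitize(value: str) -> str:
    """Replace every character outside the allowlist with an underscore.

    This mirrors the behaviour the post describes: even if the expanded value
    ends up inside a shell command line, it contains nothing a shell interprets.
    """
    return "".join(c if c in SAFE_CHARS else "_" for c in value)


def is_shell_inert(value: str) -> bool:
    """True when sanitize() would leave the value unchanged."""
    return value == sanitize(value)


def expand_command(template: str, expansions: dict) -> list:
    """Expand a trusted command template into an argv list.

    The template comes from the administrator's configuration and is split
    once with shell-like quoting rules. Recipient-derived values are inserted
    per argument, after sanitisation, so a value can never add, split or
    terminate an argument and never reaches a shell at all.
    """
    argv = []
    for token in shlex.split(template):
        def substitute(match):
            name = match.group(1).strip("{}")
            return sanitize(str(expansions.get(name, "")))
        argv.append(_PLACEHOLDER.sub(substitute, token))
    return argv


def deliver(argv: list, message: bytes) -> int:
    """Run the delivery program without a shell; the message goes on stdin."""
    result = subprocess.run(argv, input=message, shell=False, check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed example: a local-delivery template and a hostile-looking
    # recipient. The metacharacters are neutralised before expansion.
    template = "/usr/bin/procmail -a $extension -d $user"
    argv = expand_command(template, {"user": "alice;id", "extension": "tag"})
    print(argv)  # ['/usr/bin/procmail', '-a', 'tag', '-d', 'alice_id']
```

Two layers are at work here: expand_command returns an argument vector, so with shell=False the program receives each expansion as a single argument whatever it contains, and sanitize makes the value inert as defence in depth for the case the post mentions where a shell is in the path. The underscore rewriting is lossy on purpose; a recipient name that needed `;` or backticks would simply fail to match a mailbox rather than become a command.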