Olivier DuclosOct 11, 2025
#Exim still requires setuid to be able deliver mail? That is a HUGE red flag! Especially with all the alternatives available on #Linux nowadays. I guess these guys like to live dangerously: https://changelog.complete.org/archives/13814-a-mail-delivery-mystery-exim-systemd-setuid-and-docker-oh-my #smtp #infosec
A Mail Delivery Mystery: Exim, systemd, setuid, and Docker, oh my! | The Changelog

Show threadBruce Walzer 🇨🇦

@odc Local deliveries are problematic in general. The details of how #Exim deals with root privilege can be found here:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html

#smtp #infosec

56. Security considerations

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet.

Oct 11, 2025 at 7:56pmWeb
Show threadOlivier DuclosOct 11, 2025
@upofadown Thanks for the link. Yeah local delivery seems tricky. Does Exim not have a dedicated process for that?
Show threadBruce Walzer 🇨🇦Oct 11, 2025
@odc From the docs: "A delivery process retains root privilege throughout most of its execution, but any actual deliveries (that is, the transports themselves) are run in subprocesses which always change to a non-root uid and gid."