> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Damien Hull
> Sent: Wednesday, May 25, 2005 3:31 PM
> To: [EMAIL PROTECTED]
> Cc: misc
> Subject: Re: Email Server
>
> [EMAIL PROTECTED] wrote:
>
> >On Tue, May 24, 2005 at 09:18:58AM -0700, Bruno Delbono wrote:
> >
> >>[EMAIL PROTECTED] wrote:
> >>
> >>>Ports aren't generally checked for much other than "Does it build?" and
> >>>"Does it work?".
> >>>
> >>So, secure by default means that you should only run OpenBSD as it comes
> >>and do not touch anything on it. Or else, it won't be secure by default;
> >>your warranty is voided and Theo will spank you.
> >>
> >
> >"in the base install" is a very important phrase. Ports don't get
> >audited much, if at all. This isn't any sort of slap to the porters;
> >it's just there's a *lot* of code in the port and examining that code
> >for correctness isn't their intent. Ports are a convenience, not a
> >promise. Postfix and cyrus aren't base install, and therefore aren't
> >covered. Ain't life terrible?
> >
>
> Thanks for the info. My concern is that OpenBSD is "secure by default"
> when you do a base install but when you start adding things like Postfix
> etc... are you still secure?
>
> I know you can configure the system so that most files are read only. I
> also know that you can run Postfix in a sandbox (jail). It all depends
> on how much work I want to put into securing the system. If the answer
> to the above question is "no!", then I'll have to lock down Postfix
> etc... If the answer to the above question is "Yes!" then I can leave
> things the way they are and just install Postfix.
>
> There are trade-offs between security and management overhead. Putting
> Postfix in a sandbox is a nice idea but my understanding is that you
> have to take Postfix off-line to add any users and then put it back in
> the sandbox and then bring it back on-line. Leaving Postfix outside of a
> sandbox means you just add users when you need to. I did this once on a
> FreeBSD email server a few years back. I decided that a sandbox was too
> much work.
>
> I'm still a long way away from designing a system. I haven't even
> decided which OS I want to use. If enough people on the list can
> convince me that OpenBSD is the way to go I'll install it on a system,
> ship it down to Seattle and collect my mail. This will be on a test
> domain of course.
Any operating system will end up using third party applications, and any operating system can be secure by default if it ships with no services running. When evaluating a third party application like postfix, you have two security realms: the actual application, and the operating system that supports it. With OpenBSD, you have a very nice foundation that can help enhance the security of the third party service. For example, OpenBSD randomizes PID number creation, which made some exploits against insecure temp file creation that much more difficult. OpenBSD includes a lot of other protection mechanisms that help applications without any real effort by you. OpenBSD also includes some nice tools like systrace that you can use to actively harden a service. While other operating systems may include similar protections, OpenBSD provides simple and effective mechanisms. Simplicity is very important. Compare OpenBSD/NetBSD systrace to the SELinux mechanism for an example. If I had to run an insecure service on any platform, it would be OpenBSD. It is better to assume that everything is insecure, and design to reduce the effectiveness of those failures. I think this is why the OpenBSD folks are moving as much as possible towards privilege separation. It is better to assume that your application is insecure.
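The insecure-temp-file point above, as an added C example that is not part of the thread: the PID-derived naming pattern that sequential PIDs make predictable, beside the O_EXCL and mkstemp(3) forms that make a planted path fail loudly instead of being followed. The /tmp/demo.* paths and the ownership check are constructed for this demonstration.

```c
/* Added example (not from the thread): why PID-derived temp file names are
 * risky and how O_EXCL / mkstemp(3) turn the race into a detectable error.
 * The /tmp/demo.* names are constructed for this demonstration. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: the name is derived from the PID, so with sequential PIDs
 * (no randomisation) it can be predicted in advance, and O_CREAT without
 * O_EXCL silently follows a path that already exists (e.g. a symlink).
 * Returns the fd, or -1 on error. */
int weak_tmp_open(char *buf, size_t n, pid_t pid) {
    snprintf(buf, n, "/tmp/demo.%ld", (long)pid);
    return open(buf, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_CREAT|O_EXCL is atomic and refuses any pre-existing path,
 * so a planted link or file shows up as EEXIST instead of being written. */
int excl_tmp_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp(3) chooses an unpredictable suffix and uses O_EXCL
 * internally; the chosen name is written back into buf. */
int safe_tmp_open(char *buf, size_t n) {
    snprintf(buf, n, "%s", "/tmp/demo.XXXXXX");
    return mkstemp(buf);
}

/* Defensive check after creation: 1 if path is a regular file owned by us
 * (lstat, so a symlink is reported as such), 0 otherwise. */
int is_owned_regular_file(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid();
}

int main(void) {
    char name[64];
    int fd = safe_tmp_open(name, sizeof name);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s (owned regular file: %d)\n", name, is_owned_regular_file(name));
    close(fd);
    unlink(name);
    return 0;
}
```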

