I used to consider OpenSMTPD highly secure, until CVE-2020-8794
and CVE-2020-7247 came out. Both allowed an attacker to execute
arbitrary shell commands as root. Even though both bugs have been
fixed, I am still not sure whether a compromised unprivileged
OpenSMTPD process could escalate privileges by similar means. There
is a workaround (setting a specific "mda wrapper" in the configuration
file), but it is off by default and disables delivery to commands and
files.
It turns out that not only is Postfix not vulnerable to either attack,
but it would still not be vulnerable even if an attacker had a 0-day
exploit for one of the unprivileged Postfix processes. Command
injection via MDAs (CVE-2020-7247) is not possible because Postfix does
not use a shell for delivery by default (local_command_shell is empty,
and a command without shell metacharacters is executed directly), and
even when it does use a shell, the local(8) delivery agent sanitizes
every $name expansion in the delivery command: any character outside
command_expansion_filter is replaced with an underscore, so
attacker-supplied data cannot contribute a shell metacharacter.
Command injection via envelope files (CVE-2020-8794) is not possible
either, because Postfix uses the "safe" (rather than "exact") model
for delivery status management. This means that commands and files
are not stored in the envelope file at all; local(8) reads them from
~/.forward at delivery time, and runs any command with the privileges
of that user rather than of the mail system.
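To make the sanitization concrete, here is an added example (my own
Python, not Postfix code) that applies the default
command_expansion_filter value documented in postconf(5) to the $name
expansions of a hypothetical mailbox_command template, and shows what
the delivery agent would end up executing with and without the filter.
The template, the /usr/local/bin/deliver program, the metacharacter
list used to decide between direct execution and /bin/sh -c, and the
";sleep 66;" payload in the address extension are all assumptions for
illustration; only the filter's default value is taken from the
Postfix documentation.

```python
import re

# Default command_expansion_filter as documented in postconf(5); confirm
# on your own build with:  postconf -d command_expansion_filter
COMMAND_EXPANSION_FILTER = (
    "1234567890!@%-_=+:,./"
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
)

# Characters whose presence makes this toy hand the command to /bin/sh -c.
# This is an approximation for illustration, not Postfix's own list; the
# point is the direct-exec versus shell decision, not the exact set.
SHELL_META = set("\"'`$&|<>;()[]{}*?\\\n")

# Matches $name and ${name} in a command template.
_VAR = re.compile(r"\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))")


def filter_expansion(value, allowed=COMMAND_EXPANSION_FILTER):
    """local(8)-style sanitization: any character outside the allowed
    set becomes an underscore."""
    return "".join(ch if ch in allowed else "_" for ch in value)


def expand(template, attrs, filtered=True):
    """Expand $name / ${name} from attrs. Each value is passed through
    filter_expansion unless filtered=False (the unsafe comparison)."""
    def repl(match):
        name = match.group(1) or match.group(2)
        value = attrs.get(name, "")
        return filter_expansion(value) if filtered else value
    return _VAR.sub(repl, template)


def plan_delivery(template, attrs, filtered=True):
    """Return (command, argv). argv is a direct execvp-style split when
    the expanded command contains no shell metacharacters, otherwise a
    /bin/sh -c invocation of the whole string."""
    command = expand(template, attrs, filtered)
    if any(ch in SHELL_META for ch in command):
        return command, ["/bin/sh", "-c", command]
    return command, command.split()


# Constructed delivery attributes (not real traffic). The recipient's
# address extension carries shell metacharacters in the shape of a
# CVE-2020-7247 payload; the bytes are illustrative, not the published PoC.
ATTRS = {
    "user": "alice",
    "extension": ";sleep 66;",
}
# Hypothetical mailbox_command templates: one plain, one whose own quotes
# force the shell even after filtering.
PLAIN_TEMPLATE = "/usr/local/bin/deliver -a $extension $user"
QUOTED_TEMPLATE = '/usr/local/bin/deliver -a "$extension" $user'


def demo():
    """Three cases: filtered plain (direct exec, data neutralised),
    unfiltered plain (shell runs the injected 'sleep 66'), and filtered
    quoted (shell is used, but the data can no longer break out)."""
    return {
        "plain_filtered": plan_delivery(PLAIN_TEMPLATE, ATTRS),
        "plain_unfiltered": plan_delivery(PLAIN_TEMPLATE, ATTRS, filtered=False),
        "quoted_filtered": plan_delivery(QUOTED_TEMPLATE, ATTRS),
    }


if __name__ == "__main__":
    for label, (cmd, argv) in demo().items():
        print(f"{label:17} command={cmd!r}")
        print(f"{'':17} argv={argv}")
```

The filtered plain case yields "/usr/local/bin/deliver -a _sleep_66_
alice", which needs no shell and is split into argv directly; the
unfiltered case becomes "/bin/sh -c '... -a ;sleep 66; alice'", which
runs the injected command. The quoted template shows the author's
second point: the administrator's own quotes pull in /bin/sh, yet the
expansion still contains nothing the shell treats specially. Note that
quoting alone would not be a substitute for the filter, since a double
quote in the data would end the quoted argument; replacing characters
outside a small allow-list is what removes the problem.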
Taken together, these factors make me trust Postfix far more when it
comes to security, especially when local deliveries are enabled.
I don't need to worry that a future vulnerability in Postfix could
allow others to execute arbitrary code as my user, whereas
OpenSMTPD needs special configuration before I can be anywhere near
Postfix has other advantages, too. Its sendmail(1) works even if the
mail system is stopped, because it hands the message to the set-gid
postdrop(1) program, which writes it into the maildrop queue directory
without any daemon running; OpenSMTPD's does not. Postfix also supports
security features that OpenSMTPD lacks, such as DANE. Finally, Postfix
has far more flexible authentication and header processing.
Wietse Venema, thank you for your years of hard work on Postfix.
If any of the OpenSMTPD developers read this, I hope it provides some
ideas for improvement.