D. J. Bernstein
Internet mail
Mail disasters

Postfix disasters

Anonymous local message destruction

IBM released Postfix with massive hype in mid-December 1998. ``IBM software to shield email from hackers,'' blared the Reuters headline. ``This will make IBM's and everyone's Internet activities more secure,'' IBM's network security research manager said in a prepared statement.

A few days later I glanced at the Postfix security documentation. ``No Postfix program is set-uid,'' the Postfix author wrote. ``Introducing the concept was the biggest mistake made in UNIX history. Set-uid (and its weaker cousin, set-gid) causes more trouble than it is worth.''

This set off alarm bells in my head. ``Does postfix really use a world-writable directory for people to drop off mail?'' I wrote in a 19981217 email message to another security expert. ``Is there anything that stops a user from making a hard link to another user's message, preventing postfix from delivering the message?''

In fact, when Postfix saw an extra hard link, not only would it fail to deliver the message, but it would actively remove the hard link, Any local attacker could trivially exploit this to anonymously destroy other users' incoming or outgoing messages. There was no way for the system administrator to find the culprit, and no way to recover the messages.

The Postfix author's reaction to my first public comments was outright denial. ``Bernstein is wrong on all points,'' he said in a public statement in response to a summary of the problems. ``Bogus. ... Bogus. ... Bogus. ... Bogus.'' He continued by giving an example of how an incompetent attacker might fail to destroy a file. Several people pointed out his mistake, but he continued to deny the problem. ``In my opinion, no-one has brought forward a vulnerability worth mentioning,'' he said in a bugtraq message titled ``Claimed Postfix Vulnerabilities.''

I sent a detailed description of the vulnerability to bugtraq. The Postfix author finally admitted that the attack would destroy mail. However, he didn't post a security alert on the Postfix web pages. Instead he added a brief note to the middle of the ``Postfix Errata'' page:

     A local user can hard link a maildrop queue file to another
     directory within the same file system, causing the mail to not be
     delivered. Workaround: chmod 1733 /var/spool/postfix/maildrop, and
     edit /etc/postfix/postfix-script, replacing 1777 by 1733.
When I saw this, I posted a note to comp.security.unix, explaining that this ``workaround'' simply didn't work. Any user could still anonymously destroy messages.

The Postfix author followed up, using the subject line of ``DAN BERNSTEIN'S CLAIM'' without admitting that my claims were correct, summarizing the problems as ``local users [can] play games with hard links'' without mentioning that these games would destroy mail, describing his non-solution as ``a short-term, interim solution,'' and concluding ``I see no reason for loss of confidence in the software.'' In a subsequent message he attacked me, claiming that I ``didn't find this horrible security hole'' and that my analysis was ``way off.''

The real problems here can't be fixed by changes to the Postfix code. The Postfix author never posted a security alert. He never apologized for exposing his users to selective mail destruction. He never apologized for his false and misleading statements. He never took responsibility for his mistakes. He still isn't offering cash rewards for security holes.

Can the Postfix security claims be taken seriously? Decide for yourself.