While I think it's great that Postfix is one of the MTAs bundled with PMX, I do think more work needs to be done on making the current versions visible in the documentation, and more particularly, that it gets updated more regularly as part of the usual updates for PMX.
Context is that we've had an external auditor review our gateway systems, and naturally they've found our Postfix version is only at 2.5.4. The current Postfix release is 2.8. I assumed that perhaps 6.1 has a new Postfix version, and we should be upgrading asap, but I could not locate anything in the documentation for 6.1 or on the Knowledgebase to give us what version of Postfix is running there.
So I logged a support enquiry, only to learn that it's still 2.5.4. While the latest release of Postfix is 2.8, the 2.5 stream is being actively maintained, and is currently at 2.5.12, which was released in March. While I don't necessarily expect PMX to be bleeding edge in terms of versions, previous releases of 2.5 updates were on 23 Nov 2010, 23 March, all the way back to the release of 2.5.5 in Sept 2008.
So I wonder if anyone else finds these issues of concern:
- Insufficient information about the Postfix releases bundled in PMX in documentation/release notes etc
- Infrequent updates - 3 1/2 years is pretty dire, especially since there have been major PMX releases since
- Unpatched defects (including at least one affecting the milter function, and the SMTP over TLS injection exploit)
Sophos still continues to strongly recommend the use of the bundled Postfix with the product, and have created some lovely new reports in the latest PMX version. However, due to the fact the Postfix component seems effectively unmaintained, with the risks that that implies, I find the current recommendation to be more of a liability at this stage.
Personally, for our organisation, I'm going to recommend that we prepare to use a vendor-supplied version of Postfix when moving to PMX 6.1, or possibly a self-compiled one. While Red Hat aren't exactly up-to-date with their releases either, at least they do release dot-version patches sooner or later (for example, 2.6.6 is their latest update, released May 2010).