The Postfix security model is based on keeping software simple and stupid.

In a previous life I wrote the software that controlled my physics experiments. That software had to deal with all kinds of possible failures in equipment. That is probably where I learned to rely on multiple safety nets inside and around my systems.

The challenge with Postfix, or with any piece of software, is to update software without introducing problems.

Writing software that's safe even in the presence of bugs makes the challenge even more interesting.

Sure, but competition is good for the user.

This will surprise some of your readers, but my primary interest is not with computer security. I am primarily interested in writing software that works as intended.

At the time the Sendmail program had a very poor reputation with respect to security, with four root vulnerabilities per year for two successive years.