Postfix: A Secure and Easy-to-Use MTA 374
BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."
heh. (Score:4, Insightful)
I wonder if they'll start trolling on bugtraq.
-blak
Re:heh. (Score:5, Funny)
Do they do anything else?
Re:heh. (Score:5, Insightful)
http://slashdot.org/article.pl?sid=03/07/16/163
On the other hand, maybe they'll train their sights on BIND next.
Re:heh. (Score:4, Funny)
This is all just FUD (Score:5, Insightful)
Compare this to the antics of "that corporation" who is quite content to leave bugs as "undocumented features". Could be this FUD is just a reaction to that "insecure by design" mudslinging.
Re:This is all just FUD (Score:4, Informative)
Sendmail isn't awful - but some of its code is old, it's complicated, and it's richly-featured. All of these things contribute to an increased risk of bugs and vulnerabilities. In those respects, it's similar to some of those products by "that corporation," except that sendmail issues timely patches and the current developers, at least, care about security from the outset versus considering it as an afterthought.
Milters? (Score:5, Insightful)
Re:Milters? (Score:4, Informative)
Milter is one of the things that's keeping me with sendmail.
What's lost in postfix? (Score:2, Interesting)
Re:Milters? (Score:5, Informative)
This is quite powerful. For example, you can have some regular expression (around header or body), that sent to the content_filter.
If you want to switch and have milter in mind, please consult the documentation about content_filter...
Re:Milters? (Score:5, Informative)
In fact, most of the things you can do with sendmail through external additions are already in postfix. I'm pretty sure that Postfix is also overall "faster" than Sendmail, and it upgrades easier, and the config system is useful, etc...
Re:Milters? (Score:5, Funny)
Probably because nobody can be bothered to respond to such an imbecilic remark. Sendmail and postfix are Mail Transport Agents, not Groupware. If you wanted to compare Exchange with a Linux equivalent, then there have been umpteen threads here in the past on the topic. This one [slashdot.org], for example. Personally, I like this one [suse.com] but it isn't free. (At least not free as in beer. It's built on top of similar software to the free ones though.)
But do go on comparing apples with oranges if you wish. It doesn't hurt anyone, and it gives many of us a sense of smug superiority.
I can not complain about having to patch sendmail for the same
I'm so sorry, but you seem to be reading an imaginary slashdot thread in your own head, as opposed to this one, which is about the security holes in Sendmail and how using Postfix may be a better approach because of what a pain it is to keep it updated?
Perhaps you'd like to share your imaginary one with the rest of us and entertain us all some more?
Or try qmail - unbroken since v1.03 (1998) (Score:5, Informative)
There is also an enormous amount of support for the product available. Check out qmail.org and cr.yp.to/qmail.html
Re:Or try qmail - unbroken since v1.03 (1998) (Score:2, Informative)
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Insightful)
On the point of qmail being cumbersome: I disagree - what could be simpler than adding a single line to your rcpthosts file? Maintaining qmail is trivial. However, I'll agree that the author's terse documentation makes it seem quite foreign but compared to sendmail it is positively didactic. There are also many other resources available which supplement the original docs.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Insightful)
Re:Or try qmail - unbroken since v1.03 (1998) (Score:4, Insightful)
Because of qmail's design, it is very resistent to compromise, even if one of the components is modified.
I believe that the strict partitioning of function in qmail lends itself better to extension than a constantly evolving package such as sendmail.
I'm not in a position to compare it to Postfix.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Insightful)
However, you get the "unsupported majority" who run a modified/patched/extended version that might well have security flaws that no one knows about. Worse, when an exploit is found in one of those changes, the maintainer of the central package usually makes a point of saying, "look, see! My software was secure, it was just those icky add-ons that were broken!" (as OpenBSD did with apache).
Bottom line: if you run OpenBSD or qmail or any other like service, don't patch it, or add unsupported features.
If that's not a good enough feature-set for you, choose a platform that embraces the feature-set that you need.
Now, on to the myths of sendmail:
Recent sendmail holes have been found because careful security auditing by programmers who have no goal other than to find such problems is being PAID for on sendmail. Companies like Red Hat have found such bugs in the Linux kernel, sendmail, apache, samba, etc, etc because they are looking for them, fixing them, and patching their user-base proactively.
I'm not saying that this is a first. Many companies that can afford it perform such audits, and it's still not as helpful, IMHO, as the benefit of being open source in the first place. However, saying that software is "insecure" because paid auditors have discovered and fixed the problems is... questionable.
I like sendmail. It has its quirks and problems, but I've yet to see a replacement that doesn't insist on proving that it's "better than sendmail" by imposing some strange restriction on the users (e.g. exim's B&D approach to RFC-compliance; postfix's convoluted incoming vs outgoing filtering; qmail's B&D approach to software distribution).
I like these other packages too, but I don't see a role for them as-is in my environments. Perhaps someday someone will write a simple sendmail replacement that is feature-for-feature compatible, but simply has simpler code and a more straight-forward config syntax (the only two real failings of sendmail).
Re:Or try qmail - unbroken since v1.03 (1998) (Score:4, Insightful)
qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?
I agree partly with you, it bothers me to have to patch my vanilla qmail to get all the functionality that I need. But on the other hand you only install the patchs that you need, so you're still more secure than if all the features/patchs we're allready bundled with qmail.
The idea is to keep your installation as small as possible and to install only well-known patchs.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:2, Informative)
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Insightful)
other points about qmail aside... (Score:3, Insightful)
This one does it for me. I currently use Exim, which also drops in for sendmail and is reasonably secure. If/when I want more security, I'll probably go Postfix because of the simple drop-in.
Security is never unimportant, but for an internal-only MTA for a family of four that accepts no external connections, it's secondary. I will however agree that had I been running Sendmail, the March problem w
Re:Or try qmail - unbroken since v1.03 (1998) (Score:3, Insightful)
You show 'em! Maybe those bartards'll think next time they do something that you don't agree with. Ya know, they're not selling commercial products, so they're not taking on any financial losses from your boycott. Chances
Re:Or try qmail - unbroken since v1.03 (1998) (Score:3, Interesting)
Big deal. DJB offers $500 for finding a security hole in qmail EXCEPT DOS attacks.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:4, Interesting)
>One big package to do it all.
I guess if you define "one big package" to be modularized like this [porcupine.org] and "do it all" to mean "be an MTA" then you're right. Are you saying that qmail does less, with more than 36 different executables (which is how many postfix uses), and that that's better?
>Even Wietse doesn't trust his own software.
>http://marc.theaimsgroup.com/?l=bugtr
Riiight. So you're saying that when Dan ships a bug fix, all qmail installations are magically updated, and all distributions out there on FTP servers and CDs are updated too. No? That's all that Wietse was lamenting - read the message again. He's saying that you can fix a bug in the current code but you can't make it go away retroactively. He doesn't say he doesn't use or trust his own software.
>Postfix on the other hand is still underdevelopment,
I guess you would prefer an abandoned product? Or are you saying it's not ready for production use yet? IBM released it FIVE YEARS AGO as the IBM Secure Mailer. It does get updated, though. Horrors! Do you use an OS that is "done" too, because not ever being updated is a good thing?
>suffers from a poor design,
According to you. How exactly is the design poor in your opinion? Hint: You can't just say "it's like Windows". What are some specific design choices and examples of why that's bad? Or are you just hand-waving?
>and probably will include the kitchen sink by next year.
Based on what, exactly? Please explain why you think Postfix is adding all sorts of non-MTA features lately, and preferrably show a link to a message by Wietse where he says he's going to do so in the future.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Insightful)
1) It is a collection of small daemons. In the UNIX spirit. This cuts on the bugs and allows injection of emails into various stages, and developing addons much easier.
2) It has a structured config file system. Again thats truly like UNIX. You just go to one file, open it in an editor, usually has less than a screenfull of lines, edit it, close and reHUP the daemon. Imagine the same for sendmail. At the least you have to run make for it.
To be fair, I havent tried postfix, but after qmail, Ive kinda lost motivation to try anything else.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:3, Interesting)
But have you noticed the qualifiers? Sendmail works around bugs in the OS (and most of the CERT warnings involving sendmail are because of OS related issues and other delivery programs, not the sendmail core).
How many of the race conditions fixed in sendmail and apache exist today in qmail? Does qmail work around any linux kernal problems?
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Informative)
I ran qmail for a year or so, then ended up switching to Postfix. At this point, you couldn't pay me to switch back to qmail.
It's not that qmail's a "bad" program. It's certainly not! Dave B. did a heck of a job with it, and I know it's in service as a Sendmail replacement at thousands of sites.
My gripes with qmail are that you practically need to be a programmer to implement it "properly" (at least that's my impression), and that, in order to have an ideal working environment for it, you have to replace the inetd daemon, and add in other tools that are far from simple for non-programmers to implement and use.
My biggest gripe with qmail was how it implemented spam blocking. Complex and clumsy (to my view), with no way that I found to "whitelist" a given domain name or IP, and no way to block on domain name lookup either.
Postfix solved all the problems listed above, and it came pre-installed with NetBSD [netbsd.org] (my Internet server OS of choice). As for its blocking/whitelist syntax, it couldn't be simpler. Examples...
For blocking: some.host 554 Access denied.
For whiteliesting: some.host OK
You simply replace 'some.host' with an IP address or host name, and the three-digit error code with anything you want. qmail was limited to two error codes. The best part is that you can, if you wish, block entire countries that have become spam sewers simply by doing things like this in the blocklist:
.cn 554 Access denied. China's a spammer paradise.
With qmail, you'd have to go through and enter every single IP range assigned to China, manually. I know -- I did this at one time for qmail, and it was two hours plus worth of work! What's even worse is that you have no control over what error message text is sent back. Postfix lets you put in anything you want.
While I will admit that Postfix's default blocking file cannot directly accomodate CIDR notation or IP ranges, Rahul Dhesi, one of the nice folks who inhabits news.admin.net-abuse.email, wrote a handy script [rahul.net] to take a source blockfile, complete with said CIDR notations and specific syntax to indicate a range, and convert it into a form usable with Postfix. He also has a bunch of other handy tools [rahul.net] for use with Postfix on his site.
I may not know what a "milter" is, but I do know that postfix can block or pass mail on just about anything you want. It supports regular expressions, hashes, etc.
I guess I do sound like a testimonial... Well, the heck with it! I like Postfix.
Keep the peace(es).
Re:Or try qmail - unbroken since v1.03 (1998) (Score:3, Insightful)
Sorry, but I'd perfer a mail program that puts stuff in the right place. I want my configuration files in
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Informative)
I've had qmail experience the behavior you are talking about using Solaris/ufs/noasync (single scsi disk) but using ext3/async,noatime (single scsi) under Linux X86 has proven to be very nice.
Reiser would probably do a good job here too.
Setting up mailservers is more science then just telling what sucks and what does not.
Re:Or try qmail - unbroken since v1.03 (1998) (Score:5, Informative)
If you are using ucspi-tcp already, then it is probably as simple as modifying the contents of
ucspi-tcp is not *required* but much of the qmail documentation assumes that you are using it. ucspi-tcp is also written by Dan Berstein (cr.yp.to/ucspi-tcp.html)
Re:Or try qmail - unbroken since v1.03 (1998) (Score:3, Insightful)
Which is exactly why I won't use it. Dr Berstein is brilliant, and writes good code, but he wants me to replace half my system with his stuff. But until someone delivers DJB Linux, where everything runs under his model, I'll be sticking with the existing stuff. I DO NOT want to have two init programs running, two ways of controlling daemons, two
Use Qmail (Score:5, Informative)
Re:Use Qmail (Score:5, Informative)
Of course, since I use DJBDNS and qmail-pop3, I have 3 services I can mostly ignore. And it only took me 8 hours curled up with lifewithqmail.org to do it.
Re:Use Qmail (Score:3, Informative)
If you had looked at the license for qmail, you would already know this.
What's wrong with sendmail? (Score:2, Interesting)
Of course now I get al the exim, qmail and postfix fanboys blasting at me, but sendmail works well. Works good enough for most. Heck, if sendmail were so insecure, why is OpenBSD still including it in it's base?
Don't get me wrong, postfix is a nice MTA. Yes, it is easier to set up depending on what you think is "easy", but still, it's a nice MTA, but no reason to not use Sendmail if you can help it.
Re:What's wrong with sendmail? (Score:2, Insightful)
After using qmail for 4 years, I can't see why anyone would touch sendmail.
Re:What's wrong with sendmail? (Score:3, Informative)
False:
Well well well, ancient huh? Whatever. Yes, that's openbsd's default sendmail as of version 3.3
Re:What's wrong with sendmail? (Score:5, Interesting)
I ditched SendMail because it made me uncomfortable as an administrator. Yes, I could get it working "good enough" that I wasn't a relay, but because of the arcane command file structure I wasn't satisfied that it was tuned the way I wanted it. (BTW, I had hand-coded a sendmail.cf from scratch before, and made it work, but that was when I had a whole day to spend on the project.)
Back in the days when there weren't a hoard of people trying to crack your system, SendMail was OK. Nowadays, you want to make absolutely sure there are zero holes in your system -- arguably you want to PROVE there are no holes, which is an impossibility -- and SendMail makes that very hard to do.
With PostFix, I can get a configuration file, sort it, and check each parameter against the manual. In fact, PostFix can get me EVERY setting (using postconf) so that I can verify I like the defaults, too.
In the current Internet environment, "good enough" isn't good enough.
Re:What's wrong with sendmail? (Score:3, Interesting)
Like some other poster says, postfix is actually pretty fussy when it comes to virtual domains. In sendmail you use a sendmail.cw, plonk all your recieving domains in there an be done wi
The Sendmail Book Is a Crime Against Humanity (Score:2)
I agree, sendmail has a steep learning curve, and I don't have to change mail settings often enough for it to sink in and become
Re:What's wrong with sendmail? (Score:5, Informative)
This is something that really pisses me off. People bitch and moan about Sendmail being so hard to configure when really they haven't done the tiniest bit of research or RTFM. If they had they would have known not to edit the CF. "Don't touch the CF" is the most common answer on comp.mail.sendmail. Yet these novices still feel knowledgeable enough to make claims about how hard it is to configure Sendmail. I swear the quality of sysadm nowadays is somewhere in the crapper. I've been using Sendmail since 8.8.7. I have never had an unusual configuration I couldn't quickly create with a minimal amount of online research. It's not rocket science folks.
Re:What's wrong with sendmail? (Score:3, Interesting)
Moderate this up. It cuts straight through the FUD from the qmail/postfix/exim fanboys.
I _NEVER_ touch the .cf. Never never never. Creating a sendmail.cf on e.g. FreeBSD requires no more knowlegde than how to run 'make' in /etc/mail. You don't even _need_ to mess with m4. NetBSD does the same. OpenBSD however requires you to make your own .mc, but that's not really hard, since theres lots of .mc files you can use in /usr/share/sendmail.
Also, it strikes me that lots of the anti-
Re:What's wrong with sendmail? (Score:5, Insightful)
I understand sendmail is just fine for people who are used to it, I used it for four years and got by with few problems. I also understand why people shy away from sendmail and the attraction to alternative mailers like postfix and qmail. For the past year I've used postfix and feel infinitely more comfortable with its configuration, design philosphy, and inner working than I ever did with sendmail.
Maybe I should spend my time RTFMing and doing online research into sendmail to make myself feel more comfortable with it. Nah, I'd rather just install Postfix and get on with my life.
Re:What's wrong with sendmail? (Score:5, Insightful)
If your config language is Turing-complete, and needs a parsing tool to be useful even to "gurus", something is very, very wrong.
Re:What's wrong with sendmail? (Score:2, Informative)
Re:What's wrong with sendmail? (Score:2)
Re:What's wrong with sendmail? (Score:2)
Of course now I get al the exim, qmail and postfix fanboys blasting at me, but sendmail works well. Works good enough for most. Heck, if sendmail were so insecure, why is OpenBSD still including it in it's base?
The devil is in the details. I remember when I was trying to set up a virus checker for sendmail, I screwed up, and sendmail started sending my emails to /dev/null. With qmail, at least, when I screw up my configuration, it keeps the emails in the queue until the configuration is repaired.
I've switched one box to postfix.. (Score:5, Informative)
Re:I've switched one box to postfix.. (Score:2)
You can use them old-style like Sendmail, or you can use them Postfix style. The two differ by slight syntax variations. Confusing at first, but the point is you have the option to run compatable virtuals from Sendmail, of not depending on the situatation. I won't even claim to have a full understanding of the differences.
Re:I've switched one box to postfix.. (Score:5, Interesting)
Sendmail.. ugh. Remember that old comment, if you've got nothing nice to say? At least they gave out free sendmail swiss army knives once!
Re:I've switched one box to postfix.. (Score:5, Informative)
example.com Virtual domain
ad1@example.com destuser1
ad2@example.com destuser2
I can feel the flames... (Score:5, Insightful)
The reason why (Score:5, Insightful)
Just had to say it. Mod me down if you disagree.
sendmail for legacy (Score:5, Insightful)
As for myself, I switched to postfix several years ago and haven't looked back even once.
Re:sendmail for legacy (Score:2)
Debian has defaulted to exim as long as I can remember. exim tends to choke pretty seriously on some of my mail, though... (fetchmail'd from an Exchange server) sendmail has never had any such trouble, and I suspect Postfix, based on my previous experience with it, also would not.
i'd like to point something out (Score:2, Funny)
hahaha
(it's a joke ok ? i use unix.....)
Lucky I'm on windows (Score:5, Funny)
Panther / Mac OS X 10.3 (11?) will use Postfix (Score:5, Informative)
Personally, that's what is pushing me over the edge to learn Postfix and use it on my OpenBSD servers. In a nostalgic way, it's too bad... I once made some seriously good money writing custom sendmail.cf files on a consulting basis.
Courier (Score:5, Informative)
Mmmm...postfix (Score:4, Interesting)
I finally settled on Postifx. I really like it. I feel I don't have to jump through nearly as many hoops to get it running well as I did with sendmail. I certainly didn't need a 900 page 'bat' book to get postfix running.
With that said, to each his/her own. Use what you want, I'm sure people love qmail for reasons that make sense to them, and the same with exim and sendmail. Those of you who would flame me or others because of our choice of email servers all I can say is "Get over it..."
Ender
Stupid question... (Score:5, Interesting)
Just like Internet Explorer is still used because it ships as the default browser with every flavor of Windows, and Apple Mail is still used because it ships as the default mail client with every flavor of Mac OS X, and so on. This surprises you because...?
--
Damn the Emperor!
Re:Stupid question... (Score:2)
Re:Stupid question... (Score:3, Informative)
alternatives --set mta
service sendmail stop
chkconfig sendmail off
service postfix start
chkconfig postfix on
And you now run Postfix!
Re:Stupid question... (Score:5, Informative)
Re:Stupid question... (Score:4, Informative)
The only thing missing with postfix is native authenticated smtp. One needs to authenticate through sasl to use it, and I don't trust sasl. I'm not implying that sasl is an insecure product by virtue of bugs, but there are too many variables to make me confident that I can configure and deploy it securely.
Not Debian (Score:5, Informative)
I've used Postfix, and like it very much. Currently, the email server for which I'm responsible runs Sendmail, because I haven't had time to figure out how to port the virtusertable over to Postfix.
As for hackstraw's comment, Debian makes it easy because packages depend on "an MTA", and all of the MTAs conflict, so you just use APT to install your MTA of choice, and it replaces the existing one.
Not on any decent linux distros (Score:3, Funny)
Yes. Yes it is.
...).
...
...
No, SuSE and Mandrake have been shipping Postfix by default for a few years (Mandrake at least since 7.1). Of course, sendmail is still available and supported (pity, otherwise there may be space for other secure mail servers
I think it's only the Redhat users who get an insecure MTA by default
It seems Debian may have also seen the light
Debian may switch (Score:5, Informative)
There's been discussion about switching to postfix as the default for new installs however, and it may even be a done deal. A lot of arguments have been tossed about for this, however the biggie seems to be its simplicity: with something as complex as exim or sendmail, there are just more opportunities for something to go wrong. Postfix is quite enough for most users.
Re:Debian may switch (Score:3, Informative)
If you've bothered to read any of that particular thread ("default MTA for sarge" [debian.org]), you'd have found that Postfix isn't actually very likely to be the default MTA for any Debian release any time soon. exim4 is simple and powerful, and what's more, it builds on the legacy of exim as the default mailer in Debian.
There isn't really any compelling reason to switch away from exim, and that more than anything else is likely to leave exim as the default for years to come.
Alternatives (Score:3, Informative)
Rus
Qmail just works (Score:3, Interesting)
If you run virtual domains, Postfix or Sendmail is not an option, especially if you dont want to deliver john@d1.com and john@d2.com to john@localhost. Heck, with virtual domains, you don't want to have user accounts anyway.
I wish there were other easy to use open source options, because Qmail really suffers under Sobig at this point.
Re:Qmail just works (Score:2)
Obviously, you haven't heard of virtusertable [sendmail.org]...
Re:Qmail just works (Score:2)
Actually, I have. It still requires you to have user accounts on the box, or to forward the mail to some other mail server.
AFAIK, with virtusertable, you can't have multiple "john" accounts on the box. I could be wrong, or horribly misinformed, but to get the functionality of vpopmail in bare Postfix or Sendmail has not been done so far. In fact, you can't even get that functionality with bare Qmail either.
Re:Qmail just works (Score:5, Informative)
Sendmail & Postfix support virtual domains with no problems.
Postfix: http://www.postfix.org/faq.html#virtual_domains
Sendmail you can do it extremely easily with the virtualusertable (and I have for years and years)
Re:Qmail just works (Score:2)
Its also real cool because you can use a mysql database to manage the accounts over the domains so that the users do not need real shell accounts.
Wait for the "backlash" (Score:3, Informative)
All it demonstrates is that large complex pieces of software are inherently more difficult to secure than smaller simpler ones.
Sendmail is great but we switched to another MTA about four years ago, also because Sendmail had exploits.
Re:Wait for the "backlash" (Score:3, Insightful)
What happens to this when it's Windows, and it's suddenly "WINDOWS WAS DESIGNED FROM THE BEGINNING WITHOUT SECURITY IN MIND!!1." You know, the standard hysterical absolutes.
Oh? You mean nothing is 100% secure? You mean Linux has more monthly than Windows? People need to get off their high horse and gain some perspective. [linuxsecurity.com]
Re:Wait for the "backlash" (Score:5, Insightful)
Both were designed as insecure -- sendmail because the net was so small in those days that you could trust it, windows because it was intended for single-user off-net PCs.
Neither is securable. Both need to be replaced while maintaining backwards compatibility. Windows got Windows NT, Sendmail got qmail, postfix, exim and others.
Windows NT is still terribly insecure, qmail/postfix/exim are rock solid. Why?
Because the mail compatibility relies on a well thought out open standard (RFC822) whereas Windows relies on an entire slapped-together API.
So stop being overly critical and learn something! :-)
aMy postfix is extremely secure (Score:3, Funny)
And this isn't an advertisement how? (Score:3, Interesting)
"The Dodge Ram has had a number of documented problems over the years. However, for less problems, try the Ford Explorer."
Come on...
Popular open-source packages with security holes (Score:5, Informative)
- wu-ftpd. Most recently known for the crack of alpha.gnu.org.
- sendmail. "Not having sendmail is like not having VD", according to popular wisdom
- vixie-cron. I don't even know of a "virgin" distribution of this, which is probably a good thing; all the Linux vendors have their own set of extensive patches to vixie-cron.
There are multiple choices for replacing each of these, most of them a written-from-scratch replacement. Not all of these are perfect, either, but at least they're less popular, so (hopefully?) less likely to get hacked.I personally run fcron, postfix, and proftpd instead of the more popular packages. I don't honestly claim that they're any more secure, in all cases they were mostly personal choices having to do with cleanness/installation ease.
Re:Don't forget BIND. (Score:5, Interesting)
BIND was originally was an implementation in C of Jeeves, which was the original PDP-10 DNS implementation. This explains some of the cruft (but in fact I don't feel that BIND has all that much cruft).
Re:Don't forget BIND. (Score:4, Informative)
SMTP (Score:3, Troll)
Re:SMTP (Score:4, Insightful)
This configurability honestly isn't needed today in 99% of cases. The number of people I know who need a bang-path to get mail to them (uucp) is now down to two.
But the ability to do things dynamically in sendmail through its configuration file isn't necessarily a weakness, the regex abilities are often used for other things today.
Old News (Score:5, Insightful)
Why is this being posted nearly half a year later? Solely to advertise Postfix?
Postfix virus filter (Score:4, Informative)
stop executable (ie virus) content. And nobody
in my company got the recent SoBig virus. Here's the line:
Re:Postfix virus filter (Score:5, Informative)
Even more fun than than that (in newer versions o' postfix) is this one:
Mostly I like that because you include the actual extension in the return message and it allows the string "file=blah.exe" in headers other than those two that might cause a problem
Note that I left .com out of the list because that one also catches messages with URLs attached (like, http://domain.com/). Since we mail URLs a lot where I work, that's not so good to block.
Re:Postfix virus filter (Score:3, Informative)
Other example scripts can be fond on the left-bottom of
here [hispalinux.es]
I prefer to keep it simple. Ie not filtered for spam strings, etc. Just stuff catching content that is very very obviously bad.
MTAs for desktop/client installations (Score:5, Interesting)
(Offtopic: A similarly nice, elegant solution for desktop/clients PC printing is pdq [sourceforge.net], which unlike lpd and cups runs only as a local spooler without opening a network port, and is lean (65k), dead-simple and functional. With nullmailer/ssmtp & pdq, I managed to close all ports (except of course SSH) on my two desktop PCs under Debian GNU/Linux without any firewalling. AFAIK, Debian is the only OS offering all the aforementioned pieces of software as part of its main distribution.)
sendmail is NOT that popular (Score:4, Interesting)
According to http://cr.yp.to/surveys/sendmail.html [cr.yp.to] and http://cr.yp.to/surveys/smtpsoftware6.txt [cr.yp.to], Sendmail has long been trending towards less and less hosts running it. As of his last survey two years ago, it was at 42%. And if you look only at "serious" MTAs, those for sites that have heavy mail volumes, you'll probably see even less Sendmail.
Newspapers not so wrong? (Score:4, Insightful)
Assuming each e-mail passes on average 3 MTAs, and sendmail is used on 50% of those servers, that gives:
- .50 (probability first server rung sendmail)
- .50*.50 = 0.25 (probability second server runs sendmail, if first didn't)
- .50*.50*.50 = 0.125 (probability third server runs sendmail if first two didn't)
Summarizing: in 87,5% of cases, the e-mail was handled (= routed through) by at least one MTA running sendmail.If sendmail is deployed on 40% of the servers, the same reasoning gives a total of 62,4%. So the newspaper talking about "routing" and not about the percentage of servers running sendmail, may be correct.
My 2c.
a good comparison of all the major mailers (Score:3, Informative)
"major" being: courier, sendmail, postfix, exim and qmail.
it looks like it's about a year old, and has some missing information, but it's a place to start for anyone looking to switch MTAs.
The article didn't mention the best feature (Score:5, Informative)
smtpd_recipient_restrictions = permit_mynetworks, permit_mx_backup, reject
permit_mx_backup_networks = 64.15.260.112/27, 282.66.92.0/22, 67.91.305.33/32
(specific addresses changed to protect the innocent, and yes, I know that a byte can't exceed 255, that was deliberate)
This tells Postfix to accept mail for any domain that has an MX in one of the specified networks. So whenever I add a new domain to one of my primary MX servers, I don't have to change the configuration on my backup MX servers at all.
Re:I use (Score:3, Interesting)
You could try Debian; not only does it not install Sendmail by default (I think they're on Exim now; used to be smail, IIRC), but it's designed to only have to be installed once, ever, which solves your other problem.
Re:Its look like Qmail Vs Postfix war (Score:5, Interesting)
(this was on stock redhat 7.2 installs with scsi raid 5 disk arrays)
Re:.. in scripts? (Score:5, Informative)
I can't comment on other MTAs in that regard.
Re:Replacing SENDMAIL does not eliminate problem. (Score:3, Interesting)
Re:Exim for me (Score:3, Interesting)
Switching to Exim was great, I thought the config file much better. When I rebuilt my server to Gentoo a couple of weekends ago, I moved to Exim 4.1 and thought the config even better.