Domain: exim.org
Stories and comments across the archive that link to exim.org.
Comments · 91
-
Re:reverse checking on senders address
Exim already does this. I have it turned on, and it does cut down on the amount of spam. The one annoyance is genuine mail that is unreplyable. It shouldn't be sent, but lots of things happen that shouldn't... Even groups.yahoo.com went through a period when it wasn't accepting bounces.
-
What a pain
There are better methods. Message analysis (ala SpamAssassin), spam clearing houses (ala Razor), RBLs, bayesian filters, and sender address verification. I use all five at my site, and my users are happy.
Plus, can you imagine a potential client of your company e-mailing for information, only to be sent a TDMA message? I'd bet money that person would either not know what to do, or just ignore the message and think you never got back to them.
-
Using TLS for SMTP/POP3/IMAP
Well, why not use Exim as your Mail Transfer Agent and transfer your POP3/SMTP/IMAP inside an SSL/TLS tunnel?
-
Exim
For those out there looking to replace sendmail, I suggest Exim.
It's extremely stable (we've been running it on our mail cluster for 326 days now with 0 seconds of downtime) and unlike sendmail it doesn't have a config file that looks like line noise.
-
Re:happy 1.3 user
The latest version of SpamAssassin also has a Bayesian junk mail filter in it. Tie this together with Exim and SA-Exim, and you've got a tarpit which can learn from the kind of spam which it receives.
Tarpits rule. Why just reject spam, when you can hold the spammer's connection open and continue to suck up resources on his mail server for days? And when the spammer hits enough tarpits, he'll be dead in the water... even quicker if he's stupid enough to try a dictionary attack. If you run a mail server, stick a tarpit on it, and you'll be doing a lot to help stop spammers.
-
chilling, censorship and monoculture.
I agree with all of your concerns about early and full disclosure of exploitable bugs. The fact is that other packages can be used when serious exploits are found and that decision should be made by each administrator guided by full knowledge. The "there's always someone better" rule should always be applied when you discover an exploit. Hiding the bug is as good as not knowing about it. This stood out:
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SANS Institute, a research and education group that lets security companies, system administrators and others share information. "The DHS are the ones that can put the pressure on all the vendors and keep it quiet."
How, exactly, did they keep people from talking? Could the same be used against private citizens?
More chilling however, is the implied government guidance and endorsement of private work and enforced silence. What is the federal government doing working with Sendmail INC? How about a little of my tax money going to Exim's developers? I'll pass if that means that no one can talk about bugs the feds happen to stumble across. Is sendmail to be considered the "secure" mail program, sanctioned by my federal government?
At first glance, centralization of bug fixes within the federal government sounds good but it might make problems. This poster sings praises for the effort, having been told what patch to apply without a meeting to get his opinion. What he seems to have missed is that the red tape still exists, hence the lag time between discovery and implementation, it's just been taken from his control. Now, if this kind of thinking is applied throughout the federal government, every one of their machines will be running exactly the same software! Bust one, bust all. The creators of this agency hope to bring the best talent to the problem. If they have done that and if they stay out of the way, great. What I fear however, is the usual political pressures turning this office into a means of making money for particular vendors of software. It could and might result in a system that enforces worst practices everywhere, especially if the government decides that private networks are also "security risks" to be managed.
-
Re:Cross Upgrade to QMail
Another great alternative is Exim. Exim has an excellent security record, Postgres/MySQL/LDAP/DNSDB/CBD/etc/etc support and a relatively easy-to-understand configuration file format. It's also fast as all hell.
-
exim
I like exim. And I've heard good things about PostFix from people whose judgement I respect.
-
Re:caching and diffs (Re:Having read the article..
-
Misconfigured Systems and Prior Offence Records
While people complain about the collateral damage caused by most spam prevention techniques, and others advocate Paul Graham's idea of Bayesian filtering, the one question remains: Why are we still going after the symptoms of the problem, rather than the cause? This brings me to my barrage of questions. What are your policies (as an ISP) on configuration of clients' mail servers? This stems from a recent debate on the exim-users mailing list (archived at the Exim homepage) about interfering with customers' set-ups. Some of the participants believed that it was not their duty, or their business, to tell people how to configure their servers. Some even go so far as saying that it's not good for business. What these posters seem not to understand is that the whole Internet concept relies on all participants helping with the upkeep of the network. As an ISP, what measures are you taking to ensure your network is clean? Are blocking access from DSL and dial-up subscribers to port 25 on servers other than yours, and checking the configuration of customers' mail servers for proper relaying restrictions, measures that would be acceptable to yourself and to customers? On a second point: What are your policies as to the records of new customers that you contract? Does your contract include a clause allowing you to investigate customers before granting them access, and is this at all legal? Would you check for records such as those found on ROKSO (operated by the Spamhaus Project), before allowing a customer direct IP traffic to port 25, anywhere in the world, for instance?
-
How to fight back
I'm going to take advantage of a duplicate article, shamelessly grab a place near the top of the replies, and tell y'all how to fight back against spam.
1. Get a cheap discarded PC and install Linux on it. Get one of those 'always-on' net connections to your home, like DSL or a cable modem. You'll need a service plan that gives you a static IP address. Register a domain name of your very own, and use dyndns.org to point your domain name at your PC. This has the added benefit of letting you host your own web site on your own domain name if you want to.
2. Download the Exim mail server and install it on your PC, and set it up to accept email for you. You'll also want to set up an IMAP server so that you can fetch your email from the PC. Now you can make up any address you want on your new domain, and have mail sent to it reach you. This is great for when you need a one-time throwaway address for something.
3. Install SpamAssassin, and also install SA-Exim to link SpamAssassin with the Exim mail server. This will let the mail server identify and reject spam instead of only dealing with it after it's been accepted.
Once you run this for a while to make sure it's doing a good job of identifying spam, turn on SA-Exim's teergrube ('tarpit') feature. Now, when someone tries to send you spam, your mail server will hold the spammer's connection open indefinitely by sending it occasional 'keepalive' messages without ever sending an accept or a reject. Once the spammer stumbles across enough teergrubes, the mail relay he's using will hit a process limit and be unable to continue sending spam until the spammer notices and resets it or moves on to another relay.
Teergrubing is a passive way of tying up a spammer's resources, or the resources of an open relay that's being abused by spammers. It has a negligible hit on your own resources. The more teergrubes (and honeypot web pages which feed spamtrap addresses to address harvesters) pop up out there, the harder it will be for a spammer to simply spam millions of people with the touch of a button.
-
Try Spamassassin-Exim
Using SA-Exim (and Exim) I can reject messages at SMTP time which are above a set threshold.
Nice to know that not only can I avoid looking at the spam, I can flat out refuse to accept it when it comes in! Mind you, it does save it to let me look at it before I /dev/null it, but gives me much more satisfaction than just dropping it in a different folder.
-
Re:Tiscali == Full of FTP Ab..isn't this illegal?
I always thought this was illegal.
What, portscanning? In the U.S. at least, some courts have ruled it legal, whereas some courts have considered it an element of computer crime. I don't know what the case is in Italy.
It is theoretically possible to block IP scanning almost instantaneously, if there was a protocol that traded information with other clients when it was abused.
Sure. Now, tell me how you'll secure this protocol from forgery -- so that when Joe Hacktivist gets pissed off at CNN kowtowing to Red China again, he can't just tell the world that CNN is scanning him and get them cut off the Net.
Think also of the sheer quantity of processing that is involved in maintaining routing tables now, and how fucked-up the Net gets when routers do stupid things or when rogue ISPs (like Above.net) propagate fraudulent routes as a mechanism of censorship.
-
Re:Not a troll, but
-
one thing I haven't seen mentioned...
exim. From their front page...
In style it is similar to Smail 3, but its facilities are more extensive, and in particular it has some defences against mail bombs and unsolicited junk mail in the form of options for refusing messages from particular hosts, networks, or senders.
It's not just a spam filter, it's a GPL'ed MTA. Perhaps that's why no one mentioned it. It works, though. Well, for the most part. I just re-activated my hotjobs account, and now I'm getting resume spam, but the offers to enlarge my penis (erm, yeah, that won't work at all), enlarge my breasts (uh.... that's not useful. I don't want to have to wear a back brace, or buy custom-made undies), re-finance my house, sell my children to Zimbabwe, or CHECK OUT THESE HOT TEEN SLUTS have actually stopped appearing in my inbox.
-
Re:One folder to rule them all...
-
Re:Mailing-lists
This company then fixes the problem and offers to fix, for free, any windows that exhibit this problem. But you never registered your windows with the company, so they don't know how to contact you and tell you about the problem.
Maybe things wouldn't be quite so bad if we did receive updates from Microsoft, directly. I've installed Windows on lots of machines, registered them properly and everything. Never once has anybody from Microsoft phoned, or emailed to let us know about a security problem.
Like most other sysadmins the first notification I get about a problem with a particular program is when I read Bugtraq, or NTBugtraq.
Just to keep this on-topic: I'm a sysadmin at a large company. We filter out attachments as they arrive, via some magic with exim - In the two years that I've been here we've never been hit by a single virus.
-
Re:Some explanations???
The easiest way to get W2000 DHCP server DOSed is to administer it with NT4 dhcpadmn.
As this requires admin privileges it won't count as a 'security bug'.
How many mixed NT4/2000 environments have you seen in the past?
You probably have to repeat that over and over again - the biggest threat to a working system are [in-|over-]competent admins. In the past it turned out that neither of the two worlds was immune to inadvertent misconfiguration.
Feb 4 08:15:36 hal9000 bind: refused to HUP and re-read the configuration file /etc/named.conf as there's utter bullshit in there
I am not asking for a system that is more clever than we are, but starting a second instance of a critical server to check the config file shouldn't be too hard. Yes, exim and some other un-redhatized products can do that...
-
Re:No surprises here
There are solid competitors for all of these.
ftpd: Proftpd wins, hands down. Configuration is like Apache except less crufty. It's modular, and pretty secure too (I can't remember hearing of any major security holes). Some people who use it: ftp.gnu.org, download.sourceforge.net. Enough said. www.proftpd.org.
bind: bind 9? I can't really think of a replacement except DNScache, and I've never used it. I have no idea if it's better or worse or just weaker.
sendmail: I hear qmail is extremely good, if you don't mind DJB's bizarre lack of license (also applies to DNScache). Qmail purportedly runs Yahoo! Mail among others. Otherwise, the only other alternative I can think of is exim, which is designed to be easier to configure and simpler IIRC.
Next time, post some links or something. Sheesh.
Daniel
-
Re:No EZMLM?
-
Re:go with qmail
No, no, no.
If you want to go the "Sendmail is buggy" way, well, at least, try to be informative where the alternatives are concerned.
For those who wish to try another MTA, the three big ones, not counting Sendmail, are Exim (small and easy, good for your home net), Qmail, and Postfix (fast and powerful, my personal fav). All four have their good points, and all four are certainly worth checking before you decide on one.
See? I mean, if Sendmail is still so widely used, there is a reason, you know... :)
-
Look at Exim
No one has yet mentioned exim as the MTA. It is very widely used in the UK and has outstanding filtering capabilities (and is a very good, well supported GPLed MTA).
It integrates well with either cyrus or UW-IMAP for POP/IMAP access. As for webmail stuff, take a look at the archives of the exim mailing list to see what people there have used and recommended. A good webmail system will simply be a front end to a good IMAP server, since IMAP does everything that webmail should do (except for the HTTP interface).
-
Re:Automatic
I run exim at work as our SMTP server. It supports TLS for using ssl when sending and receiving (if it converses with a mail client or other server that supports it).
I've educated the users about ticking the ssl option on their email clients, so emails are automatically encrypted at least to our mail server, and sometimes on the next hop too (I have spotted in the logs a few other servers talking via ssl to us).
This doesn't give you the same benefits of encrypting the message before you send. The mail is unencrypted when in the mail spool, there's no guarantee the hops'll all be encrypted, but it's a start at least - and if more servers do bring TLS facilities online, then you'll get encryption happening automatically without the users having to worry about it.
-
Hmmm. WTF are you on about?
I don't think .NET has been released yet, though. As for the "open source hype", well, I am using open source technology exclusively on our systems at work and it has been an extremely successful venture. To give you some idea, we have up to 5,000 mail accounts running on exim, 3,000 shell accounts, run an industrial strength DNS system, industrial strength, internally developed network management systems running on Zope/Python, and a staunch news server all running off an 8-node MOSIX cluster.
-
Best server: 127.0.0.1
Your best bet is to run your own mail server. Register a domain and get some friends to run nameservice for you. Get a static IP and point a MX record for your domain at your machine. Run a decent MTA like Exim, Qmail, or Sendmail, and you're set. The price is right, too.
Chris
-
Re:Mail a problem, too.
Investigate the latest version of Courier-IMAP which has built in support for IMAP-SSL/TLS, as opposed to using stunnel.
stunnel is great for a small number of connections, but the overhead of launching a new process every time is fairly significant as you scale up, so Courier does a great job of a lightweight, secure IMAP server.
You have to use maildir - but both Exim and qmail support it natively now, and it's far superior to the traditional mbox format anyway.
-
Re:a good reason not to use *nix
Well, to be honest, it's your fault for using BIND!
BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.
Also, investigate alternative, and far superior servers for services you want to run.
Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.
Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.
Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.
-
Well Said. Let me add a few things...
Nice post.
Regardless of which IMAP server you use, I would recommend that you still make a POP3 server available. If you go with Cyrus, I'm not sure if this is possible but I know you can mix UW IMAPd and other POP3 servers.
For POP3, I highly, highly recommend cucipop. Search for it on Freshmeat. If you're commercial though, you might want to review its licensing terms. Cucipop's advantage over qpopper is that Cucipop runs as a standalone daemon. This makes a *huge* speed difference on lightly loaded POP3 servers and an unbelievable speed difference on a heavily-loaded server. When I switched to cucipop, I actually got comments from users who noticed how much faster "netscape checked mail".
As far as Windows-based clients go... I like Eudora myself. Its IMAP support is kinda funky--it stubbornly insists that each server be a subfolder of your main inbox folder. I don't like huge nests of mail folders so I find this annoying. To get around this, I just use POP3.
Outlook is a bloated pig and seemed difficult to customize. Outlook's calendaring is nice but there's probably a standalone calendaring app that does just fine. Netscape Communicator does IMAP nicely but I don't like the lack of customization options.
For *nix clients, pick your poison. I'm sure some folks here will flame this but if your *nix clients have good NFS file locking support, you can't beat exporting /var/mail to your local network and letting people mount and read mail from this partition. If you don't want to do that, POP3 retrieval to users' local machines with fetchmail works nicely.
For MTAs, take a look at Exim. Exim is very fast and I found it a bit easier to configure than Sendmail. Exim's filtering capabilities are top-notch and you don't have to have a PhD to implement them.
For OSes, I'm a FreeBSD bigot so I'd urge you to give FreeBSD a try. I used Linux starting in 1994 but switched to FreeBSD when I got tired of patching up the million and one r00t exploits that my Linux boxes were vulnerable to. FreeBSD is fast and very stable--our boxes have 300+ day uptimes. They would have 700+ day uptimes had we not brought them down for RAM upgrades last year.
buena suerte!
chris
-
Filtering at the MTA
Someone has posted a recipe for postfix here
I'm told you can just adapt the Melissa one for sendmail
Here is the recipe for exim
# exim filter
# -----------
# Put this in your system filter - say
# /etc/exim/system_filter.exim
#
if $h_subject begins "ILOVEYOU" and not error_message
then
fail text "you appear to have a virus on
your PC (see http://www.fsecure.com/v-descs/love.htm).\n
Check your system, or rephrase the subject"
endif
You need to call this filter from your config file, so add
message_filter = /etc/exim/system_filter.exim
to the main section - remember to HUP or restart exim after this.
The list archives have some ongoing discussion on this - including some more devious filters for VBS scripts.
-
Re:Heh!... or try _this_ solution instead...
Anyone know if spammers are stripping off the stuff after the + symbol? I might have to get more creative.
ISTR Exim allows you to specify an arbitrary character as the separator. If spammers did get wise to the + symbol trick, all you do is change the symbol used.
-
Exim...agreed.
I really like Exim. It does what I need it to do, with minimal fuss. I also like that Exim is GPLd.
And, it's really quite flexible. There are other good MTAs of course, but I wouldn't count Sendmail among them.
Interested in XFMail? New XFMail home page.
-
Re:Why Sendmail? Exim
I find Exim to be an excellent MTA. It is easy to set up, yet very powerful, and it works like a dream.
Sendmail is just a large, crufty piece of software with a lot of security holes. I know that a lot of time has been spent on it to fix these problems, but I think Red Hat's money would be better spent on further developing the other MTAs out there which are better, such as Exim and qmail.
Still, any investment is better than no investment I suppose. I just dread to think what Red Hat is going to do with the results, are they going to be 'Red Hat-ised'?
-
Mailbox format can definitely affect performance
The original posting doesn't say if the server is running pop/imap, and thus if it is used as the final delivery point for those 10,000 users.
If it is, then the hashing of the mailbox path that lucky luck mentioned is worth investigating. Also worth investigating is alternative mailbox formats. If you're using mbox format, then I'm not surprised there's a problem if you have a large number of users (and/or reasonably large mailboxes).
There has been some discussion about these issues on the exim-users mailing list. I read it via egroups.
-
Don't forget Exim
Just a plug for Exim, a GPLd MTA that is easy to configure, but still quite flexible.
Sendmail is still necessary for certain special cases, like when you need BITNET support, or something else out of the ordinary.
But, I think for most users, Exim is a better choice.
If you haven't played with Exim before, you really ought to check it out.
--
Interested in XFMail? New XFMail home page
-
Re:QMAIL blah blah
exim is also an excellent mail transfer agent.
-
Sendmail, open source, etc.
The unusual thing is that sendmail for NT is not open source.
It's not really odd; they've been advertising their closed-source Sendmail Pro thing for some time here on Slashdot.
Of course, the only reason anyone would need Sendmail Pro is because of the sheer user hostility of sendmail.cf and friends. Keep that bat book handy.
I've switched all my machines over to Exim. Nice configuration files, and licensed under the GPL.
I think the real question this article raises is...if you're setting up a mail server, and you've chosen sendmail as your MTA, why in the heck would you want to run it on NT?
--
Interested in XFMail? New XFMail home page
-
Why qmail?
Is qmail used primarily for security benefits, or for some particular feature?
I'm just wondering, because I'm somewhat surprised Bruce isn't using the GPLd Exim for his MTA. I've found it to be quite good, and it scales up well to at least several thousand users. Easy to configure, too. It doesn't support some of the more exotic transports like BITNET or FidoNet, though, I think.
I'm guessing security, since I seem to recall a quasi-flamefest on Bugtraq between qmail and Secure Mailer over that issue.
--
-
Re:I assume you're referring to sendmail holes ...
For what it's worth; I've been using Exim now for quite a few months and have found it very capable of doing everything that sendmail once did for me. In fact; Exim provides quite a few methods that give functionality which I would only have dreamed of in Sendmail. Exim is also released mostly under the GPL (three pieces of code exist which are not GPLed, but I think it would be possible to leave them out if one is a purist).
-
/etc/passwd is not a flat file on real systems
On many of the modern Unix variants, /etc/passwd is only a textual representation of a database file which holds the real user information.
getpw*(3) uses this database file to access passwd data. This makes things way faster than it used to be, for example, on SunOS4, where ls(1) was written so stupidly that it scanned the (sequential) passwd file for every single uid lookup it needed to make. Typing "ls -l /home" on a SunOS system with like a thousand registered users was an invitation to get ahold of some (some!) coffee.
Speaking of today, FreeBSD uses a DB database to store passwd information (in fact, it has two databases, one with and one without passwords, for "security"). This speeds up lookups quite a lot, but beware: The DB files are still generated text files, so adding users with such huge user databases is a real pain.
The question is whether you actually want to create that many Unix user accounts. For mail servers, you can often get away better with creating mail accounts only. This requires some hackery with your friendly MTA (postfix, qmail, sendmail, exim or even smail), but it is quite doable and also has positive security side-effects.
Look into Cyrus imapd if you need a message store implementation which is able to handle mailboxes for users who don't have a unix login. Beware, Cyrus comes with a pretty tcl-based administration interface which you almost certainly want to replace by a bunch of home-grown perl scripts to automate administration.