Domain: postfix.org
Stories and comments across the archive that link to postfix.org.
Comments · 201
-
Re:The Security Concerns
-
Work that bandwagon, people - groupthinkgroupthink
If sendmail is so egregiously evil, how come most alternatives to sendmail are basically less functional sendmail clones?
Wietse Venema's Postfix and Eric Allman's Sendmail X are API-compatible total rewrites of sendmail. Postfix is currently stronger, but sendmail X implements pretty much the same shite as postfix, so the advantage is code maturity - right now postfix is arguably better than sendmail 8 (which is what NetBSD ditched, incidentally) and when sendmail X gets its legs it will probably be even better. Each one incorporates lessons learned from its predecessor.
Run postfix if you are starting from scratch; it's easier to learn. If you already know sendmail, or you need antique transports, run sendmail 8; it is more flexible. When sendmail X is mature, run that (run it now on your test machines). When the next evolution of MTAs arrives, with telepathic agents and antigravity packaging, run that.
Remember that the criticisms being leveled against sendmail 8 are equally valid when applied to old-school unices like NetBSD. Ancient codebase, long history of security problems, tough learning curve, etc. But *nix still has its uses (particularly the newer rewrites like linux).
-
sendmail.cf test
But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)
In that the mediocre admins will bodge some hacks into sendmail.cf to make sendmail appear to perform the job they need it to, whilst the best admins will take the presence of sendmail.cf as an indication that they need to remove sendmail and replace it with something that's actually fit for purpose? :-P
-
Nothing new here...
I've always wanted to know what MTA software they use at Yahoo. I've always assumed it was something homegrown, but have never heard anything one way or the other.
I was working at a large ISP and around six or seven years ago I was troubleshooting this exact problem. I noticed these same symptoms with yahoo where some of mx's were available sometimes, rarely, or never. This particular problem turned out to be that yahoo's MTA will not communicate with Post.Office, at the time a product of Software.com. Very bizarre. Even watching the traffic with a network sniffer, I could see no explanation at all.
The interim fix for that particular problem was to simply tell Post.Office to route all mail bound for yahoo.com addresses to a small Sun Ultra1 that I quickly put into production. I put postfix on it which came to the rescue just fine.
-
Take a look to Postfix
Take a look how Postfix is programmed http://www.postfix.org/OVERVIEW.html
-
Here are my facts...
As an 'expert' system administrator (albeit unpaid) I have four servers. One is running Microsoft Windows Small Business Server 2003, one is running Microsoft Windows Server 2003, one is running Ubuntu Linux 5.10 (Server), and the other is running Apple OS X Server (10.4).
I can tell you now that when I first started my company, although I was a major advocate of Linux, I soon found that I did not have the time to maintain a then Gentoo or custom LFS distribution, Debian was far too heavy to pick up, and Slackware felt a little dated. So I took a look at Microsoft Windows Small Business Server 2003, liked what I saw, and bought a Dell PowerEdge 400SC with an OEM install.
At first Small Business Server was a breath of fresh air. It was easy to maintain, with a full complement of features, having been bundled with Microsoft Exchange, Microsoft SQL Server, and Windows Sharepoint Services. I actually enjoyed - yes, enjoyed - using it.
Until backup started to fail. Until my tape drive disappeared. Until the sharepoint website database got corrupted. Until exchange monitoring failed. Until the POP connector started to thrash the CPU. Until the Windows Update website failed to check for updates.
These things happened. I'm not saying that they wouldn't happen with another system, but that is not the point, since they happened to me, and that caused me grief, and time, and money to resolve. I ended up trying to build a new system based on Microsoft Windows Server 2003, since I already had Microsoft specific data (files and tables), but this proved even more difficult to maintain.
I struggled for eighteen months, and then decided to build an Ubuntu 5.10 server. I use Ubuntu on one of my laptops, and had gently learnt the apt- way, and liked it. I set up a server with similar features to the Small Business Server, using Postfix, MySQL, and Plone, and even went some ways to transferring my sharepoint data. It works. It hasn't failed yet.
I bet the guys who took part in the survey only set up a server, installed some applications, and patched it. I bet they didn't try running a business for 18-months, just to see what it was really like.
I must say that we recently purchased an Apple PowerMac, and were so impressed we are now looking at completely switching, hence the OS X Server. It is a dream to install and configure, but we are going to run it for several months until we are satisfied that it can do the job.
-
Re:Opensource list
I just add a bit on that list from top of my head.
Although I think the listed app goes beyond what the so called 'average pc user' wants, but there goes...
1. Konqueror ( http://www.konqueror.org/ )
2. Email - Sylpheed ( http://sylpheed.good-day.net/ )
3. I think Evolution is more like in this place.
4. Lately "Sound Juicer" is taking more attention too
5. VideoLAN aka VLC ( http://www.videolan.org/ ) and Ogle ( http://www.dtek.chalmers.se/groups/dvd/ ) [and Goggles ( http://www.fifthplanet.net/goggles.html ) for Ogle GUI wrapper] for DVD watching.
6. There are plenty way to do this, but the typical ones could be 'Jinzora' ( http://www.jinzora.org/ ) and 'MusicPD' ( http://www.mpd.org/ ), even plain Apache does it fine too, in a way.
8. If you want easier to manage iptables wrapper, Shorewall ( http://www.shorewall.net/ ) and there are other wrappers too.
9. KOffice ( http://www.koffice.org/ ) and by individual components, Abiword ( http://www.abisource.com/ ), Gnumeric ( http://www.gnome.org/projects/gnumeric/ ), Gnucash ( http://www.gnucash.org/ )
10. Inkscape ( http://www.inkscape.org/ ) or Sodipodi ( http://www.sodipodi.com/ ) for vector graphics.
11. Miranda ( http://miranda-im.org/ ). Windows only.
13. Hmm, Samba? ( http://www.samba.org/ ), WebDAV (Look parent post), FTP (plenty ftp daemons, ex : http://www.proftpd.org/, http://vsftpd.beasts.org/ etc)
16. GPhoto ( http://www.gphoto.org/ ), EOG ( http://www.gnome.org/ ? ), GQView ( http://gqview.sourceforge.net/ ). The latters are for just viewing mainly.
20. FreeNX ( http://www.nomachine.com/ , http://freenx.berlios.de/ ) http://www.poptop.org/ ), L2TPd ( http://sourceforge.net/projects/l2tpd ), RP-L2TPd ( http://sourceforge.net/projects/rp-l2tp/ )
24. Postfix ( http://www.postfix.org/ ), Sendmail ( http://www.sendmail.org/ ), Exim ( http://www.exim.org/ ), Cyrus ( http://asg.web.cmu.edu/cyrus/imapd/ ), Xmail ( http://www.xmailserver.org/ ), qmail ( http://www.qmail.org/ )
25. Spamassassin ( http://spamassassin.apache.org/ )
26. Same as above.
27. XSane ( http://www.xsane.org/ ) for sane frontends.
30. Buzzmachines ( http://www.buzzmachines.com/ ) I could be wrong...
31. 'various GUI frontends' - X CD Roast ( http://www.xcdroast.org/ ), K3B ( http://k3b.sourceforge.net/ )
32. Don't know any opensource ones...
-
Re:Hmm
postfix is clearly written and well commented ANSI C, one of the better examples around.
milter-greylist is also reasonably clearly written ANSI C.
gnu wget is written in ANSI C and seems reasonably well commented and clearly written.
-
Re:qMail
A good place to start is exim.org if you
1. do not want to use Postfix which runs almost perfectly for small networks in its default installation on many distributions.
2. want to run a powerful, MANAGEABLE open-source mailserver
I strongly advise against using qmail. It is not open-source and may not be redistributed in a changed form. So you have to patch it up yourself if you want to add some features it didn't have at its latest release 1998(!). Furthermore it uses DJB's obscure daemontools which are so unlike init it hurts. It is a nightmare alone to get rid of them.
Hope this helps.
ps. Flame me, I know you will. You know who you are.
-
Re:Dumb Question...
SMTP AUTH
Mail server documentation is written for IT professionals and system administrators who know what they are doing.
This is not meant for end users.
And if you had bothered to read those links, they are newbie friendly and actually explain in depth what the changes you are doing do to the mail system.
Also, MUAs are supposed to submit mail on 587/tcp via SMTP. I recommend you follow that rule.
-
Re:Dumb Question...
Basics
Standard configs
You shouldn't need to really configure much more than that.
-
Re:Visiting windows update once in a while
At my office I have MailScanner configured with Postfix, SpamAssassin, and ClamAV. Every bit of this configuration is free (beer and speech) and works very well. I have the rules set fairly loosely, yet it still manages to catch >80% spam and I have yet to see a virus make it past. It is a bit of a bear to set up, but for those who would rather not, all of those packages can be found in openprotect (with or without commercial support).
Now, for the caveat. As is the case with any type of email scanner, it is very resource intensive. As such, I have a dedicated dual Athlon machine which handles scanning for 50-100,000 emails/day and it stays very busy (load over 1, >50% processor utilization).
-
Clamav
Clamav rocks for me on the mail side. Postfix, Amavisd-new, Clamav, SpamAssassin combine to form a very efficient virus and spam filtering/classifying system.
Get them here:
Postfix
Amavisd-New
Clam antivirus
SpamAssassin at CPAN
You would be particularly interested in header_checks, mime_header_checks and body_checks for Postfix.
-
Re:linux speed of response?
Linux and FOSS is affected by Windows viruses.. Let's see.. because of Windows viruses, my Linux based mail servers have had lots of great FOSS software developed to help combat the issue. On the down-side, many of these Windows viruses have also greatly affected my Linux systems due to DDOS attacks that have origins pointing back to viruses and other malware that has infected Windows boxes.
-
lost worker productivity isn't only spam cost
lost worker productivity among end users is just one important factor in the total cost of spam.
there are a number of other important factors, including:
- more time spent administering e-mail servers: keeping MTA current (e.g. sendmail or postfix upgrades) and keeping anti-spam software up-to-date (e.g. spamassassin upgrades, some occasional score tweaking, etc)
- occasionally upgrading server hardware to keep pace with increasing spam bombardment
- time spent investigating major spam incidents and/or abuse complaints (e.g. resulting from spam sent with headers forged to look like they come from your domain)
- bandwidth and disk space used by spam
-
Re:The problem with trying to outlaw spam
-
Re:Screenshots?
I know what you mean, it is a powerful tool to attract new linux users, but beyond that, shouldn't the focus move more towards better apps?
I guess it just comes down to what people like to code. Some like to code practical, easy to use applications such as postfix, neomail, and gambas. Others however, like to make flashy looks-good-on-your-desktop things, and that's ok. It's just that it's generally an easier sell if it can do more things than look better IMHO.
-
Re:In-line SPAM filtering - never hits your server
Only problem with in-line scanning is the time/resource it takes to do it.
While great for low-volume mail servers, you really need a beefy box to enable you to have enough MTA threads for handling the initial SMTP communication, threads for doing the virus scanning/spam filtering, and CPU to do it in the time allowed by the SMTP standard (I *think* it is 180 seconds... probably enough time).
I don't know if there's an advantage to not accepting virus-laden mail as one can biff it "off line" without inviting more infection attempts (ie, after the message is accepted by the transport).
But, there's plenty of good reason to do spam filtering at that point: reject the message before you even store it, so your server doesn't even have to bother with trying to deliver to forged bounce addresses.
Last problem with that, however, is attack through backup MX host, but... I'm starting to digress.
Postfix has great integration for smtp proxies with their Before Queue Content Filter.
(That's not for the author, but for others who might want to learn more about plugging his suggestion into their mail server, or upgrading to an MTA that supports it).
-
Re:SPF Records
What if you wanted to communicate with a non-compliant e-mail recipient?
That's the trade-off. Just like many mail servers won't accept mail from people who have their DNS misconfigured or are an open relay. You can choose to run a mailserver which will accept mail of this type but then you're in for tons of spam.
Obviously, if SPF becomes the law of the land, and EVERYONE starts using it, the problem of spam would go away, at least for a while ;-)
Actually, SPF doesn't stop spam. All it does is guarantee that mail claiming to be from joe@example.com actually came from example.com's mail servers. So you could easily get SPF-compliant mail from stiffie@cheapviagra.com and it would pass SPF checks. You just won't get mail about cheap viagra claiming to be from bgates@microsoft.com. It helps with the spam problem because you can then make somewhat-reliable blocklists and reduces the effectiveness of spam zombies.
The original topic here was backscatter, and SPF addresses most of the current backscatter problem.
-
Postfix can help, even with no Spamassassin
I recently changed to Postfix as my Mail Transfer Agent.
The Postfix Spam Controls have reduced my spam by 95% without using complex spam filters like Spamassassin.
-
Re:More Eyeballs
W2K is generally considered quite stable, and relatively secure (again, with all of its patches in place)
That must explain that when I'm reviewing the patches on my SUS server that so damn many of them have descriptions that state things like "A security issue has been identified that could allow an attacker to compromise a computer running Windows and gain complete control over it." The number of root level exploits that those patches fix is positively stunning, as is the fact that they have to keep re-releasing the same patches and then issue even more patches to fix the same security issue and the bugs introduced by the previous patch.
You're also ignoring the security nightmare that is IE.
Agree with you about sendmail, though. Try Postfix instead--unlike sendmail, it was designed with security in mind.
-
Usability is a big deal!
Apache impressed people with its English-style configuration directives that have influenced other developers to switch to such logical formats. Another example: the Postfix MTA is becoming more popular and many users say they enjoy using it because of the straightforward configuration, compared to the m4 mess of sendmail. "It has to be complicated to be powerful" is no longer an excuse.
-
Can't Sue Me MS!!!
-
Re:Spam Filtering for Exchange 2003?
Like the AC said, put Exchange behind a proper MTA. Keep your exchange server inside the firewall for the suits to fiddle with their calendars and crap. Set up Postfix, Qmail, Sendmail, Exim or some other MTA as your internet-facing email server. I use Postfix with Amavis forming a nice interface to Clam-AV and SpamAssassin. I don't run exchange though. Can't help you there.
-
Re:Mail admin here, my solution was port 26
My first suggestion is to subscribe to the SPAM-L mailing list.
My next suggestion is to front-end Exchange with something stronger on security, especially if the machine running Exchange stores any confidential data (such as mail). For example, you can run a Postfix server on OpenBSD or Linux and configure it to accept mail for all your domains and pass them to Exchange. Put Exchange on a private IP address so it isn't reachable by the public. That will cover you between the times when exploits are revealed and you can get them installed. And this will let you build up some experience in this software, too.
And finally, help advise us on how better to get the word out to those mail admins that don't yet know. For example, what could we have done to help ensure you had become aware of these things a lot sooner? Is there some course you took that we should clue-in the teacher for? Is there some book you read that we should clue-in the author of?
-
Use Postfix 2.1 and header_checks
Use Postfix 2.1 and configure it to use two different smtp daemons on two different ip addresses, one internal and one external. Configure header_checks (and maybe body_checks too) to filter email coming in from the external ip address and discard emails with forged sender addresses purporting to be coming from your own domain(s). Postfix 2.1 allows you to have these filters on the external network interface, but not on the internal one.
See This Postfix HOWTO for more info.
-
FreeBSD jails
IMHO, BSD's jail() is one of the more interesting developments in recent versions -- at least for an internet service provider.
For those of you unfamiliar, check it out. It's very much like User Mode Linux and allows running virtual servers within a larger server. Many colocation/virtual server providers (e.g. take, your, pick) use FreeBSD jails to provide low-cost root-access hosts for customers. This really has revolutionized cost effectiveness of large scale hosting!
There have been various limitations with FreeBSD jails when they first appeared. There were glitches with information leaking across jails. There's a limit to a single IP address, inability to do raw socket operations or even ping/traceroute, and some glitches with a couple system calls used by major applications like Postfix.
But my understanding is that 5.x seriously improves jail support, especially from a resource efficiency perspective. One of my BSD developer buddies also tells me that he's fixing raw socket support. Keep an eye on the jail feature...
-
Re:It still won't work
Most email currently goes through Apache . . . I think that the open source community has done a pretty good job of creating the email server of choice. I think that they're probably the right group to also make it more secure.
To clarify someone's "ummmmmm" comment -- this is some sort of weird troll, right?
The Apache Software Foundation does support a project known as James, a "pure Java SMTP and POP3 Mail server and NNTP News server", but ummmmm...well, not a whole lot of people use it.
-
When next you announce..
The latest version of an application... how about including a link to the release notes / changelog. No point in upgrading if you don't know the changes - RELEASE_NOTES
-
Postfix Heaven
I just finished installing and configuring Postfix with TLS, Cyrus SASL, Maildir storage (which Postfix simply "does" by appending a "/" at the end of a mailbox path), and virtual users alongside Courier-IMAP, and, man, was it easy. I had the help of O'Reilly's Postfix: The Definitive Guide and between that, the provided documentation and the wealth of resources available on the Web, I was able to get everything up and running in record time.
I know this sounds like a commercial, but it's hard not to sound that way when everything just kind of worked the first time. I now have authenticated, encrypted SMTP and POP and my users are, literally, thanking me. My experience has been that using Postfix was an easy way for me to look good.
Here's a Postfix SASL HOWTO which came in handy, but there are a lot of resources on the Web, especially at the Postfix site.
-
I would have guessed much higher
Maybe 99%. More people should be reading all of these documents.
If every Linux and Windows machine ran Postfix with CRM114 by default (and with manpages and documentation), this would help. Maybe a new anti-spam Linux distribution is needed. MacOSX ships with Postfix, but not CRM114.
Do you have any idea how many open-relays still exist? Why does SMTP software allow '*' open-relays in the first place? Do you know how many proxy servers are out there on the Internet? How many SOCKS4&5 proxies that just allow any SMTP to be bounced? How many are seemingly closed but available with the CONNECT method? Let's close some of our holes, and prevent software from opening them in the first place.
Also - know your enemy. Why haven't people dissected the software these creeps are using. The majority of spam comes from a program called DarkMailer or DM. Let's reverse engineer this application and figure out how it works, so our defenses can be built around the enemy's weapons and not just generalizations about spam.
Finally, let's set some ethics and procedures about how to deal with spammers. Too many is the case that people just want to beat their heads in with baseball bats or delete all their files on all their computers. This activity is not productive. It's my firm belief that if you take away their tools and educate them, less spam will be out there. You make it a war -- and that's what you'll get. Passion drives creativity and efficiency.
-
Re:Patching is a faulty security paradigm
Sendmail is still full of holes. Sendmail 8.11.7 was released just over a year ago (30 Mar 2003). In that year there have been no less than 5 critical bugs discovered including 2 remote root exploits and a DOS vulnerability.
I got sick of playing whack-a-mole with Sendmail's bugs and switched over to postfix. In that year there has been only one bug discovered in postfix -- a DOS vulnerability. AFAIK, Postfix has NEVER had a remote root exploit.
Security is HARD to get right. Postfix was designed from the ground up with security in mind by one of the leading experts in the field of computer security, and it still occasionally has problems. OpenBSD is reviewed line-by-line for security problems by some of the most anal-retentive programmers in the world, and it still has an occasional hole. Programs like sendmail, where security is a poorly-implemented afterthought, can never be trusted.
-
Re:Worms seed proxy/relay farms
This comment is definitely worthy of an Informative, I have been saying for a long time that there should be a standard DNS record for SMTP servers to simplify blocking them from mail exchangers
Thanks... anything I can do to help reduce spam is time well spent.
There are actually two different competing standards for DNS records for indicating which source IP addresses can legitimately source email for a given domain, both were covered on Slashdot not long ago.
does anyone reading this know of other solutions (aside from write one) to block dynamic IP addresses from the mail exchangers?
I use rate-limiting. I've seen a few hacks that try to do string matches on the remote hostname for "dhcp" or "dialup" hostname patterns, but that really is a hack.
I use qmail-spamthrottle, with exceptions (high limits) for just a few mailing list servers. You can even populate the cdb file from the PDL and basically restrict the entire Cox cablemodem network to sending you one message per minute if you'd like.
Sendmail 8.13 (currently in Alpha testing) offers a very simplistic version of rate-limiting by source IP address. I've heard rumors of similar enhancements to Postfix.
-
Re:Postfix shortcomings
Postfix is both well documented, and well supported. From the well commented main.cf:
# The mailbox_command parameter specifies the optional external
# command to use instead of mailbox delivery.
[some snipping]
#mailbox_command = /some/where/procmail
#mailbox_command = /some/where/procmail -a "$EXTENSION"
So not enabled by default, but easily remedied if you absolutely MUST have procmail. You can also enable it on a per-user basis by leaving those lines commented, and then using a .forward file in your home directory that calls procmail.
As for playing with spamassassin or other 3rd party programs, no problem. A quick check of the Documentation page at www.postfix.org reveals all kinds of good info. The consensus on postfix-users is to use amavisd-new, and then call antivirus and/or spam filters from there.
Good luck!
-
Re:qmail
So, is qmail getting in on this solution????
Oh yeah. This will be patch #23451 you have to apply before the damn thing will actually be usable as a mail server.
Seriously, use Postfix instead.
-
End of what?
-
Re:McBride interview
Yep. Amavis-New on Postfix with NOD32 and SpamAssassin for us.
-
Re:You guys are amazing...
I use Postfix + amavisd-new + ClamAV on Debian stable with an official Postfix backport for stable and a couple of other modifications, probably.
Here's the appropriate configuration change.
Edit /etc/amavisd/amavisd.conf and change the $viruses_that_fake_sender_re variable to include "Worm.SCO" (and all its variants; ClamAV detects this virus as "Worm.SCO.A"). The proper Perl notation would be, e.g., from
$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
  qr'swen|gibe|mimail'i,
);
to
$viruses_that_fake_sender_re = new_RE(
  qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
  qr'tanatos|lentin|bridex|mimail|trojan\.dropper'i,
  qr'swen|gibe|mimail|worm\.sco'i,
);
Save, /etc/init.d/amavis reload, go get some coffee, pat yourself on the back.
Some stats:
# zgrep Worm.SCO.A mail.log.1.gz|wc -l
1840
# grep Worm.SCO.A mail.log|wc -l
7679
(mail.log.1.gz is the mail log that was rotated this morning at 6:25 AM BRST (8:25 AM UTC/GMT).)
I suggest that you check this solution out, it might ease your pain.
-
pine =/= mta
I hate correcting a fellow Pine fan (actually I prefer Elm), but an MTA, a mail transfer agent, routes mail around using the simple mail transfer protocol. These daemons include sendmail, qmail, postfix, exim and others; whereas Pine is an email client which requires an mta to operate, either remotely or locally.
Parenthetically, the MTA you may be using when running Pine just might be a Microsoft mail server... so beware.
Links: Pine, Elm, Postfix, qmail. Might as well throw Lynx (web) and BitchX (irc) out there for you oldschool turbo C shell users. Hope this gets me some karma :)
Glad there are some people out there not using GUIs for simple purposes like these. I hate the mouse.
-
Re:I run my own mail server, not blocked
-
Re:Why did he abandon AbiWord?
Much of SourceGear's computing infrastructure is Unix-based, and free software is used for things like e-mail, DNS, backups, and mailing lists. We use this software primarily because it's reliable and efficient. These systems were mostly put in place years ago, and only need periodic software updates and hardware check-ups.
Windows and IIS were the most convenient platform for our corporate web site given our .NET product focus.
You can visit Eric's personal web site, which was running Apache last time I checked.
-
Re:Works for me
can i use 'real' regex there, like this:
/^X-Spam-Level: [*]{12,}/ REJECT
Yes, I believe you can. That's certainly a neater regex than the one I used. =)
You can also find out more about Postfix's filtering.
-
Re:Effect on me?
I'm setting up my own Email server (yes, paid the extra bucks to get a business broadband account), complete with filters, attachment blocking, etc. Even purchased and read a couple of books on the subject... it's proven to be quite an educational endeavor.
Congrats! My Internet experience also 'opened up' when I took control of my own communications, instead of letting my ISP provide their own brand of crappy, buggy email service.
I have some recommendations for you. First, look into using postfix as your MTA. It has a much better security track record than sendmail, and is easier to configure (and IMHO is more flexible). Then activate DNSBLs, DNS blocklist, that will stop a huge amount of spam before it even wastes your bandwidth. I use the following option in postfix's main.cf to do filtering:
smtpd_client_restrictions =
    reject_rbl_client sbl.spamhaus.org
    reject_rbl_client blackholes.easynet.nl
    reject_rbl_client relays.ordb.org
    reject_rbl_client list.dsbl.org
    reject_rbl_client ipwhois.rfc-ignorant.org
-
Re:thanks for the info folks
I'm working on something similar... Exchange/OWA on the net.
There are a couple people who just need to POP their email while away. Perdition POP3-proxy over SSL is a decent solution. Setup POP3 proxy box on a separate network (ie. DMZ) from the Exchange Server and you're set.
There are a few that must have OWA access. For them, set up a reverse proxy with Apache/Squid and get a certificate for this server to communicate with your Exchange/OWA/IIS box.
And forgoodnesssake relay all your email thru something before it hits your virus-protected Exchange box. I suggest a Postfix / SpamAssassin / ClamAV setup.
-sid
-
Re:Use qmail
That's why you should be using qmail, ya' code monkeys!
Great idea! I'll just download a package from my favorite distribution that's tuned qmail to mesh nicely with how my system is configured.
Hmm, they don't supply packages for qmail. Why not? They're not allowed to. If I take the time to make up such a package, I'm not allowed to give it to my friend.
Quoth Bernstein:
But that's a decision for the Apache maintainers, not the UNIX integrators!
Darn those pesky integrators, attempting to make their system internally consistent and trying to please their users!
I've heard great things about qmail, it's great that is available with source for no cost. But it's proprietary software, putting me at the mercy of Bernstein. If you want someone else to maintain a fork with features you desire, you're out of luck. It's fine if you're willing to accept that, but it's not acceptable to everyone. Fortunately there are other options available.
-
Re:Use qmail
Bah! And I'll say it again, Bah!
Use Postfix! Ok, use either really, just stop using Sendmail. I run Qmail at work (due to legacy and converting Qmail's Maildir to Cyrus' Maildir just seems nigh impossible) and Postfix at home. Postfix is really straightforward on setup and has TONS of documentation in the conf files.
Qmail, on the other hand has tons of docs on the site and lists a number of different ways to perform various tasks.
It's really a crap-shoot as to which you prefer. Just STOP USING SENDMAIL!
-
Who cares?
-
Re:Sendmail's future
Is it perhaps time for a code rewrite in Sendmail...
IIRC 8.9 was the code rewrite.
maybe a quiet, dignified retirement?
At this point, I'd settle for a noisy drag-it-out-back-and-shoot-it.
Secure alternatives exist - Postfix, qmail. Other alternatives with better security track records and lower target profiles exist - Exim, Courier.
Time and past time to move. How many holes is it going to take?
-
Re:sendmail for legacy
Ian wrote:
>I use UUCP with qmail. It's easy.
Though not as easy as Postfix with Postconf's GUI front-end.
R7