Domain: postfix.org
Stories and comments across the archive that link to postfix.org.
Comments · 201
-
Re:Or try qmail - unbroken since v1.03 (1998)
And yes, you *could* configure it with just a screenful of lines, but we have over 20 domains, and all sorts of bells and whistles going for it so the config is more like 51 lines of variables.. (postconf -n | wc -l).
But the best part is that even though we have a lot of configured variables, postfix still uses only 1 file on the disk for each normally handled email (it uses 2 if the mail gets delayed) and it is ridiculously *fast*.
-
Re:Or try qmail - unbroken since v1.03 (1998)
At the risk of sounding like one of those infomercial testimonials...
I ran qmail for a year or so, then ended up switching to Postfix. At this point, you couldn't pay me to switch back to qmail.
It's not that qmail's a "bad" program. It's certainly not! Dave B. did a heck of a job with it, and I know it's in service as a Sendmail replacement at thousands of sites.
My gripes with qmail are that you practically need to be a programmer to implement it "properly" (at least that's my impression), and that, in order to have an ideal working environment for it, you have to replace the inetd daemon, and add in other tools that are far from simple for non-programmers to implement and use.
My biggest gripe with qmail was how it implemented spam blocking. Complex and clumsy (to my view), with no way that I found to "whitelist" a given domain name or IP, and no way to block on domain name lookup either.
Postfix solved all the problems listed above, and it came pre-installed with NetBSD (my Internet server OS of choice). As for its blocking/whitelist syntax, it couldn't be simpler. Examples...
For blocking: some.host 554 Access denied.
For whitelisting: some.host OK
You simply replace 'some.host' with an IP address or host name, and the three-digit error code with anything you want. qmail was limited to two error codes. The best part is that you can, if you wish, block entire countries that have become spam sewers simply by doing things like this in the blocklist:
.cn 554 Access denied. China's a spammer paradise.
With qmail, you'd have to go through and enter every single IP range assigned to China, manually. I know -- I did this at one time for qmail, and it was two hours plus worth of work! What's even worse is that you have no control over what error message text is sent back. Postfix lets you put in anything you want.
While I will admit that Postfix's default blocking file cannot directly accommodate CIDR notation or IP ranges, Rahul Dhesi, one of the nice folks who inhabits news.admin.net-abuse.email, wrote a handy script to take a source blockfile, complete with said CIDR notations and specific syntax to indicate a range, and convert it into a form usable with Postfix. He also has a bunch of other handy tools for use with Postfix on his site.
I may not know what a "milter" is, but I do know that postfix can block or pass mail on just about anything you want. It supports regular expressions, hashes, etc.
I guess I do sound like a testimonial... Well, the heck with it! I like Postfix. ;-) The info at Postfix's home site speaks for itself.
Keep the peace(es).
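The block/whitelist entries in the comment above only take effect for the keys Postfix actually looks up, so the following added example (not part of the original comment and not Postfix code) models the search order documented in access(5) for a client check: host name, parent domains, IP address, then networks obtained by stripping octets. The function names, the `dot_style` flag and the sample table are assumptions made for illustration; `dot_style=True` models the `.domain.tld` form used in the comment, which applies when `smtpd_access_maps` is not listed in `parent_domain_matches_subdomains`, and only IPv4 is handled.

```python
"""Model of how an access(5) table is searched for an SMTP client.
Added example; not Postfix source code."""

# Constructed sample table in the "pattern action" form shown in the comment.
SAMPLE_TABLE = """\
# pattern            action
.cn                  554 Access denied.
partner.example.cn   OK
192.0.2              554 Access denied.
192.0.2.25           OK
"""


def parse_table(text):
    """Parse 'pattern action' lines; '#' comments and blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("entry without an action: %r" % raw)
        table[parts[0].lower()] = parts[1].strip()
    return table


def candidate_keys(client_name, client_addr, dot_style=True):
    """Return lookup keys in search order: name, parents, address, networks.

    dot_style=True  -> parent domains are tried as '.example.cn', '.cn'
    dot_style=False -> parent domains are tried as 'example.cn', 'cn'
    A client without a usable reverse name ('unknown') yields no name keys.
    """
    keys = []
    name = (client_name or "").lower().rstrip(".")
    if name and name != "unknown":
        keys.append(name)
        pos = name.find(".")
        while pos != -1:
            keys.append(name[pos:] if dot_style else name[pos + 1:])
            pos = name.find(".", pos + 1)
    octets = client_addr.split(".")
    for n in range(len(octets), 0, -1):
        keys.append(".".join(octets[:n]))
    return keys


def lookup(table, client_name, client_addr, dot_style=True):
    """Return (matching_key, action) for the first key found, else None."""
    for key in candidate_keys(client_name, client_addr, dot_style):
        if key in table:
            return key, table[key]
    return None


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for name, addr in [("mail.example.cn", "198.51.100.7"),
                       ("partner.example.cn", "198.51.100.8"),
                       ("unknown", "198.51.100.9"),
                       ("unknown", "192.0.2.25")]:
        print(name, addr, "->", lookup(table, name, addr))
```

Two things fall out of the model: a more specific `OK` entry wins over a broader reject because it is tried first, and a `.cn` entry never matches a client whose reverse name does not resolve, since only address keys are tried for it.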
-
Re:Or try qmail - unbroken since v1.03 (1998)
-
What I like about Postfix
You know what I like about Postfix? Its ability to easily use MySQL for transports and aliases. There are various howto's listed on the Postfix documentation/howto page and it's enough to get you going if you're familiar with both Postfix and MySQL. I'm sure something similar exists for Qmail and the others, but I was surprised at how easy it was to set up with Postfix.
As to the Great MTA Debate, everyone is going to have their preferences and everyone is going to be needing something slightly different. I don't see the point in arguing. Joe Blow likes Qmail more than sex? Great, I hope the security and modularity works out for him. Jimmy Johnson likes the raw power of Sendmail and eats three milters for breakfast? Cool. Myself, I feel more comfortable with Postfix. As long as the sysadmins are competent and the security holes are patched, it's all good in my opinion
-
Re:Not much wrong with SMTP, just use teergrubing
Wow. You mean like this?
-
Re:ClamAV! ClamAV! ClamAV!
I've been using clamav for virus scanning since it appeared in Debian unstable. It is used by amavisd-new for virus scanning and with spamassassin for spam scanning of my incoming (and outgoing) email. Amavisd-new is then integrated with postfix and cyrus-imapd (2.1.x) for my mail server. Works like a champ on a Power Mac 8600/200 with 512MB RAM!
The only problem with using clamav is that it needs more mirrors to distribute the virus definitions. The main virus definition download site was down over this past weekend, I'm guessing because of the BugBear.B worm.
-
Lotsa opinions available-on the Postfix mailing list. Hit the postfix site, check out the archives.
This thread has been tossed around for the past few days, and you can check the archives for past discussions of various anti-virus suites for Linux email servers.
"Your mind is like a parachute. If it don't work, you're screwed"
-
Re:My Problem W/ Postfix
Huh?? If you look right here on the Postfix web page I think you'll find tons of documentation, howtos, and FAQs that are all pretty well written and were helpful when I was configuring postfix for the first time. Although, admittedly the sample config files are pretty straightforward for most applications you might not even need to read the docs. (Just don't tell the postfix guy I said that ;)
-
Re:Why would I want to use exim?
Random unproven MTA? I find that ironic coming from someone using sendmail.
If you want a drop in sendmail replacement, then maybe postfix would be a better choice.
Take the time to learn either qmail, exim, or postfix, you'll save more time in the long run.
-
Re:They needed three days to figure this out?
For the time being:
POPFile Bayesian filtering (works on multiple OSes)
Postfix w/experimental reject_unverified_sender
reject_unverified_sender works like this:
- mail arrives from sender@example.com for victim@localdomain.com
- Before allowing the dialog to progress past RCPT FROM, postfix attempts to send mail to sender@example.com. The mail connection is never completed -- just the MAIL FROM and RCPT TO are attempted, so sender@example.com never receives any email as a result of this probe. (postmaster might note a log entry for NULL connection...whatever).
- If example.com's mail server says "sender@example.com: no such user," the incoming mail connection in #1 is refused.
- If example.com's mail server accepts mail for sender@example.com, the mail connection for #1 is allowed to proceed.
- If example.com's mail server takes too long to respond, the mail connection for #1 is given a 450 (try again) response. By the time the sender's server tries again, the attempt to verify sender@example.com's address should have succeeded, and will be cached by postfix.
Add sbl.spamhaus.org and list.dsbl.org RBLs (very, very low false positives), and watch the spam disappear.
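The verification steps listed in the comment above, as an added example that is not part of the original comment and is not Postfix code: a small model of the accept / refuse / 450 decision with a result cache. The class and function names, the one-hour cache lifetime, the probe's envelope sender and the `FakeRemote` stand-in for example.com's server are all assumptions made for illustration.

```python
"""Model of the sender address verification flow described above.
Added example; not Postfix source code."""
import time

ACCEPT, REJECT, DEFER = "accept", "reject", "450 try again"


def classify_probe(reply_code):
    """Map the probe's RCPT TO reply (None = no answer in time) to a status."""
    if reply_code is None:
        return "pending"
    if 200 <= reply_code < 300:
        return "deliverable"
    if 500 <= reply_code < 600:
        return "undeliverable"
    return "pending"          # 4xx: the remote side asked us to retry later


class SenderVerifier:
    """Decide what to do with incoming mail based on a cached probe result."""

    def __init__(self, probe, ttl=3600.0, clock=time.time):
        self.probe = probe    # callable(address) -> SMTP reply code or None
        self.ttl = ttl        # assumed cache lifetime in seconds
        self.clock = clock
        self.cache = {}       # address -> (status, expiry time)

    def check(self, sender):
        now = self.clock()
        cached = self.cache.get(sender)
        if cached and cached[1] > now:
            status = cached[0]
        else:
            status = classify_probe(self.probe(sender))
            if status != "pending":           # only final answers are cached
                self.cache[sender] = (status, now + self.ttl)
        return {"deliverable": ACCEPT,
                "undeliverable": REJECT,
                "pending": DEFER}[status]


class FakeRemote:
    """Constructed stand-in for the sender domain's mail server."""

    def __init__(self, mailboxes, slow_first=0):
        self.mailboxes = set(mailboxes)
        self.slow_left = slow_first           # number of probes that time out
        self.dialog = []                      # commands the probe sent

    def probe(self, address):
        # The probe stops after RCPT TO; no message body is ever sent.
        self.dialog.append("MAIL FROM:<probe@verifier.invalid>")
        self.dialog.append("RCPT TO:<%s>" % address)
        if self.slow_left > 0:
            self.slow_left -= 1
            return None
        self.dialog.append("QUIT")
        return 250 if address in self.mailboxes else 550


def demo():
    remote = FakeRemote({"sender@example.com"}, slow_first=1)
    verifier = SenderVerifier(remote.probe)
    return [verifier.check("sender@example.com"),   # remote is slow: defer
            verifier.check("sender@example.com"),   # retry: probe answers
            verifier.check("ghost@example.com")]    # no such user


if __name__ == "__main__":
    print(demo())
```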
-
Of course
If you want to use an MTA that you can feel good about using, switch to Postfix, which is:
- Truly Free Software
- Secure
- Not run by an asshole
Of those three, qmail only fulfills one.
Postfix: the ethical choice!
-
Re:Sendmail.... Opps Hit submits too soon
Here's the proofread formatted version
This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).
Main Configuration/Documentation
Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's and mailing lists.
Tables
Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form
- TYPE:LOCATION
The Type is the type of table/format being used. The Location is simply one of several things
- For simple tables like gdbm or hash it is the location where the table is on the disk,
- For mysql it's the location of a configuration file for the mysql table (I think)
- For ldap it's the name of the ldaptable and there are additional configuration variables to set up.
For backwards compatibility, hash:/etc/alias is normally setup as an alias database.
Virtual Stuff
Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.
- Virtual User -- an address in a fake domain that gets routed to other addresses; these are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember the man pages are very good. See virtual(5) for more.
- Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8)
Fallback Address or "Catchalls"
Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.
Configurable bounce errors
I'm not sure there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry is important, so set it to "unknown" for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).
Delivery to a piped process
Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:
cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
Backup mail spooling
In postfix there is a transports map that has three fields: domain(key), transport(servic
-
Re:Sendmail....
This is just a really quick overview because there are a few things I would have to lookup again for postfix, and don't quite have time to write a fully detailed essay (good for postfix 1.11).
Main Configuration/Documentation
Most of the configuration is done with /etc/postfix/main.cf and /etc/postfix/master.cf. The first sets configuration variables, and the second one sets up the various daemons which are used for queuing, delivering, sorting, and sending mail. The primary documentation are the man pages that come with it, and /usr/<documentation directory>/postfix. Also see www.postfix.org for FAQ's, HOWTO's and mailing lists.
Tables
Postfix supports a wide variety of Table types. sendmail uses "hash" I think.. But you can also have tables based around mysql or ldap, for example. I use LDAP almost exclusively. So my knowledge is very much specialized about that behemoth. Anyway, when I say specify a table this is done in the form
- TYPE:LOCATION
The Type is the type of table/format being used. The Location is simply one of several things
- For simple tables like gdbm or hash it is the location where the table is on the disk,
- For mysql it's the location of a configuration file for the mysql table (I think)
- For ldap it's the name of the ldaptable and there are additional configuration variables to set up.
For backwards compatibility, hash:/etc/alias is normally setup as an alias database.
Virtual Stuff
Also note the following distinctions that I used, I hope this doesn't confuse anyone reading the other documentation.
- Virtual User -- an address in a fake domain that gets routed to other addresses; these are done by creating virtual tables. The configuration variable virtual_maps is set to a space-delimited list of tables to use as virtual tables. So hash:/etc/.../virtualusers should get the map working (I think). Remember the man pages are very good. See virtual(5) for more.
- Virtual Mailbox -- a user in a fake domain that gets routed to its own mailbox, but has no associated user account on the machine. This gets more complex, however, as you have to set locations, gids, uids, transport (the method of delivery). See virtual(8)
Fallback Address or "Catchalls"
Catch-alls operate like in sendmail, add an entry to a virtual user table in the variable virtual_maps with the "key" @domain.com. However, since virtual mailboxes are done after virtual_maps they aren't very compatible with catchalls.
Configurable bounce errors
I'm not sure there is a way to completely customize the return error, but adding an entry domain.com (not @domain.com) the actual data doesn't matter, just the entry, so set it to unknown for readability. This creates a postfix-style virtual domain which should reject unknown users with the appropriate error. See virtual(5).
Delivery to a piped process
Yes you can. You have to edit the /etc/postfix/master.cf in order to setup the service for delivery. Here are some examples:
cyrus unix - n n - - pipe
  flags=R user=cyrus argv=/usr/sbin/cyrdeliver -e -m ${extension} ${user}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
Backup mail spooling
In postfix there is a transports map that has three fields: domain(key), transport(service to deliver), nexthop(next machine in chain). An entry has a form the actual data for the entry is in the form tra
-
Re:Qmail and postfix hippies: shut the hell up ple
This one bug doesn't make sendmail bad. The fact that it's had scores of bugs does.
It's "only" a mail server, but what about a company whose email contains very sensitive information? They may feel safe using, say, smtps and imaps, but if sendmail isn't secure, they're sunk. In addition, getting on a mail server may allow access to a local network filled with insecure windows boxes. Oops.
You seem to be way too attached to sendmail. There are better alternatives available, so why not use them? I broke off from sendmail years ago, happily.
You should not create such an attachment to software; I use OpenSSH currently because it's free and works. I won't pretend it's not bug-ridden, though, and if something better comes along, I will switch because I care about security. I don't care if I've been using OpenSSH for years.
-
Mandatory Postfix ad
Hi!
Is your sendmail buggy? Would it be time to change to Postfix?
Only $0,00.
-
Re:Feature request
Yup, I can vouch for this excellent setup. I use Postfix with Cyrus. Cyrus is an amazingly fast IMAP server, which is a good thing, seeing my mail server is a pokey 200 MHz machine.
On the client side, I use Mozilla mail whenever I'm behind my own desktop machine. When I'm logged in remotely, I'll use Pine (which supports IMAP) or through a browser with Squirrelmail, an excellent webmail client, which also talks IMAP. I also have my IMAP port open to the world, so I can use Mozilla mail when I'm at one of the computers at my university.
I have all my mailfolders the same everywhere, which is really nice. Now if there only was a nice way to share bookmarks and address books...
Cheers,
Costyn.
-
Re:Dealing with dictionary attacks
-
Much higher percentage, probably
It wasn't until I setup a spam filtering mail relay for my home network using a FreeBSD server running Postfix and SpamAssassin, that it really hit home just how much spam I was getting on a daily basis. Postfix is using RBLs and header filtering criteria, and that kills a lot of the spam outright. That which passes Postfix is analyzed by SpamAssassin and flagged as spam in the subject line. My MUA filters my mail and moves flagged messages to a designated SPAM folder for review before I delete it (because I will never trust an automated process like this 100%). Now that my legitimate mail is nicely sorted from my junk mail, the percentage is staggeringly obvious. I get 4 to 5 times the amount of junk mail as legitimate mail, and that is with Postfix kicking a large portion of the inbound mail before it ever hits SpamAssassin! I don't have precise figures on how many Postfix kicks, but my mail log is flooded with Postfix reject messages. And you can add to that the fact that I firewall access to my mailserver from all of Latin America and Asia because of the high volume of spam and network attacks sourced from those regions.
Based on my guesstimation, I'd say that 90-95% of my inbound email is spam. And given the fact that bandwidth and CPU power keep getting faster, cheaper, and more available, I can only see the spam problem getting worse.
-
Why Sendmail?
Look, I'll freely admit to being biased, but... I'm a little baffled why Sendmail has not been more widely replaced, given that full understanding of its configuration file seems to require a Ph.d in computer science.
There are better (to my eye) alternatives. Postfix and qmail, just to name a couple. I just made the switch to Postfix, and my admin work got a lot easier overnight.
Is it just inertia that's keeping Sendmail in place?
-
Re:Cross Upgrade to QMail
It's far more powerful than QMail
Excuse me, but what the hell are you talking about? Would you care to support this statement in some fashion?
Moderators, shame on you for giving points to this unsupported drivel.
Unbiased readers: compare and contrast for yourself. Qmail and Postfix are basically feature-equivalent, have roughly comparable performance, and both have stellar security histories. Both have plenty of 3rd-party tools to automate stuff like virtual domains, catch-all users and the like; both integrate nicely into a number of webmail and pop/imap servers.
Deciding between the two is largely a matter of taste: qmail's many small config files versus postfix's few large ones; different methods of handling aliases; etc etc etc.
-
forget sendmail
Use Postfix instead.
It's written with security in mind from the start and it's infinitely easier to configure than sendmail.
-
Re:Fed up with sendmail.
Postfix has been good to me and it has simple instructions (in the INSTALL file) for replacing sendmail. As long as you are using pretty standard settings in sendmail it is almost a drop in replacement.
-
A better Fix
Postfix.
A remote root exploit for the maybe more used mail server in the planet, one that can bypass firewalls if connection with the smtp server is possible, or even with smtp proxies in the middle, is a nasty one. Specially when as it is so widely deployed, even with the months "needed" to make a worm of it, a big amount of vulnerable servers will remain.
At least it could be used as an opportunity to fix mail servers which have administrators that don't care and are used as open relays.
-
Re:Cross Upgrade to QMail
Or as another superior alternative, check out Wietse Venema's mailer, Postfix. It was built from the ground up to be fast and secure, and it benefits from not being maintained by the notoriously finicky djb. (if you've never dealt with him, he's much like a Theo De Raadt, except he doesn't even have a good cause.)
-
Re:Cross Upgrade to QMail
QMail is fine for a four- or five-user machine, but the installations who currently require Sendmail's power for their mail service needs would likely be happier with Postfix. It's far more powerful than QMail, while still being easy to set up and use.
-
Re:Great Stuff! Hope to see more
All you need to block spam:
- Open Relays Database ORDB
- Osirusoft RBL
- Spamcop
- And Postfix and its great spam filtering options.
-
Re:What is with all the sendmail bashing?
You're right ---- sendmail can be very powerful and is not for newbies.
The reason people complain about sendmail so vehemently is that standard distros seem to think it's funny to provide sendmail as the default. I know this is true for redhat and I suspect it follows for others(?). I doubt there would be as much frustration if a more admin-friendly package was offered as the default.
For newbies, sendmail is a beast far too complex to bother with configuring. There are no decent GUI front-ends and the config files require compilation and are basically a complete mess.
Changing the setup is hard enough - I dread to consider the possibility that someone might have to tune it. The topic certainly warrants a thick textbook.
Personally, I agree with others here when it comes to your typical desktop linux setup:
destroy sendmail and install Postfix or QMail.
-
Re:RBLs in Spamassassin
Absolutely. I have a GNU/Linux (Debian) system at home which uses Fetchmail to pop emails off my ISP account. Fetchmail delivers to Postfix for local delivery. Postfix calls Procmail as part of its configuration. Procmail first pipes incoming mails through Spamassassin. If Spamassassin decides that the mail is suspect, it is placed in to a "caughtspam" mbox for later examination/deletion.
The postfix config is a basic:
mailbox_command = procmail -a "$EXTENSION"
The procmail config is as simple as:
:0fw
| spamassassin
:0:
* ^X-Spam-Status: Yes
caughtspam
This has cut down my personal time spent on processing emails by many many times. OK, so it's not exactly the most computationally cheap method of filtering spam, but the box isn't doing anything else particularly important and CPU cycles are cheap.
All I now need to do is go through the "caughtspam" mbox every now and again (nicely managed using Mutt) and double-check whether anything has slipped through. Only one email has been badly marked by Spamassassin and that was due to the sender incorporating lots of spam phrases in the email.
-
Re:All @ company
here's how to fix this:
- only allow trusted hosts or smtp-auth'd clients to use group addresses
- enable smtp auth over ssl
Postfix makes this quite doable..
-
Tips...
The point he was making is that in windows it's often not documented, so it often ends up with trial and error, hours of kb searches, or just reinstalling with fingers crossed. In Linux, you have the source and the configuration files are human readable, you just need to find the beginning of the yellow brick road and follow it.
"bringing up Runlevels,"
Start at /etc/inittab and follow the trail of scripts, first the script on the 'si:' line, then look at the 'default:' line, and follow the 'l?:' line with '?' the runlevel. You'll probably find most of your start and stop scripts in /etc/init.d, and /etc/rcS.d with links from /etc/rc?.d
Most other configurations are in /etc, and per user ones in '.*' (hidden) files or directories of the user's home directory.
Sendmail problems? Try postfix, you'll love it. Easier to configure, easier to understand, and better security track record. btw, configuration is in /etc/postfix... duh.
Got a kernel panic and it's not because you're using the 2.5.x unstable kernels? -> Most probably hardware that is breaking down.
-
A good example:
The main.cf config file of Postfix. Without the comments it's maybe 30 lines of actual settings. With comments it's 540 lines, and it's clear enough that a relative n00b like myself got it up and running in 1 hr with minimal trips to the website. Good documentation was a major factor in my picking Postfix over Sendmail. No dis to Sendmail, you understand. :)
-
postfix+amavis+clamav+spamassassin
Postfix: mail transport agent (MTA); packaged by most Linux distros; runs on many other platforms; easy to configure; flexible; modular; secure; highly scalable; written in C by the venerable Wietse Venema; IBM Public License
AmaVis: Antivirus filtering daemon; packaged by most linux distros; multi-threaded (recognized multiple CPU's); sends out email alerts; very configurable; supports many antivirus scanners; works well with postfix; written in Perl; GPL
Clam Antivirus (clamav): virus scanner; written in C; fast; virus definition update tool included; uses virus definitions from the Open Antivirus project; (does not disinfect, just identifies); GPL
SpamAssassin: Perl-based Spam filter; use with Procmail; client-server architecture (one daemon); Perl Artistic License
Our application of the above software seems to work quite well. We serve about a thousand users (about 100 "heavy users"), and the average server load rarely gets above 0.21 with a Dual AMD 1500+ MP that provides SMTP, IMAP, and POP all w/SSL enabled.
-
Need for attachments?
You might want to ask yourself what kind of attachments you're expecting to see come through the server. I personally use Postfix, which I've found to be a bit easier to configure than sendmail. Through that, I block any emails with "suspicious" attachments such as ".exe" or ".bat" (among many others). The rest are handled by the virus scanners on the individual client systems.
I'm not sure it's such a good idea not to have some kind of on-the-fly scanning for each client system, especially if they're the type to demand the use of Outlook (I have the same situation here, and I sympathize). There's always the chance they'll grab infected files off the web as well.
-
I'm surprised no one mentions Greg Egan.
Greg Egan is an author, programmer, and scientist.
In one of his short stories, he mentions having a setup where a whitelist of people you know are allowed to send you email for free, and anything else requires a minimum payment (which can be set from 0 to as high as you want). Tired of spam? I wouldn't be, for 25 cents a spam. That'd pad my bank account nicely.
How could it be done? There are already proposed extensions to the SMTP command set so that clients and servers could agree on an amount and pass a token to each other (be sure you're using a TLS aware MTA, like Postfix), and it could be verified by both sides with the 3rd-party escrow server (which manages the money). Paypal is the only current online money system with enough momentum to make this work well for everyone, but maybe another one will come up :)
Either way, it makes it easy to stop spam by removing the one thing that spammers like -- the cheapness. Only people who want spam (haha), or people who don't live in the 21st-century (MTA wise) will have to deal with the 20th century scourge known as spam.
-
Re:One reason for PGP over GPL
In fact, this is a good thing. Accessing the gpg process through pipes gives you the greatest security. If you link GPG with your favorite GUI program, any hole or fault in GTK+ or your program could compromise your keys.
Other programs do the same (have a separate security dedicated process). Check ssh and its privilege separation, and postfix and its multitude of little processes.
-
Antivirus in server
-
Re:Now, from the people who brought you Sendmail
Open source would have a much better security record if Sendmail were killed off.
No need. The neat thing about open source is the choices. I've used sendmail extensively in the past, but these days I'd use, say, postfix. Sure, sendmail's security record is much better than it was, but I'd prefer the performance benefits of a late-model MTA, as well as the security plusses. The point is, whether we are talking about SMTP, HTTP, IMAP, POP, FTP, or whatever, there are secure servers that work great and I can use whichever one of them I please. That's a far cry from some more proprietary environments I've experienced in the past. I also like not having to wonder what gotchas are hidden in some privileged binary I'm running.
I think everyone's spam relay record would look better if folks'd turn off the MTA daemon on systems that don't need to accept mail, though...
-
Re:One folder to rule them all...
Postfix is good, free, and open source. It's also easy to configure. You should be able to get it going in about half an hour.
As for Microsoft and Exchange Server, aren't they convicted criminals? I don't want to use software made by criminals. If they are willing to break the anti-trust laws, what other laws might they be willing to break? I don't trust them with my email.
-
Re:minus sendmail
Why people think that sendmail is automatically insecure is beyond me.
Sendmail is fundamentally insecure. It is a single, monolithic process running as root - not necessary for most of its operations. A single buffer overflow would completely compromise the machine running sendmail. It was originally written with little regard to security and has a long lifespan, accumulating cruft. It should be no surprise that it has had several vulnerabilities over the years. (That seems to be just 2001 ones. I'm sure there have been problems between 1988 and 2001; I just don't care enough to find them right now.)
In contrast, Postfix is broken apart into several different processes. Each executes at the minimum privilege necessary to do its job. A process running as an unprivileged user inside a chroot() jail containing no setuid binaries is a minimum risk to the system. The entire system was constructed with a focus on security - both eliminating vulnerabilities like buffer overflows and minimizing their impact should they occur. It has, by comparison, an unblemished security record.
For more information on why Postfix's security is completely superior to sendmail's, please see this page.
-
Block Flowgo at SMTP
Flowgo has been a burr in my britches for quite a while. It appears that every one of my e-mail users gets "newsletters" from Flowgo. About 30% admit to visiting the Flowgo site but swear up and down that they did not request the newsletter. At first, I tried to be nice and contact Flowgo and ask for them to remove my employee from their newsletters (it's easier than trying to instruct them to do it). Got back no response. At first I was shocked that Flowgo would not remove them. So after giving them a week, I went into my Postfix configuration and blocked off any e-mail from Flowgo. That was 5 months ago. Still today, I bounce 50 to 100 messages from Flowgo from my mail server. I noticed that several blackhole lists are doing the same now.
There has to be a solution to this sort of problem. About the only way I could get Flowgo to stop SPAMMING my mail server is to call up a buddy of Tony Soprano to break their knees because Flowgo doesn't care and I have never, ever, ever been able to get one of my elected officials or law enforcement agency to pay any interest in Unsolicited Commercial E-Mail. It's not like Flowgo is hiding its behavior either. It should be easy to get them but no one that matters or has the power, gives a damn about this huge waste of bandwidth.
-
Re:Share!
Have you considered making this script publicly available? If you're generating so many new records, just imagine the good it could do if it spread.
My system is very tuned to the systems I have available to me. Disclosing my rag-tag collection of Perl scripts, AppleScripts, postfix configurations and e-mail programs that I have cobbled together would compromise my security and most likely would never work on anyone else's setup.
However, take the concept and run with it. If I can do it, most sysadmins could figure it out -- I am a hack programmer. I find that Postfix is a great alternative to Sendmail and makes SPAM killing a snap.
I also cheat by blocking China, Korea and Taiwan off from my mail server. My company is USA focused and never does business with non-English speaking countries. No offense folks in Asia, I lived and worked there for 3 years and enjoyed my time. It's just an easy way to whack 1/2 the SPAM sent to my servers.
-
Re:Should I send this to my congressmen?
-
If you are a Unix geek do it yourself....
If you are a Unix geek you should seriously think about doing your own. I host 7 domains web/email now and it really wasn't too hard. Just put a cd-burner on the webserver. (For fast backup/restore) All you need is one IP address.
OpenBSD makes a great firewall. Drop three NICs in it and you are ready to rock. The really cool part is you can charge a nominal fee for hosting and either pay for your DSL or bump it up to a bigger pipe.
Virtual Hosting with Apache is brain dead easy. With postfix and OpenBSD and the ports tree, Authenticated SMTP is really easy too.
A friend of mine has a howto on the authenticated part.
-
Sendmail for Dummies
I think we need a document to configure sendmail "for dummies"... They do have Sendmail for dummies, it's called Postfix. I use it and like it.
-
Gateway vs Personal
At my employer, I've been using/evaluating for a month now RAV Antivirus for Postfix added by a fine collection of regexp for body_checks and header_checks (preventing that almost anything that MSWIN can execute passes the mail server) and I am VERY satisfied. This way the most common infection "procedure" is prevented.
Of course, all of you can say that is NOT an infallible procedure... but what the hell, none is! Having dozens of desktops with anti-virus is not infallible also. Sure there are some very fine packages but if you coordinate your traffic in a good combination of redirectors for SQUID, disabling file transfers through messengers and having your gateway pretty much tied up, I believe that you can have some relaxation time!
- STATS :
- 5Gb net traffic (mail+web) per day
- 3 virus caught in 27 days
- 0 infections