Domain: postfix.org
Stories and comments across the archive that link to postfix.org.
Comments · 201
-
Re:Monocultures contribute to the problem
Monocultures like this in the biological world are known to be extremely vulnerable to attacks from (biological) viruses and parasites, and it's no less true with computers.
Try telling RMS who wants everyone to use his GNU system.
sendmail
Postfix is a widely used alternative, and it's also a lot leaner and more secure than sendmail, while offering almost the same functionality, and fewer configuration hassles. (no, i won't mention qmail here because DJ Bernstein is a prick and just fucking annoying.) the sendmail monoculture will soon cease to exist.
-
Fight SPAM with Postfix
I used to run only sendmail for my SMTP needs but I found it a pain to administer when it came to SPAM. In the last year, I have moved all the e-mail servers I manage over to Postfix. Since I have done the switch, I am killing SPAM very effectively -- some still slip through but not many.
By checking my logs for the last 24 hours, I have killed over 800 SPAMs for my 100+ users. If this is a 'typical day' in the life of my e-mail server (though I am seeing more around Christmas than ever), I am killing ~3,000 SPAMs per year per user. Not only does blocking SPAM give me a deep sense of personal satisfaction it gives me more time during my work day to do more important duties (like reading Slashdot) because I don't have users calling me to complain about the sex ads, mortgage offers and fly by night investment opportunities in their e-mail box.
I would love to see the US Congress require all e-mail marketeers to be opt-in instead of opt-out (with the Death Penalty for violators). However, I don't know if this would be effective as most of the SPAM coming in is from foreign servers (mainly Asian nations).
-
Re:What about MS Exchange?
postfix,
cyrus-imapd,
squirrel mail,
and procmail
Now for all your backup stuff, write a procmail line to save a copy of all mail. It's really easy. You could extend these tools to do everything exchange does in an afternoon, and continue supporting your outlook clients.
-
Re:Why use Wu-ftpd
Sendmail...i can't remember, but there are replacements.
Yup, there's Postfix.
-
Wietse Venema
My nomination for is Wietse Venema, the author of the postfix mail server.
Why:
Have a look at the source code, it is a textbook example of how a program should be written. It is just amazing how well the code is commented (all 100.000 lines of it), and Wietse is doing a fine job of maintaining the code. The program is well behaved (also in severe error conditions like out of memory/disk space, high cpu load, network failures, etc), and has an excellent reputation for being "virtually bug free".
...Postfix is simply the finest piece of software I have ever compiled and used, and I hope that the award goes to a person because of his exceptionally high software standards: Wietse Venema.
-
Re:Damn it!
Here's a link to get you finished (:
http://www.postfix.org/ current versions auto-configure spam protection suitably for most users (allows subnet to relay but nobody else). Of course you can change it how you want, but out-the-box defaults are fantastic.
-
Re:Why not Postfix?
How come IBM doesn't at least try to use Postfix? I mean, Postfix is an IBM-funded thing, and was developed to be the, quote, "IBM Secure Mailer"...
Probably because it is so damned hard to even get access to a S/390 or zSeries virtual machine account to do anything serious with. I'd love to port, test, and package my stuff on more platforms, including mainframe, but an account that is limited to 3 months doesn't work for ongoing projects that never end. And one of my projects needs 2 with dual shared DASD. And those guys at IBM never responded to any of my email. So as much as I'd love to work on the mainframe, I'll just stick with Intel, Sparc, and maybe soon PPC.
-
Why not Postfix?
How come IBM doesn't at least try to use Postfix? I mean, Postfix is an IBM-funded thing, and was developed to be the, quote, "IBM Secure Mailer"...
-
Re:go with qmail
No, no, no.
If you want to go the "Sendmail is buggy" way, well, at least, try to be informative where the alternatives are concerned.
For those who wish to try another MTA, the three big ones, not counting Sendmail, are Exim (small and easy, good for your home net), Qmail, and Postfix (fast and powerful, my personal fav). All four have their good points, and all four are certainly worth checking before you decide on one.
See? I mean, if Sendmail is still so widely used, there is a reason, you know... :)
-
Re:Alpha spammers...
The real problem is all of the brain dead system administrators that leave port 25 open for anyone who wants to drop trou and take a huge dump in everyone's In Box. Korea,
Well, the port 25 must be opened if you want to receive mail. You must add anti spam rules to your MTA then.
I've been using postfix for a long time. I found it is a perfect replacement for sendmail. Easy to configure and it's not an open relay by default.
-
Re:Host your own mail
I do this except I don't have a static IP on my ADSL at home so I do it at work. Only thing is that I use postfix :)
AussiePenguin
Melbourne, Australia
ICQ 19255837
-
Try Postfix/Cyrus
I would recommend looking at Postfix as your MTA: http://www.postfix.org.
Postfix is well-designed, small, high-performance, and very secure. I recently had to select a new mail server for our company, and it fit the bill perfectly.
There are a number of things that I like about Postfix, but one of the most noticeable is its ease of configuration. There are just two configuration files, and they're very simple -- much simpler than even Apache's httpd.conf. One of the things that you can configure is relaying -- for certain hosts, certain networks, or authenticated users.
For mailbox services, I would recommend Cyrus (http://asg.web.cmu.edu/cyrus/imapd/ ). It's a very full-featured POP3/IMAP/KPOP server.
There are webmin modules for both Postfix and Cyrus, solving your web-based management problem.
-
start with postfix/cyrus
The postfix/cyrus combination already offers most of what you want. Although I haven't looked into the web based part yet, the management is probably best done with webmin. For reading mail from the web, there's so many perl scripts floating around I'm not even going to bother picking one for you...
-
Re:Sure there is...
Suing you is too much trouble. Adding your server to RSS would be easier if it were mine to control. Oh wait. It is. Sorta. I have a shadow zone of my own for RBL/RSS/DUL zones. Wow, I have the power. I can block anyone I want. I can open up anyone I want. So actually I don't have to choose just between all or nothing. I can block you if I want. Or I can let you back in if RSS blocks you.
Have you made sure you're not an open relay? I've heard it's not trivial to do with old sendmails. I abandoned sendmail back around 8.8 or so, when it was too much trouble to keep hacking sendmail.cf to keep all the tricks of the spammers out, and now run Postfix.
-
Re:Spam costs in many ways
From the nowhere.com front page:
NOWHERE.COM takes all available measures to ensure that no spam originates from this host, or passes through it.
Specifically, we use postfix which will both refuse to relay email, as well as block based on information from the RBL. The only valid hosts within the NOWHERE.COM domain are 'mx', 'ns1', and 'ns2'. Any other hosts claiming to be from within the NOWHERE.COM domain are forgeries.
We assure you, any spam/scam/bulk mail claiming to come from the NOWHERE.COM domain has been forged. Feel free to send a copy of the email you received to abuse@nowhere.com, minus threats of legal action, violence and/or death. It is actively being looked into.
Thank you.
p.s. NOWHERE.COM gets about between 5000 and 80000 pieces of email per day, which mostly comprise of bounces, threats and complaints about spamming. We have very limited resources with regard to time, cpu cycles and bandwidth. Please be gentle.
People should really enter x@x.x or something when e-mail addresses are required.
-
Postfix + cyrus-imapd
postfix and cyrus-imapd are both first quality mail products.
Easy to use, well integrated with other system tools. Very stable, both tools you can trust.
Just check the features !!
-
Try Postfix
Actually, if you want maildir support, you don't have to go with qmail. Postfix does it as well. While I haven't used qmail so I can't compare the two, Postfix is very easy to configure and get up and running. I gave up on sendmail after two weeks when I couldn't get it do what I wanted. Postfix on the other hand took me maybe four hours to completely install and configure to my liking. It also has the same benefits of qmail from a discrete module standpoint -- definitely not the big behemoth-all-in-one that sendmail is. Anyway, check it out at here. An article that I found to be helpful when getting started was here.
-
Re:Which MTA to use
I'd go with postfix too. I've put it in on several servers (1000 e-mails per day each) - not a lot of stress on a mail system, but it's done it with ease, and is easy and good to configure. Wietse is real active on mailing lists and newsgroups too - Postfix in general has a lot of really good, friendly, helpful supporters. I like it.
-
Re:Lobby for the support of BIND maintainers...
While adding another set of root nameservers to the standard root.cache sounds like a good idea on its face (and should be technically feasible, unless I'm missing something in my memory of how BIND 8 deals with cache), it won't work.
Why?
A fair portion of the Internet doesn't use BIND. Even on Unix systems, there are BIND replacements, just as there are sendmail replacements. But even ignoring the Unix world, what about Windows 2k, etcetera? I mean, sure, they're making plenty of modifications to what's Right on their own (domain segments beginning in "_", for instance), but the chances of Microsoft not going along with ICANN (especially if NSI shuffles some money behind MS stock) are awfully low.
-
Re:Forget sendmail and qmail - use Postfix!
Qmail has one major problem. DJB. Oh, and the license for qmail makes it non-free software.
You'd probably be far better off looking at postfix, which is simpler to configure than qmail, and just as fast, reliable and secure.
-Dom
-
Re:DIY
My set up: postfix as the MTA. Courier IMAP to provide IMAP. I actually tunnel my IMAP connection over an OpenSSH (http://www.openssh.com) connection, but courier IMAP supports SSL as well. The guy that writes Courier also writes SqWebMail (webmail) and maildrop (pleasant alternative to procmail), which I have found to be useful. FWIW I use mutt as my mail client.
-
Re:Things heard when problem-solving Linux:
If you're like me and think that cat /etc/sendmail.cf | perl would produce the code to Netscape v4, you can look into a great alternative called postfix.
Very nice.. Perl compatible regular expressions, SQL, and human-readable config files. It also lends itself to chrooting, has never had a known security problem, outperforms sendmail, etc.
Try it.. you'll be happy you did :-)
--
-
postfix
Also check out Postfix, another replacement for sendmail, written by the same guy who wrote TCP wrapper.
I've installed and used sendmail a few times and I swore never to do it again! It's the most difficult to configure program in existence.
-
Already exists
("apt-get install postfix-tls" if you use Debian.)
Take a look at RFC 2446 (Transport Layer Security) and RFC 2487 (SMTP Service Extension for Secure SMTP over TLS) for details.
For an implementation, look at postfix-tls:
Authors:
Postfix : Wietse Venema;
TLS extension : Lutz Jänicke
Start with the postfix site and then the TLS site if you don't have the ability to apt-get source I guess.
-
Postfix
I have been using sendmail for ages, but I've been replacing all my sendmails by postfix lately. It's a very good mailer daemon. Check: postfix. It's very easy to configure. The spam blocking options are very handy.
-
Re:Of course - just look at its proponents
-
Re:a good reason not to use *nix
Well, to be honest, it's your fault for using BIND!
BIND is notoriously insecure, so you should always run it in a chrooted environment if you are going to use it.
Also, investigate alternative, and far superior servers for services you want to run.
Instead of BIND, look at Dan Bernstein's DNSCache package, which is lightweight, stable and uncrackable. In fact, he offers a monetary reward to the first person who can find a security hole in it.
Similarly, replace sendmail with either qmail, exim, or postfix and get a superior, more intuitive feature set, and better peace of mind security wise.
Also, look at a more secure OS than Linux, for example OpenBSD which has not had a remote security hole in its default installation for over two years now.
-
Re:C'mon, that's totally made up!
"Finally, only accept connections from hosts with a valid IDENT response."
How exactly are people who use Win32 supposed to send mail through the SMTP server then? What about machines which have been rooted, or otherwise have identd installed to fake responses?
Relying on the client to provide valid data is a trivial security flaw. Perhaps you mean to say, "only accept mail to a non-local domain from an explicit set of IP addresses," and make sure that your machine has anti-spoofing enabled to its highest level via
echo -n "Setting up IP spoofing protection..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 2 > $f
done
echo "done."
You'll also want to use the Postfix mailer, as you have to misconfigure that to relay spam.
---
-
Re:How to secure your Linux system
Read the blurb on security at this page: http://www.postfix.org/goals.html
-l
-
How to secure your Linux system
Since we are talking about security here, here are some things Linux (and other UNIX) admins should keep in mind to keep their systems secure:
- Use qmail or postfix instead of Sendmail.
- Make sure you have all security patches for your system installed. Redhat users, for example, can find those patches here.
- Linux users can read Linux weekly news for security updates.
- Manage your SUIDs. Make sure you keep a close eye on all your suids. For example, I use this script to put all my suid in the directory /suid/bin:
#!/bin/sh
# List every regular file with the setuid or setgid bit set.
# (-perm /6000 is the current GNU find spelling of the older -perm +6000.)
find / -type f -perm /6000 > /root/suids
for a in `cat /root/suids` ; do
    # Move the binary into /suid/bin and leave a symlink at its old path.
    mv "$a" /suid/bin
    ln -s /suid/bin/`echo "$a" | awk -F/ '{print $NF}'` "$a"
done
- Obviously, turn off all unneeded network services in /etc/inetd.conf and (usually) /etc/rc.d/rc3.d. You can see what services are running on your machine with netstat -na.
- For a UNIX that is free and (hopefully) secure out of the box, check out OpenBSD or Trustix.
- Sam
-
An easier way to POP over SSH
POP3 over SSH with port forwarding has some timing problems - you must wait until the SSH connection is up before running fetchmail. Consider this alternative:
Create the script sshtunnel:
#!/bin/sh
ssh $1 "nc 127.0.0.1 $2"
And in your .fetchmailrc use this script with the plugin option:
poll host plugin sshtunnel user name password pass
Instead of opening a TCP connection fetchmail will run the script passing it the hostname and port number as arguments and use its standard input and output to talk to the POP server. No timing issues - fetchmail will wait patiently while you type your password or passphrase to ssh.
It requires netcat to be installed on the target machine.
Why encrypt only incoming mail? My outgoing mail is also delivered over ssh (courtesy of PostFix)
----
-
What we do for 50,000 Users..
Recently I was heavily involved in changing over from a Sendmail based system to a new mail system that had to be designed to cope with 50,000 users in an ISP setting.
To keep things short, I'll tell you where we ended up :
- Postfix replacing sendmail for SMTP stuff. We decided to go this way for reasons of fairly straightforward compatibility with sendmail in terms of alias and virtual user tables, but with an overall simpler configuration scheme. Postfix also appeared to be much more efficient in terms of CPU and Memory usage. One big plus was the off-the-shelf support for LDAP for users, maildrops and aliases. We are moving a lot of our systems across to LDAP and one less application for me to add LDAP support to made things easier. At the office we run this on FreeBSD 3.4, and at home I have run it on BSD, Linux and Solaris with no problems.
- Cyrus IMAP/POP server from Carnegie Mellon. Previously we were running Cubic Circle's cucipop program which proved to be a great package, but the code is so nutty that any attempts to hack it resulted in great frustration. Cyrus also offered LDAP support, but some hacking was required to get things to fit in with our schema, and to get the authentication just right. It took about 10 minutes to insert the code for DRAC (POP before SMTP authentication). Running on FreeBSD.
- Smunge - a service side package I wrote to let users check 2 POP boxes as if they were one. This also has LDAP and DRAC support out-of-the-box (tm) :) - Builds on Linux, Solaris and FreeBSD.
- Horde IMP we used as a web email client (talking via imap, whereas dial up customers could only use pop) - Running on Solaris.
- For Radius we currently use FreeSide, but we are moving towards Merit. I have written an LDAP authentication module for Merit, and I'm waiting for the OK from my bosses to GPL it. BSD and Solaris.
- LDAP - we like LDAP :) We currently run OpenLDAP on a production server. We have tinkered with Netscape's Directory Server, but you can only configure that through some crappy slow java interface, and that kinda sucks.
As for the question of IMAP vs. POP, I think you really need to look at the practicalities of offering one over the other. I won't go over it all again (I know someone else has posted on the same line) but IMAP is not really the way to go for an ISP/dial-in/remote-user environment. I think perhaps it was even on www.imap.org that I found a quote stating that IMAP was best utilised in a University environment.
I know I'm not really answering your question, but I thought you might be interested to see a path someone has taken.
-
Postfix + mailman
-
Re:Sendmail upgrade?
You're both sorely in need of catching up with the program:
RFC 2246 defines (and has for well over a year now) the protocol, and the latest commercial releases of sendmail implement it.
So does the Sun Internet Mail Server
Finally, Wietse Venema's postfix MTA has a freely-available TLS patch that implements SMTP encryption for those of us who don't want to pay for it.
There's even an RPM available.
Postfix, BTW, which used to be called vmailer, is the IBM Alphaworks free MTA project that was covered here in /. back in the day.
As, indeed, was this entire portion of this thread.
--
-
Mr Smarty Pants Post!
This is a Mr Smarty Pants Geek In A Can post.... this guy obviously saw the phrase mailing list, and said "Wow, i know what that is, im going to post a reply that has nothing to do with the original question, but include a lot of links to vaguely related, but entirely useless sites within the scope of the question -- And get moderated up on it!!!"
-
Who cares?
-
Sendmail Sucks
IMHO, sendmail is not the best mail server in the world. Sure, it's the most powerful and the most scalable, and it is probably the best solution for servers with 10,000+ users, but it's a bear to configure. Sometimes I stay up late at night wondering whether or not the sendmail people intentionally made it difficult to configure for their own job security.
MHO also says that if you are looking at setting up a mail server, you should check out Postfix by Wietse Venema, or qmail first. I have been using postfix instead of sendmail for quite some time now, and have not had a single problem. Of course, I only have 600-1000 users, so my system is certainly not a true test of its capabilities.
-
Re:Disabling mail forwarding
I really like Postfix a lot.
-
Re:How not to get or see spam.
"Sendmail - You can't tell me you're not running Sendmail. Sendmail has mountains of anti-spam measures. Take a few hours to figure out the Sendmail config file. You'll be glad you did. Spammers can't even connect to your system now!"
A few hours? Have you seen the line noise piped to a file that is sendmail.cf?
Do yourself a favour, and get Postfix -- a replacement for Sendmail. The Postfix MTA is more secure (ie: anything that talks on a TCP port is not privileged, all the subdaemons can be chrooted), not spammer friendly (it's almost impossible to configure as an open relay, and has good support for pop before SMTP and other authentication bits), can use DUL, RBL, RSS, and ORBS out of the box, and the config file is plain-jane-text, with simple "name = value" pairings.
Not to mention PCRE and regexp support for filtering various mails, the ability to use dbm, MySQL, PostgreSQL, and other backends (like LDAP) for aliases, virtual mappings, etc. And, best of all, it's more RFC compliant than Sendmail (and smaller and faster ;-).
---
-
Re:Another story . . .
I developed and released under an open source license a complete replacement for sendmail called Postfix.
It is more secure and far easier to configure than sendmail, and is fully open source, unlike some of the products now coming out of sendmail.com.
-
Sendmail ???
Why sendmail ?
If RedHat wants to do some good, then put engineers into helping Wietse with his Postfix client.
Want to know why ?? Here are some slides to convince you. French only, sorry, but I think you should be able to understand most of it.
--
Why pay for drugs when you can get Linux for free ?
-
Re:Why Sendmail?
Lots of people use Sendmail. It's the default MTA for most *nixes. Personally, I prefer postfix:
www.postfix.org
It's mostly sendmail compatible, faster than most other MTAs, easy to configure, designed to be secure, and doesn't have the interaction problems that qmail sometimes does with other software. Sendmail is still the most flexible MTA on the planet, and for some people running legacy system gateways, there isn't a good alternative.
It's also easy for vendors to add sendmail (or postfix) to their OS distributions, qmail's license isn't favorable to 3rd parties.
Sendmail is the best "lowest common denominator" MTA. Postfix's sendmail compatibility program attempts to provide the base functionality necessary for _most_ external programs to work. Qmail doesn't even pretend to try to be sendmail compatible. Some people think that's an advantage, others don't. Because sendmail is monolithic, it can do things easily that modular mailers like qmail and postfix can't.
Paul
-
Want Sendmail - use PostFix
Why not use the much better 100% sendmail compatible program PostFix. It has better performance, easier (much easier) configuration and is easy to install? At least all of you sendmail users out there should give it a try.
For the record - I have nothing to do with the PostFix project, I'm just impressed since it's a much better program.
-
Re:QMAIL blah blah
Have you tried postfix? It's another good alternative to sendmail. Personally, I think qmail is pretty easy to install.
The thing about sendmail is that it comes with every single distribution of any kind of UNIX that I know of - I hardly ever have to actually compile it. And yes, it does work straight out of the box, but that's no surprise; you generally have to tweak the configs depending on exactly how you want sendmail to act.
--
-
Qmail & FreeBSD
It sounds like Qmail & FreeBSD running on a high-spec PC would be a pretty good solution to your problem, as has been suggested elsewhere already. Some benefits:
- Qmail's maildir format means that the machine wouldn't bog down as soon as the users started getting large mailboxes - each mail is stored individually, and the pop daemon doesn't have to read through huge files to find out how many messages are there
- The fact that users' maildirs are stored in their home directory also means you can spread them across filesystems easily.
- the configuration and management of qmail scales a lot easier than sendmail's - much more sensible config files / config file names, separate config files for different things
- global aliases are stored as separate files (although you can use a hack to use the /etc/aliases format if you like) so managing aliases is easier
- Qmail is more secure ( http://web.infoave.net/~dsill/qmail-challenge.html )
I say FreeBSD because I know that its reputation of stability and fast networking are true from experience, but I guess Linux or another open source operating system (OS OS, heh) would do the job fine. I've seen a system at a commercial ISP running with about 15K users on FreeBSD & Qmail, which is why I'm recommending it. They switched from sendmail when it started becoming too slow because of massive mailboxes; every time a user with a 50Mb mailbox logged on the mail server would chug until it had gone through the whole file. If someone gets sent one 50Mb attachment, that means that the pop3d has gone through 50Mb of data to say "1 New Message" - it's not an issue with the maildir format.
I guess you could achieve the same effect with a clustering solution, but I think that's probably unnecessary.
You might also want to check out postfix.
URLS:
- http://www.qmail.org/ - Qmail
- http://www.postfix.org/ - Postfix (by Wietse Venema)
- http://www.freebsd.org/
--
-
not sure but what about Postfix
haven't met anyone yet who's used this to any capacity http://www.postfix.org
-
PostFix
-
And...
I doubt any systems have been exploited through this hole in IIS. There are exploit after exploit for various versions of sendmail throughout the years. What is even funnier are the sites which run the new sendmail binaries with the OLD config file!
My ISP here switched over to qmail based system for all email. Sendmail just isn't able to run with thousands of e-mail boxes. They still use sendmail for queueing, but that's probably a mistake...
Oh, as far as 8.8.5+... watch out for the DoS's against 8.9.2 (probably 8.9.x). Search www.rootshell.com for 'sendmail' and see what comes up. Better yet, search altavista or google for 'leshka'.
Postfix is supposedly pretty good too.
-
No, it's not FUD.
It's a genuine problem. Here's a copy of my response to the author:-
A point that your article doesn't mention is that this attack is nearly as expensive to the attacker as it is to the victim, because of the shared-text architecture of modern versions of Unix. Furthermore, this attack can be made impossible by a three line change to these kinds of servers. The code would change from something like this:-
/* get the request */
nbytes = read(STDIN_FILENO, buf, sizeof(buf));
/* normal processing... */
to something like this:-
/* get the request (wait no longer than 60 seconds) */
alarm(60);
nbytes = read(STDIN_FILENO, buf, sizeof(buf));
if (nbytes == -1 && errno == EINTR)
{
    exit(1); /* client was too slow! Prevent D.O.S. attack. */
}
else
{
    alarm(0); /* turn off the alarm clock */
}
/* normal processing continues here. */
The real problem is that this change must be performed in every single server. Not only that, but there are many points at which the server will wait for further input from the client. The server is vulnerable to this problem at all these points. Many servers, for example Postfix and Sendmail, already have this problem solved. A second problem is that this is not an issue just for Unix, but for all operating systems which support Internet connectivity. This includes Windows 95 and Windows NT (alias Windows 2000). -- James Youngman.
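The read timeout sketched in the comment above, written out as an added C example that is not part of the original post. With the default SIGALRM disposition the alarm would terminate the process outright, so this version installs a handler without SA_RESTART to make read() return EINTR as the snippet expects; the names read_with_timeout, READ_TIMED_OUT and the two demo functions are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define READ_TIMED_OUT (-2)   /* hypothetical return code for this example */

static volatile sig_atomic_t alarm_fired;

/* The handler only records the timeout; its real job is to exist, so that
 * SIGALRM interrupts read() instead of terminating the process. */
static void on_alarm(int sig) { (void)sig; alarm_fired = 1; }

/* Read one request from fd, waiting at most `seconds`.
 * Returns bytes read (0 on EOF), -1 on error, READ_TIMED_OUT on timeout. */
ssize_t read_with_timeout(int fd, void *buf, size_t len, unsigned seconds)
{
    struct sigaction sa, old;
    ssize_t n;
    int saved_errno;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;              /* no SA_RESTART: read() must return EINTR */
    if (sigaction(SIGALRM, &sa, &old) == -1)
        return -1;

    alarm_fired = 0;
    alarm(seconds);
    do {                          /* retry EINTR caused by unrelated signals */
        n = read(fd, buf, len);
    } while (n == -1 && errno == EINTR && !alarm_fired);
    saved_errno = errno;

    alarm(0);                     /* turn off the alarm clock */
    sigaction(SIGALRM, &old, NULL);

    if (n == -1 && saved_errno == EINTR && alarm_fired)
        return READ_TIMED_OUT;    /* client was too slow */
    errno = saved_errno;
    return n;
}

/* Constructed case: a client that connects and never sends anything. */
ssize_t demo_silent_client(void)
{
    int fds[2];
    char buf[512];
    ssize_t n;

    if (pipe(fds) == -1)
        return -1;
    /* The write end stays open, so read() blocks rather than seeing EOF. */
    n = read_with_timeout(fds[0], buf, sizeof buf, 1);
    close(fds[0]);
    close(fds[1]);
    return n;
}

/* Constructed case: a client that sends its request straight away. */
ssize_t demo_prompt_client(void)
{
    int fds[2];
    char buf[512];
    ssize_t n = -1;

    if (pipe(fds) == -1)
        return -1;
    if (write(fds[1], "HELO example\r\n", 14) == 14)
        n = read_with_timeout(fds[0], buf, sizeof buf, 1);
    close(fds[0]);
    close(fds[1]);
    return n;
}

int main(void)
{
    printf("silent client: %zd\n", demo_silent_client());
    printf("prompt client: %zd\n", demo_prompt_client());
    return 0;
}
```

A server would call this at every point where it waits for client input and drop the connection on READ_TIMED_OUT. A poll() or select() timeout gives the same bound without signals.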
-
Do you want 150k unix users or mail users?
On many of the modern Unix variants, /etc/passwd is only a textual representation of a database file which holds the real user information. The getpw*(3) routines use this database file to access passwd data. This makes things way faster than they used to be, for example, on SunOS4, where ls(1) was written so stupidly that it scanned the (sequential) passwd file for every single uid lookup it needed to make. Type "ls -l /home" on a SunOS system with like a thousand registered users, sit back and relax.
Speaking of today: FreeBSD, for example, uses a Berkeley DB database to store passwd information. In fact, it uses two databases, one with and one without passwords, for "security". This speeds up lookups quite a lot, but beware: The DB files are still generated from text files, so adding users with huge user databases is a lengthy process.
The question is whether you actually want to create that many Unix user accounts. For mail servers, you can often get away better with creating mail accounts only. This requires some hackery with your friendly MTA (postfix or qmail), but it is quite doable and also has positive security side-effects.
Look into Cyrus imapd if you need a message store implementation which is able to handle mailboxes for users who don't have a unix login. Beware, Cyrus comes with a ugly^H^H^H^Hpretty tcl-based administration interface which you can replace by a bunch of home-grown perl scripts to automate administration. Cyrus makes it fairly easy to integrate your own authentication mechanisms through a separate process, although the performance of such a mechanism would have to be determined.
In a nutshell: Unix in itself is not prepared to handle very large user populations. If you need to serve a lot of users with shell accounts, look into NIS+ or Kerberos and distribute the load onto a bunch of machines served by central (and well-hardened) user-database-servers. If you need to support only mail, you might be well off with one fast machine and a special purpose mailer configuration.