Domain: qmail.org
Stories and comments across the archive that link to qmail.org.
Comments · 171
-
Other choice than Trustic - SPAMCOP
I have been using SPAMCop for the past 5 months at my work. I am also using QMAIL as my mail server and it took me about 10 minutes to get it hooked into the Spam Cop Database. The best part is it is free and it blocks about 80% of SPAM that gets delivered - I will just have to live with the other 20%. Has anyone heard of other Spam IP Databases that are available for public use?
-
Support cost of Mail clients
MS-Exchange's weak points are cost of maintenance (from both client and server) and poor interoperability with external mail.
Regarding cost, a colleague outsourced her county's mail server to the regional telco altogether thus decreasing costs, increasing availability/reliability, and drastically decreasing client-side maintenance/support. Her previous situation was the MS-Outlook + MS-Exchange problem you describe. Those were side benefits, the main reason to drop MS-Exchange was to get acceptable uptime and reduce the number of lost messages. The upfront costs of the outsourcing went from 7 to 3.5 per user per month. I've seen analyses showing $2 USD per user per month for FOSS solutions when serving 5000+ users, so 3.5 has to include a nice profit.
The client side benefited, too. Since end users were no longer locked into MS-Outlook, the support time for clients went down from several hours per week to less than an hour. That and outgoing/incoming external mail stopped disappearing.
Using Postfix, Exim or qmail seems to be best practice. In addition, these can be run on any platform, whereas MS-Exchange has the added drawback of being locked into a single platform.
From my observations at 4 sites, pretty much any MTA is worlds more stable and reliable than MS-Exchange. My previous employer tried to put the whole institution on MS-Exchange which was a nightmare. Among the main problems, I found that 15% of the incoming mails (to a legitimate address) during a two week test either just disappeared or bounced with a 'user does not exist'
Lost mail == delayed projects or lost bids.
I have not found a mail system as stable as Outlook with an Exchange server.
That's an interesting way to phrase it, misleading yet technically correct. Perhaps a quote from the sales team? Based on what I've seen for the last 3 years, I would put a different emphasis:
I have not found a mail system as unsecure, unstable and incompatible with external users as Outlook with an Exchange server.
Yes there are ideological reasons to go with alternatives like MS-Outlook and co, but no technical or economic ones. When performance and cost matter, it's the traditional, mainstream choices like Sendmail, Postfix, Exim, and qmail that are relevant and can run on any platform.
-
Email virus scanning?
Scanning email for specific viruses is overkill. This solution stops more viruses (read: all of them) with far fewer system resources:
http://qmail.org/qmail-smtpd-viruscan-1.0.patch -
Re:Why would I want to use exim?
Or qmail, which kicks both their asses.
Says me, who runs it on a crappy amd 5x86 (sub P75) alongside djbdns, and gets more performance than his adsl can provide, and who hasn't tried anything else. -
Re:Sendmail....
...my only experience with qmail or postfix was reading the documentation to see how hard it would be to convert my sendmail setup...
I don't see anything unusual in your list. Do you think there aren't qmail users who have widely varied and specialised needs? I'm not going to pretend that you won't have to do any reading and learning in order to migrate to qmail, but that's very different than claiming that only sendmail has the features you need. Unfortunately, I am unable to give you step-by-step instructions, but given that you're intelligent enough to understand how to configure sendmail, you shouldn't have any problem starting with the qmail home page and proceeding from there. Also good is life with qmail.
-
Dear IT Workers
Please stop using Sendmail. I'm tired of my favorite IRC networks being DDOSed by machines whose administrators were too incompetent to use a real MTA.
Thank you,
--The rest of the fucking Internet -
Re:Sendmail....
Qmail is small, fast, easy and secure.
-
I'll just go grab
Qmail. Thanks anyway.
-
Sendmail?
Not to troll, but why is anyone using Sendmail when it's a well-documented block of swiss cheese as far as security is concerned? As far as I know, Qmail hasn't been cracked yet.
-
Qmail
Qmail Nuff Said! Resistance is futile!
-
Re:why do people still use sendmail?
but seriously, why?
Maybe because I don't want to have to screw around with a bazillion patches to get it to work the way I want.
I looked at qmail once. Sendmail is still better. -
Re:why do people still use sendmail?
Have you ever tried to run 2 instances of qmail on one machine for example?
I believe I speak for the entire oxygen-breathing population of the planet earth when I say "huh?"
First of all, there's actually nothing stopping you from doing this: just compile and install qmail twice, with a different value in "conf-home" each time. Et voilà, two distinct qmail installs on the same machine. Then just create a tcpserver instance for each qmail-smtpd, bound to the proper interface.
But second, this is almost certainly the wrong way to solve whatever problem it is you think you're having. Read qmail's documentation for the smtproutes control file: dollars to doughnuts says the functionality you need is in there.
Qmail is anything but rigid, and making it jump through hoops backwards and forwards is usually just a matter of reading the f-ing manual.
What are you trying to do here anyway? -
why do people still use sendmail?
this isn't meant as a flame or troll, but seriously, why? the first thing i do when i install a new system is to wipe sendmail off (or not install it if the option is there) and install qmail, which has much better security record than sendmail
some things i'll just never understand i guess -
Cross Upgrade to QMail
While you're at it check out Qmail it's a lot more modular than sendmail and is much more secure.
-
Re:Simple Solution for ISPs
My ISP does block outbound port 25. The problem is that they still end up in the RBL Lists all the time as a multi-hop spam relay. All blocking outbound port 25 does is prevent people like me from running a legit amateur mail server.
At least my ISP doesn't block inbound port 25 too, like some others do!
-Ben
PS: I can still set a static SMTP route, but things such as mail bouncing, etc don't work properly in this situation. -
Re:Qmail!
An SMTP server doesn't speak LDAP? Why should it? You can add LDAP functionality from one of the patches on qmail.org or through the QMail-LDAP project.
-
Re:What is with all the sendmail bashing?
You're right ---- sendmail can be very powerful and is not for newbies.
The reason people complain about sendmail so vehemently is that standard distros seem to think it's funny to provide sendmail as the default. I know this is true for redhat and I suspect it follows for others(?). I doubt there would be as much frustration if a more admin-friendly package was offered as the default.
For newbies, sendmail is a beast far too complex to bother with configuring. There are no decent GUI front-ends and the config files require compilation and are basically a complete mess.
Changing the setup is hard enough - I dread to consider the possibility that someone might have to tune it. The topic certainly warrants a thick textbook.
Personally, I agree with others here when it comes to your typical desktop linux setup:
destroy sendmail and install Postfix or QMail. -
How to improve Sendmail performance.
Use something else, ...like qmail or something.
Ok, that could be considered a troll, but having worked with both, I really prefer qmail. It's smaller and I feel that it's more robust than Sendmail. The fact that Sendmail is monolithic (one program does it all) whereas qmail is modular makes it more secure too. A buffer overflow in one will not compromise the other modules. But no one has found a hack for qmail as yet.
Just my 2 cents.
-
Re:Escape
Find a vulnerability and you're not even allowed to release a fixed version!
That's assuming you ever find one. qmail's withstood the security guarantee since 1998. djb tends to write fairly good software... Besides, people are allowed to release unofficial patches to djb projects and quite a community has grown up around additional features. See qmail.org and tinydns.org.
There hasn't been a djbdns release since 12-Feb-2001 [freshmeat.net] and the project is bound to go stale sooner or later if djb does not renew his interest.
Oh come on. If something works well and implements the standards, why should you bother to add more gimmicks? "If it ain't broke, don't fix it."
-
Re:Qmail
Howdy, Russ. You've been a very helpful person on the qmail lists and in the qmail community and I appreciate that. I'm going to try to take your apparent excess of attitude in that context.
You do not need a license to use qmail. Period. End of sentence. And your problem with this is?
My problem is that whatever you call it, Dan Bernstein has been careful to keep legal control of qmail in a way that prevents others from forking. I was very excited when it came out; qmail had a fresh approach that showed a lot of promise. And there it stopped. I decided not to.
Clue: qmail is at version 1.03. qmail has never had a security flaw. Now, if Dan was to change qmail in any way, do you think that would 1) increase qmail's security, 2) decrease qmail's security, or 3) have no effect on qmail's security?
If security were my only concern, I'd just unplug everything from the net and be done with it. Alas, I have other concerns, which I balance with security.
But let me ask you a related question: If people other than DJB are patching qmail to get features they want, do you think that would 1) increase qmail's security, 2) decrease qmail's security, or 3) have no effect on qmail's security versus funneling all the changes through an expert coder who knows the system better than anybody?
Configuration files are easy to read. cat /var/qmail/control/me. Works for me.
That's swell! You should probably use qmail, then. I find Postfix much more easily managed. Many other people do, too.
That, of course, doesn't mean that qmail should change a whit. I gather that DJB has consciously decided that qmail won't be all things to everyone. In which case, you guys should presumably be happy that other packages address other audiences, yes?
What features do you need that qmail does not have?
Honestly, will it do any good to say? If you really don't know of any feature differences between the two and would like to add some things to a qmail 2.0, I'm glad to make suggestions.
But what I suspect will happen is that you will tell me that I can get everything I want with add-on programs A, B, C, D, and E, along with patches X, Y, and Z, plus some jiggery-pokery with various dot files and magically named files. That's been my experience with qmail, and others can verify that by looking at the qmail home page for spam prevention, high-volume servers, and other add-ons.
Then I'll tell you that I'd rather just download the postfix RPM, set a few lines in a config file, and go. At which point I'll receive some more attitude for not being sufficiently smart, elite, tough, or whatever quality it is that makes people willing to deal with a mail server on its terms rather than their own.
But if you're really looking for help understanding the difference between the two mailers, drop by the postfix mailing lists. There are a number of former qmail users there, and I'm sure you can collect a wealth of feature suggestions there. -
Re:Qmail
I would have to agree with this.
ezmlm has the advantage of tight integration with QMail, and extremely impressive speed. One suggestion I have with it, though, is to make sure you include the ezmlm-idx patch. This adds a few very important features, and greatly enhances ezmlm's usability.
I've run a couple of very large mailing lists with it and even under heavy traffic, it held up like a champ.
ezmlm supports a couple of different database backends for storage, although even without them it works remarkably well. I don't remember the name of it, as I don't really use it, but there is a web based mailing list management program available, as well.
And before anyone complains about the license of QMail/ezmlm, yes, that sucks. The license is a royal pain in the butt, as it doesn't allow direct distribution of modifications, only patches. It still works though, and works really well. -
Yes, qmail
I can only second that. qmail runs like a charm and scales.
Check out cr.yp.to/qmail.html and www.qmail.org -
Stop using mbox and switch to Maildir
You won't get good performance with mbox, period. You need to switch to Maildir. qmail-pop3d works great with Maildir. Maildir scales far better than mbox since it doesn't have to parse out the individual messages. It also doesn't have to use locking. This also makes Maildir inherently more reliable than mbox. There are many tools available to convert between mbox and Maildir.
-
Re:excuse me?
Now, to the other purpose of my message - you mention awk/sed scripts to run across a mail spool, do you happen to know of any that would run across a spool and remove messages by age? I maintain several (RFC822) spools for use in my IMAP clients at all my various locations, mostly mailing lists, digests, etc. and have searched Google in vain for a script that will parse out old messages. The only other viable solution I've found is to simply bulk-archive the entire spool at xxx interval, which is, to say the least, an imperfect solution. I'd write it myself, but I'm not quite comfortable enough with sed/awk to prune entire messages, and I'd likely wind up going through a hundred test spools before I got it right.
:) Any pointers would be greatly appreciated.
Do yourself a favor and stop using mbox format. It sucks. You should be using maildir. With maildir, every message is a separate file. This means no locking, no corruption, no crazy message scanning, etc. Want to delete every message over 180 days old? Easy:
find /home/user/Maildir/ -atime +180 -exec rm -f {} \;
There are scripts to convert mbox to maildir and vice versa. -
Sendmail is now worthless, instead
try qmail instead. Qmail is much faster and never had the bug problems that Sendmail has. I've switched from Sendmail 3yrs ago and have never even given the slightest thought to even thinking about turning back.
You can configure Sendmail fairly easy -- that is until you have to do something even remotely complex. Then you have to buy a book and be an expert in regular expressions and a PhD in Metaphysics. -
And if you want to run qmail, which you should...
-
Re:Spent 4 hours looking into this yesterday.
My company has been running/deploying/migrating several installations of Qmail+Courier-IMAP+IMP into Windows client/server networks for two years with much success. Our clients are pleased not only with the savings of money and licensing, but with the functionality and performance.
Recently we've found Twiggi as a Groupware solution for Linux. It provides webbased mail, contacts, scheduling, notes, todo and integrates with HylaFAX for faxing.
So far our clients love it.
Question?
Has anyone experienced MS Outlook and Outlook Express in a IMAP setup, duplicate mail if you change your hostname/IP of your IMAP server?
ie, Setup an IMAP account for mail.somedomain.fake and then later on change the hostname or give it an IP that points to the same mail server and have Outlook duplicate all your mail.
It's really frustrating to find Outlook setups pointing directly to the IP and then need to change it to use a hostname for say, SSL certificate reasons and then have users' mail duplicate.
-
QMail is much better.
And if you actually try to see what's available (qmail) you can find anything you're looking for.
I love qmail + courier + horde + imp + ... -
Not to start a us vs. them
But consider Qmail. It's more secure than sendmail. Much easier to configure. And does all the things you requested. Here is the link for the Anti-Virus support. Check out the RAV product as it can scan both emails and your drives...aka samba shares. Although it is a product you have to pay for... I consider anti-virus one of those things that is worth paying for to make sure you're up to date.
-
Re:What would happen if everyone ran it?
Also, how would you like to, every other time you sent an email, have to handle a braindead acknowledgement.
Only if you never send mail to the same person twice. Once you're on someone's whitelist you don't see another acknowledgement request.
I use a similar setup (custom-written) and it does a wonderful job of cutting down on spam. I have yet to get a reply from someone who found it a significant inconvenience -- on the contrary, the most frequent comment I get about it is, "Wow, how can I do the same thing with *my* mail? I get way too much spam!"
To answer your question, mailing lists that I know I'm on get to bypass the acknowledgement filter, but their mail still gets run through other filters (Vipul's Razor, etc.) which catch most of the spam people send to them. Using qmail, I can also give people a unique private address that bypasses some or all of my filters but that I can shut off completely without affecting anyone else.
So in practice, just one more tool in the toolkit, but it catches a good 74 out of the ~75 spam messages I get each day, and as far as I can tell has yet to cost me a single legit message.
-
Microsoft is a bug up the software industry's ass!
could we please stop this needless bashing of MS
MS should be bashed...it's like the diner that tries to sell rancid water and stale bread for $100(us). They use whatever means necessary to beat down their competition, so almost all of the other diners (or food producers) have gone out of business or are struggling. You can get better food from homeless shelters for free.
If you want to make a better comparison of MS vs open source then take 80-90% of _all_ open source programs and compare the number of flaws to MS' flaws.
Probably 80-90% of all open source programs are made by one or more of: script kiddies, teenagers playing around, hobbyists, power users, people that bought "Learn to Program C in 21 Days" who now think they are "experts", and the people who can't program so they start a project on SourceForge with a basic description and hope someone bites. None of these people should be expected to create a decent, bug-free program. For you to even think MS needs to be compared with them shows how backwards your position is.
Anyone and their cat can start an open source project in their garage. It doesn't mean anyone will use these programs, and it is absurd to compare those projects with a funded company that has paid professional programmers. However, from what I've seen, Microsoft would barely scratch by with even this test. If compared with the commonly used (and made by real programmers) Open Source projects, Microsoft wouldn't even have a chance.
Take a simple program like "BitchX," an IRC client.
I've used it before. Not to dis the guy who made it (BitchX isn't too bad an effort), but it does seem a bit script kiddie-like. In fact only a script kiddie would choose such a name.
;-) In fact read their page: "BitchX was started by Trench and HappyCrappy as a script for the ircII client."
It has had countless security issues, and IRC has been around since '89 or so.
Why don't you compare BitchX with Microsoft's IRC client--assuming they still have one. All I remember about it was almost no features and stupid cartoons. BitchX has lots of features. Not that I'm saying they should be compared, BitchX is made by script kiddies after all--in fact they seem to want to be known as script kiddies--just look at their page!
We like to conveniently forget about sendmail and bind
What kind of dumbfuck would use sendmail or bind on their servers??? There are plenty of alternatives to those programs...
there is no equal or objective comparison between MS and "Linux" (or whatever you want to define as the yardstick of security.. which is typically "Linux" on /.) in terms of security.
There is no equal or objective comparison between the two because MS doesn't care about security or bugs! Whatever Linus would call a "Brown Paper Bag Bug", Bill calls a "feature".
...and I don't think most slashdot readers define Linux as a "yardstick of security". That would be something more like OpenBSD, who kick the hell out of Microsoft in terms of paranoia and therefore security. Numbers from bug reports aren't a good comparison between them either--the OpenBSD people seem to raise hell when they find the tiniest potential exploit, while Microsoft won't even acknowledge the most horrid of bugs/exploits and will only release a patch if they are embarrassed into it. -
Re:Now, from the people who brought you Sendmail
Open source would have a much better security record if Sendmail were killed off.
Agreed. So, you're going to start running Qmail right away then? I am. -
Qmail
Use the Qmail native format, 1 file per message. Let the filesystem do its job. Qmail is a great alternative MTA to Sendmail, fast, secure (no exploits so far IIRC) and easy to configure. Qmail
-
Mail2DB
Storing mail in a Postgres DB is actually at Mail2DB
You can find it by searching the Qmail Site
-
Run your smtp server
Qmail is great for unixes.
Argosoft is an awesome win32 one.
If they are blocking port 25 outbound, you can do what I used to do when the fuckers at earthlink did that. I setup a qmail/proxy machine at work running on port 5000 something and sent all my mail through that, hell if they are to the point of scanning the packets themselves you could always tunnel in as well. The problem is that the majority of people out there are screwed by this and do not have enough knowledge to take recourse against it.
-
Re:QMail? Qualcomm?
Yep, that's true. There's even a small prize to win if you crack qmail (very improbable...)
Check it all here. -
Re:Outlook + Exchange is the killer app, not Visio
The alternative is Qmail. Notorious for its good security record and the fact that ms hotmail used to use it, tho i'm not sure if they still do. It also happens to be fairly performant, i have never had a qmail box fall over due to the load of incoming mail floods.
-
Re:What about security???
I always thought NFS meant "No File Security"
DJB calls it Network Failure System.
-
Re:maybe if we stop answering it...
Absolutely, these HTML mails are dangerous with their 1x1 gifs with a custom URL so "they" know you've read the message.
For the past few months, I've used procmail to bounce HTML mail. I had it call a shell script whenever "Content-Type: text/html" appeared in incoming mail; it would generate a message to the sender from MAILER-DAEMON@mydomain. It still does that, but I've set things up now so that HTML only gets filtered. If the content type for the message is multipart/alternative, HTML chunks get blackholed while other stuff is let through.
I check the source and add the urls to junkbuster's list. If the filters don't get the mail, then the images still don't get requested.
If anyone's interested, I have the scripts up on my website. filter-html is an awk script that strips HTML out of a message. You can use it by itself as a filter for procmail. If you want to send a warning to lamers who send you HTML mail, you'll also want to get filter-html-mail, a shell script called by procmail to feed the message to filter-html and generate the warning message (note that it also assumes that you use qmail as your MTA).
-
Qmail is a good replacement for sendmail
For what it's worth.
Check it!
-
Qmail + ezmlm
What I personally use is the qmail + ezmlm combo; this has quite a few benefits over sendmail + xxx.
One point is that Qmail's author issued a cash reward for the first person to find a security hole in qmail. That was in March 1997 and it still has not been claimed.
Compare this to sendmail, where there's a security hole fix in EVERY release.
Qmail is also AWESOME at handling high amounts of email sanely, is absolutely simple to configure, has a large and very supportive user base, and again, it was designed with security in mind.
Apart from that, ezmlm is EASY to configure, and if you get the "qmailadmin" program, you also have an easy web-based configuration interface, if you prefer that. (though, I myself prefer the commandline tools.)
The one thing you'll have to get used to is the 'Maildir' format, which applies to anyone using a shell on the qmail server to check / receive email; mutt has built-in maildir support, and there's a patch available for pine.
qmail's home location is http://cr.yp.to/qmail.html and its supporting community is at http://www.qmail.org
-
Re:DJBDNS doesn't obey many RFC's, not OSS either
There is no license along with his programs, and absent a license you have NO RIGHT to share, study, or change Bernstein's code!
That's absurd on the face of it. Look at all the patches on the qmail website.
-
Re:I think this is the wrong process
I do not think a lot of the developers are going to take the time to answer a RFP in the depth that most software vendors or VARS would.
If someone wants to pay me to solve a problem of theirs - for which the solution involves providing the customer a computer program - it matters not how I solve the problem, whether it's because I write a software package, I buy a software package (perhaps by purchasing a CD of a distribution in a store) or I download a package off the Internet. The only question to be answered is: Did I scratch their itch, e.g. did I solve their problem? If someone isn't even able enough to know this they're not likely to go into consulting and thus wouldn't be bidding on contracts anyway.
Open source people are not going to be paid for a "sale" whereas the normal software vendors are competing for some money if they can make a sale.
A very famous scientist was once hired to determine where to drill for something, I forget what. He walks out to the site, looks around, for about one minute, then marks an "X" in chalk where to drill, and sure enough, they hit what they are looking for. He sends them a large bill - $15,000 - for his services, and someone in the Accounts Payable department says the bill is too expensive for what he did, and needs to be itemized. So he itemized his charges:
- Making chalk mark, $1.
- Knowing where to put mark, $14,999.
One can sell one's expertise in selecting software as much as one can sell one's expertise in creating it. Or one can sell other things. We sometimes miss this in our industry because it is extremely rare for someone other than the manufacturer of a software product to provide maintenance and support of it. But because a product is open source, a purchaser can find anyone who is capable of doing so to provide maintenance.
In about 50 miles I need to change the oil again in my 1998 Dodge Intrepid because it's been another 3,000 miles. I can do the work myself and perhaps save money, I can pay a third-party perhaps $12 to do it, or I can pay a little more, take it to a dealer of the car to do it. It's a commodity operation and I can get anyone I feel qualified to perform it.
With non-open-source you only have the last option when you need something done (if they even will do it; consider calling up Microsoft and asking for a customized change to Outlook. Better be prepared to either be a huge customer, pay a huge fee, or suck air). With open-source you can get your hands as dirty as you want or you can pay someone else if you don't feel competent (or your organization doesn't have the direct ability) to make the changes. You have choices.
An RFP has some type of reward (sale) possible to the winner for them to spend time on responding to it.
If someone submits a proposal for the providing of a computer system that fits certain qualifications, and I bid on the contract, and provide them with a system which I went down to a computer store and bought, which fits their requirements, I have fulfilled the terms of the contract and can be paid for it - including whatever I charge for the work I did - even if all the "work" I did was to go to the store and buy it.
A RFP is a request for proposal - A proposal for what? A proposal is a first step toward a contract. A contract with who? Who will get paid? I do not think a RFP process will get you very far.
I would respectfully disagree. One can say they want a solution to do something, and someone can say they will offer a solution and the customer pays upon acceptance. Whether the solution is to simply find the software and install it, or the solution is to write the software is irrelevant. The only question is whether the customer will pay for what is being done. Perhaps the party who fills the RFP will also be responsible for providing maintenance and upgrades as the customer requests them. There are so many ways you can slice and dice a support contract that whole books have been written about it.
For an open source product the cost of the software will be zero.
So? Just because the 'cost' of the bits are zero doesn't mean that there isn't money to be made supplying it.
What is the cost of water these days? I can get it for free from a water fountain, perhaps pay almost nothing for a quart of water out of the tap, perhaps pay $20 for a filter every couple of months if I don't like the taste of tap water, or perhaps pay anywhere from 50c to $3 for a bottle of it in a store. That does not ignore the fact that the original price of the water was probably in the neighborhood of 1/10 of 1c per gallon from a public utility or a municipal water district. For all intents and purposes the original price of the water might as well be considered 'free' yet that doesn't stop companies from making money 'selling' water that cost them next to nothing to obtain.
Perhaps the customer pays for having the supplier provide and deliver 20,000 CDs of the software to sites so everyone has a copy instead of clogging network usage downloading it from servers. Or pays for a customized installer where the original product didn't have one or it's too complicated. Or pays for special services to go with it, like paying not only for the software but having someone write documentation. Or train people in how to use it. Or train their technical staff in how to support it. Or doing the support themselves. Or that the customer pays the supplier for finding the precise package that best fits their needs because the supplier knows what products are better for their particular circumstances.
Support and maintenance I guess would be in-house.
Maybe, maybe not. It's possible that the particular software might be purchased as a package deal in which the supplier also does contract maintenance on it because perhaps their inhouse staff is too busy, or doesn't have the expertise in handling it.
Let's say the Sixth National Bank wants to stop paying for Microsoft Exchange as their mail server and client licenses for Microsoft Outlook. I offer to provide them with an equivalent functionality using a Linux box running QMail (let's say that they want a highly reliable e-mail system so that eliminates use of Sendmail) and include for the client end some Windows port of an open-source client or group of clients that originally ran on KDE or GNOME, for less money than it would cost to have one person at the bank to maintain it because the maintenance I can offer on an as-needed basis to several companies.
The bank has people who could do the work inhouse but they are better suited handling the stuff that is the bank's core expertise (handling checking accounts and the billing of outrageous fees on those checking accounts), and the bank can pay me to provide them with updates and added functionality without having to have people doing work that isn't part of their core competency, BUT with the additional advantage that since the product is open source if I decide to quit, they can find someone else to do it or they could do it themselves if they choose to do so.
What's left then is comparison of different capabilities. This becomes a request for comments now (RFC).
Not necessarily, given what I have stated above. Remember, the customer is buying a solution to a problem where the solution includes computer software. The Software is not what the customer is 'buying'; what the customer is buying is the solution to their problem.
A suggestion change here. Maybe send a RFP to consulting firms on helping you with project(s). A selected firm could help in gathering requirements, research products, help in the installation and maintenance
Just because the software is 'free' doesn't mean there isn't money to be made. Remember, in the shape of the whole picture, nobody buys software anyway. They buy a solution to a problem for which the means in this particular case is a software package.
... If you're trying to spend money anyways. :)
Paul Robinson <Postmaster@paul.washington.dc.us>
-
Lots of great GPL products out there, but...
... these companies should look for the right ones. As an example, Sendmail was mentioned. But shouldn't they really be using qmail?
I think it's great that companies embrace OS projects and software, but at the same time, they should be careful in which apps they are running. For example, you'd be better off if you didn't run wuFTP in favor of something more secure such as NcFTP (okay, it's not free or GPL, but still...) or PureFTP.
Does anyone know of a site which can make recommendations for one type of server app over another based on security, specifically to replace those types of server apps that have been shipped with so many distros for way too long? There are so many things that people really shouldn't run anymore, like wuftp, sendmail, inetd, and so on.