Domain: qmail.org
Stories and comments across the archive that link to qmail.org.
Comments · 171
-
Hotmail (True!)
-
Conspiracy theory #2
Microsoft saw that GMail was more secure than their systems, so they hired some Chinese guys to hack it, knowing that it would be in the news, though access to hotmale accounts never makes the news (as it happens too often). Then as NSA used this as an excuse to get access to Google's data on "possible terrorists" all over the world, while they make sure not to let anyone know that they're selling all their data to NSA and others.
EVIL!!!!!
We shall all use Linux, and Linux only (or alternatively Plan 9).
qmail, for those who don't want their data on cloudy 3rd party datacenters.
-
Re:Is it that easy?
Yeah, that's why yahoo uses it and why it's second most popular MTA. http://www.qmail.org/top.html
-
Drop-in replacement for MS Exchange
Can you give examples of good Exchange replacements?
Yes, for that see DVL. Seriously, though you have to define what activities you need to do before you can ask for a replacement. MS Exchange is marketed in many niches and fails (on the surface) in most. The most spectacular is its failure as a mail server replacement, if you look at it as such. If you look at the wonderful cover of plausible deniability it gives executives by randomly losing and delaying mail, then that is a success.
Anyway, try looking at these. Keep in mind that, unlike with M$ products, you can combine pieces of several packages.
- Kolab — http://www.kolab.org/
- Citadel — http://www.citadel.org/
- Dingo Calendar Server — http://andrew.triumf.ca/dingo/
- Darwin CalendarServer — http://trac.calendarserver.org/
- Bedework — http://www.bedework.org/
- Zimbra — http://www.zimbra.com/
- OpenGroupware — http://www.opengroupware.org/
If you are simply looking to improve reliability of e-mail then a plain Mail Transfer Agent (MTA) will do. Before it became too embarrassing for M$, it used to be recommended practice to put one of these in front of MS Exchange to improve reliability and security. Also look up ClamAV, Spamassassin and how to do greylisting.
- simta — http://rsug.itd.umich.edu/software/simta/
- Dovecot — http://www.dovecot.org/
- Postfix — http://www.postfix.org/
- Exim — http://www.exim.org/
- Sendmail — http://www.sendmail.org/
- qmail — http://www.qmail.org/
However, before you can think about "replacing" MS Exchange, you will have to get rid of the staff that selected and deployed it in the first place. They ignored all the licensing shortcomings, the bad reviews, high price and ongoing technical failure to instead push ideology over technology. People making decisions based on ideology are not going to accept any technical or economic arguments...
-
The real cost
They already do. I've done support for W.A. schools that were having problems with their internal Exchange server. They were shocked when we discussed the 'real' price for Exchange. They paid less than $1000 for it including CALs and hardware. MS has some serious sweetheart deals for schools and I bet if it came down to providing even cheaper Windows and Office for schools they will do it.
That's not the real price, though. The real price also includes all the down time, extra re-builds, malware tools, etc. Add to that also the cost of missing incoming messages, missing outgoing messages and delayed messages -- these last add up to more work for the users, which can number in the 100's, rather than just the maintenance staff which can usually be counted on one hand.
Before MS Exchange was hammered through the back door, e-mail was both so fast and reliable that many used it in ways resembling instant messaging.
Worth a look:
Roundcube: http://roundcube.net/
Kolab: http://www.kolab.org/
Citadel: http://www.citadel.org/
Zimbra: http://www.zimbra.com/
If you need a plain vanilla mail transfer agent instead of all the non-essentials, then postfix, exim, qmail, the new sendmail, and simta each have their niche. They're used pretty much everywhere, even if you don't always see the evidence of them outside the message headers.
-
Re:Feh....
Coincidentally, I just installed it yesterday. They're distributing netqmail 1.06, which is qmail 1.03 plus some patches. Check out the web site.
Charles Cazabon, Dave Sill, Henning Brauer, Peter Samuel, and Russell Nelson have put together a netqmail-1.06 distribution of qmail. It is comprised of qmail-1.03 plus the recommended patches and some documentation.
That said, if there are no major bugs and the software is feature complete, I wouldn't really expect many new releases. Releases for the sake of it just increase LOC and bug count.
I've been meaning to play with djbdns. I think qmail is orders of magnitude easier to deal with than sendmail. (Seriously -- WTF is up with sendmail.cf? Just run it through PGP and have the user edit the results. It won't be much different.) If DJBDNS lives up to the expectation I have from qmail, I'm sure it's worth the effort. -
If by 'we' you mean 'Microsoft'
then I would be inclined to agree with Mr. Ranum's points. But the fact is that there are lots of people out there working on Real Security. Let's see, there's OpenBSD's work to integrate cryptography as a system service, there's Niels Provos' work on systrace, there's GCC's ProPolice stack-smashing protection, there's OpenBSD's write XOR execute protection (which, BTW, Windows now has to some small extent), there are phishing mitigation features in Firefox, there are Free implementations of good authentication systems (e.g., MIT Kerberos, Heimdal), lots of programs now ship with sane defaults (ala Postfix and qmail), there are safe-string libraries of all license stripes, and on and on and on! The fact that Microsoft apparently does not use their own safe-string implementation is indicative of the problem here. Microsoft writes crap. If you want systems where security is a real concern, it's easy to find it. That's not to say that those systems are "secure"-- security is always a work in progress-- but to say that "our responses to those problems also remain the same" is disingenuous. Projects like OpenBSD (among many others mentioned above) have attempted to identify entire classes of problems, and solve them on the big-picture level instead of doing the patch-a-week thing.
-
Re:Politics section
There are modern mail management systems that remove the user from archive functions. One such piece of software is offered by Symantec as part of a package which filters spam/virus/phishing while at the same time auto-archiving all in and out bound messages. There are other free options that the WH could take advantage of. Qmail has now a wonderful plugin ability that would make auto-archive a snap.
We are talking about GW's staff. These folks, dastardly as they are, are not tech-stupid. They have resources at their fingertips that would make any geek green with envy. They knowingly deleted messages and failed to preserve archives. The Presidential Records Act isn't a new piece of legislation, it's been around since 1978.
The technology exists, and the White House can afford it. The question remains, will the White House obey the courts when told "don't break federal laws" or will they continue to break the law as usual. -
Re:security is paramount
> You can debate DJB's personal approach to security, but you cannot fault his priorities.
Concur. Even beyond that, there's still plenty to respect about the software as well, that many folks don't bother thinking about.
True, Dr. Bernstein can be a screaming asshole at times. However, if you RTFA, you'll see that even screaming assholes can learn from their mistakes, and Dr. Bernstein has learned from some of his -- even to the point of acknowledging that he was saved from one of his mistakes only by a lack of bugs.
True, his software operates in a fundamentally different way than most daemons you're used to dealing with. That doesn't make it bad or evil or stupid, merely different. On the other hand, if you can't handle things that are different, you shouldn't try to simultaneously administer Samba and Apache, since they're different from one another as well.
False, his software isn't "undocumented." There are excellent resources available on the net (and at your local bookstore) for the software. The fact that Dr. Bernstein didn't write them doesn't mean they're not useful. When in doubt, consult e.g. thedjbway or qmail.org or LWQ (Dave Sill's excellent howto, which is actively supported on the mailing list) or LWDJBDNS.
True, the people on the mailing lists can seem to be assholes. However, it has been my experience that if I scrupulously adhere to ESR's suggestions on How To Ask Smart Questions, I get much more helpful responses than when I do not. On the occasions when I've needed to go to the mailing list for help, when I failed to be clear and intelligent, I got useless garbage back. When I ask intelligent questions, I get back answers that either tell me what the mistake I made was, or (more often) point me in the right direction so I can solve the problem myself. Sometimes, just writing the question up will reveal the problem to me. If you don't like that, it's not a flaw in the software -- it's a flaw in your thinking.
There are lots of reasons I use djb software, but the most important is this: Once it's set up, I can forget it. In seven years of running qmail, I've once had to seriously jack with it after getting it going, and on that occasion I can't say definitively the flaw was in qmail (but I can say definitively that the trigger was me and my not paying attention to the box). I've never had to update for a security hole for either qmail or djbdns. It is one less thing to have to jack with, and I have plenty of other things that need my attention.
-
Re:I just love qmail
> 1. How do you start / stop your MTA?
/etc/init.d/... or delete a file and recreate it to restart.
http://cr.yp.to/daemontools/svc.html
svc -d /service/qmail - stops
svc -u /service/qmail - starts
svc -t /service/qmail - terminates the service and daemontools restarts it.
> 2. How do you configure software? Config files or adding and removing files from a magic directory?
http://www.qmail.org/qmail-manual-html/man5/qmail-control.html
> 3. How do you kick the mail queue? Buggered if I can remember.
send ALRM to qmail-send process.
kill -s ALRM `pidof qmail-send` -
Re:Qmail and the patchset of doom
Does anybody run an ISP mail system with Qmail featuring predominately as MTA of choice?
At my previous job we used to run qmail for our mailhosting boxes. I can tell you that we were really happy with qmail back then, with the right patches it can be a really flexible mailserver, and once you're used to how it works you'll be in SMTP bliss. However, when you need functionality that isn't provided by qmail, you're doing one (or some) of the following:
- patching qmail, recompiling, testing, deploying
- writing a perl/bash/whatever script that goes somewhere in the Big Qmail Picture
- muttering curses and djb's name for the licensing
I can't really bring myself to bashing qmail over these things because it's served me well and I've hardly had any "unexpected" things happen to me, which is something I can't really say of other MTAs I've tried and I've never had any security problems (although you might want to read this page). There's a lot of information available on qmail, and you can check out this guide (although this may now be quite dated). An indispensable tool is qmHandle for inspecting and manipulating the qmail queue in case something did go wrong.
Finally, I have to admit that when I left that company my own mailhosting services are currently being run by postfix, simply because I don't have the time to build my own qmail packages whenever I need some feature. If you look at the postfix design, any qmail user will see similarities and the fact that you're not patching and rebuilding it whenever you need feature X sort of grows on you.
I know that if I were to start hosting a large mailserver, I'd have a hard time deciding between the two and I'd do a lot of testing before I made a choice.
-
Re:GPL will keep us free
I count 60 licenses. Qmail is NOT OSI certified. Affero is not approved either, or at least I can't find a single reference claiming it to be. So out of the 60 OSI-certified licenses, GPL stands to be the worst, you agree with me?
I think I missed the part where you demonstrated that "least restrictive" equals "best". Could you back up and go over that again, please?
-
Re:GPL will keep us free
-
Re:More than just seeing
open source to me means that the source code is available, nothing more, and nothing less
You can interpret the term however you wish, but that doesn't change its definition. Bruce Perens coined the phrase “Open Source Software” as a business-friendly synonym for the phrase “Free Software”. The Open Source Definition, also written by Bruce Perens, is the definition of the phrase he coined. What you're talking about isn't Open Source by the very definition of the term.
The word “toaster” has a specific definition. It's a device that makes toast. If you decide you want to change your definition of “toaster” to match the definition of “fish”, that doesn't magically turn all toasters into fish.
I think the term you're looking for is “Viewable Source” or “Read-Only Source”. Regardless of what you decide to call it, it's all proprietary, and Open Source Software is software that's not proprietary.
Many people consider qmail to be an Open Source program because the source is viewable by anyone who wants to view it and because the program doesn't cost anything. However, it's not Open Source. From qmail.org: qmail is not open source
It is true that the source code is viewable for qmail. However, qmail is still a proprietary application. Not Free Software. Remember, “Open Source Software” is a synonym for “Free Software”. If it isn't Free, it isn't Open Source.
In case you're wondering, qmail is not open source, and does not qualify for use of the OSI-Certified trademark. Other programs which Dan Bernstein licenses similarly, including djbdns, ucspi-tcp, and daemontools, are also not open source. For a program to be "open source", you must be able to, among other things, change the source and redistribute it. DJB prohibits distribution of modified code and so programs which are so-licensed are not open source. Other code written by DJB has been placed into the public domain. Public domain code is unlicensed, and it qualifies for use of the OSI-certified trademark. -
sendmail.cf test
But without sendmail.cf foo, how will we distinguish between the best admins and the mediocre? Sendmail was more useful as a litmus test than as an MTA ;)
In that the mediocre admins will bodge some hacks into sendmail.cf to make sendmail appear to perform the job they need it to, whilst the best admins will take the presence of sendmail.cf as an indication that they need to remove sendmail and replace it with something that's actually fit for purpose? :-P -
Re:That's by Berenstain?
No, most of his software is copyrighted. The only djb software which is in the public domain is software that he has explicitly given to the public domain. The term for the rest of his software is "license-free". You don't need a license to use it. Just download it! Copyright law lets you do anything you want with a copyrighted work, except redistribute it. You can publish patches, as we've done with netqmail.
-
Use of qmail - simple solution
I use qmail for my servers and it can do this quite easily in a number of ways. There are lots of good online documents about qmail as well as the official qmail site. The simplest method is probably a default install with a .qmail-default file in the alias directory which has two entries in it. Each entry could be a different destination email address or local account. This would certainly duplicate the email coming through, but may not be the best way to do your job. Working with the qmail-smtpd program may get you a solution closer to your needs. Good luck! -
a mountain of not-even-close
1) It's a bitch to install. Won't even compile on modern Linux distributions. You have to patch it to compile it and the patch isn't even hosted on qmail's site.
Look, it's annoying that Bernstein and the GLIBC authors have decided to take their mutual pissfest out on us, but "echo gcc -O2 -include /usr/include/errno.h > conf-cc; make" is not exactly going to kill you, now is it?
If it is going to kill you, there's always the net-qmail distribution.
2) It's a bitch to configure. Rather than parsing a single configuration file, qmail relies heavily on the presence of individual files in a directory.
A matter of taste, I guess. The single-config-per-file method makes it very easy to build kickstart/rpm profiles that add or remove certain features without having to carefully parse/edit a monolithic configuration file, but I can see how for a junior sysadmin it's a little more confusing than just "look in main.cf."
3) Not not not not scalable! That's a myth. Doesn't properly batch jobs together. Hell! qmail was originally designed to be run from inetd!
You really have no idea what you're talking about, do you? (Hint: qmail isn't sendmail, and qmail-smtpd isn't "qmail" any more than inetd is "unix".)
4) Heavy reliance on other daemontools.
You can use daemontools to manage qmail if you want to. It's not a requirement, and the official docs don't even suggest it.
5) Breaks well-known and understood UNIX standards.
Really? Which ones?
6) Security through lack-of-functionality.
It's an MTA. It transports mail. Securely, as it happens. This is a feature, not a bug.
7) Not really secure despite the claims.
Really? Care to enlighten us?
8) No longer maintained.
This is as close to an actual valid complaint as you've got here: it's certainly been a good long time since the last release. And yet, it still works.
9) No features. Adding them requires patching, and patching, and more patching.
Look, if you need an MTA that speaks LDAP, SQL and UUCP, has hooks into an integrated calendar, and polishes the bumpers on your car, it's probably true that qmail is not the tool you want to use. Have fun trying to manage whatever monstrosity it is that does.
It does one thing, and it does that one thing extremely well: some of us still consider that to be a virtue.
Serious sysadmins don't use qmail and for damn good reason.
I rather doubt you'd recognize a serious sysadmin if one bit you. -
Re:Qmail!!
Qmail is most likely the best option, since it is very scalable.
The web site for qmail is:
http://www.qmail.org/top.html
You are going to have to add this patch for more than 256+ connections (which you will need for safety's sake and scalability):
http://www.qmail.org/big-concurrency.patch
You are going to need to add a preventive measure ... double email bouncing script http://www.30below.com/~zmerch/qmail/spambad.cfm
There are tons of patches and how-tos for spam reduction.
Read this http://www.lifewithqmail.org/ldap/
to get some better understanding of qmail.
Now onto the server side .... well, I use the basic thinking that each user will use 1 to 3 meg of space before downloading to their Outlook account. You have some history, so check what the average file space used per user is. Next, don't forget to find out what the company's e-mail policy is (do they have to save e-mail for xyz amount of time, back-up policies ...).
Next, don't forget that no matter what, each user gets 3 pieces of e-mail per day (that's my number that I use for configuring the server) ... so with your needs you'll require a 2 CPU system (of which you'll share the spam software) and an excess of RAM (to run the DNS blacklisting or other CPU/RAM intensive operation).
File server... that's open, my thinking would be a true RAID 5 system, hot swappable, build it yourself. Here is a link to a do-it-yourself terabyte server for under 10K way back from 2002 and posted at that time on Slashdot http://home.fnal.gov/~yocum/storageServerTechnical Note.html or http://www.accs.com/p_and_p/TeraByte/index.html that should help you along the way.
best of luck and enjoy
Onepoint -
qmailrocks.org
Check out qmailrocks.org for a fantastic full featured mail server install based around Qmail. Support for database users and ldap are options, and it includes spam filtering, web mail, and even an admin web interface. The website walks you through every single little step, and has paths for various linux flavours plus the BSD's and even Solaris.
In terms of scalability you're going to want to start with some honkin' hardware. You will also need to separate the sending (SMTP) servers from the receiving servers and the mail storage servers, in order to distribute your load. qmail.org has a ton of info as well about the Qmail system. -
More specific?
Could you be a bit more specific on the following items?
5) Breaks well-known and understood UNIX standards.
Which standards are these? Are you talking about the errno fiasco?
6) Security through lack-of-functionality.
What sort of functionality is provided by, say, postfix, that qmail simply won't do?
7) Not really secure despite the claims.
How's that? Do you have $500? If not, what's the security vulnerability that the author refuses to acknowledge?
Which of these problems that you enumerate are not addressed by netqmail?
--grendel drago -
Re:Split up the tasks
Sendmail is asking for trouble, until they completely throw out the old code and rewrite it from the ground up, with security in mind.
I'm pretty sure that's already been done. And while many will argue that sendmail scales better than either, both Postfix and qmail are in use in some awfully large sites itself--I'd maintain that scalability is a non-issue. Still, sendmail admins are (paradoxically) easier to come by, and its code has been scrutinized very thoroughly, at least enough so that one could be reasonably comfortable with its security. -
Re:Opensource list
I just add a bit on that list from top of my head.
Although I think the listed app goes beyond what the so called 'average pc user' wants, but there goes...
1. Konqueror ( http://www.konqueror.org/ )
2. Email - Sylpheed ( http://sylpheed.good-day.net/ )
3. I think Evolution is more like in this place.
4. Lately "Sound Juicer" is taking more attention too
5. VideoLAN aka VLC ( http://www.videolan.org/ ) and Ogle ( http://www.dtek.chalmers.se/groups/dvd/ ) [and Goggles ( http://www.fifthplanet.net/goggles.html ) for Ogle GUI wrapper] for DVD watching.
6. There are plenty of ways to do this, but the typical ones could be 'Jinzora' ( http://www.jinzora.org/ ) and 'MusicPD' ( http://www.mpd.org/ ), even plain Apache does it fine too, in a way.
8. If you want easier to manage iptables wrapper, Shorewall ( http://www.shorewall.net/ ) and there are other wrappers too.
9. KOffice ( http://www.koffice.org/ ) and by individual components, Abiword ( http://www.abisource.com/ ), Gnumeric ( http://www.gnome.org/projects/gnumeric/ ), Gnucash ( http://www.gnucash.org/ )
10. Inkscape ( http://www.inkscape.org/ ) or Sodipodi ( http://www.sodipodi.com/ ) for vector graphics.
11. Miranda ( http://miranda-im.org/ ). Windows only.
13. Hmm, Samba? ( http://www.samba.org/ ), WebDAV (Look parent post), FTP (plenty ftp daemons, ex : http://www.proftpd.org/, http://vsftpd.beasts.org/ etc)
16. GPhoto ( http://www.gphoto.org/ ), EOG ( http://www.gnome.org/ ? ), GQView ( http://gqview.sourceforge.net/ ). The latters are for just viewing mainly.
20. FreeNX ( http://www.nomachine.com/ , http://freenx.berlios.de/ ) http://www.poptop.org/ ), L2TPd ( http://sourceforge.net/projects/l2tpd ), RP-L2TPd ( http://sourceforge.net/projects/rp-l2tp/ )
24. Postfix ( http://www.postfix.org/ ), Sendmail ( http://www.sendmail.org/ ), Exim ( http://www.exim.org/ ), Cyrus ( http://asg.web.cmu.edu/cyrus/imapd/ ), Xmail ( http://www.xmailserver.org/ ), qmail ( http://www.qmail.org/ )
25. Spamassassin ( http://spamassassin.apache.org/ )
26. Same as above.
27. XSane ( http://www.xsane.org/ ) for sane frontends.
30. Buzzmachines ( http://www.buzzmachines.com/ ) I could be wrong...
31. 'various GUI frontends' - X CD Roast ( http://www.xcdroast.org/ ), K3B ( http://k3b.sourceforge.net/ )
32. Don't know any opensource ones... -
Re:qMail
A good place to start is exim.org if you
1. do not want to use Postfix which runs almost perfectly for small networks in its default installation on many distributions.
2. want to run a powerful, MANAGEABLE open-source mailserver
I strongly advise against using qmail. It is not open-source and may not be redistributed in a changed form. So you have to patch it up yourself if you want to add some features it didn't have at its latest release 1998(!). Furthermore it uses DJBs obscure daemontools which are so unlike init it hurts. It is a nightmare alone to get rid of them.
Hope this helps.
ps. Flame me, I know you will. You know who you are. -
Re:It uses mbox (with indexes)
I would disagree that it is completely irrelevant. Locking is a pretty big issue, and mboxes are prone to corruption (especially when they grow to any substantial size) and make life hell for NFS/AFS/Coda home directories. I'm not sure what you mean by "private use" and how that relates.
Overall, a solution like maildir is a lot more flexible. The only disadvantages that maildir has would be slightly more complex set up (but then again, you don't have to worry about locking) and additional time for backing up. I've been very happy with maildir, and haven't had (knock on wood) any corruption issues.
gratuitous URL: http://www.qmail.org/man/man5/maildir.html -
Re:At least it's got a limit...
-
DomainKeys
Sounds like you want DomainKeys. Sendmail has support for DomainKeys as well, as does qmail.
-russ -
What about Qmail?
...every piece of software has bugs and issues, regardless of the language you use to describe them...
True, there are bugs and issues which don't bother me as long as they are not security flaws.
And as the story of qmail shows, you can write software without security flaws - in its seven years of existence, Qmail has never had a security flaw!
This is definition of GREAT SOFTWARE to me. -
Re:It still won't work
Most email currently goes through Apache . . . I think that the open source community has done a pretty good job of creating the email server of choice. I think that they're probably the right group to also make it more secure.
To clarify someone's "ummmmmm" comment -- this is some sort of weird troll, right?
The Apache Software Foundation does support a project known as James, a "pure Java SMTP and POP3 Mail server and NNTP News server", but ummmmm...well, not a whole lot of people use it.
-
Re:Six months?
they'll be very sure it works. in the meantime, get broadband and set up your own mail server with qmail. i was able to do it with a 100mhz pentium, and my inbox is 5 gigs with no content snooping or other restrictions
-
Re:this SMTP server vs Qmail and Sendmail
Well, having a stable target for patches and extensions can be a nice thing, too.
And if you're dealing with mailing lists (from the admin side) you definitely wanna take a look at ezmlm.
I haven't tried postfix in a while but I guess the old rule of thumb (for small sites use whatever, if you need it big stick with qmail) still applies? -
Re:Qmail
I know that you already know this, but you can't; DJB's annoying choice of license forbids distributing qmail binaries built from modified sources. Instead, you simply download the source and compile it. It takes about 5 minutes on modern hardware.
If you have a strong preference for RPMs, you can use an existing .spec file to build your own, then use that within your organization. -
Re:Qmail
While that's a bug, it's not a security issue. It can't cause execution of arbitrary code. In fact, all it does is cause the SMTP session sending the message to shut down. It may be possible to take advantage of this to delay mail slightly, but it's really not something to worry about.
Additionally, a group of qmail hackers have put together netqmail-1.05, a patchset which addresses this and other issues.
-
Re:Get mom an iMac
...even though my procmail system had defanged the filename so he had to rename it. What're ya gonna do?
I have procmail set up to delete certain attachments, although forcing it to run along with SpamAssassin on my web host is proving to turn more than a few hairs gray... but when I do, I swear, I will be an ubergeek, I swear! Qmail, procmail, et al are great tools to defang spam for family consumption, as well as reduce download times for myself. Even over cable, I spent way too long downloading "Microsoft fixes" from "Hotmail addresses."
-
Re:You have to wonder..
Use qmail.
Then have a ~/.qmail-default file pointing at your real mailbox. Then armorfiend-anything@armorfiend.com will be delivered to your regular mailbox, with the To: header intact. If you start getting spam at one of your disposable addresses, dispose of it by creating a ~/.qmail-amazon with /dev/null in it.
There's a few addresses I can't turn off in this way (like hostmaster@), so I use an opt-in filter for those.
-
Re:What about the .eml files?
.eml is the common extension for MBOX formatted e-mail letters. Although Outlook Express can export this format, Outlook does not (easily). MBOX format is the most widely-used format to save mail to your hard drive under linux, but I'm not sure of what Linux mail programs specifically export mail as .eml.
-- paper -
End spam - Open Source
First, on an old computer I had that was just sitting around growing dust, I set up my own "in house" email server using qmail, on GNU/Linux/Mandrake. It was dead easy to do.
I plugged it into my router and opened ports 25 & 110 for it.
Then I added Fetchmail.
And then the neatest thing since sliced bread; TMDA.
4 months now - zero spam, zero lost valid emails.
I didn't have to give up any existing (POP3) accounts, and gained as many as I want to create, because I now have my own email server.
This is easy and cures spam, period.
I'm on DSL, with dynamically assigned IP, so I use a free DNS service no-ip.com.
This really is simple to do, all were RPM's and I mostly just took whatever default was offered.
I really am New To Nix, so if I could do this, then anyone can.
And it was free.
I am so happy - 40 - 50 spam emails a day, went to ZERO spam. And I still have and use my same email address! Plus some special occasion ones I create as needed (timed expiration for usenet, etc.).
And the disclaimer - I have nothing to do with any program mentioned in this post, other than being a happy user of same.
NewToNix (668737)
-
Re:Let's be honest
Is any software really at the point where we can install it and forget about it?
Qmail is pretty damn close.
-
Re:No kidding, violation logs from today...
Try:
qmail-relayreject obviously you can build reporting to IRC, rrd, syslog, etc
spam section of qmail add-ons
smart spam throttle
It goes on and on, and that is just the stuff for qmail...
-
Re:I run my own mail server, not blocked
-
Re:My guess.
Sendmail is for the most part replaced by Postfix and other variants. Apache... well, although quite a large portion of web servers run apache, a very small portion of linux systems are web servers.
While I personally don't use SendMail (I love Qmail), I believe the vast majority of Linux (and other Unix) machines offering mail services are using Sendmail. Just think of how many Cobalt RAQ machines administered by idiots are out there...
Apache has always had a pretty strong focus on security, though everyone makes mistakes from time to time. It does certainly have a better record than Sendmail or Bind, and I trust it quite a bit myself.
Sure, not every single Linux box is running Apache, but an attack that is targeted only at web server machines can still cause quite a bit of havoc; just think of Code Red and its descendants.
Just because you aren't targeting *every* single machine out there doesn't mean an attack can't be effective. You compromise a few thousand unpatched Linux/Apache machines, or *nix/Sendmail, or whatever -- you still have plenty of power to (for example) attack an anti-spam site, or cause other, similar damage.
Yes, an exploitable Windows -- especially when it's exploitable in its default configuration -- is a helluva target; but that doesn't mean all exploits need a hundred million exploitable machines to have an effective target.
-
Re:Good grief
Bernstein is a loon. No one can use the software he writes because of his license, which specifies you can't change it and have to keep the binaries in /var.
In addition to being an anonymous coward, you're a fucking idiot who apparently can't read.
Bernstein's "license" (it's actually an explicit disavowal of a "license" and a statement of your existing rights under copyright law, but whatever) lets you do any damn thing you want with his software under your own auspices: you can install it in /usr/local/shut/the/hell/up/ac/idiots, you can rewrite components in C# and Visual Basic.
What you can't do is redistribute a version of it with your changes pre-built in. This is annoying, but far from the end of the world: if your changes are actually useful, publish the patch. Hundreds of people do.
And did you read that link in your post? The guy has no idea how to do what he wants.
It's a proposal. Criticising a proposal for not being an implementation is rather missing the point.
-
Re:Qmail / Horde-IMP
I like this combo
I'll second that combo (qmail + courier imap + Horde/IMP), as this is what I've been using for over a year. Works great; I've used it while traveling from halfway around the globe. Horde/IMP is multi-lingual, too.
Qmail (pick a mirror)
And
Horde/IMP
The Horde site also has calendar modules and other cool stuff as well. (You can use it with Courier IMAP too)
-
Qmail / Horde-IMP
I like this combo
Qmail (pick a mirror)
And
Horde/IMP
The Horde site also has calendar modules and other cool stuff as well. (You can use it with Courier IMAP too)
-
Re:Can we really enforce this?
I couldn't agree with you more.
My beef is with the amount of time I've spent setting up a spam filtering solution for my family at home - with the nature of a lot of the spam that gets sent to me, it scares me that my daughter will one day have an email address of her own.
I currently have a fairly robust system - qmail, qmail-scanner, clamav, spamassassin - that seems to do the trick, and manages to drop 99.99% of the spam I receive.
Mail that has been identified as Spam gets dropped into an IMAP folder so I can do a cursory check once a day to see if any false positives have been caught (2 in the past 6 months - but in both cases it would have been fairly disastrous if I'd missed them).
But why in hell should I have to jump through so many hoops to get an email service that's workable?
Since this morning, my system has had to deal with over 300 spam emails and 500 instances of Worm.Gibe.F - if things carry on the way they are at the moment it won't be long before people start ditching their email accounts
-
Interesting piece, but
...still needs work.
NitPick 1: a cvsup cron job every 3 hours? Cvsup traffic is always high at the top of the hour because everyone does this. Fix: Look at the second hand / second readout on your watch right now. Pick that value as the minute your cron job does its thing. It's a simple pseudo-randomizer that makes things a little easier on the cvsup.freebsd.org servers.
NitPick 2: a cvsup cron job every 3 hours? (Is there an echo?) freefall.freebsd.org is the authoritative cvsup source. Its only client is cvs-master.freebsd.org, which checks freefall every 6 minutes. Official mirrors are allowed access to cvs-master, and generally update between 1 hour and 4 hours. If you're updating more often than once a day via cron, maybe you need to think about becoming a mirror. Besides, the smart thing to do is do a cvsup on your src and ports trees and keep it back a day and watch the mail lists to see if anyone else's machine burnt their toast. If there aren't (m)any complaints, go for it.
Nit 3: An official warning and a gruff "who the heck are you" getty message aren't going to keep kids from nmapping you. Try Fooling Nmap for Whatever Reason. If you're worried your OS and your kernel version will give you away, maybe you aren't keeping as up-to-date on your security lists?
Nit 4: Sendmail. Sure. You could run sendmail, but why not look into qmail, written by djb. While you're there, check out djbdns if you need DNS services.
-
Re:Sendmail's future
Is it perhaps time for a code rewrite in Sendmail...
IIRC 8.9 was the code rewrite.
maybe a quiet, dignified retirement?
At this point, I'd settle for a noisy drag-it-out-back-and-shoot-it.
Secure alternatives exist - Postfix, qmail. Other alternatives with better security track records and lower target profiles exist - Exim, Courier.
Time and past time to move. How many holes is it going to take?
-
Can you say...
qmail?
Look, someone had to say it, it might as well have been me.
-
Re:Thank you Spamassassin
If you set your score for MICROSOFT_EXECUTABLE high enough, and these emails with their .pif
Even easier: reject it at the SMTP level