Sendmail 8.10.0 Released
Eric Allman, who is one of the primary people behind Sendmail, wrote to let us know that Sendmail 8.10.0 was released. The code itself can be found at sendmail.org or from their FTP server. A complete list of changes in sendmail 8.10.0 is available on sendmail.net.
Postfix is a *much* nicer MTA. Its config makes simple things simple, while leaving complex things possible. Its source code is very clean and readable, and it's trivial to install (RedHat 6.1 includes it, but doesn't install it by default).
It's a drop-in replacement for Sendmail, written by the author of TCP wrappers.
Give it a spin.
(and it supports TLS with a patch!)
I thought Eric Allman was the creator of Sendmail, i.e. *the* person behind it.
-- Ed Avis ed@membled.com
Enjoy..
SECURITY: The safe file checks now back track through symbolic links to make sure the files can't be compromised due to poor permissions on the parent directories of the symbolic link target.
SECURITY: Only root, TrustedUser, and users in class t can rebuild the alias map. Problem noted by Michal Zalewski of the "Internet for Schools" project (IdS).
SECURITY: There is a potential for a denial of service attack if the AutoRebuildAliases option is set as a user can kill the sendmail process while it is rebuilding the aliases file (leaving it in an inconsistent state). This option and its use is deprecated and will be removed from a future version of sendmail.
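Added here as a worked check, not part of the release notes or of this comment: a small shell script that audits a generated sendmail.cf for the deprecated AutoRebuildAliases option from the third item and prints who is still allowed to rebuild the alias map (root, TrustedUser, class t). The sample .cf it writes is constructed for the example; confAUTO_REBUILD, confTRUSTED_USER and confTRUSTED_USERS are the sendmail.mc names for the options involved.

```shell
#!/bin/sh
# Added example, not from the thread: audit a sendmail.cf for the deprecated
# AutoRebuildAliases option and show who may rebuild the alias map.
set -u

check_alias_rebuild() {
    cf=$1
    rc=0
    # Long option form "O AutoRebuildAliases=True"; old .cf files spell the
    # same option with the single letter "OD".
    if grep -Eq '^O[[:space:]]*AutoRebuildAliases=[TtYy]' "$cf" || grep -q '^OD' "$cf"; then
        echo "$cf: AutoRebuildAliases is on: any local user can start a rebuild and kill it mid-way"
        echo "  fix in sendmail.mc: define(\`confAUTO_REBUILD', \`false')dnl  (the default)"
        rc=1
    fi
    # In 8.10 only root, the TrustedUser and members of class t may rebuild.
    tu=$(sed -n 's/^O[[:space:]]*TrustedUser=//p' "$cf")
    ct=$(sed -n 's/^Ft//p' "$cf" | tr '\n' ' ')
    echo "$cf: rebuild allowed for root, TrustedUser='${tu:-unset}', class t='${ct% }'"
    return $rc
}

# Constructed sample .cf fragment with the option set to $2 (True or False).
sample_cf() {
    cat > "$1" <<EOF
# fragment of a generated sendmail.cf (constructed for this example)
O AutoRebuildAliases=$2
O TrustedUser=smmsp
Ftroot daemon
O AliasFile=/etc/mail/aliases
EOF
}

if [ $# -gt 0 ]; then
    check_alias_rebuild "$1"
fi
```

Run as `sh check_aliases.sh /etc/sendmail.cf`; it exits 1 when the option is on. The safe configuration is to leave confAUTO_REBUILD at its default of false and run newaliases explicitly (by hand or from cron) as root or the TrustedUser, so an unprivileged user can never leave the map half-written.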
I agree that it's easy to set up. I thought that it would be a huge nightmare, but it actually turned out to be really easy.
:) BTW, do yourself a favour -- don't get the bat book. It'll only scare you. I mean, it's a great book, don't get me wrong, but it's just more information than you need to get a basic server up. You'll just get overwhelmed.
However, it doesn't work like it *should*. I'm hoping that 8.10 will fix this. Apache's treatment of virtual servers is how I want Sendmail to treat them. Let's say that I have two domains: example.org and example.com. And I (waldo) want to get mail at each of those, but in separate POP accounts. And my mail server is named mail.example.com. I have to do this:
1. Let CW recognise example.org & example.com.
2. Get virtusertable to recognise waldo at both accounts and redirect them to separate accounts.
3. Create two system user accounts: example.org-waldo and example.com-waldo.
4. Give them shells of /bin/false.
5. Set up my mail program to check both accounts on mail.example.com with the two e-mail addresses, and have the outgoing reply-to set to the "real" address.
This is really ugly. I'm certain that there must be more elegant workarounds (probably involving MySQL), but I don't mind quite enough to get up to that.
What would be *way* nicer would be a setup where the domains are truly apart from one another. No redirecting accounts. mail.example.org and mail.example.com would be recognised differently by my mail server.
Now, I kind of got this working once, involving (*shudder*) linuxconf. I don't know how it worked, but there were all kinds of weird directories, like /vhome. But when I had to add a new account, wary of linuxconf, I ended up reinstalling sendmail and setting up a convoluted system like I've described above.
Hopefully, a more Apache-like system will come into being with 8.10. I can't take much more of this.
-Waldo
I know you mean well, but I just want to point out the FUDdy nature of this 'revelation' about Lotus.
1) What is described (part of the 'international' in NSA escrow) is common practice for the US Software industry. Netscape and Microsoft do it in their mailers. Yeah, it sucks, but that's our gubernmint.
In fact, if you have the export version of Netscape Communicator on your desktop, as many Linux users do, the NSA has part of your encryption key.
2) It's now OK to export the 'North American' version of Notes to most countries. This version supposedly doesn't have any part of the key in escrow.
3) AFAIK, sendmail is just an MTA and doesn't do any encryption. If it does, it's configured as a site policy which means that the NSA may or may not have all or some of your key in escrow, depending. Anyway, I'm not sure what sendmail has to do with Lotus/MS/Netscape's mail encryption, which is all done on the MUA side.
--
Business. Numbers. Money. People. Computer World.
You are correct. You also forgot that sendmail is a swiss army knife. You can configure it to do almost anything short of dry cleaning and laundry. The only pending rival here may be the new exim with perl-like capabilities in the config.
But at the same time,
Qmail still rips the guts out of sendmail in performance.
Qmail does not have the record of the second most security-troubled software after Washington University
Qmail still has more flexible local delivery support which sendmail gets only via various external delivery agents.
Qmail as is does not have SPAM filtering. If you want to kill SPAM you can
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
You have to be kidding, right?
At least as of a couple of weeks ago (haven't checked recently), Qmail hasn't been updated in three years. Here are some features in sendmail that are nowhere to be found in Qmail:
ESMTP AUTHentication/some kind of SASL support
RFC 1894 Delivery Status Notifications
Any kind of spam filtering
LDAP support
UUCP support
Qmail is still incapable of batching recipients for the same domain into one transaction
And there's more where that came from. I suppose DJB has been a bit occupied, the last couple of years, fighting the US Commerce Dept on the crypto issue, so Qmail has gotten a bit moldy.
--
At least two of those security breaches are nothing to do with the fact that Microsoft technology was involved.
They were down to bad working practices.
I'm not an MS fan, but I would be wary of a company that tries to promote itself on the back of ill-researched half-facts that question the integrity of their main competitor.
Sendmail 8.10 Supports SMTP Authentication; it'll interoperate with Outlook Express, Netscape, Eudora etc. To avoid reinventing the wheel, it uses the cyrus SASL Library to supply the authentication functions. See ftp://ftp.andrew.cmu.edu/pub/cyrus-mail for the current libraries. To install sendmail with Authentication, look for sasl in the src/README file in the distribution.
you have moved your mouse, please reboot to make this change take effect
qmail has performed very well here, albeit with only three virtual domains. We use the free add-on vmailmgr (http://em.ca/~bruceg/vmailmgr/), which allows you to add users to a virtual domain without requiring a new Linux logon for each one. (It's very handy.)
The only real complaint I have about qmail is that the add-ons are all over the map, and it's very difficult to know which, if any, are part of the Received Canon, and which, if any, are heretical upstarts doomed to wither.
Alexey from Messaging direct has been keeping lists of all things that support SASL. I'm not sure if the sites moved but here's a cached copy http://www.google.com/search?q=cache:www.taxxi.com/homerus/mail/SASL_ClientRef.html
Hopefully you'll be able to add mozilla to that list shortly too.
Dude, there's something called m4. That's the modern, enlightened way of configuring sendmail. If you're mucking around with .cf files, then you get what you deserve...
James
There are two truths in the universe:
btw, I'm not a GUI admin NT yuck yuck. I've done some incredible things with sendmail.cf files and I can't fathom doing the same things with other MTAs. But, you know, damn, it can be a bitch!
Anyway, thanks for replying.
P.S. Have you guys noticed that you can still release commercial software *AND* be open source at the same time?
I think sendmail is quite EASY to configure
(and it's still FAR more configurable than qmail or postfix :)
read that "bat book" from o'reilly ... and look at those m4 files.
You don't need to edit a .cf file in order to configure sendmail ... using the m4 files is very easy ... want to use cyrus deliver ? :)
use MAILER(cyrus)
That's it ! ... :)
In reality it is really as safe as you care to make it.
The majority of the "security issues" come from mis-configured configuration files. There have been other issues of course but misconfiguration is one of the biggest.
Admittedly it takes a bit of time and effort to configure one correctly but from my experience it is safer than my Exchange servers I run at work overall.
Qmail is a bit more logical in it setup than Sendmail, but that's not saying much. Setup is fairly simple (an hour at most after reading the docs).
There are two places where Qmail really shines for me:
1) Security. There was a $1,000 reward to anyone who could find a bug in Qmail that would allow access to the host. The deadline was a year (IIRC) and it came and went without being paid. Sure, it's not as gone over as Sendmail, but in three years, no one has reported a security bug of this nature.
2) Mailing Lists. There's a package for mailing lists called ezmlm that really works. Normal users can create their own mailing lists as a part of their name (like markk-linux@fixbang.com) with all the regular features of Majordomo - automated sub/unsub, digests, etc. Creation is two or three commands - no editing files, no running "newaliases". It's available immediately.
I'm not sure how it handles big loads, but I have it on a few smaller boxes and I've never had trouble with it.
-- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
> I'm not sure how it handles big loads, but I have it on a few smaller boxes and I've never had trouble with it.
Actually Qmail is way much faster than Sendmail and requires a lighter load with the same amount of traffic.
I don't even think of using Sendmail. Why would one want to use a monolithic, buggy system like this? Sendmail has been designed WRONG from the very beginning (it's a monolithic program running as root most of the time). That's why so many security holes appeared. OTOH, a program whose compromise is with security (i.e. Qmail) runs as root the least time possible. No root account has been compromised via Qmail. The only problem that appeared is a possible DoS.
I sincerely can't understand why people go for crappy software. Another very popular example is wu-ftpd. Sorry to say that folks, but IMO wu-ftpd sucks. Have you ever tried to chroot a user using wu-ftpd ? Gee... Not only is it a pain in the ass, it's also messy. How many bugs have been reported to wu-ftpd ? It's also historically insecure. There are much better ftp daemons. My favorite is ncftpd (yes, this one is commercial).
So I just want to understand: Why are wu-ftpd and sendmail so popular ?
-
Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
Installs in an hour, add addresses via a web interface and so much more, it's really quite exhilarating....;-)
We had sendmail running on one of our Linux machines in the the computer lab. A sysop came up to us and said "What? You don't need sendmail, shut that down." I said, "You gotta have sendmail, what if you forget the root password? You gotta be able to find a bug in sendmail and hack root!"
Sheepdot: Open Source good, Closed Source baaaaaaad!
Ignore the "p2p is theft" trolls, they're just uninformed
Move yourself... I think a new release of a really massively used SMTP Server can be classified as "News for Nerds. Stuff that matters".
Hmmm... I think I'll wait 'til the first or second dot release.
Mail (and mail) is usually fairly IO bound (it must commit messages to disk per RFC 82(1|2) before passing them on). Get good disk and you'll go faster.
That said, I've been told that sendmail can't do more than a couple messages a second by "experts". Fortunately, my machines which ran a typical 30,000 messages/hour with bursts to 50 or 60k per hour didn't know about these "experts."
Rob Kolstad wrote a paper for Usenix on tuning for lists a few years ago. If you're a member, you can find it. If not, join and find it.
8.10 pluses:
8.10 (and the commercial product that uses it) allows multiple queues. This means that you can have 6 queues (each on a separate spindle) running mail for you. This should fill a T1 quite handily.
A big sendmail advantage is that you can get consulting and support. A company I did work for had those guys make some recommendations and help them and they seemed to benefit a lot. I figure if email is a production service, then buying support for it is a Good Thing. If the authors of Sendmail provide that, then great, money well spent - give back to the people who gave it to you (and these clients pay Sun a LOT for 24x7 hardware support).
Much of the tuning that can be done applies to any mailer. Sendmail, by default, is fairly "nice" to the machine. You can tune it a thousand ways so that it runs on machines from a 12MHz Sun 3 with 8MB RAM to a 128 way SGI at peak performance. If you want to tune it to chug out 120,000 messages per hour and destroy the bandwidth of a 10baseT network, that can be done with some experience. If you don't have it, you can hire that experience.
Will 8.10 make a huge difference? Well it's been out for what, 15 hours? Beta for a while, but this has diffs from Beta12, so I don't think we know yet.
RE: the qmail/postfix rants. Showing release notes of security fixes of Beta releases doesn't offer that there was a hole that was exploited. It shows that the code has been reviewed (in beta and alpha, largely) and that potential problems have been removed. I thought that's what beta was for.
I can speak for qmail with a little larger number of users. I have qmail running for a small ISP with 3000+ accounts. The same machine is handling authentication, file serving, POP, etc.
The machine is bored and its a low-end PC. You could build it for $1500 today. We push 15000+ messages a day.
We switched from sendmail/qpopper to qmail. I got tired of administrating sendmail, not having real virtual email account support, watching qpopper slam my disk by copying the user's mail file everytime they popped, etc, etc. sendmail just has too much baggage and isn't elegantly designed in the first place.
qmail is built very modular, tiny programs to handle every step of the MTA process. This makes it more secure, setuid'ing whenever it can, reducing the amount of code that ever sees root permissions. Also, it is very easy to extend. I have qmail-pop authenticating from a SQL database, just by replacing the checkpassword program.
After using it, Maildir support is a must. In a Maildir, each message is a file. It sounds like a waste of inodes, and it is, but the performance benefits are incredible. Now when a user POPs, they don't have to lock their mailbox, and only touch the messages that they want. Before qmail, qpopper was causing my server (then running 1000 users) to write 4 GB/sec on my little 4 GB drive. In addition, my secondary mail server can deliver into the same mailboxes without locking, etc.
I will give you that qmail can be a pain to administer by hand since its configuration is kind of distributed, with .qmail files in user's homedirs, redirecting their mail, etc. But I built a management system on top of it. This is where qmail really sings for us. We can change damn near anything just by twiddling some files, no restart, rebuilding config files, etc.
And the best part, in my opinion, I have been using qmail for 1 year and I'm still using the same version. It does what it does and is rock solid stable and secure.
How's that for a testimonial?
Will the new release of sendmail perform faster?
This may be mildly off-topic, but it's a genuine plea for help -- see if you can recognize the symptoms and propose a solution. I thank you in advance.
I'm in charge of a system which sends out approximately 50,000 emails a day to a list of subscribers.
We were running this on a dedicated box. When I built it, this Pentium 120 with 128 megs of RAM and IDE drives was a fairly happenin' machine. It was running Red Hat Linux 5.2 and sendmail 8.8. The system queues outgoing mail into one of about 40 queues, depending on destination domain. A cron job runs sendmail against each one of the queues (the relevant invocation is:
/usr/sbin/sendmail -OQueueDirectory=name of directory -OQueueLA=24 -OQueueSortOrder=host -OTimeout.connect=1m -OTimeout.helo=1m -q
).
We were getting peak throughput as high as 20,000 messages delivered per hour.
Due to the relaying holes in old versions of Sendmail, I wanted to upgrade to the then-current 8.9.3. Because of the Great C Library Change, the sendmail rpm available from redhat didn't want to work. So I upgraded the entire box to Red Hat 6.1.
(please redirect all comments about the evils of RedHat, the rpm format, or how I should have compiled it myself from a tarball to /dev/nul).
Now, the same volume of mail takes 6 times longer than before the sendmail 8.8->8.9.3, RHL 5.2->6.1 upgrade. Moreover, it takes the same time on a VA Linux Full-On rack system, so hardware isn't an issue.
Does anyone have a theory? Will upgrading to 8.10 help/hurt/be neutral?
Again, thanks in advance
This page accidentally left blank
Basically it means we'll never see them improve sendmail management issues in the open source version in order to drive business to their commercial product.
In my capacity as a manager, I understand the need for commercial support and do pay for that. But my goals to have everything open-sourced are circumvented by this product extension scheme.
(Disclaimer: I could be horribly misinformed and stuff like Sendmail switch *is* open sourced, but I've been poking around their sites and haven't seen it downloaded anywhere without paying.)
is SMTP AUTH .. it rocks my world ! :)
for those who don't know
... with SMTP AUTH you can "login" to an smtp server to permit relaying. This feature is a MUST for most ISP's !
:)
.. NO other competitor (qmail, exim, etc...) has it ... GO SENDMAIL GO !
It uses the cyrus SASL library, so if the client supports it, it can handle nearly any authentication method, from Kerberos to CRAM-MD5
There is even a patch (or already included in sasl) so that OutlookExpress (which uses a VERY OLD SMTP LOGIN command) can use SMTP auth !
I'm still using one of the betas for exactly this functionality
regards,
Michael
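What the feature looks like on the wire and in the config, as an added example that is not Michael's, the earlier SASL poster's or the sendmail project's code: the two sendmail.mc lines that enable and trust SASL mechanisms in 8.10, the AUTH PLAIN token a client sends, and a decoder for a token lifted from a log or packet capture. The user name waldo, the password s3cret and the host names are made up, and the S: replies are the shape of sendmail's responses rather than a captured session.

```shell
#!/bin/sh
# Added example, not from the post: SMTP AUTH as configured in sendmail.mc
# and as seen on the wire.  Credentials and host names are constructed.
set -eu

# sendmail.mc lines for 8.10 with Cyrus SASL: which mechanisms to offer, and
# which ones are trusted to grant relaying.  LOGIN is the pre-standard
# mechanism Outlook Express speaks; PLAIN and LOGIN carry the password in
# the clear, so offer them only on a link that is already encrypted.
auth_mc_lines() {
    cat <<'EOF'
define(`confAUTH_MECHANISMS', `CRAM-MD5 DIGEST-MD5 PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5 PLAIN LOGIN')dnl
EOF
}

# AUTH PLAIN token: base64 of  authzid NUL authcid NUL password,
# with an empty authzid when the user authenticates as themselves.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse it for a token found in a log or capture; prints
# "<authzid> <authcid> <password>" with single spaces between the fields.
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' ' '
}

# The exchange as a client issues it; S: lines show the server's replies.
show_exchange() {
    tok=$(auth_plain_token "$1" "$2")
    cat <<EOF
C: EHLO laptop.example.org
S: 250-mail.example.com Hello laptop.example.org
S: 250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
S: 250 HELP
C: AUTH PLAIN $tok
S: 235 2.0.0 OK Authenticated
C: MAIL FROM:<$1@example.org>
C: RCPT TO:<someone@elsewhere.example>
S: 250 2.1.5 <someone@elsewhere.example>... Recipient ok   (relaying allowed)
EOF
}

if [ $# -eq 2 ]; then
    auth_mc_lines
    show_exchange "$1" "$2"
    echo "decoded: '$(auth_plain_decode "$(auth_plain_token "$1" "$2")")'"
fi
```

`sh smtp_auth.sh waldo s3cret` prints the config lines and the session. The decoder is the practical caveat: a PLAIN or LOGIN token is reversible by anyone who can read the SMTP session or a debug log, which is why CRAM-MD5 (a challenge/response that never sends the password) is worth preferring for clients that support it, and why PLAIN/LOGIN belong behind an encrypted transport.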
I agree. Even with the m4 macros, it's just plain stupidly designed.
Why doesn't someone rip out the configuration part of sendmail, and replace it with something apache-style? It can't be that difficult.
--
I have a server which is doing 3, soon to be 5 virtual domains. Apache configuration is simple. Sendmail was also very easy to configure. All you need to do is this:
1. Have support for a sendmail.cw file, so that it will accept mail for all the hostnames. Put the hostnames in that file
2. Add in support for virtusertable, which is similar to /etc/mail/aliases, but a bit different. This allows you to redirect, say, webmaster@host1 to a different place than webmaster@host2, redirect all mail for 1 domain to one place, etc. :)
I have the O'Reilly book, but I didn't actually need it; I found all the info I needed on www.sendmail.org. It took about 1/2 hour. In case you're wondering, I'm a college student who's been using Linux for about 2 years, not a 60-year-old UNIX guru.
WMBC freeform/independent online radio.
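Waldo's five steps earlier in the thread and the sendmail.cw/virtusertable recipe in this comment describe the same setup. Here it is written out as the files sendmail 8.9/8.10 actually reads, as an added example that is not from either poster: the example.org/example.com names, the example.org-waldo and example.com-waldo accounts and the /etc/mail paths are assumptions taken from the posts, and the FEATURE lines and the `hash -o` map flag are the standard cf/m4 syntax.

```shell
#!/bin/sh
# Added example, not from either post: the virtual-domain layout described
# above (two domains, a separate mailbox per domain for the same user name),
# written as the files sendmail reads.  Domain names, account names and the
# target directory are assumptions.
set -eu

write_virtual_domains() {
    dir=$1
    mkdir -p "$dir"

    # FEATURE(use_cw_file): every name here is accepted as "local" (class w).
    cat > "$dir/local-host-names" <<'EOF'
mail.example.com
example.com
example.org
EOF

    # FEATURE(virtusertable): address as received -> local mailbox or action.
    # Keyed by the full address, so waldo@ on each domain lands in its own
    # account; @domain entries are catch-alls used only when no exact key
    # matches, and "error:..." rejects at SMTP time instead of bouncing later.
    cat > "$dir/virtusertable" <<'EOF'
waldo@example.org       example.org-waldo
waldo@example.com       example.com-waldo
postmaster@example.org  example.org-waldo
postmaster@example.com  example.com-waldo
@example.org            error:nouser User unknown
@example.com            error:nouser User unknown
EOF

    # Lines to add to sendmail.mc before regenerating sendmail.cf with m4.
    cat > "$dir/virtual.mc" <<'EOF'
FEATURE(`use_cw_file')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
EOF

    # The mailbox accounts get no login shell (Waldo's step 4); printed rather
    # than run so the script can be dry-run without root.
    for acct in example.org-waldo example.com-waldo; do
        echo "useradd -s /bin/false -M '$acct'   # run as root"
    done

    # makemap only exists where sendmail is installed.  sendmail reads the .db,
    # not the text file, so this step has to follow every edit.
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$dir/virtusertable" < "$dir/virtusertable"
    fi
}

# Sanity check: how many distinct mailboxes a local user name maps to across
# the domains (2 here, which is the whole point of the setup).
count_mailboxes() {
    awk -v u="$2" '$1 ~ ("^" u "@") { print $2 }' "$1/virtusertable" | sort -u | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
    write_virtual_domains "$1"
fi
```

`sh virtual.sh /tmp/mailtest` writes the files somewhere harmless for inspection; as root, `sh virtual.sh /etc/mail` followed by regenerating sendmail.cf puts them in place. The catch-all `error:nouser` lines are the part both posts leave out: without them, anything@example.org falls through to local delivery on the box and becomes a spam and bounce sink.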
Yes. Easily. qmail with the vpopmail addon from Inter7 will make you wonder why you ever bothered to try and configure Sendmail.
You might also be interested in their qmailadmin addon which allows web-based management of domains, and sqwebmail which adds a hotmail-esque web interface for checking & sending email.
qmail is different than Sendmail, considerably so. But once you understand how it works, I think its design is far superior to that of Sendmail. It's much more unixy, IMNSHO. There is ample evidence that qmail is considerably faster and less resource intensive than Sendmail, but what really made the difference for me was the security focus of qmail.
As I said, qmail is different from Sendmail, but there is a lot of contributed documentation available as well as commercial support. The qmail community is large, capable and very motivated. They do have one problem though, they don't have a 4-inch-thick O'Reilly book dedicated to their MTA...
...hmmm, maybe there's a reason for that!
Game Over Man! --Aliens
Sendmail Switch isn't open source software, it's commercial software. It does many sophisticated management thingies besides configuring sendmail.
That being said, OS sendmail configuration got much easier since m4 configuration files came about. And while it's not an Apache-style configuration, etc., it's on the same level in terms of difficulty.
The OS sendmail developers work pretty much orthogonally to the commercial component developers. Feature sets of OS sendmail are driven by the OS community. They are aware of the inherent difficulty of configuring sendmail, and consider it to be quite a shortcoming of OS sendmail, independent of whether management components exist in a commercial software product.
You will probably see OS sendmail become easier to use somewhere down the line.
One final note, Sendmail Switch was built using open source technology. It's not apparent to people outside the company, but if you bought the product you'd see we use open source technology extensively in the product. The commercial component developers also believe in OS principles, which is why our products use open source technology where possible.
Sendmail Switch is commercial software. But buying it supports the company. Supporting the company supports the OS developers - giving a secure "home" and dedicated resources to OS sendmail development. Benchmarking, compatibility labs, food, and clothing are examples of such.
Hope that gives a small view from the inside.
Regards,
Charles
http://sendmail.net/?feed=allabout810
-Leader of the Free Peoples - http://mobgroup.net
MHO also says that if you are looking at setting up a mail server, you should check out Postfix by Wietse Venema, or qmail first. I have been using postfix instead of sendmail for quite some time now, and have not had a single problem. Of course, I only have 600-1000 users, so my system is certainly not a true test of its capabilities.
I found this to be interesting:
Support multiple queue directories. To use multiple queues, supply a QueueDirectory option value ending with an asterisk. For example, /var/spool/mqueue/q* will use all of the directories or symbolic links to directories beginning with 'q' in /var/spool/mqueue as queue directories. Keep in mind, the queue directory structure should not be changed while sendmail is running. Queue runs create a separate process for running each queue unless the verbose flag is given on a non-daemon queue run. New items are randomly assigned to a queue. Contributed by Exactis.com, Inc.
:)
This could be great for my Solaris box with 50,000+ active SMTP connections, as we may be able to segregate the mail queue onto separate partitions!
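The queue split that the 50,000-emails-a-day poster earlier in the thread built by hand with 40 cron jobs is what this note gives you natively. As an added example, not from the release note or the comment, here is a shell script that lays out q1..qN under the spool, prints the sendmail.mc line for it, and lists which spool entries sendmail would pick up under the rule quoted above (names starting with 'q' that are directories or symlinks to directories). The spool path and queue count are assumptions; sendmail has to be stopped while the directories are added, as the note says.

```shell
#!/bin/sh
# Added example, not from the note or the comment: per-spindle queue
# directories for QueueDirectory=/var/spool/mqueue/q* in 8.10.  Spool path
# and count are assumptions.  Stop sendmail before changing the layout.
set -eu

# Create q1..qN under the spool root, mode 0700 like the single mqueue they
# replace, and print the sendmail.mc line that selects them.  Mounting each
# on its own disk (or symlinking it there) is left to the admin.
make_queues() {
    root=$1; n=$2
    mkdir -p "$root"
    i=1
    while [ "$i" -le "$n" ]; do
        mkdir -p "$root/q$i"
        chmod 0700 "$root/q$i"
        i=$((i + 1))
    done
    cat <<EOF
define(\`QUEUE_DIR', \`$root/q*')dnl
EOF
}

# Mirror the selection rule from the release note: entries whose name begins
# with 'q' and that are directories or symlinks to directories.  A stray file
# or a directory with another name is not a queue, whatever else is in there.
list_queues() {
    for e in "$1"/q*; do
        if [ -d "$e" ]; then
            printf '%s\n' "${e##*/}"
        fi
    done
    return 0
}

count_queues() {
    list_queues "$1" | wc -l | tr -d ' '
}

if [ $# -ge 1 ]; then
    make_queues "$1" "${2:-4}"
    echo "queues sendmail will use under $1:"
    list_queues "$1"
fi
```

With six queues, one `sendmail -q` run forks six queue runners and new messages are spread across the directories at random, so the 40-directory cron scheme collapses to the normal daemon invocation. Check the listing before restarting: a queue directory that is unreadable, or one whose name does not begin with 'q', is silently left out, and the messages already sitting in it never get delivered.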
They have a series of articles such as Spam control in 8.10, Performance and usability in 8.10 and many more.
Noel
RootPrompt.org -- Nothing but Unix