Slashdot Mirror


The Exim SMTP Mail Server

ollyg writes "Exim is a mail transfer agent that can be run as an alternative to Sendmail on most Unix and Unix-like systems. At my organization we use it to relay around half a million messages per day, although it's suitable for many other types of installation including those with local delivery, and far larger (or smaller) ISPs." Ollyg reviews here the official guide to Exim's current release, which weighs in at a hefty 621 pages.

The Exim SMTP Mail Server: Official Guide for Release 4
author: Philip Hazel
pages: 621
publisher: UIT Cambridge
rating: Recommended
reviewer: Oliver Gorwits
ISBN: 0954452909
summary: A thorough guide to the configuration and deployment of Exim v4.x

A bit of history, first. Exim is currently in its fourth version, and is developed by Philip Hazel at the University of Cambridge Computing Service. The third release was accompanied by an O'Reilly book, also written by Philip, but there were enough fundamental differences that this release warranted its own volume. And what a book: more than 600 pages straight from the horse's mouth (as it were); you can't go wrong.

The structure is flat, being twenty-two chapters and two appendices long, but I'd say there were three main acts if you take it cover to cover. Philip begins with five chapters that introduce the reader to Internet mail, Exim, and some rudimentary runtime configurations. There's nothing to fear here, as the text is beautifully self-contained, covering topics from the DNS to routing lookups. As Exim's runtime configuration is both flexible and easy to read, the quite technical examples given early on can be understood without flicking to and from other chapters in the book.

The next four chapters cover in a rather succinct manner the parts of Exim that route and transport your messages. By this point you should have a grasp of the philosophy and design of Exim, which allows Philip just to give you the details. This section does feel most like a reference manual but I'm not sure there's another way he could present the information without confusing the reader. The remainder of the book covers each of the Big Features of Exim, one per chapter. I'm guessing that Philip just kept on writing until he ran out of features, rather than time or space! These chapters feel far more like the heart of the book, and the author treads a fine line between thorough process description and distracting technicalities. The two appendices cover regular expression syntax and special variables (both being available to Exim's configuration).

The book would be ideal if, for example, you manage a mail system on your own and don't have a great deal more admin experience close at hand. Its great strength is the vast number of scenarios that Philip has thought up; it seems that if you can think of something that you want the application to do, it'll be in there somewhere. At my site however we do have a good number of people who are familiar with Exim, so armed with a copy of the (equally well written) reference manual we can usually get along just fine.

Those expecting the chatty, irreverent style of an O'Reilly text may be in for a disappointment. Philip writes in a clear, precise manner, and obviously knows the subject matter (literally) inside-out; but there's no messing around and you have to be committed to learning about the subject in question. Having said that, I don't want these last two paragraphs to put you off. If there's even a whiff of a chance of you having to come into contact with Exim or its runtime configuration, then I can do nothing else but strongly recommend this book. The detail's there in spades, it reads very well, and is a fine complement to the reference manual.

For more information, see also the Exim home page, as well as this book's website. You can't yet purchase the book from American retailers, though if you're in a hurry, bn.com stocks the previous version. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

233 comments

  1. hefty? by Tancred · · Score: 2, Informative

    Hefty 621 pages? The bat book is very nearly twice as hefty.

    1. Re:hefty? by Surak · · Score: 3, Funny

      Yeah. That would be because sendmail is about twice as baroque and twice as complicated as Exim (or PostFix, or Qmail, or just about any other smtp server software). ;)

    2. Re:hefty? by mdvolm · · Score: 5, Funny

      Would you say then that sendmail is baroque beyond repair?

    3. Re:hefty? by Tancred · · Score: 3, Informative

      Yeah, that was kind of my point. Sendmail's been great for the net, but unless it's completely rewritten to simplify it and discard its backward compatibility, it's a mess. Actually, I haven't used it in a while, but I got rather familiar with it in 1994 when I was hacking the conf file to do twisted things for uucp feeds to various places, the worst being a Major BBS that seemed to need everything rewritten just so.

    4. Re:hefty? by notque · · Score: 0

      If it's baroque, don't fix it.

      --
      http://use.perl.org
    5. Re:hefty? by Surak · · Score: 3, Insightful

      Yeah, in light of the now cheap and ubiquitous Internet access, doing crazy stuff like UUCP and/or FidoNet feeds is just not very useful anymore.

      Besides, sendmail has had far too many security vulnerabilities and has grown far too bloated to be very useful, IMHO. Exim and Postfix are each remarkable mail systems in their own right and have way simplified the process of setting up a mail server. sendmail was once great ... it was the ONLY thing, but now that there are so many systems out there that are better, why should anyone really continue to use it?

    6. Re:hefty? by GeekWade · · Score: 0

      Only for Monet...

  2. Why would I want to use exim? by Captain+Tenille · · Score: 0, Flamebait
    I understand sendmail, I like sendmail, and sendmail works. Forgive me if I don't feel the need to use some random unproven MTA.

    It annoyed me to no end yesterday when I was installing Debian on my Ultra 1 and it went and installed exim for no apparent reason. As soon as I get around to it, I intend to remove exim and get sendmail on there. I want a functional mailer.

    --

    ------------
    /* You are not expected to understand
    1. Re:Why would I want to use exim? by Aliencow · · Score: 2, Insightful

      If it's not broken, don't fix it.. But if you don't know it, don't learn it if there's something that's pretty much as good but much easier..

    2. Re:Why would I want to use exim? by reaper20 · · Score: 2, Informative

      Random unproven MTA? I find that ironic coming from someone using sendmail.

      If you want a drop in sendmail replacement, then maybe postfix would be a better choice.

      Take the time to learn either qmail, exim, or postfix, you'll save more time in the long run.

    3. Re:Why would I want to use exim? by Anonymous Coward · · Score: 5, Funny

      I understand windows, I like windows, and windows works. Forgive me if I don't feel the need to use some random unproven OS.

      Security is the answer my friend.

    4. Re:Why would I want to use exim? by Captain+Tenille · · Score: 2, Interesting
      I make sure I keep up on the sendmail advisories, never fear. I'm not a fool.

      I've just spent enough time to learn how sendmail works that I don't see learning yet another MTA as being especially necessary. Besides, you can do some neat stuff with sendmail.

      --

      ------------
      /* You are not expected to understand
    5. Re:Why would I want to use exim? by Anonymous Coward · · Score: 0

      Or qmail, which kicks both their asses.

      Says me, who runs it on a crappy amd 5x86 (sub P75) alongside djbdns, and gets more performance than his adsl can provide, and who hasn't tried anything else.

    6. Re:Why would I want to use exim? by leppi · · Score: 1, Funny

      > Re:Why would I want to use exim?

      Answer: you probably wouldn't. But for someone who wants to write config files that are easy to understand, exim is a good alternative. Sure, sendmail is great, and if you are familiar with it, good for you. But exim is also a good, solid alternative. Especially for someone who hasn't wasted (*ahem*) time learning sendmail.

    7. Re:Why would I want to use exim? by Captain+Tenille · · Score: 1
      I didn't say choice was bad. I just said that I didn't see the need to use exim.

      Incidentally, I'm a FreeBSDer, not a Windows guy. Did you miss the part where I was talking about the Ultra? I was putting Debian on the Ultra because unpatched Solaris 8 didn't like le0 for some reason, and the other copy of Solaris I had wouldn't work in its CD-ROM for some reason, and FreeBSD-5 doesn't work on Ultra 1's.

      --

      ------------
      /* You are not expected to understand
    8. Re:Why would I want to use exim? by StealthBadger · · Score: 1

      Considering that Exim was originally made to be "bug-for-bug" compatible with sendmail (from the older manpage for exim), and that it still supports much of the sendmail-style configuration, I'd think you'd like it....

      And I've had less trouble from exim than I have from sendmail. Then again, I run a small ( users 100) site.

      --
      Searching for Truth, Justice, and the Guy Who Boosted My Wallet a Few Weeks Back....
    9. Re:Why would I want to use exim? by AmunRa · · Score: 4, Interesting
      Forgive me if I don't feel the need to use some random unproven MTA.
      I hate to tell you, but the ISP I used to work for used exim throughout, with 1000s of domains and 1000s of simultaneous dialup users. I also know that one of the largest ISPs in the UK Freeserve use(d) Exim for all their mail. So I wouldn't say it is unproven.
      --
      " To steal ideas from one person is plagiarism; to steal from many is research. "
    10. Re:Why would I want to use exim? by windex · · Score: 1

      Anything you can do with sendmail you can do in exim in a way that is human readable and does not require a configuration preprocessor. :)

    11. Re:Why would I want to use exim? by arglesnaf · · Score: 1

      Your sendmail foo is weak. I never use the preprocessor and just hack the cf directly. Of course Sun tech support won't touch my Amavis Perl + sendmail config with internal domain rewriting rules with a ten foot pole.

      I use Exim at home on my Debian box, but I could not figure out how to get Exim to do authenticated smtp, mostly due to a limitation of the pam modules. (I want a success or a failure, but the 3K other return codes are useless for exim, and a bitch to hack in the config.) I hacked in a static user and pass for relay, and force anybody without it to use squirrelmail.

      If anybody can point me to a nice walkthrough I'd be grateful.

    12. Re:Why would I want to use exim? by Neophytus · · Score: 1

      Blueyonder have recently introduced several exim servers to their mail service, too.

    13. Re:Why would I want to use exim? by chegosaurus · · Score: 1

      Last time I worked there Freeserve still used Exim, as does BT Openworld. That may or may not be an endorsement for it.

    14. Re:Why would I want to use exim? by A+Masquerade · · Score: 1

      Last time I looked BT still use exim.
      Unfortunately they don't appear to have upgraded in close on 4 years (they certainly have some machines running 2.12).

      The Freeserve (or rather Energis Squared - the hosting ISP) mail system was the first in the UK, and probably in Europe, supporting over one million individual mail users. All the mail transport was done with exim on Linux, the mailboxes were on NetApp filers (Maildir structure). It was also one of the first mail systems with substantial anti-spam features (mostly on the outgoing side initially - as a toll free ISP Freeserve got more than its fair share of mail bombing jerks and didn't really want to end up with the reputation of having the most clueless users - that was left for AOL).

      That overall system sustained several millions of incoming and outgoing mails per day (can't remember the exact figures) over a smallish number of Compaq PII based linux servers. The quantity of mail will not have decreased in the 5 years since that system got going.

    15. Re:Why would I want to use exim? by FatalTourist · · Score: 2, Insightful

      I understand Hotmail, I like Hotmail, and Hotmail works.

      --


      Escape Pod Films: Sketch Comedy and Web Series
  3. Exim's design is bad for security by Fefe · · Score: 1, Interesting

    Exim has the same bad monolithic setuid-root style design as sendmail and even more useless (for the majority of people) features. It is a big messy pile of bloat code.

    I don't understand why anyone would want to use a piece of software where the author apparently does not have even a small bar of quality or usefulness that a patch must fulfill to be accepted in the main code base. Someone asks for it on the mailing list? It gets added to Exim.

    Server software has to be simple, understandable, small yet modular and powerful enough to make it possible to extend it if need be. Exim does not want to be extended, it wants to assimilate everything, making the result too big to be understandable by anyone (I wonder if even the author claims to understand every single line of code in there).

    Postfix and qmail have vastly better design, can be extended easily and are minimal for what they strive to offer (in particular qmail).

    qmail is used by more people than exim, yet fewer bugs (and in particular security problems) have been found in it. If you have a choice, go for qmail instead.

    1. Re:Exim's design is bad for security by Anonymous Coward · · Score: 3, Insightful

      FUD! It seems that people don't realize that sendmail 8.12 now has an excellent security model and very advanced queuing features. In fact, in comparison qmail in particular looks very outdated.

    2. Re:Exim's design is bad for security by haeger · · Score: 3, Funny

      Exim does not want to be extended, it wants to assimilate everything, making the result too big to be understandable by anyone

      So, it looks like we'll have our MS-Exchange replacement after all?

      .haeger

      --
      You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison
    3. Re:Exim's design is bad for security by Anonymous Coward · · Score: 1, Informative

      So, it looks like we'll have our MS-Exchange replacement after all?

      Well, except exim actually works.

    4. Re:Exim's design is bad for security by Anonymous Coward · · Score: 0

      Exim does not want to be extended, it wants to assimilate everything

      My God! Exim is trapper-keeper. Quick - go find Rosie O'Donnell.

    5. Re:Exim's design is bad for security by Dicky · · Score: 2, Insightful
      Okay - you're a qmail fanboy...

      Answer me this then - how do I get all mail going through my qmail system (not setup by me, but I'm one of the admins) to go through SpamAssassin, but with per-user settings - i.e. after the decision has been made on who to deliver the mail to - without losing the ability to use .qmail files? Oh, and ideally without lots and lots more patching - there's a lot to be said for a stable system, but it's a real problem when the author doesn't seem to be planning any more releases, but the license forbids people from distributing patched releases...

      Or to put it another way: qmail may be better for security, but I've had a lot of trouble working out how the hell to administer it, since it seems to ignore most of the traditional UNIX rules on 'how stuff works' in favour of newer, cooler, but random-seeming rules...

      --
      Paranoia isn't an infectious condition, it's a way of life
    6. Re:Exim's design is bad for security by noahm · · Score: 3, Informative
      Exim has the same bad monolithic setuid-root style design as sendmail and even more useless (for the majority of people) features.

      Hold on just a second:

      mail 145 0.0 0.2 6288 276 ? S Mar05 1:09 /usr/sbin/exim -bd -q30m

      Yes, the daemon needs to be root initially, but it drops root privileges ASAP and does not, in fact, run as root (unless you're insane and configure it to do so). Yes, it is a monolithic design, which may turn you off, but a remote exim exploit is not an automatic remote root exploit.

      Personally, I like Exim a lot, and I haven't even upgraded to version 4 yet. Just be glad you have a choice of MTAs and aren't stuck with sendmail, as was the case not too long ago. (Though to be fair, sendmail is getting significantly better!)

      noah

    7. Re:Exim's design is bad for security by DrPepper · · Score: 1

      I'll bite - I like a good flamefest on a hot day...

      I don't believe that just because the exim code is one binary, and qmail has multiple binaries, makes either better than the other. There are pros and cons to both approaches for this type of application. Certainly exim will run on pretty mediocre hardware and handle a very high volume of traffic with no major headaches. To be honest, on an MTA your performance bottlenecks will be elsewhere.

      Not everything mentioned on the mailing list gets into exim; however if it solves a problem then it's likely to be made available as an option. Users are free to compile in the bits of code that they require. Although you can use a stock binary, I find it best to roll my own for any serious application (ie. high load applications).

      Since when did the number of users of a product determine how good it is? More people use sendmail than much else - it doesn't make it the best MTA on the planet (flames > /dev/null!)

      Looking at security advisories for both MTAs, although exim has slightly more reports than qmail, neither has a significant number, and the count is very close. On security, I'd be happy running either.

      I don't know of any stats on bugs overall, but certainly there have never been enough in either product to be of any major concern to me.

      They're both good products. Personally the choice of which to use would come down to the application I needed it for.

    8. Re:Exim's design is bad for security by ansible · · Score: 2, Interesting

      Yeah, well, that's why some qmail people are moving to Courier instead.

      I started with qmail, because I liked Maildirs much better than mbox format. But then I needed an IMAP server. And then I needed a webmail server. And then I needed e-mail filtering.

      So instead of installing all the pieces separately, I just installed Courier.

      While the DJB-style configuration directories are kinda interesting, I prefer Courier's more mainstream configuration files.

      Still using DJBDNS though. Small and simple, which is what I like.

    9. Re:Exim's design is bad for security by Medievalist · · Score: 1

      FUD! It seems that people don't realize that sendmail 8.12 now has an excellent security model and very advanced queuing features.
      True. Sendmail is very mature, and I find it integrates nicely with LDAP, SpamAssassin, MailScanner, etc. etc. etc.. I've never had a security problem in the eight years or so I've had it running here. I do load patches immediately, of course... but there have been more *nix kernel vulnerabilities than sendmail vulnerabilities during that time.
      In fact, in comparison qmail in particular looks very outdated.
      I don't know about that because I would never run qmail- I don't like the licensing restrictions. If I wanted a more secure architecture than sendmail's (did I mention I run sendmail chrooted as an unprivileged user?) I would use Wietse Venema's Postfix, which also has a segmented architecture and more congenial licensing. If I wanted maildirs instead of mbox, and I didn't feel competent to hack them into my sendmail.mc, I'd run Courier.

      I personally have no need for qmail, or Exim either, but software diversity is good, especially in key infrastructure roles.
    10. Re:Exim's design is bad for security by liam193 · · Score: 1

      I'm not sure what the issue is here... I have my mail going through SpamAssassin with per-user settings and have it going through qmail-scanner with clamscan for antivirus and the .qmail files are still working. The only major hurdle was patching qmail with the QMAILQUEUE patch. That's not a big deal though.

    11. Re:Exim's design is bad for security by Florian+Weimer · · Score: 1

      Exim has the same bad monolithic setuid-root style design as sendmail and even more useless (for the majority of people) features. It is a big messy pile of bloat code.

      The code is very well-written and properly commented. Something you can't say about qmail. It's extremely surprising that DJB's software has so few bugs, given that it's basically unmaintainable.

      Monolithic MTAs have one advantage which is extremely important for most users: much, much better debugging facilities to test configurations. For example, it's possible to run relay checks against a new Exim configuration without actually activating it.

      qmail is used by more people than exim, yet fewer bugs (and in particular security problems) have been found in it.

      qmail is unmaintained software, and it isn't totally bug-free (in particular the documentation that ships with the sources omits a few critical details). But given the source code quality, I wouldn't want to touch it ever again if I were the author.

      If you don't want to use Exim because of your religious beliefs, you should use Postfix, not qmail. You can live with qmail if you invest plenty of time and are an experienced C programmer. Using qmail certainly contributes to your job security. But this makes qmail an extremely poor choice for small shops.

      (And don't forget that qmail lacks so many features that you have to use helper programs such as procmail, with quite a questionable security record!)

    12. Re:Exim's design is bad for security by Fefe · · Score: 0, Flamebait

      ROTFL, sendmail has an excellent security model in 8.12? Yeah, you can see that clearly when you read things like the last remote root exploit in sendmail 8.12.7, or are you now going to argue that 8.12 really starts with 8.12.8?

      And what "advanced queueing features" are you talking about here? If you mean milter, that is a kludge akin to fastcgi, and it typically involves linking untrustworthy sendmail code to your filter application. I don't know about you, but for me that is not an option. Never has been, never will be.

      And qmail looking outdated, that claim is so ridiculous, it does not even warrant an argument. Sorry, dude, but my little brother is a better troll than you are. Muhaha, you are even cheap enough to post as AC instead of using a throwaway account...

    13. Re:Exim's design is bad for security by Fefe · · Score: 0, Flamebait

      It's easiest to use a virtual domain with a two-line shell script glue, but you can also just use spamassassin as default delivery method and let the users override it in their .qmail files.

      Who says Dan isn't planning any more releases? And who cares if you can patch your own release? Why would you care if you can distribute a patched release when you can distribute an unpatched pristine version and a patch (which, incidentally, is what all the Linux distributions do anyway)?

      Also, qmail is the only MTA I know that can virus check email without bogging down the system with temp files. The reason is qmail's advanced queue layout (which Wietse in his inexperience and incompetence preferred to bash for personal reasons and now Postfix needs temp files for virus scanners and whatnot, doubling real life disk I/O in comparison to qmail. Good job, Wietse).

      The downside of qmail is that you need to spend time understanding it. The upside is that you can thoroughly understand it in a week or so, while you can barely skim through all the cruft in the Exim manual in that time.

    14. Re:Exim's design is bad for security by Fefe · · Score: 1
      The code is very well-written and properly commented. Something you can't say about qmail.


      The qmail code is obvious enough not to need much commentary. You can judge the quality of a code base pretty well by looking at a) how many patches are available (if the code base sucks, nobody will want to patch it; people will rather write their own MTA), b) how big the patches are (if the code base sucks, you need to touch more in your patches to get your problem fixed), and c) how often it needs updates.

      It is true that qmail is missing functionality that many people want. On the other hand, much of that functionality does not need patches at all; for example Dan implemented RBL checks in a separate program without even touching the qmail code base.

      Your other remarks about the qmail code are totally unfounded as well. I have never been more happy with a code base to patch than with qmail and djbdns. The helper functions are all there, qmail even contains man pages for most of them, the manual (and source code!) are small enough that I don't have to spend a year in a monastery in Tibet to even survey all of it...

      I really wonder where that urban legend comes from that the qmail code is hard to read or maintain. Your other point about relay debugging is wrong as well, you can check relaying in qmail without even running it, you just have to run the smtp part of it, and that part can be run without even binding to a TCP port. In short, there is no way it could be easier or better to debug.

      How can you claim that one needs procmail with qmail? One of the reasons I switched to qmail in the first place was to get rid of procmail. It is an evil kludge around broken designs like sendmail, it is not needed with qmail any more.

      So, in conclusion, please keep the FUD to yourself and bring us some real arguments here.
    15. Re:Exim's design is bad for security by asdfghjklqwertyuiop · · Score: 1

      now Postfix needs temp files for virus scanners and whatnot,

      That's a lie. I am setting up a postfix system right now for virus & spam scanning such that no temporary files are needed. How to do this is documented clearly in README_FILES/FILTER_README in the postfix source distribution.

    16. Re:Exim's design is bad for security by Anonymous Coward · · Score: 0

      Seems someone doesn't know the difference between a "security model" and a buffer overrun...

      If you are as unfamiliar with sendmail 8.12's queuing features as you appear to be, I very much recommend "sendmail Performance Tuning" by Nick Christenson (ISBN: 0-321-11570-8). In particular, you may wish to read about queue groups and multiple queues, just to start with... heck, start with the 8.12 README...

      qmail /is/ outdated. It hasn't been touched for over five years, and lacks a number of features now used in Enterprise settings. Just to start with, using LDAP already puts the administrator in the awkward position of requiring unsupported 3rd-party patches...

    17. Re:Exim's design is bad for security by rar · · Score: 1

      but the license forbids people from distributing patched releases...

      Actually, I think the license is the major reason qmail is so secure. It avoids making qmail a patchwork of "features" coded by all these people who fail to perform even the most basic validation of user-data. Sure, in the mail servers with more open licenses, such bugs are eventually removed by the community; but that also means you really have to watch out for upcoming patches...

      So, if you prioritize features and "all free open source"-styled license over not having to patch your mail server, there are other mail servers available providing this. Just don't complain over the license of qmail: it is one of the things making it what it is! (that is: a very secure mail server)

      how do I get all mail going through my qmail system [...] to go through SpamAssassin, but with per-user settings - i.e. after the decision has been made on who to deliver the mail to - without losing the ability to use .qmail files?

      Why not provide users with default .qmail files for a fully per-user opt-in/opt-out:able filtering solution? We use a setup like this on our systems, and it should work on a completely unpatched qmail setup:

      .qmail:
      | bash -c "/usr/bin/spamassassin -e | forward $LOCAL-spam;if [ \"\${PIPESTATUS[0]}\" != \"0\" ];then exit 99;else exit 0;fi"
      ./Maildir/


      .qmail-spam:
      | grep "X-Spam-Flag: YES" > /dev/null;ISSPAM="$?"; if [ "$ISSPAM" = "1" ]; then exit 99; fi; exit 0;
      ./Maildir/.spam/

    18. Re:Exim's design is bad for security by Fefe · · Score: 0, Flamebait
      Seems someone doesn't know the difference between a "security model" and a buffer overrun...


      Yeah, a security model is what you implement to make sure buffer overruns don't matter. In qmail, for example, the security model has the smtp daemon run with just enough permissions to write incoming mails in the incoming queue.

      you may wish to read about queue groups and multiple queues


      You really believe this marketing crap, do you? Wohoo, "queue groups", I bet it's almost as great and innovative a feature as thread pools.

      using LDAP already puts the administrator in the awkward position of requiring unsupported 3rd-party patches


      Actually, no. Not at all. I implemented a qmail with all-virtual LDAP users and did not have to touch the qmail source code once. I did not even have to replace or overwrite any binaries.

      qmail is modular enough that you can specify other delivery and the password authentication modules, in my case LDAP speaking ones. That's it. Partial sources are here.

      Get your facts straight next time, FUDster.
    19. Re:Exim's design is bad for security by Fefe · · Score: 1

      With postfix, stdin for filters is non-seekable. The reason is the funky queue file layout that Wietse chose.

      Virus scanners need to seek around in the mail files (or they buffer the whole mail in memory, which is even worse performance-wise). All modern virus scanners are running as daemons and are given a file name over a unix domain socket. To be able to give a file name of a file that contains the mail (and not some other postfix queue junk as well) to the virus scanner, you need to write a temp file. There simply is no way around that.

      Please get your facts straight next time.

    20. Re:Exim's design is bad for security by Dicky · · Score: 1
      Okay, so you sound like you have what I need... the problem is that I'm not a qmail guru, and I have absolutely no interest in becoming one. So how do I do this? To be honest, I'd just prefer to go over to exim - not for any specific reason, apart from not having enjoyed my experience with qmail, and having met Phil Hazel a couple of times and heard him speak on exim - and him sounding sane and, frankly, being a nice bloke :-)

      So tell me, what do I need in which of the various config files - I'm talking system-wide, on a real multi-user system with lots of virtual domains - to get SpamAssassin run with per-user settings while mail is delivered. It should hopefully go without saying that changing individual .qmail files is unacceptable, since there are already over 100 of them on the system.

      I do have the QMAILQUEUE patch applied... To be honest - if you've got all this working, I'd really appreciate it if you'd drop me a line (I'd mail you, but you've not published your address) and let me know in detail what you had to do to get this stuff working...

      --
      Paranoia isn't an infectious condition, it's a way of life
    21. Re:Exim's design is bad for security by Anonymous Coward · · Score: 0

      There are no licensing restrictions on qmail, because it is not distributed under a license. To quote Professor Bernstein, "[o]nce you've legally downloaded a program, you can compile it. You can run it. You can modify it. You can distribute your patches for other people to use. If you think you need a license from the copyright holder, you've been bamboozled by Microsoft."

    22. Re:Exim's design is bad for security by asdfghjklqwertyuiop · · Score: 1

      With postfix, stdin for filters is non-seekable. The reason is the funky queue file layout that Wietse chose.

      The queue has nothing to do with postfix advanced filters. The message to be scanned won't be queued at all unless the filter is unavailable or too busy or something like that. Under normal conditions it will only be written to disk by your filter (if your filter does so).

      Please get your facts straight next time.

    23. Re:Exim's design is bad for security by rsax · · Score: 1
      If I wanted a more secure architecture than sendmail's (did I mention I run sendmail chrooted as an unprivileged user?) I would use Wietse Venema's Postfix, which also has a segmented architecture and more congenial licensing. If I wanted maildirs instead of mbox, and I didn't feel competent to hack them into my sendmail.mc, I'd run Courier.

      Postfix supports delivery to maildirs natively.

    24. Re:Exim's design is bad for security by Anonymous Coward · · Score: 0

      I agree with the readability of Dan's source code. The average length of a source file in qmail is between 50 and 75 lines of code (depending on how you count). I think that many people have been brainwashed into believing that comments are an acceptable way of making up for unreadable code. They then use the logical fallacy of assuming that this must imply that source with few comments must be unreadable.

    25. Re:Exim's design is bad for security by PapaZit · · Score: 1
      If you have a choice, go for qmail instead.

      The problem with qmail is that the author is a screaming loony (albeit a very smart one).

      We all know how support works for open source products: you use the mailing lists, IRC channels, mail to the author, etc. Woe be unto you if you ask a qmail question that was answered 3 years ago (and is thus archived somewhere), or worse yet, you ask for functionality that qmail doesn't have and DJB deems "inessential".

      I've not even asked questions, but I've read the archives. A surlier, more user-hostile community would be hard to find.

      --
      Forward, retransmit, or republish anything I say here. Just don't misquote me.
    26. Re:Exim's design is bad for security by Fefe · · Score: 1

      Ah, you are talking about the filter method where you pipe your mail through another smtp daemon. Since that is obviously trivial to do with any other MTA as well, I didn't think anyone would sink so low as to actually mention this as feature, let alone "advanced filtering".

      Heck, MS Exchange can do that!

      ROTFL

    27. Re:Exim's design is bad for security by sigwinch · · Score: 1
      I think that many people have been brainwashed into believing that comments are an acceptable way of making up for unreadable code.
      While it is true that indiscriminate comments do not necessarily improve a codebase, the qmail source has **ZERO** useful comments [1]. Literally zero. Worse, variables are randomly named. My first impression on looking at it was "Why was an open source release run through a shrouded-source processor?"

      A maintenance programmer confronted with this codebase is screwed. The semantics and types of data structures are a complete mystery. The maintainer has to either (1) guess blindly, or (2) reverse engineer the codebase. Ditto for auditors/reviewers. And that is a recipe for insecurity.

      [1] IIRC there are only two comments at all, both of which are utterly useless.

      --
      Kuro5hin.org: where the good times never end. ;-)

    28. Re:Exim's design is bad for security by asdfghjklqwertyuiop · · Score: 1

      I didn't think anyone would sink so low as to actually mention this as feature,

      Well what the hell did you think I was talking about for the past 3 posts? There are only two documented ways of filtering in postfix, and I obviously wasn't talking about spooling the mail to temp files.

    29. Re:Exim's design is bad for security by cjsnell · · Score: 1


      Yes, the daemon needs to be root initially

      Actually, that's not true. I run all my Exim mail servers as a non-root user on a high port (like 51025) and use FreeBSD's IPFilter (ipnat, actually) to forward port 25 to this high port. It works like a champ.

      To boot, none of my mail accounts are real unix accounts. They exist only in a PostgreSQL database (also running as non-root). To provide client access, we use Courier IMAP, also running as (you guessed it) a non-root user.

      Nothing is setuid, nothing uses uid 0 for even a moment.

      It rocks.

      Chris

    30. Re:Exim's design is bad for security by Anonymous Coward · · Score: 0
      There are no licensing restrictions on qmail
      That's funny, this page at Dan Bernstein's site says you may not distribute any modified versions of the program without his explicit permission. Here's the relevant section:
      If you want to distribute modified versions of qmail (including ports, no matter how minor the changes are) you'll have to get my approval. This does not mean approval of your distribution method, your intentions, your e-mail address, your haircut, or any other irrelevant information. It means a detailed review of the exact package that you want to distribute.
      Looks like you've been bamboozled by Professor Bernstein.
    31. Re:Exim's design is bad for security by macdaddy · · Score: 1
      If I wanted maildirs instead of mbox, and I didn't feel competent to hack them into my sendmail.mc, I'd run Courier.

      Sendmail could care less if you use mbox, maildir, or some proprietary format. MTAs don't care. Writing to disk is the LDA's job. Then again IIRC QMail wants to do everything and therefore writes to disk as well (bad security model IMHO). Procmail can write maildir if you want. That's the only LDA I ever use but I know there are others and I'm sure some of them can write maildir as well.

      BTW, the other points were good ones. The licensing point was answered by other folks so I won't mention it here.

    32. Re:Exim's design is bad for security by Medievalist · · Score: 1
      Sendmail could care less if you use mbox, maildir, or some proprietary format. MTAs don't care. Writing to disk is the LDA's job.
      Good point, since sendmail ships with procmail these days. I don't know of anyone using the old /bin/mail with sendmail any more.

      But you will recall I said "If I wanted maildirs instead of mbox, and I didn't feel competent to hack them into my sendmail.mc, I'd run Courier".

      I'm pretty sure that you have to modify sendmail.mc or sendmail.cf to get a procmail configuration that uses maildir format instead of mbox. It's not something you'd want to do in users' individual .procmailrc files; I would think it would be best addressed at the procmail/sendmail interface which comes from sendmail.mc (or sendmail.cf if you like pain). Feel free to post the relevant configuration bits and prove me wrong! :)

    33. Re:Exim's design is bad for security by macdaddy · · Score: 1
      Sorry for the delay in replying. I've been AFK for a while.

      Again (not to be redundant but reassuring :), Sendmail doesn't care about the inbox format. It simply hands the entire envelope to the LDA (usually Procmail) which then decides what to do from there. Now the easiest way to make Procmail write mailDirs is to write a short recipe that drops a copy of a message in a folder. For example, say you wanted to sort mail from the SpamAssassin mailing list into a mbox called "spamassassin." You'd simply have a recipe like this one:

      :0 H:
      * ^Sender: spamassassin-talk-admin@lists.sourceforge.net
      spamassassin

      To put that mail into a mailDir instead of a mbox, you'd make a minor change to the recipe:

      :0 H:
      * ^Sender: spamassassin-talk-admin@lists.sourceforge.net
      spamassassin/

      See the change? It's a small but important one. It's the trailing slash on the target directory (was a mbox, now a directory or mailDir). I can't think of a particularly good way to write mailDirs systemwide. I really haven't done much of anything with mailDir. I know it's possible and quite easy to do, even if I don't know how to do it. It's probably something simple that involves $USER in the system procmailrc. Since mailDir is almost always written to a user's $HOME instead of a mail volume, I'd bet this simple idea for a script is probably what you'd want to do:

      :0:
      $USER/$MAILDIR/inbox/

      That would probably do it right there. If you're using DROPPRIVS then you could probably lose the $USER as well, I think. Test it just to be sure.

      I'm dinking around with mailDir on my mailing list account right now. I'm using the simple recipe below to drop a copy of all incoming mail into a directory for all my mailDir stuff:

      :0 c:
      $MAILDIR/maildir/

      I'd love to have the time to learn more about mailDir. I hear it's quite useful, especially in IMAP and Webmail applications. One of these days I'll learn what I need to know. Till then mbox will do nicely. :-)

      BTW, Procmail and Sendmail aren't related packages. Neither includes the other. Distributions do however almost always pair the two up when they choose a MTA/LDA combo since they complement each other so well. Because of that editing the sendmail.cf/mc won't have any effect on Procmail, assuming of course that you don't change "MAILER(procmail)," "PROCMAIL_MAILER_PATH," or "FEATURE(local_procmail)." :-) Procmail is configured by the system procmailrc commonly found in /etc/procmailrc.

    34. Re:Exim's design is bad for security by Medievalist · · Score: 1

      I was specifically thinking of the FEATURE(local_procmail) line in sendmail.mc (as shipped by the major distributions -- for example Red Hat has FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u') in their 7.x releases). I guess I sort of assumed that would be the logical place to write in maildir support.

      I think most software distributions that contain sendmail binaries also include procmail. Eric Allman personally recommends it and links to it from sendmail.org (he also gives at least one procmail "recipe" on the same site). So I would consider them pretty strongly related, myself, even though you are right that the sources are separately developed, distributed, and maintained. I didn't mean to overstate the connection, apologies for the sloppy composition.

      An interesting thing you could do with maildirs is put each mail message in a /PMAIL subdirectory of a user's home directory, and then publish the homes with samba. That would let end-users run Pegasus Email for Windows in native mode without having any Novell stuff or resorting to POP3. You'd need to name the messages [messageid].CNM to pull it off, so they looked like they'd been delivered by the old Charon mail gateway.

      Thank you for the excellent and informative post!

  4. Re:Exim is hefty hefty hefty by Anonymous Coward · · Score: 0

    Exim is secure... Find one exploit for it that has been published in the past two years!?!?

  5. Millions by selderrr · · Score: 2, Funny

    At my organization we use it to relay around half a million messages per day

    Yo Ralsky ! Loong time no see buddy !

    All jokes aside, half a million messages/day isn't really that much. Does anyone know which software the spammers use ?

    1. Re:Millions by Anonymous Coward · · Score: 0

      Software spammers use to send messages has pretty much nothing to do with relays like Exim.

      Spammers tend to exploit open relays or trusting ISP relays. Why would they need to set up their own server?

    2. Re:Millions by Anonymous Coward · · Score: 0

      Lyris. They are the all time king of spam software. They can send over a million messages per hour. http://www.lyris.com

  6. Exchange by Anonymous Coward · · Score: 5, Interesting


    Sorry, I have to post this as an AC..

    My employer has ~5000 employees across Canada. We have 8 or 10 MS-Exchange racks around the country (one per location and a big one in Ontario).

    Two dual Xeons for primary and backup and another for the domain controller. I *know* how much traffic we have and this is gross overkill. Mind you, Exchange needs a lot of horsepower for the bloat. Anyhow, some rough numbers showed that we could eliminate all the Exchange servers with a *single* dual CPU FreeBSD 5.x box running Postfix.

    Would the bureaucrats listen? No, in fact one fellow gave an ultimatum that if we didn't run Exchange, he'd quit.

    So around the country we have little Unix systems popping up that act more reliably and without the spam (we use blackhole lists)

    1. Re:Exchange by Anonymous Coward · · Score: 1, Insightful

      If I had to manage and administrate 5000 users, I'd vastly prefer Exchange to sendmail.conf.

      You have to realize that your couple-thousand dollars saved is peanuts to your employers. The xerox machine is probably worth three times your 'savings'.

    2. Re:Exchange by Anonymous Coward · · Score: 0

      Right. 'Cause some SMTP/POP3 relayer will give you all the same functionality as Exchange.

      Sorry, I have to post this as an AC.. My employer has ~5000 employees across Canada. We have 8 or 10 MS-Exchange racks around the country (one per location and a big one in Ontario). Two dual Xeons for primary and backup and another for the domain controller. I *know* how much traffic we have and this is gross overkill. Mind you, Exchange needs a lot of horsepower for the bloat. Anyhow, some rough numbers showed that we could eliminate all the Exchange servers with a *single* dual CPU FreeBSD 5.x box running Postfix. Would the bureaucrats listen? No, in fact one fellow gave an ultimatum that if we didn't run Exchange, he'd quit. So around the country we have little Unix systems popping up that act more reliably and without the spam (we use blackhole lists)

    3. Re:Exchange by Anonymous Coward · · Score: 0

      Let him quit. That would save the company at least 50k a year. And if Exchange is one of his key areas then he is doing nothing but burning up the company's money anyway.

    4. Re:Exchange by mkelley · · Score: 3, Insightful

      That's nice and all, but it's just half of what Exchange does. What about the calendars? Would something like PHPGroupware or one of the additional groupware scripts work with Outlook with Postfix for email?

      Plus, if Outlook didn't work, they would have to reeducate the employees for the new system. You have to look at the big picture, to see the costs system wide.

      --

      m.kelley
      life is like a freeway, if you don't look you could miss it.
    5. Re:Exchange by Malc · · Score: 2, Insightful

      Exchange does more than just email. What were you going to replace groupware things like calendaring with?

    6. Re:Exchange by Lennie · · Score: 2, Informative

      Then buy from Suse, they use postfix if I remember correctly, they have a webinterface that does everything outlook does, if I remember correctly, Outlook works with it too I think.

      well, I haven't tried it, have no need for it.

      --
      New things are always on the horizon
    7. Re:Exchange by Anonymous Coward · · Score: 0

      TWIG does all that, in a spiffy web interface. It's GPLd.

    8. Re:Exchange by Anonymous Coward · · Score: 0

      TWIG does all that, in a nice spiffy web interface. It's GPLd.

    9. Re:Exchange by Malc · · Score: 1

      I've seen TWIG before. As web interfaces go, it might be very nice. However, it *is* still just a web interface, which makes it inappropriate. I personally hate web interfaces, so you can imagine the reaction of people married to clients like Outlook.

      TWIG is good if you're on the road, but not for everyday use. IMHO

    10. Re:Exchange by Anonymous Coward · · Score: 0

      What about the calendars?

      O lord.. not one of those calendar people again.
      Now where's my gun.....

    11. Re:Exchange by ckuhtz · · Score: 1
      Anybody threatening to quit like that, ought to be fired instantly.

      Why do you submit to blackmail?

      --

      Poof.
    12. Re:Exchange by Penguin+Follower · · Score: 1

      If I had to manage and administrate 5000 users, I'd vastly prefer Exchange to sendmail.conf.

      You might want to reread the parent post. He said he was using Postfix, not Sendmail! Postfix has a much better config file. ;)

    13. Re:Exchange by Anonymous Coward · · Score: 0

      If I had to manage and administrate 5000 users, I'd vastly prefer Exchange to sendmail.conf.

      How do you know that you'd prefer it? It doesn't sound like you've ever actually configured sendmail. The sendmail config file is sendmail.cf, not sendmail.conf. And even then, you don't edit that by hand - you edit sendmail.mc and use that to generate the actual config file.

      And even then, the grandparent isn't even using sendmail, he's using postfix.

    14. Re:Exchange by Anonymous Coward · · Score: 0
      This is not insightful, it is moronic. First of all, you will get a savings at least into the 10's of thousands of dollars by choosing a single FreeBSD+Postfix solution over 10 Windows servers+Exchange. Using very conservative (to my argument) numbers, assume $1,000 for each server, and then $100 for the MS licenses for each server.

      Now, the above argument is essentially meaningless, since he already has the Exchange servers running. The real cost savings that you will see will come from consolidating your operations to one site, as well as a single piece of hardware. You save here on staffing and maintenance costs, as well as operations. You will also save on upgrade costs to the software, as well as to the hardware (again since you only have a single box).

      As for your peanuts, I find that most companies throw them away by the bushel. So that it is likely that there are many other situations where his company could be saving money but isn't.

    15. Re:Exchange by Lew+Payne · · Score: 1

      Are you kidding? Look at the big picture? Do you really expect the mindless young posters of slashdot to do anything besides toot their own horn?

      If instead of complaining so much about Microsoft solutions, they created an equivalent desktop environment that was easy to use, consisted of the same command structure as Win2K, and could run compatible applications (spreadsheet, word processing, presentation manager, group scheduling and appointments, etc, etc, etc) -- then their words might have some credibility.

      But so far, that is not the case, and we are stuck with stupid applications that do only half the job -- forcing us to switch to Microsoft to get the job done.

    16. Re:Exchange by transient · · Score: 1
      What about the calendars?

      What about them? I'm honestly curious -- not trying to be an ass -- what tangible benefit is provided by having your calendar and email in the same application?

      --

      irb(main):001:0>
    17. Re:Exchange by bluGill · · Score: 1

      I'd call the fact that there are applications that do half the job as proof that you are wrong: someone started to create an equivalent desktop (spreadsheet, word processing, presentation manager, group scheduling and appointments, etc, etc, etc) instead of complaining. They just are not done yet, but they are still working.

      And don't try to claim we overestimated the work involved, because those who estimated had no clue, while those who do the work rarely bother with estimates knowing that anything more than a few hours out will be missed wildly anyway.

      Remember Microsoft had a head start over open source. Linux began in '91, and took years to get where it is. In some cases Solaris, or AIX beats it. (big systems mostly, and some high reliability stuff), but for most people it is at least good enough, and often better, but this is 12 years later, compare that to how long KDE had been out, and where KDE is. (KDE is more complex than linux in many ways)

    18. Re:Exchange by Stillman · · Score: 1

      Would the bureaucrats listen? No, in fact one fellow gave an ultimatum that if we didn't run Exchange, he'd quit.

      So, the correct response would have been:
      Well, we've enjoyed working with you. Don't let the door smack you in the ass on the way out!

      Did they actually NEED Exchange for the groupware features? Or was it just a mailchucker? If the latter there is no justification for such a waste of resources.

      --
      Prisoner #655321
    19. Re:Exchange by mkelley · · Score: 1

      "Microsoft had a head start over open source"

      um, the GNU has been available since 1984.. While Windows 1.0 wasn't out until 1985. GNU had a head start, it's just sad that it took another 7 years for it to mean anything.

      --

      m.kelley
      life is like a freeway, if you don't look you could miss it.
    20. Re:Exchange by mkelley · · Score: 1

      Because some people like having their information in one place. And not having multiple apps open. It would be like using Photoshop to only create gifs and using another program to create jpegs. The calendars relate to emails, as meetings are scheduled and such, and allow people to ditch those damn day planners and use a computer instead.

      --

      m.kelley
      life is like a freeway, if you don't look you could miss it.
    21. Re:Exchange by Ewan · · Score: 1

      We looked at Suse, unfortunately they charge a per-user licence for clients that is comparable to Exchange, and Exchange Client access licences include the right to use Outlook, not just a web interface.

      And in a 5000 user system like the guy above was discussing, licence fees are the number 1 cost by a long long way.

      Ewan

    22. Re:Exchange by Ewan · · Score: 1

      The ability to arrange a meeting by email and have it automatically appear in each person's calendar with a little reminder as they accept the invitation is a great feature for distributed offices, especially if one or more people in your company has a secretary who arranges meetings for them - the secretary can accept the request as a designated user in Exchange, and then, voila, the next time the executive checks their email they see a meeting for them to attend.

      Ewan

    23. Re:Exchange by Anonymous Coward · · Score: 0

      www.seasidesw.com Seaside has released HiPerExchange, a utility that enables OWA to behave more like Outlook. It copies a user's email/groupware data to a local disk, and then serves that data using OWA (or similar). As such, it allows rapid data access regardless of network environment, local storage, offline use, etc.

  7. Exim on a Home Network by dochood · · Score: 4, Interesting

    I use Exim on my home network. It runs on my firewall machine (yeah, I know... probably not the safest thing to do, but port 25 is blocked from coming in... it's local only) so that my wife, kids and I can use it as our SMTP server, to quickly send stuff out. I also use Fetchmail, SpamAssassin, and Procmail to filter spam and nasty attachments. We use IMAP, so everything gets backed up from one place.

    I use Exim, because when I installed it with Debian, it asked about 5 reasonable questions, and then it just ran. That's it. There's no point in trying to learn Sendmail's complex file format, when we only need to serve 4 users. It's a great way to get an e-mail server up and running quickly for a small network. I was quite surprised, though, about the post above that said they use it for 1/2 million messages a day! I didn't know it could handle such a big load!

    dochood

    1. Re:Exim on a Home Network by Osty · · Score: 1

      yeah, I know... probably not the safest thing to do, but port 25 is blocked from coming in... it's local only

      Why bother with the firewall rule? Bind exim to your local interfaces only (127.0.0.1, whatever private IP you use for your internal LAN). If no service is running on a port, you don't need to worry. Firewall it anyway, if you like, but that's just redundant.


      I also use Exim 3 on Debian, coming from using Postfix for the longest time. In fact, the only reason why I switched from Postfix to Exim is because I switched ISPs (no DSL at my new house) and couldn't run my own mail server anymore. Because of that, I moved my domain to a hosting company and needed to use SASL to send mail through their smtp servers. Well, setting up SASL with Postfix in Debian was a major pain in the ass. I never got it working quite right (always ended up with it saying there was no valid mech or some such), so I blew away postfix and installed Exim. Guess what? Exim did SASL right out of the box (.deb), and all I had to do was make one or two very minor changes to a (highly readable) config file. I thought Postfix was great for ease of use, and it certainly is compared to Sendmail. However, Exim is another step beyond that.


      A couple of years ago, I wouldn't have switched. I'd have spent as much time as necessary banging on Postfix to make it work with SASL. Now, I switched because it was much easier than wasting time on Postfix.

  8. Props to exim! by larry+bagina · · Score: 5, Interesting
    Honestly, I don't know why Red Hat and others include sendmail. This isn't the 1980s anymore, and there are better (as in, fewer bugs, root exploits, easier to configure) options. Like exim and qmail (which I prefer, though I use exim at work).

    We used to use sendmail at work. The justification being that's what we always used, and that's what the support contracts listed.

    Then the mail admin was on vacation for a week, and nobody noticed the security alert for the remote relay exploit. A spammer found us, and we had to shut down all mail for 6 hours until we could figure out what happened. And are still trying to get our IP off some spam lists.

    Since then, we've gone to exim, and it just works.

    If anybody needs half a dozen sendmail books, let me know :)

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

    1. Re:Props to exim! by damiangerous · · Score: 2, Informative
      Honestly, I don't know why Red Hat and others include sendmail.

      Mandrake 9.1 defaults to postfix. I didn't look to see if sendmail was even an option.

    2. Re:Props to exim! by TheRaven64 · · Score: 1
      If anybody needs half a dozen sendmail books, let me know :)

      Swansea University Computer Society is happy to accept book donations... (and other donations, if anyone wants to buy us some new kit :)

      --
      I am TheRaven on Soylent News
    3. Re:Props to exim! by Anonymous Coward · · Score: 0

      When I installed FreeBSD 4.6, there was an option for sendmail. I chose not to use it. It installed anyhow. It started up anyhow (and halted startup for a minute while trying to resolve the hostname). I had to dig around for some time to find how to disable it for real.

    4. Re:Props to exim! by lunenburg · · Score: 4, Informative

      Honestly, I don't know why Red Hat and others include sendmail.

      Red Hat includes both Sendmail and Postfix on their CDs - sendmail is just the default.

      You can install Postfix, and then use "redhat-switch-mail" to activate Postfix. And with that, you're running a not-Sendmail mailer.

    5. Re:Props to exim! by FattMattP · · Score: 1
      I don't know why Red Hat and others include sendmail.
      Red Hat also includes Postfix. Look at the redhat-switch-mail package.
      --
      Prevent email address forgery. Publish SPF records for y
    6. Re:Props to exim! by DNS-and-BIND · · Score: 3, Interesting

      I don't know why a home user linux box even NEEDS a mail server.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    7. Re:Props to exim! by r00tarded · · Score: 2, Funny

      geek-- to you!

    8. Re:Props to exim! by caluml · · Score: 1
      Is that the same Swansea University Computer Society as in:

      Linux NET4.0 for Linux 2.4
      Based upon Swansea University Computer Society NET3.039

      Sounds like a worthy cause to me.

    9. Re:Props to exim! by oohp · · Score: 1

      Nullmailer is okay for most of the workstations. Yes, you have a point.

    10. Re:Props to exim! by pla · · Score: 5, Interesting

      I don't know why a home user linux box even NEEDS a mail server.

      Assuming you didn't mean that sarcastically, in a "why would anyone need more than 640k of RAM" manner...

      Because some of us don't like having our personal email stored on (or ever even passing unencrypted through) our ISP's systems.

      A decade ago, well over half of my friends worked (mostly in some network admin style position) for local ISPs. Let's just say that I found this... "enlightening". Do not trust the privacy of ANYTHING stored on or passing over the net unencrypted. I don't say this out of paranoia, but real, concrete experience.

      One friend (an extreme example, but probably more common than we'd like to believe) had a "stalkee of the week". He'd pick a random user, and read all their mail, check out what web sites they visited and what they downloaded, scan through their telnet, IRC, and any other unencrypted sessions... By the end of the week, he'd know more about them than their wives did.

      Legal? Probably not (without a lot of evidence, he could have just claimed that he only monitored a suspected intruder). But could anyone catch him? Very unlikely, even if they knew about his "hobby".

      My point with this little anecdote... Basically, you most certainly do have a good reason to run your own mail server, assuming you have even a passing interest in privacy.

    11. Re:Props to exim! by Xerithane · · Score: 1

      I don't know why a home user linux box even NEEDS a mail server.

      I don't know why people drive in the left lane with their signal on going 10 miles an hour under the speed limit.

      I don't know why people still are plagued by email viruses.

      I don't know why a home user needs a 2.4Ghz CPU to check their email.

      I don't know why you need to know why a home user needs an email server.

      --
      Dacels Jewelers can't be trusted.
    12. Re:Props to exim! by Kunta+Kinte · · Score: 1
      Then the mail admin was on vacation for a week,...

      Um..., that could happen to any mail server.

      An exim exploit could come out and only the untrained admins are in.

      I use sendmail in a pretty complex setup. ISP-type virtual domain setup, LDAP datastore, and I have about 2, yes 2 exploits for the last year or so for which I was vulnerable.

      PS. Configuring sendmail takes some reading, but upgrading sendmail is as simple as running the build script, doing a Build install, and then restart. The hard part was coming up with a decent sendmail.mc and Site.config.m4, both of which you would have had already. So your story sounds a little fishy to me.

      --
      Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW
    13. Re:Props to exim! by stickyc · · Score: 1
      I don't know why a home user linux box even NEEDS a mail server

      Because my ISP doesn't support IMAP or do any spam filtering and I'd like to access all of my substantial read email remotely from anywhere?

      I am open to suggestions....

    14. Re:Props to exim! by Anonymous Coward · · Score: 0

      Hi....

      I'd just like to point out that a lot of ISPs (in the UK anyway) transparently proxy port 25 connections.

      So, in this case, you deliver your mail to your private SMTP server. But as soon as your box opens a connection to port 25 on (what it thinks) is the destination server, it is actually being proxied by the ISP. So it goes through their server anyway.

      You can tell if this is happening by sending a test e-mail and examining the headers.
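
The header check suggested in the comment above, as an added example that is not part of the original thread: it reads the Received chain of a test message and compares the peer IP recorded by the destination MX with your own public IP. All host names, addresses and sample messages are constructed (documentation ranges), and the function names are hypothetical.

```python
import email
import re

# The bracketed address in a Received header is the socket peer the
# receiving server actually saw; the HELO name is only what the client claimed.
IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_hop(value):
    """Split one Received header into HELO name, socket peer IP and 'by' host."""
    text = " ".join(value.split())  # unfold continuation lines
    by = re.search(r"\bby\s+(\S+)", text)
    from_part = text[: by.start()] if by else text
    helo = re.match(r"from\s+(\S+)", from_part, re.IGNORECASE)
    ip = IP_IN_BRACKETS.search(from_part)
    return {
        "helo": helo.group(1).lower() if helo else None,
        "peer_ip": ip.group(1) if ip else None,
        "by": by.group(1).lower() if by else None,
    }


def check_delivery_path(raw_message, my_ip, my_host, dest_mx):
    """Classify a test message as delivered 'direct', 'relayed' or 'unknown'.

    my_ip must be the public address your server connects from (after NAT).
    """
    msg = email.message_from_string(raw_message)
    # Each server prepends its header, so reverse for chronological order.
    hops = [parse_hop(v) for v in msg.get_all("Received", [])][::-1]
    dest = next((h for h in hops if h["by"] == dest_mx.lower()), None)
    if dest is None or dest["peer_ip"] is None:
        return {"verdict": "unknown", "peer_ip": None, "extra_hops": []}
    before = hops[: hops.index(dest)]
    # Any server other than your own that handled the message before the MX.
    extra = [h["by"] for h in before if h["by"] and h["by"] != my_host.lower()]
    verdict = "direct" if dest["peer_ip"] == my_ip and not extra else "relayed"
    return {"verdict": verdict, "peer_ip": dest["peer_ip"], "extra_hops": extra}


# Constructed sample: the destination MX saw the home server's own address.
DIRECT = """\
Received: from home.example.org ([192.0.2.10])
  by mx.example.net with esmtp id 1AbCdE-000001-00
  for <probe@example.net>; Mon, 01 Jan 2024 12:00:05 +0000
Received: from laptop.home.example.org ([10.0.0.5])
  by home.example.org with esmtp id 1AbCdD-000002-00
  for <probe@example.net>; Mon, 01 Jan 2024 12:00:01 +0000
From: me@home.example.org
To: probe@example.net
Subject: path test

body
"""

# Constructed sample: an ISP relay accepted the connection and added a header.
PROXIED = """\
Received: from smtp-proxy.isp.example ([198.51.100.25])
  by mx.example.net with esmtp id 1AbCdG-000003-00
  for <probe@example.net>; Mon, 01 Jan 2024 12:00:09 +0000
Received: from home.example.org ([192.0.2.10])
  by smtp-proxy.isp.example with esmtp id 1AbCdF-000004-00
  for <probe@example.net>; Mon, 01 Jan 2024 12:00:05 +0000
Received: from laptop.home.example.org ([10.0.0.5])
  by home.example.org with esmtp id 1AbCdD-000002-00
  for <probe@example.net>; Mon, 01 Jan 2024 12:00:01 +0000
From: me@home.example.org
To: probe@example.net
Subject: path test

body
"""

# Constructed sample: the proxy adds no header of its own and passes the HELO
# through, so only the peer IP recorded by the MX gives it away.
PROXIED_SILENT = DIRECT.replace("([192.0.2.10])", "([198.51.100.25])")

if __name__ == "__main__":
    for name, raw in [("direct", DIRECT), ("proxied", PROXIED),
                      ("silent proxy", PROXIED_SILENT)]:
        result = check_delivery_path(raw, "192.0.2.10", "home.example.org",
                                     "mx.example.net")
        print(name, "->", result)
```

The third sample is the case to watch for: the HELO name still claims to be the home server, so the verdict has to rest on the bracketed peer address, not on the host names.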

    15. Re:Props to exim! by rsax · · Score: 1
      Because some of us don't like having our personal email stored on (or ever even passing unencrypted through) our ISP's systems.

      If you don't like having your email passed through unencrypted through (any) ISP systems you have two options: 1) send and receive mail only if it has been encrypted using gnupg/pgp or 2) stop using email. That is the nature of SMTP so unless every ISP starts using TLS/SSL and/or every user starts using encryption, you're bound to have your email pass through some mail server unencrypted. Running your own mail server at home isn't going to solve the problem.

    16. Re:Props to exim! by TheRaven64 · · Score: 1

      That's the one. Alan Cox and friends wrote a fair whack of the Linux TCP/IP stack during their time here (which accounts for Alan only getting a 2.ii) although I suspect it's been re-written a few times since then.

      --
      I am TheRaven on Soylent News
  9. You know.... by cybermace5 · · Score: 1, Funny

    ...I think I'll just wait for the movie.

    --
    ...
  10. Exim is no-nonsense, no worry by ArghBlarg · · Score: 5, Insightful

    I'm having trouble understanding why people here are trashing exim; as someone else already said, Debian uses it as their default mail server; it asks a few easy to understand questions, and just works. It's much friendlier than sendmail.

    As for security, I haven't audited the code myself (honestly, have you?). However, I *do* subscribe to the BUGTRAQ mailing list, and have seen maybe two advisories on exim over the last two years -- as opposed to literally dozens for sendmail.

    Oh, and the configuration file doesn't look like line noise :-).

    --
    ERROR 144 - REBOOT ?
    1. Re:Exim is no-nonsense, no worry by PD · · Score: 2, Insightful

      I agree. Exim is sweet, and it just works. I run it as the MTA on my domain, and never have had a relay, or a security problem. And configuration was simple compared to anything else.

    2. Re:Exim is no-nonsense, no worry by Anonymous Coward · · Score: 0

      On your, and other posters' comments, I'll give exim a whirl.

      Is there an imap part to exim, or what imap app should I use together with exim? One that is as easy to setup and run as the legend of exim would be appreciated.

      And for webmail, one that is as easy as exim also? Not necessary for a brand name WebMail, just one that allows for browser based mail login/checking.

      I'll be using a debian based operating system, and will be using the above apps with multiple web sites/multiple addresses, so virtual mail addressing needs to be supported.

      Thanks!

  11. bofh by erikdotla · · Score: 5, Funny

    I work at an organization with over 34,000 employees. We tried Linux/Sendmail, it was too complicated and the admin GUI sucked. We switched to Exchange, but the box had pointy edges and was hurty.

    Realizing that it was all very complex, we emailed all our employees their final message. It was a link to the SMTP RFC and a short list of instructions on how to use Telnet. Then we shut down the mail server and ate lunch.

    Management reported an immediate profit increase projection for that month. While I'm sure this was due to productivity improvements facilitated by my fine IT department, some skeptical colleagues of mine think it was the mass exodus of employee resignations that took place around the time the new "mail system" went into place. I'm sure it was due to the rat problem in the cafeteria but nobody will listen to me.

    --
    # Erik
  12. Actually we've seen it handle... by mustangsal66 · · Score: 2, Interesting

    I've seen EXIM handle over 750,000/hr on a little old 450mhz desktop with 265Mb ram. It is very easy to install and configure. We had it handling over 120 domains (5000+ users), with spamfiltering (spamassassin).

    I like it. No it's not as configurable as sendmail, but nice and easy to deal with.

    --
    Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
    Sig changed for readability by G.W.
    1. Re:Actually we've seen it handle... by Anonymous Coward · · Score: 0

      This is false. We tested major unix MTA using static relaying and log disabled on a dual PIII 900MHz, 100Mbps Eth and average message size 10Kb. On such machine Exim was handling not even 1/3 of such load. And the (by far) fastest MTA resulted one that is not q*, not s*, not p* and not even e* ...

    2. Re:Actually we've seen it handle... by Anonymous Coward · · Score: 0

      Sorry pal, but I've gotta call bullshit. Even when you use spamassassin as a daemon, it's still a resource hog. There is no way in hell a machine with 256 MB of RAM was doing everything you say.

      Sorry bud, BULLSHIT.

    3. Re:Actually we've seen it handle... by cnvogel · · Score: 3, Interesting
      I like it. No it's not as configurable as sendmail.

      Of course it does not have the rewriting magic that sendmail is so feared for, so it does not support (for example) uucp addressing out of the box, but you can configure exim by its variable-expansion (and lookups in host/address/domain/...-lists) to do any imaginable mailrouting you would possibly want in that RFC821/822 world of today.

      I find the configuration by defining acls, (access control-lists), mailrouters (which convert addresses to methods of delivery) and transports (the different methods of delivery) very logical. And you can add ${lookup_XXX} variables nearly everywhere to have something replaced/rewritten out of LDAP, SQL, text-files, DNS, ... So there is really no practical limit for configuring arbitrarily complicated, obscure, ... rules for your mail-delivery.

    4. Re:Actually we've seen it handle... by Malc · · Score: 1

      Really? You should tell this guy what he was doing wrong.

    5. Re:Actually we've seen it handle... by mustangsal66 · · Score: 1

      Actually you're right... spamd crapped out about 5 minutes into the attack

      --
      Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
      Sig changed for readability by G.W.
  13. To Reveal The War On Iraq Fraud: +1, Patriotic by Anonymous Coward · · Score: 0

    That was committed by the President of The United States of America et al.

    Cheers,
    W00t

  14. Re:Exim is hefty hefty hefty by Anonymous Coward · · Score: 0

    Exim is secure... Find one exploit for it that has been published in the past two years!?!?

    As opposed to 3+ ( maybe 4, not sure ) years for qmail.

  15. 621 pages? by FroMan · · Score: 1

    I can't be sure, but isn't one of the reasons people hate sendmail is because the bat book is so large?

    Yowzers.

    Maybe one of these days I'll have to look into Exim.

    --
    Norris/Palin 2012
    Fact: We deserve leaders who can kick your ass and field dress your carcass.
  16. Postfix by Zulu · · Score: 1, Interesting

    What's wrong with good old postfix, it's been rockin the casbah for me for years now. I've used it in a few production environments and find it to be fastER than hell and fairly flexible. If you're looking for an extremely flexible mail solution, exim is it tho. I don't think there's a single thing you can't change.

    1. Re:Postfix by Anonymous Coward · · Score: 0

      Yes, Postfix is easily the best Linux/Unix mail server.

      sendmail: bloated, bug ridden
      Exim: no security compartments
      qmail: weird license
      postfix: nice license, compartments for security

    2. Re:Postfix by PD · · Score: 3, Insightful

      There's nothing wrong with Postfix. My experience with it was that it seemed to be well written, solid, and capable. But I never could figure out the configuration files. I looked at the docs and read everything. But I never *grokked* them. On the other hand, Exim was a snap. I understood what I was looking at right away.

      There are those who say exactly the opposite: they understand Postfix, but have no clue about Exim's configuration files. So now what I recommend to people is to stay away from Sendmail, then look at both Postfix and Exim. Pick the one that seems most natural to you, and stick with it.

    3. Re:Postfix by ipjohnson · · Score: 1

      >>qmail: weird license

      How is that?

  17. Re:Exim is hefty hefty hefty by Anonymous Coward · · Score: 0

    Like this one from December?

  18. Sendmail by pubjames · · Score: 0, Offtopic


    I've been using Sendmail for a few months on various web sites, and can't say I'm very impressed with it.

    A frequent request I get from users is for them to be able to add new pop accounts themselves and set-up their own forwards and auto-responders, but it seems to be incredibly difficult to do this via, for instance, PHP. For a package that is so popular I find it amazing that it is so complex and difficult to automate/program.

    To summarise, I think sendmail is crap and hope that the sooner it dies the better!

    1. Re:Sendmail by Anonymous Coward · · Score: 1, Informative

      That's because sendmail doesn't handle POP3 or IMAP, it only does SMTP. You can't criticise software for something it wasn't designed to do.

    2. Re:Sendmail by DNS-and-BIND · · Score: 1

      Er, the article here is talking about Exim! Why is your sendmail bashing on-topic?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  19. I hope they get to keep their jobs... by Photo_Nut · · Score: 0, Offtopic

    Microsoft researchers suggesting that there is a place for Linux in the future... My goodness. Bill and Steve will be mad.

    1. Re:I hope they get to keep their jobs... by Fjord · · Score: 1

      Psst.

      Wrong article

      --
      -no broken link
  20. I prefer xmail by Angry+White+Guy · · Score: 1

    http://xmailserver.org for hosting multiple sites. Small, flexible, easy to set up, and relays mail by default (3 out of 4 ain't bad)...

    --
    You think that I'm crazy, you should see this guy!
  21. Review the software, not the docs by batdog · · Score: 1
    This review is of documentation of some software. The only motivation to read the documentation is if one were interested in using the software itself; in that case reading the documentation is mandatory. The review should have been framed as a review of the software, mentioning that one of its main strengths is the extensive and well-written documentation.

    I notice that most of the comments are about the tradeoffs of using exim vs qmail, postfix, sendmail, etc. These comments get to the heart of the matter, but the reviewer doesn't provide any insight in this area!

    1. Re:Review the software, not the docs by Anonymous Coward · · Score: 0

      The Exim on line docs are very good, but it would be nice to have an overview on how to attack problems. It seems the book gives that.

      Why I think Exim is good: simple configurations are easy, and the curve to doing more complex things is smooth. Also things that one wants as an ISP (allow only 1 connection per customer) are there - standard.

      For a more complicated subject: what and who is allowed to send mail is handled by ACLs. Separate from how it gets delivered. You get to configure when to reject mail (at connect time, after MAIL, after RCPT, after closing DATA). Usually handling RCPT is enough, but you have the flexibility. Complex setups are possible through the variable expansion mechanism. In lots of places in the config, one can use variables or lookups. So your ACL can use a plain text list, a dbm, a mySQL query, Oracle, LDAP, DNS, a program that listens on a socket, be calculated, or a combination thereof. The same lookups can be applied in other places (to store where the mailbox lives, or a password, to which host to deliver...).

      In all it is not less complex than Sendmail, but it is a lot less complicated and can do a lot more out of the box. Philip Hazel seems to keep Exim clean enough with all the features that go in.

      Say you'd want to accept only mails to just 1 recipient if a host is on SPEWS, and only after making the sender wait for 15 seconds. You can do this with only using the generic mechanisms, by putting an ACL that accepts if a host is on spews but applies further limits. If the host is not on SPEWS, the next ACL comes into play and normal restrictions apply. Drop the connection after the third unknown recipient? Same idea.

      p.s. take a look on http://www.exim.org/ ... look at Exim 4. Pity that Debian still packages Exim 3... much less powerful.

    2. Re:Review the software, not the docs by Anonymous Coward · · Score: 0

      uhmmm.... this is a BOOK REVIEW, moron, not a software package review in some magazine!

  22. Philip by Anonymous Coward · · Score: 2, Insightful

    For those saying that exim code is crap, Philip is also the author of PCRE - Perl Compatible Regular Expressions, used in many other GPL software, like postfix and apache.

    So I will assume, after looking at the organized and helpful exim code, that Philip codes very well.

    1. Re:Philip by RobKow · · Score: 1

      Python also uses (used? not following it too closely) the PCRE code for its re module.

    2. Re:Philip by Anonymous Coward · · Score: 0

      I don't know that authorship of PCRE is very good evidence. I've only had one serious interaction with PCRE, and it's because a friend mailed me with a vexing regular expression problem. He was trying to match some stuff and couldn't figure out why the regex wasn't matching, because it seemed it should. After reviewing it, I agreed that it should be matching, and sure enough when I tried it under Perl, the Perl compiler agreed as well. So, we've got him (a CS prof at a well-respected college), and me (a Perl user for 9 years), and the Perl compiler with one opinion about the regex, and we've got PCRE with a differing opinion.

      So, as far as I can tell, the Perl-Compatible Regular Expression library isn't Perl-compatible. Which, I would think, is a negative rather than a positive.

  23. Re: Exchange calendar replacement by gurubert · · Score: 2, Informative

    We are using Oracle Collaboration Suite, formerly known as Steltor CorporateTime formerly known as Netscape Calendar.

    Server runs on Linux and Windows, clients are running on Linux and Windows. Multiple node ability, i.e. servers across continents are possible.

    --
    "Is it friday yet?"
  24. SPAM by jbroom · · Score: 1

    ---
    At my organization we use it to relay around half a million messages per day
    ---

    You really should consider installing some spam filters... ;-)

  25. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  26. Mod parent down... (-1, absolutely ridiculous) by Anonymous Coward · · Score: 3, Interesting

    What a steaming pant-load! I work for what you might interpret as a "spammer", we send out millions of messages today. There's no chance in hell that you're getting 750,000 per hour out of a 450mhz desktop PC.

    I've built big mail systems in the past four years around qmail and postfix both.

    1. You need a sustained ~9 megabits per second link to handle a 5K message at that delivery rate. On top of that, there are tarpits, connection limits per MX host, and all manner of obstacles thrown up by ISPs (both national and local). qmail and postfix do not have the capacity to intelligently handle these sorts of things. Exim is no different. You've tried to pinch it off, but you've failed.

    2. Regarding mail IO (gotta store the message somewhere in order to deliver it). And don't give me that "transient" shit - you're not going to queue that much mail in memory since you've only got 256mb. So, you're obviously going to either THINK you're queueing into memory and it's going into swap or you're queueing directly to disk. Your little IDE spindle drive is not fast enough. You'll need, at minimum, a dual-drive SCSI array. Also, remember that each process, thread, and network connection takes RAM! You've got everything in swap at this point! Can you feel it sliming its way down the back of your leg yet?

    3. CPU time. So your little 450 is handling bounces and delivery. Yes, there's inbound non-conversational bounces to process. Holy god! Now we have double the disk I/O load on the poor box! Writing to the queue or simply /dev/nulling the inbound bounces -- you're still going to be using disk time since you've gotten your box into swap with all those outbound messages. Has it reached your ankle yet? Oui oui!

    4. What's your load average? Even if you dicked with the kernel enough to allow that many inbound connections, I promise you, the source ISP is going to give up since it's going to take 10 minutes for the SMTP connection to respond. You've tarpitted yourself. Your load average is probably well over 200 at this point. Your Linux 450mhz super box is now choking on cocks and you're leaving a nice little shit footprints behind you while you walk into HR to collect your pink slip.

    And I do realize you're talking about INCOMING messages. Local delivery or remote delivery, my points above are still valid. Sorry scat head, you lose.

    1. Re:Mod parent down... (-1, absolutely ridiculous) by Anonymous Coward · · Score: 0
      Local delivery or remote delivery, my points above are still valid.

      Wrong. The original poster was full of shit, but your refutation is almost as bad. The problems with delivering remote mail are much bigger than those of local delivery. Also, most mail systems doing remote delivery don't have to deal with intentional rate limiting from remote hosts.

    2. Re:Mod parent down... (-1, absolutely ridiculous) by JCCyC · · Score: 1

      Emphasis mine:

      What a steaming pant-load! I work for what you might interpret as a "spammer", we send out millions of messages today. (...) You need a sustained ~9 megabits per second link to handle a 5K message at that delivery rate. On top of that, there are tarpits, connection limits per MX host, and all manner of obstacles thrown up by ISPs (both national and local).

      The sad thing is, it seems you are an intelligent individual. Working. For. A. Spammer. And the technical details you describe make your story credible.

      Please tell me the alternatives were taking your current job or living under a bridge.

    3. Re:Mod parent down... (-1, absolutely ridiculous) by rossz · · Score: 1

      Of course a spammer can't get that kind of performance from a low end box. You're too busy getting stuck in tarpits and other spam traps. Normal people don't have to worry about them and get much better performance.

      My hope is one day your job will be made illegal and with serious prison time attached. Then I might be able to remove the RBLs and SpamAssassin filters.

      --
      -- Will program for bandwidth
    4. Re:Mod parent down... (-1, absolutely ridiculous) by mustangsal66 · · Score: 3, Informative

      To the Prince of Poop (The Anonymous Coward),

      I'll even address your points one by one, and I'll use small words so you don't get confused.

      1. It had a gigabit eth card on a 45 Mb DS3
      2. Who said it used a single IDE drive? No one in their right mind would use IDE in a production environment.
      3. Splitting the Queue works wonders, and yes the load was off the charts. I never said this machine is still running, or even how long it ran like that for. It ran like that for about an hour, we then blocked the spammer.
      4. You also assume that this is the only machine on the network that handles mail? The load average during that spammers time was well above 600. It also took about 36 hours to get all the mail out of the spool dirs.

      So to the Arrogant Prince of Poo, I say to thee... Get your head out of your ass and realize weird shit happens. Like I said, I've seen it, neither I nor the Box was very happy about it. And yes it was replaced 2 days later by a dual proc box.

      --
      Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
      Sig changed for readability by G.W.
    5. Re:Mod parent down... (-1, absolutely ridiculous) by KC7GR · · Score: 3, Insightful

      Ralsky, is that you?

      Come to think of it, I don't much care which spammer you are. You're a bottom-feeding thief, without even the courage to post as anything other than an AC, and your crap will never be welcome at any servers I'm in charge of. The sooner you're exposed for what you are, and thrown off the Internet permanently, the better.

      Please accept my most cordial invitation to take your parasitical, thieving, spam operation and implode at your earliest convenience.

      --

      Bruce Lane, KC7GR,

      Blue Feather Technologies

    6. Re:Mod parent down... (-1, absolutely ridiculous) by edunbar93 · · Score: 2, Funny

      The sooner you're exposed for what you are, and thrown off the Internet permanently, the better.

      You misspelled "have the contents of an entire clip of AK-47 ammunition emptied into you at point blank range."

      HTH, HAND. :)

      --
      "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
  27. Exim isn't bogus software? by unfortunateson · · Score: 1

    99% of the messages I receive that have automated messages from Exim servers are carriers of the Goldfish family of malware.

    I just assumed that Exim was a bogus server name made up by the malware writer.

    --
    Design for Use, not Construction!
  28. Re:a few problems i encountered.. by RobKow · · Score: 1

    Look into in your director:

    suffix = +*
    suffix_optional

  29. 621 pages by vasqzr · · Score: 1



    Enter the Canon ImageRunner 6500

    File->Print->

    2 sided printing - Check
    Pages per sheet - 2

    621/4 = 150.25 pages. All prints in about 4 minutes. Enough for me to enjoy a ice cold can of Pepsi from the fridge.

    Excuse me while I go over to the thermal binder. The joys of working in a big office!


    Ollyg reviews here the official guide to Exim's current release, which weighs in at a hefty 621 pages

  30. Super! by CommieBozo · · Score: 1

    As opposed to Qmail, which does not require 2 lbs. of paper to describe?

    1. Re:Super! by Xtifr · · Score: 1

      I've been using Exim for years, and I've never looked at any docs for it. Speaking from experience here, Exim is definitely much easier to configure and use than Qmail. This book, it seems, is just for people who want to know all the gory details.

      Qmail is light-years ahead of Sendmail, but if you think it's easy to use, you obviously have never even looked at Exim or Postfix!

      And I'm sure someone could write a two or three pound book about Qmail if they felt so inspired. Heck, I could probably fill a quarter-pound of paper just complaining about how stupid and annoying (and ineffective) the Qmail license is! :)

  31. Exim Vs Postfix? by Anonymous Coward · · Score: 1, Interesting

    The 4 most popular MTAs out there seem to be sendmail, qmail, postfix and exim. We all know the problems that sendmail has, and qmail is shunned by most distributions because it is non-free.

    Can anyone list the respective pros/cons of postfix and exim? There doesn't seem to be much to choose between them, so I'm wondering if anyone here can shed some light.

    1. Re:Exim Vs Postfix? by Xtifr · · Score: 2, Informative

      Postfix, like Qmail, was designed with security in mind from the start, and uses multiple processes to enforce privilege separation. Basically, you can think of it as Qmail done right (no stupid license, much easier configuration).

      Exim, on the other hand, is a small, simple, easy-to-configure, and very flexible little MTA. It's monolithic, so it doesn't have privilege separation, but it makes it very easy to do some things that are either impossible or very difficult with other MTAs. It may not scale as well as the other three, but its combination of simplicity and flexibility can still make it an attractive choice.

      I'd probably go with Postfix unless I needed the extra flexibility of Exim. On the other hand, I do (at present) need the extra flexibility of Exim, so that's what I'm currently using. :)

    2. Re:Exim Vs Postfix? by Koutarou · · Score: 1

      I thought qmail was shunned because it was written by Dan Bernstein...

  32. Re:Exim is hefty hefty hefty by Troed · · Score: 1

    The vulnerability can only be exploited by the "admin user" of exim, who is determined by compiled-in values.

    Local root exploit, true, but it looks like it was more theoretical than practical.

  33. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  34. mmmmm religious wars..... by Akai · · Score: 4, Interesting

    I've never understood the *nix reaction (although it has spread to windows/regular PC users) that escalates any difference in opinion to a religious war...

    That being said, I have experience on three of the "big four" MTA's out there (sendmail, qmail, and exim) and currently use exim on my personal site (which also hosts a number of mailman lists for OpenSource projects and friends of mine) and it handles about 20k messages in/out on a linux box.

    I also use qmail on my work servers (cluster of quad-processor ultrasparcs) and although I can't say I would have chosen qmail if I'd been in charge of building the servers (I inherited them from "the architect") it handles millions of emails a day just fine.

    I can't say I miss m4 (although I know real sendmail admins don't bother with wimpy scripting languages), sendmail also served its purpose back in the day.

    Could exim handle the load on the ultrasparcs? possibly, I haven't checked. Could I put qmail on my personal box? sure, but if Exim works, why not.

    To comment further on one thing, Philip has a good explanation of monolithic vs modular on the exim website, which explains why he does things the way he does. At least read it before blindly attacking the system.

    --
    Please send all UCE to scally@devolution.com so I can f
    1. Re:mmmmm religious wars..... by adamy · · Score: 4, Insightful

      We call them religious wars, but they are healthy disagreements about different approaches to problems.

      Most people that speak strongly about VI and emacs have used both. Most people that speak strongly about Exchange versus anything come from a MS background where there is only one main way to do it. If the software is free, there is nothing preventing you from trying it out. If the software costs a couple of grand, you are committed.

      --
      Open Source Identity Management: FreeIPA.org
    2. Re:mmmmm religious wars..... by fm6 · · Score: 1
      I've never understood the *nix reaction (although it has spread to windows/regular PC users) that escalates any difference in opinion to a religious war...
      All online discussions have a weird tendency to escalate into religious wars. Surely you've noticed?
    3. Re:mmmmm religious wars..... by Osty · · Score: 1

      I can't say I miss m4 (although I know real sendmail admins don't bother with wimpy scripting languages), sendmail also served its purpose back in the day.

      M4 got a really bad reputation thanks to Sendmail. It really is a very nice preprocessor once you learn a few of its idiosyncrasies (most annoying is that there are separate characters for begin and end quotes). Aside from Sendmail, my main exposure to M4 is using it as a preprocessor for SQL code. It's great being able to include files in my SQL code, and write macros for common operations. Sure, I could've gotten the same functionality by using the CPP or Perl, but in the former case M4 is much more powerful than CPP, and the latter case would require quite a bit more work than just plugging in M4.


      The moral of the story? M4 doesn't suck. Sendmail sucks because of its arcane usage of M4.

  35. Simple address rewriting great for home use by dpilot · · Score: 1

    I found Exim's address rewriting to be great for home use. What your ISP gives you for a username may not be what you want, nor sufficient userids for family usage, etc. Supposedly sendmail has the same flexibility, but I've only once been able to get it to work right.

    As for security, I haven't audited it, either. But at least they say they take pains to attempt to shed capabilities as much as possible being "fully root" as little as possible. Besides, my Exim only receives mail from my LAN - it's send-only to the outside.

    --
    The living have better things to do than to continue hating the dead.
  36. Silly question, perhaps? by peterpi · · Score: 1
    Excuse my ignorance (I am a coder, but not in this area), but why do people marvel at how many emails a program can send in a day?

    Isn't it just moving data to and from the network device? And wouldn't the network bandwidth be the limiting factor?

    1. Re:Silly question, perhaps? by sharkey · · Score: 3, Funny
      ...why do people marvel at how many emails a program can send in a day?

      As every spammer knows, the more you send out, the more $$$s you make!

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    2. Re:Silly question, perhaps? by s3ti · · Score: 0

      You *think* like a network engineer, but *are* a coder?

    3. Re:Silly question, perhaps? by Anonymous Coward · · Score: 0

      You are right. Honestly it's simply a marketing term. On another note a high mail throughput requires reasonable tweaking to the underlying filesystem, though with newer FSes this isn't as much of an issue as under say good ol ufs. Also the statement could denote minimal to substantial tweaking of the kernel, with focus on file handles/descriptors, the memory sub system, and the network stack ( altering timeouts on handles and such ). In larger installations where the throughput is sufficiently high there could also be external boxes doing message filtering, and this statement could be a pat on their own back for grokking the concept and streamlining the intercommunication between those hosts.

      Honestly the statement about how many messages passing through a given MTA is simply another form of chest beating, for whatever purpose. It's along the same lines but in a different vein than comparing the throughput of named pipes on different OSs.

      Cheers

    4. Re:Silly question, perhaps? by Anonymous Coward · · Score: 0

      uhmm, the author probably meant to show that their site had reasonable experience configuring MTA's, rather than chest-beat about Exim.

    5. Re:Silly question, perhaps? by Anonymous Coward · · Score: 2, Informative

      Well, it's more work than just copying data. That's the easy part. Incoming mail messages must be delivered to the correct box. Some local users have mail forwarded elsewhere, which means rewriting some headers (to prevent mail loops and to document the path the message traveled) and stuffing the message back into the queue for delivery again. Other users take their mail locally, which means either appending to a file (which involves locking) or running a program like procmail to filter their mail. Either of these must be done as that user. Do it as root, and you take security risks; do it as some random user (like "nobody"), and you may not have enough permissions. Changing users to deliver a single message means interprocess communication and the creation and destruction of processes.

      All messages (inbound and outbound) have another big hurdle to deal with. They must wait on the network. This is both because DNS can take some time and because remote servers can sometimes be very slow, allowing you to transfer only a few kilobytes per minute. Why does this matter? Well, if you hope to do 1000 messages per minute throughput, but each message takes 2 minutes to finish delivery, then you'll have 2000 processes running at once. This means your software damn well better be scalable with the number of concurrent processes! What if each of them uses 1 megabyte of private data? Then, you're going to need 2000 megabytes of RAM for those 2000 processes alone. Normally, it doesn't take a full two minutes to deliver a message, but sometimes servers will leave you hanging for longer than that. You could minimize memory usage by doing this with threads instead, but that makes programming more painful, and you'll need to adopt a dual model (several processes with multiple threads each) so that a threads-per-process limit doesn't cap your total capacity.

      Complicating matters further is the queuing. For some applications, it would be OK to say "screw it" when there's a failure. But with mail messages, maybe part of the Internet is down and will be back in 30 minutes. Or maybe just the remote mail server is down. You need to retry, and you need to be intelligent about when you retry. If you retry every 5 minutes, you will crowd out all your other traffic with retries. Information about remote sites that are down ought to be propagated to other queue entries (or some kind of database) so that you don't have 1000 messages going to one remote site and have to learn the same lesson (that the remote server is down) 1000 times, each time tying up resources that could be used for other work that actually has a chance of succeeding in the near future.

      Speaking of being intelligent with respect to separate messages that are all going to the same remote mail server, you don't really want to send 1000 messages in 1000 separate processes with 1000 separate TCP connections, do you? It's best to aggregate transfers like that. That's further overhead.

      Also, back to queueing: what happens if you've delivered 573 of your 1000 messages to mail-server.example.com, but then suddenly mail-server.example.com breaks the connection in the middle of delivering a message? You want to mark 573 messages as delivered, and defer 427 of them until later (when you either explicitly test or otherwise learn that mail-server.example.com is accepting messages again). You don't want to mark 1000 messages as delivered and defer/requeue none of them, nor do you want to mark 0 as delivered and defer/requeue 1000 of them. Nor do you want to mark 574 as delivered because you are counting one that's half-delivered. Oh yeah, and if you've accepted a message (locally or remotely) and promised the sender you have that message and will do your best to deliver it, you can't reasonably make the promise without having written everything to disk because of the possibility of power failure. So, every message sent and received requires at least one disk I/O at the point where you've taken responsibility for it and another w
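
The delivery accounting and shared per-host retry record described in the comment above, as an added Python illustration (not part of the original comment and not Exim's code). The class and function names, the 300-second base delay with exponential backoff, and the `FlakyTransport` stand-in for an SMTP connection are assumptions made for the example.

```python
from dataclasses import dataclass, field


class ConnectionLost(Exception):
    """The remote server dropped the connection before acknowledging."""


@dataclass
class Message:
    msg_id: int
    host: str
    state: str = "queued"  # queued -> delivered | deferred


@dataclass
class RetryHints:
    """Per-host failure record shared by every queue entry, so a dead host
    is discovered once instead of once per message."""
    base_delay: int = 300        # seconds (constructed value)
    max_delay: int = 4 * 3600    # cap for the exponential backoff
    hosts: dict = field(default_factory=dict)  # host -> (failures, next_try)

    def may_try(self, host, now):
        return now >= self.hosts.get(host, (0, 0))[1]

    def record_failure(self, host, now):
        failures = self.hosts.get(host, (0, 0))[0] + 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self.hosts[host] = (failures, now + delay)
        return delay

    def record_success(self, host):
        self.hosts.pop(host, None)


class FlakyTransport:
    """Constructed stand-in for one SMTP connection: acknowledges `accept`
    messages, then drops the connection in the middle of the next one."""

    def __init__(self, accept):
        self.accept = accept
        self.acked = 0
        self.connections = 0

    def connect(self, host):
        self.connections += 1

    def send(self, message):
        if self.acked >= self.accept:
            raise ConnectionLost(message.host)
        self.acked += 1  # the remote end confirmed the whole message


def deliver_batch(queue, host, transport, hints, now):
    """Send all pending mail for `host` over a single connection.

    A message is "delivered" only once the remote end acknowledged it; the
    one in flight when the connection breaks is deferred with the rest.
    """
    batch = [m for m in queue if m.host == host and m.state != "delivered"]
    result = {"attempted": False, "delivered": 0, "deferred": 0}
    if not hints.may_try(host, now):
        # Host is known to be down: defer without opening a connection.
        for m in batch:
            m.state = "deferred"
        result["deferred"] = len(batch)
        return result

    result["attempted"] = True
    transport.connect(host)
    try:
        for m in batch:
            transport.send(m)
            m.state = "delivered"
            result["delivered"] += 1
        hints.record_success(host)
    except ConnectionLost:
        hints.record_failure(host, now)
        for m in batch:
            if m.state != "delivered":
                m.state = "deferred"
                result["deferred"] += 1
    return result


def demo():
    """Replay the 573-of-1000 scenario from the comment."""
    host = "mail-server.example.com"
    queue = [Message(i, host) for i in range(1000)]
    hints = RetryHints()
    first = deliver_batch(queue, host, FlakyTransport(accept=573), hints, now=0)
    early = deliver_batch(queue, host, FlakyTransport(accept=1000), hints, now=60)
    later = deliver_batch(queue, host, FlakyTransport(accept=1000), hints, now=300)
    return first, early, later
```

`demo()` returns the three outcomes in order: the broken first run, a retry that is skipped because the host is still inside its backoff window, and the later run that clears the remaining messages.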

  37. exchange by Anonymous Coward · · Score: 0, Interesting

    works just fine. Unlike Sendmail and other nix flavors, one does not need to read 600 pages of mind numbing data simply to get it to work.

    If I have a problem, I can use the TechNet online database which has a wealth of information.

    Should I run into a major booboo, I can call M$ and for a few US $, solve the problem for cheaper than the price of one of those "unix consultants"

  38. Nice but... by Realistic_Dragon · · Score: 2, Interesting

    I ordered the book on Exim version 3 from Amazone, and by the time it turned up (2 months later) Exim 4 was released :o(

    If only they upgraded books in a similar fashion to programs - some kind of discount from the previous version would probably encourage more people to keep their library up to date. (Although in this instance the migration from 3 to 4 was pretty painless.)

    --
    Beep beep.
  39. PDF? by Anonymous Coward · · Score: 0

    Sir, I would be both privileged and honored if you could share with me the location of this document.

  40. A good thing by confusion · · Score: 4, Interesting

    Exim finally getting a guide for the masses is a good thing. It is true that postfix has a leg up in some areas, but I really like the configuration style and the ability for me to process 100,000 messages per hour vs. 50,000 messages per hour just isn't that big of a deal, just as it isn't for most people, since we don't come anywhere near that volume.

    Also, when you're connecting it to a database backend to pull all the delivery info as I and many others do, it's going to be orders of magnitude slower on both platforms anyway.

    Hopefully in the future exim can polish off some more of the rough edges, but in the mean time, it's still a damn nice tool.

  41. anything is better than sendmail by oohp · · Score: 3, Insightful

    Yes. I've used qmail, Exim, Postfix and all of them performed better and delivered mail faster than sendmail. They're also easier to configure. I'm using Postfix now because I can't cope with /var/qmail and well Exim was pretty damn good too, but I got too used to Postfix. Haven't tried 4.x yet, but I was very pleased with Exim 3.x when I used it. I've also heard that zmailer performs well too. With the recent root compromise bug, Sendmail is not an option. Blah blah, it has new features and everything but it's still the same old crappy sh^H^H sendmail.

    1. Re:anything is better than sendmail by ipjohnson · · Score: 1

      Just out of curiosity why don't you like /var/qmail/ ?

      I like qmail because it is very easy to modify/hack for different env. and was easy to plug different programs in. Is the source for postfix easy to work with?

    2. Re:anything is better than sendmail by oohp · · Score: 1

      Just my brain quirks I guess. Well, on some systems I have /var mounted as noexec,nosuid,nonothing so, qmail can't execute then and I don't really want to hack-the-path or anything. No, Postfix isn't as flexible as qmail imho but it just works fine for me. Exim seems more flexible as well, as stated above by someone. Plus I really don't like this new DJB fashion with /prog and /admin and /service and a lot of dirs that cripple my standard *nix directory hierarchy. I can understand the reasons, it's a good solution (to have different versions of the same program installed in a logical dir structure) but it doesn't have to be in the root directory, thank you. Kudos to Fefe for not enforcing this in his programs.

  42. Asking /. (was Re:Exim on a Home Network) by KjetilK · · Score: 1
    That's close to what I do, the main difference is that the server is in server hosting somewhere else.

    However, I would like the workstation to deliver as much e-mail as it could on its own, and only resort to the server if it can't.

    The workstation is not always on, it makes quite a lot of noise, so I shut it down if I don't need it.

    Consequently, the workstation should relay the message on to the server if it can't deliver it immediately (for some sensible value of immediately), and have the server continue to try to deliver until the message times out.

    Anybody know how to do that?

    I'm currently using 3.x on Debian too, but I have considered for a long time using Marc Merlin's 4.x debs (too late, perhaps)

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
    1. Re:Asking /. (was Re:Exim on a Home Network) by Anonymous Coward · · Score: 0

      look up fallback hosts in the exim docs.

  43. Re:a few problems i encountered.. by moyix · · Score: 1

    For the second problem, look at this page, section 7. Can't help you with the first, sadly...

    -Brendan

  44. Doesn't make any sense... by Manic+Ken · · Score: 1

    You have firewall to block incoming port 25? OK
    Yet you use it as an outgoing smtp server "to quickly send
    stuff out" ok, You can do that with iptables..
    I also use Fetchmail, SpamAssassin, and Procmail to filter spam and nasty attachments
    Now You lost me, if you deny remote conns to smtp(p25)
    How can you get spam?

    1. Re:Doesn't make any sense... by jasno · · Score: 2, Informative

      Fetchmail. He's grabbing his mail off of his ISP's POP3 server, and not accepting any with his smtp server. I had a similar setup and it worked quite well. It eliminated the 15 or so emails per day regarding how to lengthen my x-10 camera and refinance my viagra supply. Fetchmail seemed like overkill, though, so I used Getmail. It's written in Python, which should eliminate most/all buffer overflow exploits and it's also very easy to configure.

      --

      http://www.masturbateforpeace.com/
    2. Re:Doesn't make any sense... by Manic+Ken · · Score: 1

      Huh..I get it, I missed the fetchmail part.. So he got a valid mail-address with his ISP and use fetchmail and SA to rip out the spam. ok. Nifty.

    3. Re:Doesn't make any sense... by dochood · · Score: 1

      It gets even better!

      I use a Procmail Sanitizer script to detect dangerous attachments, and it quarantines them, or it can strip them off all together. So, if someone sends my kids a potential virus, I get to inspect it myself, rather than trust my 9 and 11 year olds to deal with it!

      I have a domain hosted on our company's computer, but rather than bugging the sysadmin (also the President of the company!) for this and that setup, I bring it down to my own computer with Fetchmail, and I can setup my server with whatever controls (SpamAssassin, for instance) I want.

      dochood

    4. Re:Doesn't make any sense... by EverDense · · Score: 1

      I get to inspect it myself, rather than trust my 9 and 11 year olds to deal with it!

      The PC generation are growing up. Five or six years ago, I would've trusted the 9 and 11
      year-olds of the world, NOT to install a virus, more than their parents. ;-)

      --
      http://jesus.everdense.com/
  45. Let him quit, then... by aquarian · · Score: 1

    ...and you'll save even more money.

  46. Re:a few problems i encountered.. by Anonymous Coward · · Score: 0
    I wanted to catch all mail bound to one address to be sent to an IP i specify, and the rest of the hostnames to be looked up. I just couldn't figure out and get my head around the config options on how to do it with exim, though i am sure there's a way to do it. It was very easy to do the same setup in sendmail.

    I'm not 100% certain if I understood that correctly, but if you want all email designated to 'fnord@foo.ba' to be sent via SMTP to 128.42.42.64 (regardless of whether or not that box is a MX for 'foo.ba'), you could try to add a router like this to the top of your list of routers:

    explicit_delivery:
      driver = manualroute
      domains = foo.ba
      local_parts = fnord
      transport = remote_smtp
      route_list = * 128.42.42.64

    Completely untested, but it just might work. :-) If you wanted a local delivery in addition to the remote delivery, try adding the 'unseen' option.

    Secondly, would be nice if exim also directed user+foo@bar.com type names to user@bar.com, as sendmail does..

    As someone else mentioned, 'suffix' and 'suffix_optional' is correct, in a way. It was called that in Exim 3, which is deprecated now -- upgrade and be happy. You'll -love- the new shiny ACL's. :)

    Anyway, in Exim 4 it's called 'local_part_suffix' and 'local_part_suffix_optional', and it's placed in a router instead of a director (there's no such thing as directors in Exim4, which IMHO makes the configuration file a much more enjoyable read). After having configured those two, you can make ~/.forward-(suffix) files for individual handling of the various local parts.

    Hope that helps! --and take care to check the excellent specification if not! ;-)

    a random exim fanboy

  47. Re:Exchange the missing part by Anonymous Coward · · Score: 1, Interesting

    we are running a 6000 user operation and decided to deploy exchange only with OWA with HiPerExchange .

    so we saved the need to deploy and support outlook , users get exchange as web service with offline and caching capabilities too.

    and our CFO saved 1mm$ in ongoing support costs ,bandwidth and VPN avoidance. (running SSL mode)

  48. There are dozens of Outlook work-alikes... by aquarian · · Score: 1

    There are dozens of Outlook work-alikes, and they're all alike enough that no "retraining" should be necessary. If people can operate an elevator well enough to get to the right floor, they can operate these programs. Geez.

    1. Re:There are dozens of Outlook work-alikes... by binner1 · · Score: 1

      That eliminates just about every PHB I've ever met !

      -Ben

  49. Discount Exists by matthewg · · Score: 2, Informative

    What, you mean like this? O'Reilly will give you a 30% discount if you own an older version of the book.

    1. Re:Discount Exists by Realistic_Dragon · · Score: 1

      Any international book sales are an exception to this policy.

      Damn :o( Thanks anyway.

      --
      Beep beep.
  50. Why everyone uses Sendmail... by aquarian · · Score: 1

    Honestly, I don't know why Red Hat and others include sendmail.

    Because for better or worse, it's "the standard." It's the one most professional sysadmins are familiar with, and it's the one most other internet apps are integrated with.

    I've been using Postfix, and it's a lot less complex. Theoretically that makes it easier and better. But every new admin/programmer has to learn it, while they already know Sendmail.

  51. Every organization has one of these... by Anonymous Coward · · Score: 1, Interesting

    In the town I grew up in, we had a fireman, a local hero, who insisted on smoking his cigarette at gas stations. Darwin eventually fixed him... he died of lung cancer, but he proved his point that he wasn't going to set the place on fire by smoking his cigarette there.

  52. I agree. by Penguin+Follower · · Score: 2, Insightful

    IMHO. Exim and Postfix are each remarkable mail systems in their own right and have way simplified the process of setting up a mail server.

    I myself have switched to using Postfix both at work and for my home server ;) It is wonderful... especially since the config files make sense (at least, it does to me). I never truly had control of sendmail because I didn't really understand everything in the config file.

    1. Re:I agree. by Surak · · Score: 2, Insightful

      I'm a postfix fan myself. I've used exim, and have installed it a few places but I feel that postfix is better written as far as security and minimizing bloat goes, which, for my own mailserver usage, are my two key goals. Exim is probably a little more flexible than postfix, but postfix works really well in the vast majority of cases.

  53. Ditto on Postfix. by Anonymous Coward · · Score: 1, Insightful

    I've been using sendmail for aeons. Tried qmail, exim, postfix... even ran an exchange shop for half a decade and just migrated that to lotus last month, but for my smtp gateway relay box, I've been running postfix in test mode for three months now, in parallel with a sendmail box, and I'm really liking postfix a lot. It easily handles my multiple domains and convoluted interior-vs-exterior routing and filtering, with amavis, spamassassin and tmda. I like it a lot.

  54. Re: Exchange calendar replacement by tzanger · · Score: 1

    I was evaluating this software just before Oracle bought them. Could you email me so I could ask you some questions about it? We're currently looking at SuSE Linux OpenExchange server and you just jogged my memory about Steltor.

  55. half a million? by Anonymous Coward · · Score: 0
    At my organization we use it to relay around half a million messages per day

    goddamn spammer!!
  56. "shared" email box redirection? by nurb432 · · Score: 1

    Can it take a shared community mail box ( via POP ) and route messages to individual people via send-from headers?

    We have a 'black box' that does that now and would love to get out of that into something under our control..

    And no we can't split up the external mail boxes into 'real' individual accounts to get rid of the problem, yet.. that's another year out...

    --
    ---- Booth was a patriot ----
  57. I'll give it a try, but only if... by mnemotronic · · Score: 1
    I'll give it a try, but only if..
    • The config file syntax is more cryptic and obscure than sendmail.cf
    • It has more features and options than sendmail
    • I have to read a 600 pg. manual to understand how the bugger works.
    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  58. You mean ... by A+nonymous+Coward · · Score: 2, Funny

    If it's baroque, postfix it ....

  59. My response... by Anonymous Coward · · Score: 1, Interesting

    Please tell me the alternatives were taking your current job or living under a bridge.

    The job market is almost that bad!

    I originally wrote email systems for large scale webmail sites. All of which, ironically, went with the rest of the dot.gones. The largest install I had was around 150,000 users. While it's not the largest, by far, it was great stuff in '99.

    After that, I was hired by a CRM company. I was specifically involved in building their email delivery system. Unfortunately, it turns out that their sales people weren't good enough so they bit the big one.

    So, where is somebody like myself to go then? My resume was essentially "I built huge distributed mail systems", regardless of how much programming and architecture prowess I have, because I am not a Microsoft fan and don't have a .NET certification there was no work for me outside of the email field.

    Oh, and to answer some others who replied... we have technology to get unstuck from and to avoid tarpits. OpenBSD's spamd thing doesn't slow us down at all nor does anything similar to it. Believe it or not, I also have cvs commit privs to at least three different widely used open source anti-spam tools (under assumed names, of course). Of course, this is just to help insure that the mail that we deploy gets through but not the competition. Knowing how the filters work and having legitimate access to commit to their source tree really helps us deliver to the smaller ISPs. Again, I must stress that although I use assumed names to gain access, I am not cracking -- my created persona was given commit access by the project leaders specifically for my contributions to their projects. Although some may view this as particularly devious, remember that everything committed is available for peer review. Thus far, none of my contributions have raised any eyebrows by their respective leadership -- nor should they, as my participation is otherwise completely legitimate. I view it more as a "steering role" in terms of where the tech should go next. I foster it along in a direction that is beneficial to my employer so that we have an easier time creating circumvention tools.

    I do scour Monster.com and Dice for resumes of people who may have worked for some smaller or regional ISPs which have demonstrated an extremist view on commercial email. We pay them for insight on how their previous employer's mail systems work and what filtering is done and, of course, at what stage. This type of data has been quite valuable when dealing with stubborn regionals. With the big ISPs, this is naturally not needed as they have legal departments and technical operations groups that understand our business and appreciate its necessity.

    Anyway, I love the job! I get to travel, make great contacts, and I get to dig heavily into technology that directly impacts people's lives. That's a great thing to say about one's career.

  60. My response to rossz... by Anonymous Coward · · Score: 0

    As I stated in my previous reply to another person who responded to my first posting, tarpits are not an issue if you have written savvy software. Thanks to the open source nature of some of these filters, I am able to quickly determine work arounds. The tarpits do not use my resources, the spam traps do not cause our systems to die. They do not affect us at all because we're smarter than the people who write them. Because they are open source, it makes our jobs that much easier.

    Oh, by the way, our mail engine (distributed, running FreeBSD, approximately 16 servers, each capable of delivering 1.5 million messages per hour) -- we've had the same class C for over two years and have yet to be included on any RBL's. How's that for mud in your eye?

    SpamAssassin... well, it's really not an issue for us for reasons that are obviously trade secret.

  61. Touche! Not quite... by Anonymous Coward · · Score: 0

    Allow me to retort...

    1. A gigabit card on a 45 megabit connection. Very clever, grasshopper.

    2. You said a desktop system. Desktop means IDE. If you said workstation, one may believe SCSI could possibly be involved. IDE RAID does not count, either.

    3. "I never said ... how long it ran like that for. It ran like that for about an hour." What? Come again? Split the queue or split your nuts, it's still a steaming pant-load.

    4. So you did 750,000 per hour inbound an hour but then it took 36 hours to empty the spool? What in the hell does that mean? You let the spam go? That's about 20,000 per hour which sounds about right given the circumstances. I can't believe you didn't just rm the whole spool and tell your "users" tough-titty.

    Come on, man! Be a part of the solution and not part of the problem!

  62. SHOCK HORROR Linux is monolithic too by Anonymous Coward · · Score: 0

    ... so Linux must be utterly insecure, and BSD and all other O/S's with monolithic kernels must be too. :-)

    Keep your FUD to yourself friend, it just shows your incompetence.

    By all accounts qmail is pretty reasonable as well, but after years of working with Exim at the country's largest ISP, I can categorically state that Exim is totally excellent, extremely robust, massively configurable, highly secure, completely clear and understandable despite the extreme power of what it can be configured to do, and just generally easy to work with.

    So, please let's leave the unfounded criticisms out of it. They are just pure FUD.

  63. Why I use exim by Anonymous Coward · · Score: 1, Insightful

    I run exim on over 400+ servers.

    I use exim for the following reasons:
    Maildir support
    Mysql/postgresql/LDAP support for most any query (very flexible)
    built in authentication (no wrestling with sasl)
    built in nice filter language, but also still easy to tie in procmail.
    High performance compared to sendmail, close to postfix/qmail with split_spool_directory enabled.
    The ability to tie on exim_sa or exiscan, and run spamassassin at SMTP time (reject before delivery).
    Better security track record than sendmail.
    Configuration without M4, or a headache.

  64. web.de by Britz · · Score: 3, Informative

    The second largest email provider in Germany has this in the mail headers:

    Received: from [216.136.173.219] (helo=web14612.mail.yahoo.com)
    by mx07.web.de with smtp (WEB.DE(Exim) 4.75 #2)

    They have a Server farm of Linux boxen.
    www.web.de

    Maybe they are not as big as gmx.de (qmail on Sun), but from guessing the size of web.de (at least several million accounts) I would say it is safe to say that exim is scalable.

  65. Configurability by Charles+Dodgeson · · Score: 1
    I like it. No it's not as configurable as sendmail.
    Of course it does not have the rewriting magic that sendmail is so feared for
    The beauty and horror of sendmail is that its configuration system is a fairly general rewriting system. This has some peculiar consequences. Things that should be hard coded ((2)822 address parsing for example) are done in the configuration and things that should be configurable (eg, time delay in throttling) is hardcoded (or at best compile time options).

    I'm not sure that I want an MTA in which it is easy to solve the Towers of Hanoi, but still a pain to fully qualify unqualified domain names.

    Sendmail's second greatest advantage (milters) is a consequence of its greatest weakness (some natural things one might want to do being difficult). (The greatest advantage is its enormous user base.)

    Anyway, I install exim when I will be running or maintaining the system, but I install sendmail when I know that the client may have to call in someone else down the road to help with the system. That is, an exotic system that is easy to maintain can be harder to maintain than a common system which is difficult to maintain.

    --
    Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
  66. My Problem W/ Postfix by Loki77 · · Score: 2, Insightful

    Admittedly, it's kind of a small one- but I wasn't able to find a single document for it online. Evidently you're supposed to look through the sample configs to learn things and read the comments.

    For some reason I prefer exim's really incredible online docs to this approach- probably just because I can use the index.

    Anyways, I'm not a zealot in this case, but I am an exim guy. While people complain that it 'may be' insecure, it doesn't seem to be that insecure to me where I've used it.

    --
    --Loki77
    1. Re:My Problem W/ Postfix by Surak · · Score: 1

      Huh?? If you look right here on the Postfix web page I think you'll find tons of documentation, howtos, and FAQs that are all pretty well written and were helpful when I was configuring postfix for the first time. Although, admittedly the sample config files are pretty straightforward for most applications you might not even need to read the docs. (Just don't tell the postfix guy I said that ;)

  67. Re:Exim, I'll try it, need an answer please by Anonymous Coward · · Score: 0

    Hate to ask here, but since you mention it (Debian default mail server, ask a few questions), I could use help to a question.

    I'm (about) a year old newbie. I have experience with red hat, mandrake, and have been using suse from 7.3 on to 8.1. I just switched one suse 7.3 installation to knoppix, installing knoppix on the hard disk. I intend to use it for apache (which I've had running on suse with no problems and year-long uptimes), a mail server, and bind, and possibly more services longer term.

    I'm a bit lost with knoppix/debian. I did an apt-get update/install without any major problems, but I did have trouble with Quanta (Plus) which refused to install. I'll have to figure that out myself.

    What I could really use an answer to, is what/how do I activate the firewall? I looked for iptables after a long night of installing, but I didn't find it in etc. Maybe I didn't look hard enough? It's not in the knoppix menus.

    How do I activate the firewall?

    Knoppix is a mix of testing/unstable.

    Should I configure apache and the mail server before or after activating the firewall, or doesn't it make a difference?

    Once I activate the firewall, do I need to edit the configuration file to open up port 80 for apache, and the port for the mail server? Or is that done automatically if the services are running?

    I'd like to just activate apache at least (for now), but I'm afraid of the box getting compromised.

    It was easy to configure the server previously using yast, but debian doesn't appear to have anything like yast. I ran apache on suse for about a year and a half on 3 boxes without a break in (as far as I know) because it's fairly easy to set up security with yast. But because suse dropped support for 7.3 in the last few weeks, and because I haven't figured out how to update an older suse installation, I'm going with debian, especially with the great apt package manager.

    I'm getting on one of debian's mailing lists. I haven't done it yet because I have to set up another mail account with my isp due to the high volumes, and so that I have a throw away email account. So that should help. I tried the debian documentation, but just about everything I looked at really didn't help, or mentioned packages that are obsolete. I'm also getting on knoppix's mailing list (which I also checked), but that's really low volume.

    Any advice you can provide would be greatly appreciated. TIA!

  68. phpgroupware by Anonymous Coward · · Score: 0
    Would something like PHPGroupware...

    /me shudders uncontrollably with the prospect of being forced to use such a clunky & poorly designed interface.

  69. It's good. by Anonymous Coward · · Score: 0

    One of the main reasons why we were using it at a major ISP was the easy integration with MySQL. When you handle mail for multiple domains and a couple of thousand users you can't have the server query flatfiles. It supports DB and MySQL and was very, very quick. Sendmail is still my favourite. Postfix and I never really got along. But there is a place for Exim.

  70. And he still has his job? by edunbar93 · · Score: 1

    It's not so much as a result of being an asshole and violating the privacy of their customers in such a maniacal way. It's more a function of the fact that he has so much time on his hands that he *can* do things like this.

    If the sysadmin at an ISP has nothing to do, it's because he's either lazy, incompetent, or new. The reasons for this have to do with the fact that when all the regular work of server upgrades, efficiency improvements, office automation, server programming and network additions are finished (if they ever actually are), you still have to improve the service to your customers or your competition will do it first and put an end to your job. This in itself is a never ending task. If your sysadmin is wanking on the job like this guy is, he's two steps away from a pink slip one way or another.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    1. Re:And he still has his job? by pla · · Score: 1

      It's more a function of the fact that he has so much time on his hands that he *can* do things like this.

      I agree with that completely... Rereading my post, I see that I made him sound like a complete ass, but I really didn't mean to give that impression. Pretty decent guy, actually, just had an odd way of relieving his boredom at work (and his "stalking" never left work or got "creepy", just a way to pass time while there... Kinda like "reality" daytime soaps... "Ah, Mr. Smith, meeting up with the little honey-on-the-side tomorrow, eh? Hmm, maybe not, looks like her husband knows something you'd rather he didn't. Oooh, I'd love to see the look on her face when your wife gets that email!").


      If the sysadmin at an ISP has nothing to do, it's because he's either lazy, incompetent, or new

      In his particular case, he didn't work as the sysadmin, rather, an overnight "keep the network up at all costs" type admin. So 90% of his time, he had nothing to do (and yes, the other 10% he had to run around frantically trying to solve some problem or another).

      However, keep in mind I said "local" ISP... Not the helpdesk at a fortune-500, nor a nationwide like AOL or Adelphia. The sort of place that no longer exists thanks to, for example, AOL and Adelphia. 2-3k dialup customers for "chump change", with a few dozen small corporate contracts that actually pay the bills (and dialup subscribers wonder why they get crappy tech support from ISPs <G>). Even the daytime admins I knew didn't exactly have a heavy work load - You'd more likely see them in a deathmatch than dealing with a network outage.


      And he still has his job?

      No, but it had nothing to do with his work performance. 5-6 years ago, local ISPs all but ceased to exist, and although one friend managed to take ownership of the ISP for which he worked (he had literally run it in every regard except the official ownership, so basically just took over that role as well) and make it stay afloat (barely), everyone else I knew who worked at such companies just moved on with their lives.

    2. Re:And he still has his job? by Tetsujin28 · · Score: 1
      Pretty decent guy, actually, just had an odd way of relieving his boredom at work (and his "stalking" never left work or got "creepy", just a way to pass time while there... Kinda like "reality" daytime soaps... "Ah, Mr. Smith, meeting up with the little honey-on-the-side tomorrow, eh? Hmm, maybe not, looks like her husband knows something you'd rather he didn't. Oooh, I'd love to see the look on her face when your wife gets that email!").

      Man. You and I have very, very different thresholds for "creepy." And different definitions of "decent."

      --
      - - - -
      The real Tetsujin 28 is a giant robot.
  71. Microsoft S.Africa runs exim! by fungai · · Score: 1

    Check this:

    $ nslookup
    Default Server: ns
    Address: 10.3.0.1

    > set type=mx
    > microsoft.co.za
    Server: ns
    Address: 10.3.0.1

    Non-authoritative answer:
    microsoft.co.za preference = 0, mail exchanger = smtp02.iafrica.com
    > exit
    $ telnet smtp02.iafrica.com 25
    Trying 196.7.0.140...
    Connected to mailspool.ops.uunet.co.za.
    Escape character is '^]'.
    220 mailspool.ops.uunet.co.za ESMTP Exim 3.36 #1 Tue, 03 Jun 2003 10:36:18 +0200

    ok sure, it is hosted by some ISP, but still interesting.

  72. Re:Why would I want to use exim? well O/T by pacman+on+prozac · · Score: 1

    And now freeserve is blocked on half the RBL lists around (including my uni, plymouth) so I guess their "substantial" anti-spam features worked about as well as the rest of the company.

    as a toll free ISP Freeserve got more than its fair share of mail bombing jerks and didn't really want to end up with the reputation of having the most clueless users

    Having worked for the Dixons corp/company/movement/cult I can say without shadow of a doubt that this wasn't the reason. Anyone in that company who spent a single cent for the good of the customers would be sent off for re-education. Remember only about 5-10% of their customers would even know what SPAM is. Most of the freeserve users never chose or signed up for it, it just came pre-installed on their pcworld/dixons/currys PC.

    That said, if Exim works for them it's probably a good advert, maybe get some better filters though :)