Postfix: A Secure and Easy-to-Use MTA

BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."

Or try qmail - unbroken since v1.03 (1998)

[KeithH]

Qmail is rock-solid. The best proof I can offer is that fact that no security flaw has been found since 1.03 was released in 1998. The man is a cryptographer and designed it for security.

There is also an enormous amount of support for the product available. Check out qmail.org and cr.yp.to/qmail.html

Re:Or try qmail - unbroken since v1.03 (1998)

[Lussarn]

More info is definetely needed before +5 interesting. Which OS, Filesystem, mountoptions and queue disk setup did you use for qmail to act like this.

I've had qmail experience the behavior you are talking about using Solaris/ufs/noasync (single scsi disk) but using ext3/async,noatime (single scsi) under Linux X86 has proven to be very nice.

Reiser would probably do a good job here too.

Setting up mailservers is more science then just telling what sucks and what does not.

Re:Or try qmail - unbroken since v1.03 (1998)

[KeithH]

The DoS problem doesn't lie with qmail itself. That particular issue is best addressed through thresholding which is supported by ucspi-tcp's tcpserver (a replacement for inetd or xinetd).

If you are using ucspi-tcp already, then it is probably as simple as modifying the contents of /var/qmail/control/concurrencyincoming.

ucspi-tcp is not *required* but much of the qmail documentation assumes that you are using it. ucspi-tcp is also written by Dan Berstein (cr.yp.to/ucspi-tcp.html)

Re:Or try qmail - unbroken since v1.03 (1998)

[KC7GR]

At the risk of sounding like one of those infomercial testimonials...

I ran qmail for a year or so, then ended up switching to Postfix. At this point, you couldn't pay me to switch back to qmail.

It's not that qmail's a "bad" program. It's certainly not! Dave B. did a heck of a job with it, and I know it's in service as a Sendmail replacement at thousands of sites.

My gripes with qmail are that you practically need to be a programmer to implement it "properly" (at least that's my impression), and that, in order to have an ideal working environment for it, you have to replace the inetd daemon, and add in other tools that are far from simple for non-programmers to implement and use.

My biggest gripe with qmail was how it implemented spam blocking. Complex and clumsy (to my view), with no way that I found to "whitelist" a given domain name or IP, and no way to block on domain name lookup either.

Postfix solved all the problems listed above, and it came pre-installed with NetBSD (my Internet server OS of choice). As for its blocking/whitelist syntax, it couldn't be simpler. Examples...

For blocking: some.host 554 Access denied.
For whiteliesting: some.host OK

You simply replace 'some.host' with an IP address or host name, and the three-digit error code with anything you want. qmail was limited to two error codes. The best part is that you can, if you wish, block entire countries that have become spam sewers simply by doing things like this in the blocklist:

.cn 554 Access denied. China's a spammer paradise.

With qmail, you'd have to go through and enter every single IP range assigned to China, manually. I know -- I did this at one time for qmail, and it was two hours plus worth of work! What's even worse is that you have no control over what error message text is sent back. Postfix lets you put in anything you want.

While I will admit that Postfix's default blocking file cannot directly accomodate CIDR notation or IP ranges, Rahul Dhesi, one of the nice folks who inhabits news.admin.net-abuse.email, wrote a handy script to take a source blockfile, complete with said CIDR notations and specific syntax to indicate a range, and convert it into a form usable with Postfix. He also has a bunch of other handy tools for use with Postfix on his site.

I may not know what a "milter" is, but I do know that postfix can block or pass mail on just about anything you want. It supports regular expressions, hashes, etc.

I guess I do sound like a testimonial... Well, the heck with it! I like Postfix. ;-) The info at Postfix's home site speaks for itself.

Keep the peace(es).

Use Qmail

[The+Original+Yama]

The Qmail author offers money for any holes found. So far he hasn't had to pay a cent.

Re:Use Qmail

[dasmegabyte]

Qmail is a little tricky to set up, but it's also small, has some awesome optional features (virtualhosts and the .qmail aliasing system are wierd, but once you get them down you'll appreciate the flexibility they offer) and once you're done it's worth it. It's nice to have a service that you can say, "This is done. I no longer have to worry about it."

Of course, since I use DJBDNS and qmail-pop3, I have 3 services I can mostly ignore. And it only took me 8 hours curled up with lifewithqmail.org to do it.

I've switched one box to postfix..

[brentlaminack]

In general I found that virtual domains were a bit trickier to set up in postfix than in sendmail. Ordinary aliases were just as easy (read identical). My sites don't do enough volume to tell any difference in performance. The build/install process was probably a bit easier for postfix, i.e. didn't have to monkey around with M4. So as a sendmail admin of more years than I care to think about, postfix seems about as easy to administer as sendmail on a day-to-day basis.

Re:I've switched one box to postfix..

[bigberk]

In general I found that virtual domains were a bit trickier to set up in postfix than in sendmail

postfix used to have a different way to do virtual domains (in fact, it was called the "sendmail-style" virtual domains). These were a pain. Now it is very easy to set up virtual domains. There are 3 steps, and it will take you all of 2 minutes to set this up. I kid you not...

1. Make sure 'virtual_maps' directive is in postfix.conf; e.g. virtual_maps = hash:/etc/postfix/virtual
2. Edit the file 'virtual' making sure you include the "Virtual domain" as the first line of a group. Include as many as of these blocks as you want, multiple domains.
   example.com Virtual domain
   ad1@example.com destuser1
   ad2@example.com destuser2
   
3. Run 'postmap /etc/postfix/virtual'

Panther / Mac OS X 10.3 (11?) will use Postfix

[tm2b]

Just as a heads up to Mac users... the next major revision of Mac OS X, Panther, will be changing from Sendmail to Postfix. So if you use Mac OS X, you don't need to do anything special other than buy Panther when it becomes available.

Personally, that's what is pushing me over the edge to learn Postfix and use it on my OpenBSD servers. In a nostalgic way, it's too bad... I once made some seriously good money writing custom sendmail.cf files on a consulting basis.

Courier

[dusanv]

I have been using Courier for over two years now. No remote roots ever or problems of any kind (I am amazed!). It's open sourced and a full package (esmtp, pop, imap, webmail and a thousand other things). It gets my vote.

Debian may switch

[mcgroarty]

Debian has been installing exim by default forever now. It's also remarkably easy to use and configure, and it's just as versatile as sendmail.

There's been discussion about switching to postfix as the default for new installs however, and it may even be a done deal. A lot of arguments have been tossed about for this, however the biggie seems to be its simplicity: with something as complex as exim or sendmail, there are just more opportunities for something to go wrong. Postfix is quite enough for most users.

Popular open-source packages with security holes

[shoppa]

Citing a long history of security holes and patches is one way of justifying going with a less-populare but maybe more secure package. Right off the top of my head are these long-standing open-source packages with long histories of security holes:

• wu-ftpd. Most recently known for the crack of alpha.gnu.org.
• sendmail. "Not having sendmail is like not having VD", according to popular wisdom
• vixie-cron. I don't even know of a "virgin" distribution of this, which is probably a good thing; all the Linux vendors have their own set of extensive patches to vixie-cron.

There are multiple choices for replacing each of these, most of them a written-from-scratch replacement. Not all of these are perfect, either, but at least they're less popular, so (hopefully?) less likely to get hacked.

I personally run fcron, postfix, and proftpd instead of the more popular packages. I don't honestly claim that they're any more secure, in all cases they were mostly personal choices having to do with cleanness/installation ease.

Re:Qmail just works

[InsaneGeek]

What you talking about Willis?

Sendmail & Postfix support virtual domains with no problems.

Postfix: http://www.postfix.org/faq.html#virtual_domains

Sendmail you can do it extremely easily with the virtualusertable (and I have for years and years)

Re:Stupid question...

[Basje]

No it doesn't. Debian has Exim as it's default MTA.

Re:Milters?

content_filter is the equivalent of Milter for Postfix.

This is quite powerful. For example, you can have some regular expression (around header or body), that sent to the content_filter.

If you want to switch and have milter in mind, please consult the documentation about content_filter...

Not Debian

[autechre]

I think they switched which MTA was installed by default between Potato and Woody, but neither one was Sendmail. And of course, they have you configure it when it's installed, and you can just tell it to not run the daemon and deliver local mail only (so you still get important stuff sent to root).

I've used Postfix, and like it very much. Currently, the email server for which I'm responsible runs Sendmail, because I haven't had time to figure out how to port the virtusertable over to Postfix.

As for hackstraw's comment, Debian makes it easy because packages depend on "an MTA", and all of the MTAs conflict, so you just use APT to install your MTA of choice, and it replaces the existing one.

Re:What's wrong with sendmail?

[macdaddy]

If you coded a sendmail.cf from scratch then you are a damned fool. There's no other way to put it. YOU DO NOT CODE THE CF BY HAND. YOU DO NOT EVEN TOUCH THE CF! The Sendmail gurus have been saying this for years and there is NO excuse for not heeding their warnings. You use the M4 macros to build your CF. There is rarely, and I do mean rarely, any reason to directly edit the cf. You can do everything you need to do in the M4 macro file. Even the Sendmail gurus themselves don't touch the CF.

This is something that really pisses me off. People bitch and moan about Sendmail being so hard to configure when really they haven't done the tiniest bit of research or RTFM. If they had they would have known not to edit the CF. "Don't touch the CF" is the most common answer on comp.mail.sendmail. Yet these novices still feel knowledgeable enough to make claims about how hard it is to configure Sendmail. I swear the quality of sysadm nowadays is somewhere in the crapper. I've been using Sendmail since 8.8.7. I have never had an unusual configuration I couldn't quickly create with a minimal amount of online research. It's not rocket science folks.

Re:Milters?

[cloudmaster]

Yes, postfix has mail filters. They're just not *called* "milters", and they're readable by people who don't have M4 parsers built into their reading glasses. Grumble grumble crummy sendmail configuration grumble.

In fact, most of the things you can do with sendmail through external additions are already in postfix. I'm pretty sure that Postfix is also overall "faster" than Sendmail, and it upgrades easier, and the config system is useful, etc...

Re:Postfix virus filter

[cloudmaster]

Even more fun than than that (in newer versions o' postfix) is this one:

/^Content-(Type|Disposition):.*(file)?name=.*\.(as d|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr| shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.

Mostly I like that because you include the actual extension in the return message and it allows the string "file=blah.exe" in headers other than those two that might cause a problem

Note that I left .com out of the list because that one also catches messages with URLs attached (like, http://domain.com/). Since we mail URLs a lot where I work, that's not so good to block.

Re:.. in scripts?

[cloudmaster]

postfix is sommand-line compatible with sendmail, even going so far as to include a binary named "sendmail" for just that reason. I've got several CGIs that use that, just because they're no important enough for me to rewrite them.

I can't comment on other MTAs in that regard.

The article didn't mention the best feature

[Eric+Smith]

If you need to run a backup MX for a lot of domains, you don't have to configure them all manually. You can just tell Postfix that it's allowed to backup domains that have MXes on specific networks. For instance, my Postfix main.cf includes:

smtpd_recipient_restrictions = permit_mynetworks, permit_mx_backup, reject
permit_mx_backup_networks = 64.15.260.112/27, 282.66.92.0/22, 67.91.305.33/32

(specific addresses changed to protect the innocent, and yes, I know that a byte can't exceed 255, that was deliberate)

This tells Postfix to accept mail for any domain that has an MX in one of the specified networks. So whenever I add a new domain to one of my primary MX servers, I don't have to change the configuration on my backup MX servers at all.