Postfix: A Secure and Easy-to-Use MTA
BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."
the department of homeland security is issuing security advisories now? did anyone know we're paying them to audit code?
I wonder if they'll start trolling on bugtraq.
-blak
Does postfix have milters? Sendmail is popular for a reason.
...because the article poster had to mention Postfix. Now someone's gonna say "qmail", someone else will say "exim", someone will say "fuck you, sendmail all the way" and what could have been a nice debate about the full-of-security-holes-dinosaurs of open source will be spent in 500 messages worth of flamewar. Sigh.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
As for myself, I switched to postfix several years ago and haven't looked back even once.
Harald
Yeah, but OpenBSD is including an ancient version that they spent tons of time auditing.
After using qmail for 4 years, I can't see why anyone would touch sendmail.
What can you do with sendmail that you can't do with qmail? There is a very large set of mature additions and patches to qmail that permit just about anything you may wish to undertake with your mail server.
On the point of qmail being cumbersome: I disagree - what could be simpler than adding a single line to your rcpthosts file? Maintaining qmail is trivial. However, I'll agree that the author's terse documentation makes it seem quite foreign but compared to sendmail it is positively didactic. There are also many other resources available which supplement the original docs.
I've considered qmail a few times, but Dan is such an abrasive prick that I just couldn't bring myself to use his software (the same can be said of Theo and OpenBSD). Check back through the qmail archives for some of his abusive responses to participants in the various qmail lists. Wietse, on the other hand, is easy to get along with, fixes things in a timely manner and operates in a much more respectful manner. Postfix is simple, secure, and well supported. Also, it doesn't require that you install all the author's other tools in order to have a functioning MTA.
There are two main things about qmail that give it the edge.
1) It is a collection of small daemons. In the UNIX spirit. This cuts on the bugs and allows injection of emails into various stages, and developing addons much easier.
2) It has a structured config file system. Again that's truly like UNIX. You just go to one file, open it in an editor, usually has less than a screenful of lines, edit it, close and reHUP the daemon. Imagine the same for sendmail. At the least you have to run make for it.
To be fair, I haven't tried postfix, but after qmail, I've kinda lost motivation to try anything else.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?
OLPC Australia
This article was really about a hole in sendmail. However, with all the so-called "Microsoft holes" Slashdot has been reporting non-stop about, they needed to immediately offer a working alternative so they can say, "It's not that big a deal; here are well-known alternatives," and play down the hypocrisy a bit. Meanwhile, there are just as many alternatives to Outlook, but that doesn't stop people from declaring Windows unsafe (never mind that SoBig is a user-transmitted worm). They were just trying to play down the seriousness of it. "You should have been using postfix!"
Just had to say it. Mod me down if you disagree.
"Sufferin' succotash."
That's a good point and one that should be considered whenever one patches the source. However some of the patches are trivial and "obviously" safe while others are additions that don't actually require changes to the qmail source itself.
Because of qmail's design, it is very resistant to compromise, even if one of the components is modified.
I believe that the strict partitioning of function in qmail lends itself better to extension than a constantly evolving package such as sendmail.
I'm not in a position to compare it to Postfix.
This configurability honestly isn't needed today in 99% of cases. The number of people I know who need a bang-path to get mail to them (uucp) is now down to two.
But the ability to do things dynamically in sendmail through its configuration file isn't necessarily a weakness, the regex abilities are often used for other things today.
Especially large, complex pieces of software originally written over a decade ago. BIND, Sendmail, and WU-ftpd have all been major problems over the past decade because they were written at a time when security wasn't important. They've tried to upgrade them and incorporate security into these products since then, but you can't easily patch a rusty ship at sea. At least with BIND 9 they did a rewrite and got it audited by an external group and it's been fairly secure.
All it demonstrates is that large complex pieces of software are inherently more difficult to secure than smaller simpler ones.
What happens to this when it's Windows, and it's suddenly "WINDOWS WAS DESIGNED FROM THE BEGINNING WITHOUT SECURITY IN MIND!!1." You know, the standard hysterical absolutes.
Oh? You mean nothing is 100% secure? You mean Linux has more monthly than Windows? People need to get off their high horse and gain some perspective.
"Sufferin' succotash."
That is the reason I use qmail. The qmail list doesn't have the "I haven't RTFM" idiots posting and getting answers to the same questions day in day out like the postfix list. People like that deserve to get picked on. qmail was so easy to install, if you have problems then you only have yourself to blame for not planning and researching what you are doing first.
Postfix, on the other hand, suffers from the windows design paradigm. One big package to do it all. Very poor design choice this Wietse guy has made. Even just recently there was a remote DOS in some versions of postfix.
http://marc.theaimsgroup.com/?l=bugtraq&m=10600
Even Wietse doesn't trust his own software.
http://marc.theaimsgroup.com/?l=bugtra
At least DJB does.
qmail is by far the easiest SMTP server to set up on *nix. It makes sense in its configuration and is well documented and stable. Postfix on the other hand is still under development, suffers from a poor design, and probably will include the kitchen sink by next year.
This is a security problem from March. Sendmail 8.12.9 was released on March 31st, correcting this problem.
Why is this being posted nearly half a year later? Solely to advertise Postfix?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
This is good info... Always be sure to read the docs fully before saying X feature doesn't exist in Y product.
This is exactly the problem with the OpenBSD, qmail (and the rest of DJB's software) and any other system that claims security through simplicity, but then refuses to either add features or accept code changes for the feature set that is needed in the real world. I respect this software, as I respect all functioning software that is contributed to the community (though qmail is contributed with some heavy provisos on what you are allowed to do in terms of modification and distribution).
However, you get the "unsupported majority" who run a modified/patched/extended version that might well have security flaws that no one knows about. Worse, when an exploit is found in one of those changes, the maintainer of the central package usually makes a point of saying, "look, see! My software was secure, it was just those icky add-ons that were broken!" (as OpenBSD did with apache).
Bottom line: if you run OpenBSD or qmail or any other like service, don't patch it, or add unsupported features.
If that's not a good enough feature-set for you, choose a platform that embraces the feature-set that you need.
Now, on to the myths of sendmail:
Recent sendmail holes have been found because careful security auditing by programmers who have no goal other than to find such problems is being PAID for on sendmail. Companies like Red Hat have found such bugs in the Linux kernel, sendmail, apache, samba, etc, etc because they are looking for them, fixing them, and patching their user-base proactively.
I'm not saying that this is a first. Many companies that can afford it perform such audits, and it's still not as helpful, IMHO, as the benefit of being open source in the first place. However, saying that software is "insecure" because paid auditors have discovered and fixed the problems is... questionable.
I like sendmail. It has its quirks and problems, but I've yet to see a replacement that doesn't insist on proving that it's "better than sendmail" by imposing some strange restriction on the users (e.g. exim's B&D approach to RFC-compliance; postfix's convoluted incoming vs outgoing filtering; qmail's B&D approach to software distribution).
I like these other packages too, but I don't see a role for them as-is in my environments. Perhaps someday someone will write a simple sendmail replacement that is feature-for-feature compatible, but simply has simpler code and a more straight-forward config syntax (the only two real failings of sendmail).
Considering that other open source MTAs (postfix, qmail, exim, courier) have a better security history, it's a problem very much specific to sendmail.
Sendmail would benefit considerably from a redesign. But that probably isn't going to happen, because sendmail is used by those who want it to work the way it always has. Better alternatives are already available for those who are comfortable with something slightly different.
qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?
I agree partly with you, it bothers me to have to patch my vanilla qmail to get all the functionality that I need. But on the other hand you only install the patches that you need, so you're still more secure than if all the features/patches were already bundled with qmail.
The idea is to keep your installation as small as possible and to install only well-known patches.
Sendmail is old, and suffers from bad old coding habits of people who have been around since before buffer overflows were considered a problem.
Besides, a problem with any server-like program, independent of the protocol and service, is the fact that they handle data from an untrusted remote source which may be malicious. Good, security conscious programmers always treat data carefully, especially if it is from an outside source, but bad programming habits are common.
Both were designed as insecure -- sendmail because the net was so small in those days that you could trust it, windows because it was intended for single-user off-net PCs.
Neither is securable. Both need to be replaced while maintaining backwards compatibility. Windows got Windows NT, Sendmail got qmail, postfix, exim and others.
Windows NT is still terribly insecure, qmail/postfix/exim are rock solid. Why?
Because the mail compatibility relies on a well thought out open standard (RFC822) whereas Windows relies on an entire slapped-together API.
So stop being overly critical and learn something! :-)
Sig:Why copyright isn't a fundamental human right
Compare this to the antics of "that corporation" who is quite content to leave bugs as "undocumented features". Could be this FUD is just a reaction to that "insecure by design" mudslinging.
why would I want to use a system that requires you to preprocess your configuration file, and gives you an obfuscated but still legible configuration file as an output? Does the arcane syntax of the .cf file really make it that much faster for sendmail to parse the configuration file?
I understand sendmail is just fine for people who are used to it, I used it for four years and got by with few problems. I also understand why people shy away from sendmail and the attraction to alternative mailers like postfix and qmail. For the past year I've used postfix and feel infinitely more comfortable with its configuration, design philosophy, and inner working than I ever did with sendmail.
Maybe I should spend my time RTFMing and doing online research into sendmail to make myself feel more comfortable with it. Nah, I'd rather just install Postfix and get on with my life.
A radio maverick jumps to internet only. The Future of Rock n Roll
>Also, it doesn't require that you install all the author's other tools in order to have a functioning MTA.
This one does it for me. I currently use Exim, which also drops in for sendmail and is reasonably secure. If/when I want more security, I'll probably go Postfix because of the simple drop-in.
Security is never unimportant, but for an internal-only MTA for a family of four that accepts no external connections, it's secondary. I will however agree that had I been running Sendmail, the March problem would have had me.
The living have better things to do than to continue hating the dead.
Which is exactly why I won't use it. Dr Bernstein is brilliant, and writes good code, but he wants me to replace half my system with his stuff. But until someone delivers DJB Linux, where everything runs under his model, I'll be sticking with the existing stuff. I DO NOT want to have two init programs running, two ways of controlling daemons, two ways of logging, etc.
I'm using his DNScache software on a few systems, I'm impressed with its performance, but am constantly frustrated by its non-conformity.
You are in a maze of twisted little posts, all alike.
If your config language is Turing-complete, and needs a parsing tool to be useful even to "gurus", something is very, very wrong.
PHEM - party like it's 1997-2003!
I looked at qmail two years ago, and I have to say that qmail is the most confusing MESS I have ever seen. NOTHING is in its right default place! NOTHING! Everything has this strange directory structure, and it doesn't even use the default LOGGER. Yes, you have to install this dumb logger daemon, solely for the purpose of logging stuff for your qmail.
Sorry, but I'd prefer a mail program that puts stuff in the right place. I want my configuration files in /etc, and I want syslog to manage my e-mail logging.
Zodiac Survey
Given that sendmail is rather rich in features, which one of those do you honestly use on a day to day basis? The truth is, it's very complex, archaic, and outdated. That's where Postfix comes into play. It's more secure and easy to configure.
I use postfix because of the simple fact that it's VERY easy to configure, more secure, and just plain better. As for sendmail, after reading the manual for hours, I still had no idea where to begin thinking about how to modify the configuration files.
If security is important to you, try using Qmail. It is so secure (so the author claims) that he is willing to offer a cash reward to anyone who can find an exploit in a stock distribution. I must say, it's not very robust in features, and has a number of limitations to maintain its security. Postfix turns out to be a good combination of both security and features, as well as ease of use.
You show 'em! Maybe those bartards'll think next time they do something that you don't agree with. Ya know, they're not selling commercial products, so they're not taking on any financial losses from your boycott. Chances are that they're not developing software to make friends, or otherwise gain popularity with the Slashdot/Usenet/etc crowd.
Seriously though...that seems like an impractical attitude. Does that mean that because I don't agree with RMS' principles and goals, that I shouldn't use any GNU software?
Also, there's no need to have any contact with DJB, or DeRaadt to use their software. There's a decent support community out there. If one of these guys does write software that you need, and you use something inferior (or inappropriate) because you don't like them -- it's like cutting off your nose to spite your face.
I use qmail (and in some cases, OpenBSD) not because of whether or not I like the authors, but because they are practical for some uses. If I choose a product for work because I like the author, and not based on other merits, I'd likely get fired.
However, your point about timely patches was not missed...It just seems like the larger point was that DJB and DeRaadt are pricks, and because of it, you don't want to use their stuff. It may do you good to consider using a "product" based on its merits next time.
Just a thought
-Turkey
Assuming each e-mail passes on average 3 MTAs, and sendmail is used on 50% of those servers, that gives:
- .50 (probability first server runs sendmail)
- .50*.50 = 0.25 (probability second server runs sendmail, if first didn't)
- .50*.50*.50 = 0.125 (probability third server runs sendmail if first two didn't)
Summarizing: in 87,5% of cases, the e-mail was handled (= routed through) by at least one MTA running sendmail. If sendmail is deployed on 40% of the servers, the same reasoning gives a total of 62,4%. So the newspaper talking about "routing" and not about the percentage of servers running sendmail, may be correct.
My 2c.
The reason qmail is cumbersome is because the license is needless pain. You cannot adapt qmail to the particular OS you are using and distribute binaries. For example DJB insists on the /services directory whereas FreeBSD insists this directory belongs in /var/services. As a result FreeBSD cannot distribute packages for qmail or any of DJB's code.
What you have to ask yourself if you choose to use DJB's software is, what happens when DJB dies. He should release his code as BSD or GPL so that we don't have to live with this hive of incompatible patches.
DJB claims his desire is to influence all systems to "look the same", but in reality he is forcing every system to run a locally modified program that is extensively customized differently at each site. Which is worse.
Setting this up was surprisingly painless: