Slashdot Mirror
Postfix: A Secure and Easy-to-Use MTA
BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."
the department of homeland security is issuing security advisories now? did anyone know we're paying them to audit code?
I wonder if they'll start trolling on bugtraq.
-blak
Does postfix have milters? Sendmail is popular for a reason.
...because the article poster had to mention Postfix. Now someone's gonna say "qmail", someone else will say "exim", someone will say "fuck you, sendmail all the way" and what could have been a nice debate about the full-of-security-holes-dinosaurs of open source will be spent in 500 messages worth of flamewar. Sigh.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
As for myself, I switched to postfix several years ago and haven't looked back even once.
Harald
What can you do with sendmail that you can't to with qmail? There is a a very large set of mature additions and patches to qmail that permit just about anything you may wish to undertake with your mail server.
On the point of qmail being cumbersome: I disagree - what could be simpler than adding a single line to your rcpthosts file? Maintaining qmail is trivial. However, I'll agree that the author's terse documentation makes it seem quite foreign but compared to sendmail it is positively didactic. There are also many other resources available which supplement the original docs.
I've considered qmail a few times, but Dan is such an abrasive prick that I just couldn't bring myself to use his software (the same can be said of Theo and OpenBSD). Check back through the qmail archives for some of his abusive responses to participants in the various qmail lists. Wietse, on the other hand, is easy to get along with, fixes things in a timely manner and operates in a much more respectful manner. Postfix is simple, secure, and well supported. Also, it doesn't require that you install all the author's other tools in order to have a functioning MTA.
There are two main things about qmail that gives it the edge.
1) It is a collection of small daemons. In the UNIX spirit. This cuts on the bugs and allows injection of emails into various stages, and developing addons much easier.
2) It has a structured config file system. Again thats truly like UNIX. You just go to one file, open it in an editor, usually has less than a screenfull of lines, edit it, close and reHUP the daemon. Imagine the same for sendmail. At the least you have to run make for it.
To be fair, I havent tried postfix, but after qmail, Ive kinda lost motivation to try anything else.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?
OLPC Australia
This article was really about a hole in sendmail. However, with all the so-called "Microsoft holes" Slashdot has been reporting non-stop about, they needed to immediately offer a working alternative so they can say, "It's not that big a deal; here are well-known alternatives," and play down the hypocrisy a bit. Meanwhile, there are just as many alternatives to Outlook, but that doesn't stop people from declaring Windows unsafe (never mind that SoBig is a user-transmitted worm). They were just trying to play down the seriousness of it. "You should have been using postfix!"
Just had to say it. Mod me down if you disagree.
"Sufferin' succotash."
That's a good point and one that should be considered whenever one patches the source. However some of the patches are trivial and "obviously" safe while others are additions that don't actually require changes to the qmail source itself.
Because of qmail's design, it is very resistent to compromise, even if one of the components is modified.
I believe that the strict partitioning of function in qmail lends itself better to extension than a constantly evolving package such as sendmail.
I'm not in a position to compare it to Postfix.
This configurability honestly isn't needed today in 99% of cases. The number of people I know who need a bang-path to get mail to them (uucp) is now down to two.
But the ability to do things dynamically in sendmail through its configuration file isn't necessarily a weakness, the regex abilities are often used for other things today.
This is a security problem from March. Sendmail 8.12.9 was released on March 31st, correcting this problem.
Why is this being posted nearly half a year later? Solely to advertise Postfix?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
This is exactly the problem with the OpenBSD, qmail (and the rest of DJB's software) and any other system that claims security through simplicity, but then refuses to either add features or accept code changes for the feature set that is needed in the real world. I respect this software, as I respect all functioning software that is contributed to the community (though qmail is contributed with some heavy provisos on what you are allowed to do in terms of modification and distribution).
However, you get the "unsupported majority" who run a modified/patched/extended version that might well have security flaws that no one knows about. Worse, when an exploit is found in one of those changes, the maintainer of the central package usually makes a point of saying, "look, see! My software was secure, it was just those icky add-ons that were broken!" (as OpenBSD did with apache).
Bottom line: if you run OpenBSD or qmail or any other like service, don't patch it, or add unsupported features.
If that's not a good enough feature-set for you, choose a platform that embraces the feature-set that you need.
Now, on to the myths of sendmail:
Recent sendmail holes have been found because careful security auditing by programmers who have no goal other than to find such problems is being PAID for on sendmail. Companies like Red Hat have found such bugs in the Linux kernel, sendmail, apache, samba, etc, etc because they are looking for them, fixing them, and patching their user-base proactively.
I'm not saying that this is a first. Many companies that can afford it perform such audits, and it's still not as helpful, IMHO, as the benefit of being open source in the first place. However, saying that software is "insecure" because paid auditors have discovered and fixed the problems is... questionable.
I like sendmail. It has its quirks and problems, but I've yet to see a replacement that doesn't insist on proving that it's "better than sendmail" by imposing some strange restriction on the users (e.g. exim's B&D approach to RFC-compliance; postfix's convoluted incoming vs outgoing filtering; qmail's B&D approach to software distribution).
I like these other packages too, but I don't see a role for them as-is in my environments. Perhaps someday someone will write a simple sendmail replacement that is feature-for-feature compatible, but simply has simpler code and a more straight-forward config syntax (the only two real failings of sendmail).
qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?
I agree partly with you, it bothers me to have to patch my vanilla qmail to get all the functionality that I need. But on the other hand you only install the patchs that you need, so you're still more secure than if all the features/patchs we're allready bundled with qmail.
The idea is to keep your installation as small as possible and to install only well-known patchs.
Both were designed as insecure -- sendmail because the net was so small in those days that you could trust it, windows because it was intended for single-user off-net PCs.
Neither is securable. Both need to be replaced while maintaining backwards compatibility. Windows got Windows NT, Sendmail got qmail, postfix, exim and others.
Windows NT is still terribly insecure, qmail/postfix/exim are rock solid. Why?
Because the mail compatibility relies on a well thought out open standard (RFC822) whereas Windows relies on an entire slapped-together API.
So stop being overly critical and learn something! :-)
Sig:Why copyright isn't a fundamental human right
Compare this to the antics of "that corporation" who is quite content to leave bugs as "undocumented features". Could be this FUD is just a reaction to that "insecure by design" mudslinging.
why would I want to use a system that requires you to preprocess your configuration file, and gives you an obfuscated but still legible configuration file as an output? Does the arcane syntax of the .cf file really make it that much faster for sendmail to parse the configuration file?
I understand sendmail is just fine for people who are used to it, I used it for four years and got by with few problems. I also understand why people shy away from sendmail and the attraction to alternative mailers like postfix and qmail. For the past year I've used postfix and feel infinitely more comfortable with its configuration, design philosphy, and inner working than I ever did with sendmail.
Maybe I should spend my time RTFMing and doing online research into sendmail to make myself feel more comfortable with it. Nah, I'd rather just install Postfix and get on with my life.
A radio maverick jumps to internet only. The Future of Rock n Roll
If your config language is Turing-complete, and needs a parsing tool to be useful even to "gurus", something is very, very wrong.
PHEM - party like it's 1997-2003!
Assuming each e-mail passes on average 3 MTAs, and sendmail is used on 50% of those servers, that gives:
- .50 (probability first server rung sendmail)
- .50*.50 = 0.25 (probability second server runs sendmail, if first didn't)
- .50*.50*.50 = 0.125 (probability third server runs sendmail if first two didn't)
Summarizing: in 87,5% of cases, the e-mail was handled (= routed through) by at least one MTA running sendmail.If sendmail is deployed on 40% of the servers, the same reasoning gives a total of 62,4%. So the newspaper talking about "routing" and not about the percentage of servers running sendmail, may be correct.
My 2c.