Slashdot Mirror


Postfix: A Secure and Easy-to-Use MTA

BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."

11 of 374 comments

  1. Mmmm...postfix by ender- · · Score: 4, Interesting

    I for one have used sendmail and postfix, and have tried qmail in the past [sorry, didn't like it].
    I finally settled on Postfix. I really like it. I feel I don't have to jump through nearly as many hoops to get it running well as I did with sendmail. I certainly didn't need a 900 page 'bat' book to get postfix running. :)

    With that said, to each his/her own. Use what you want, I'm sure people love qmail for reasons that make sense to them, and the same with exim and sendmail. Those of you who would flame me or others because of our choice of email servers all I can say is "Get over it..."

    Ender

  2. Stupid question... by Skirwan · · Score: 4, Interesting
    Is Sendmail still used because it ships as the default mailer with almost every flavor of Unix?
    Yes. Yes it is.

    Just like Internet Explorer is still used because it ships as the default browser with every flavor of Windows, and Apple Mail is still used because it ships as the default mail client with every flavor of Mac OS X, and so on. This surprises you because...?

    --
    Damn the Emperor!

  3. Re:I've switched one box to postfix.. by segment · · Score: 4, Interesting
    I've run heavy sites with postfix when I worked at a service access provider once. We had about 5k domains (notice I typed domains... users = ? don't have an idea) on each server (back then was a VAR501) running on postfix without a problem. QMail is alright but I notice the load gets heavy a bit so it's not good for like legacy systems at least in my opinion.

    Sendmail.. ugh. Remember that old comment, if you've got nothing nice to say? At least they gave out free sendmail swiss army knives once!

  4. Re:What's wrong with sendmail? by satch89450 · · Score: 4, Interesting
    >Don't get me wrong, postfix is a nice MTA. Yes, it is easier to set up depending on what you think is "easy", but still, it's a nice MTA, but no reason to not use Sendmail if you can help it.

    I ditched SendMail because it made me uncomfortable as an administrator. Yes, I could get it working "good enough" that I wasn't a relay, but because of the arcane command file structure I wasn't satisfied that it was tuned the way I wanted it. (BTW, I had hand-coded a sendmail.cf from scratch before, and made it work, but that was when I had a whole day to spend on the project.)

    Back in the days when there weren't a horde of people trying to crack your system, SendMail was OK. Nowadays, you want to make absolutely sure there are zero holes in your system -- arguably you want to PROVE there are no holes, which is an impossibility -- and SendMail makes that very hard to do.

    With PostFix, I can get a configuration file, sort it, and check each parameter against the manual. In fact, PostFix can get me EVERY setting (using postconf) so that I can verify I like the defaults, too.

    In the current Internet environment, "good enough" isn't good enough.
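
The audit described in the comment above (dump the settings, then check each one against what you reviewed) can be scripted. This is an added example, not part of the original comment and not code from Postfix; `audit_postconf`, `demo_audit` and the sample values are constructed for illustration, and the input format assumed is the one-line `name = value` output of `postconf`.

```shell
#!/bin/sh
# Added example: diff a reviewed baseline against current Postfix settings.
# On a real host, produce the inputs with:  postconf -n > current.txt
# Assumes one "name = value" pair per line.

# audit_postconf BASELINE CURRENT -> one line per deviation, sorted
audit_postconf() {
    awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            eq = index($0, "=")
            if (eq == 0) next                      # skip blank or malformed lines
            name  = trim(substr($0, 1, eq - 1))
            value = trim(substr($0, eq + 1))
        }
        FNR == NR { base[name] = value; next }     # first file: the baseline
        {
            seen[name] = 1
            if (!(name in base))
                print "ADDED " name " = " value
            else if (base[name] != value)
                print "CHANGED " name ": " base[name] " -> " value
        }
        END { for (n in base) if (!(n in seen)) print "MISSING " n }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data (not from any real server).
demo_audit() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/baseline.txt" <<'EOF'
disable_vrfy_command = yes
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
    cat > "$dir/current.txt" <<'EOF'
inet_interfaces = all
mynetworks = 127.0.0.0/8 10.0.0.0/8
relay_domains = example.net
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
EOF
    audit_postconf "$dir/baseline.txt" "$dir/current.txt"
    rm -rf "$dir"
}

demo_audit
```

Any `ADDED`, `CHANGED` or `MISSING` line is a setting that no longer matches what was reviewed; here the listener and trusted-network changes are the ones that widen exposure.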

  5. Qmail just works by esconsult1 · · Score: 3, Interesting
    The combination of Qmail and Vpopmail is perfect for our company with multiple virtual domains. No other solution comes close.

    If you run virtual domains, Postfix or Sendmail is not an option, especially if you don't want to deliver john@d1.com and john@d2.com to john@localhost. Heck, with virtual domains, you don't want to have user accounts anyway.

    I wish there were other easy to use open source options, because Qmail really suffers under Sobig at this point.

  6. And this isn't an advertisement how? by Apostata · · Score: 3, Interesting

    Sorry for the flamebait, but how would it seem if an "objective" news-headline site said the following:

    "The Dodge Ram has had a number of documented problems over the years. However, for less problems, try the Ford Explorer."

    Come on...

    --

    This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker

  7. MTAs for desktop/client installations by Florian · · Score: 5, Interesting
    For running an MTA on a desktop/client PC, I strongly recommend solutions like Nullmailer or, for computers with permanent Internet connectivity, ssmtp. Both work as just local gateways/bouncers to a remote SMTP server; they don't open any network ports and thus prevent remote exploits/attacks/spam relaying by design. Nullmailer offers local spooling (important for dialup connections) while ssmtp bounces everything immediately to the smarthost. Both are very small (ssmtp: 22k, nullmailer-send: 25k), ridiculously simple to configure even for people with low administration skills, both provide sendmail-compatibility to work with MUAs like mutt.

    (Offtopic: A similarly nice, elegant solution for desktop/client PC printing is pdq, which unlike lpd and cups runs only as a local spooler without opening a network port, and is lean (65k), dead-simple and functional. With nullmailer/ssmtp & pdq, I managed to close all ports (except of course SSH) on my two desktop PCs under Debian GNU/Linux without any firewalling. AFAIK, Debian is the only OS offering all the aforementioned pieces of software as part of its main distribution.)

    --
    gopher://cramer.plaintext.cc http://cramer.plaintext.cc:70
  8. Re:Don't forget BIND. by shoppa · · Score: 4, Interesting
    My information that the GNU alpha.gnu.org compromise was due to wu-ftpd came from this quote posted to slashdot after the compromise:
    >iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.

    BIND was originally an implementation in C of Jeeves, which was the original PDP-10 DNS implementation. This explains some of the cruft (but in fact I don't feel that BIND has all that much cruft).

  9. Re:Its look like Qmail Vs Postfix war by slushpupie · · Score: 5, Interesting

    We handle roughly 1.5 million pieces of mail daily, and found major performance problems with qmail. In particular, qmail would tend to start slowing down, for no apparent reason, which would make the queue size even larger; and well, it was a slippery slope. We found by switching to postfix not only did we eliminate the issues, but since this is a cluster of mail servers, the postconf command made admining the boxes much easier.

    (this was on stock redhat 7.2 installs with scsi raid 5 disk arrays)

  10. sendmail is NOT that popular by ChrisCampbell47 · · Score: 3, Interesting
    >While Sendmail runs half the mail servers in the world

    According to http://cr.yp.to/surveys/sendmail.html and http://cr.yp.to/surveys/smtpsoftware6.txt, Sendmail has long been trending towards less and less hosts running it. As of his last survey two years ago, it was at 42%. And if you look only at "serious" MTAs, those for sites that have heavy mail volumes, you'll probably see even less Sendmail.

  11. Re:Or try qmail - unbroken since v1.03 (1998) by JamieF · · Score: 3, Interesting

    >Postfix, on the other hand, suffers from the windows design paradigm.
    >One big package to do it all.

    I guess if you define "one big package" to be modularized like this and "do it all" to mean "be an MTA" then you're right. Are you saying that qmail does less, with more than 36 different executables (which is how many postfix uses), and that that's better?

    >Even Wietse doesn't trust his own software.
    >http://marc.theaimsgroup.com/?l=bugtraq&m=106018677502632&w=2

    Riiight. So you're saying that when Dan ships a bug fix, all qmail installations are magically updated, and all distributions out there on FTP servers and CDs are updated too. No? That's all that Wietse was lamenting - read the message again. He's saying that you can fix a bug in the current code but you can't make it go away retroactively. He doesn't say he doesn't use or trust his own software.

    >Postfix on the other hand is still under development,

    I guess you would prefer an abandoned product? Or are you saying it's not ready for production use yet? IBM released it FIVE YEARS AGO as the IBM Secure Mailer. It does get updated, though. Horrors! Do you use an OS that is "done" too, because not ever being updated is a good thing?

    >suffers from a poor design,

    According to you. How exactly is the design poor in your opinion? Hint: You can't just say "it's like Windows". What are some specific design choices and examples of why that's bad? Or are you just hand-waving?

    >and probably will include the kitchen sink by next year.

    Based on what, exactly? Please explain why you think Postfix is adding all sorts of non-MTA features lately, and preferably show a link to a message by Wietse where he says he's going to do so in the future.