Slashdot Mirror
Postfix: A Secure and Easy-to-Use MTA
BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."
the department of homeland security is issuing security advisories now? did anyone know we're paying them to audit code?
I wonder if they'll start trolling on bugtraq.
-blak
Does postfix have milters? Sendmail is popular for a reason.
Qmail is rock-solid. The best proof I can offer is that fact that no security flaw has been found since 1.03 was released in 1998. The man is a cryptographer and designed it for security.
There is also an enormous amount of support for the product available. Check out qmail.org and cr.yp.to/qmail.html
The Qmail author offers money for any holes found. So far he hasn't had to pay a cent.
OLPC Australia
In general I found that virtual domains were a bit trickier to set up in postfix than in sendmail. Ordinary aliases were just as easy (read identical). My sites don't do enough volume to tell any difference in performance. The build/install process was probably a bit easier for postfix, i.e. didn't have to monkey around with M4. So as a sendmail admin of more years than I care to think about, postfix seems about as easy to administer as sendmail on a day-to-day basis.
...because the article poster had to mention Postfix. Now someone's gonna say "qmail", someone else will say "exim", someone will say "fuck you, sendmail all the way" and what could have been a nice debate about the full-of-security-holes-dinosaurs of open source will be spent in 500 messages worth of flamewar. Sigh.
i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
As for myself, I switched to postfix several years ago and haven't looked back even once.
Harald
Phew lucky I'm running exchange and don't have these damn sendmail SECURITY fixes to worry about ;)
Just as a heads up to Mac users... the next major revision of Mac OS X, Panther, will be changing from Sendmail to Postfix. So if you use Mac OS X, you don't need to do anything special other than buy Panther when it becomes available.
Personally, that's what is pushing me over the edge to learn Postfix and use it on my OpenBSD servers. In a nostalgic way, it's too bad... I once made some seriously good money writing custom sendmail.cf files on a consulting basis.
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
I have been using Courier for over two years now. No remote roots ever or problems of any kind (I am amazed!). It's open sourced and a full package (esmtp, pop, imap, webmail and a thousand other things). It gets my vote.
I for one have used sendmail and postfix, and have tried qmail in the past [sorry, didn't like it]. :)
I finally settled on Postifx. I really like it. I feel I don't have to jump through nearly as many hoops to get it running well as I did with sendmail. I certainly didn't need a 900 page 'bat' book to get postfix running.
With that said, to each his/her own. Use what you want, I'm sure people love qmail for reasons that make sense to them, and the same with exim and sendmail. Those of you who would flame me or others because of our choice of email servers all I can say is "Get over it..."
Ender
Nothing to see here
Just like Internet Explorer is still used because it ships as the default browser with every flavor of Windows, and Apple Mail is still used because it ships as the default mail client with every flavor of Mac OS X, and so on. This surprises you because...?
--
Damn the Emperor!
There's been discussion about switching to postfix as the default for new installs however, and it may even be a done deal. A lot of arguments have been tossed about for this, however the biggie seems to be its simplicity: with something as complex as exim or sendmail, there are just more opportunities for something to go wrong. Postfix is quite enough for most users.
I ditched SendMail because it made me uncomfortable as an administrator. Yes, I could get it working "good enough" that I wasn't a relay, but because of the arcane command file structure I wasn't satisfied that it was tuned the way I wanted it. (BTW, I had hand-coded a sendmail.cf from scratch before, and made it work, but that was when I had a whole day to spend on the project.)
Back in the days when there weren't a hoard of people trying to crack your system, SendMail was OK. Nowadays, you want to make absolutely sure there are zero holes in your system -- arguably you want to PROVE there are no holes, which is an impossibility -- and SendMail makes that very hard to do.
With PostFix, I can get a configuration file, sort it, and check each parameter against the manual. In fact, PostFix can get me EVERY setting (using postconf) so that I can verify I like the defaults, too.
In the current Internet environment, "good enough" isn't good enough.
If you run virtual domains, Postfix or Sendmail is not an option, especially if you dont want to deliver john@d1.com and john@d2.com to john@localhost. Heck, with virtual domains, you don't want to have user accounts anyway.
I wish there were other easy to use open source options, because Qmail really suffers under Sobig at this point.
Newsfollow.com
My postfix installation is extremely secure, I can't get it to receive any email at all. If anyone could help me unsecure it by teaching it to deliver mail to my computer, could they shoot me an email? (bassettgabriel @qwest.net). I'm not a system administrator, just a guy w/ linux at home and the simple setup just isn't working for some reason.
I do security
Sorry for the flamebait, but how would it seem if an "objective" news-headline site said the following:
"The Dodge Ram has had a number of documented problems over the years. However, for less problems, try the Ford Explorer."
Come on...
This wasn't just plain terrible, this was fancy terrible. This was terrible with raisins in it. - Dorothy Parker
- wu-ftpd. Most recently known for the crack of alpha.gnu.org.
- sendmail. "Not having sendmail is like not having VD", according to popular wisdom
- vixie-cron. I don't even know of a "virgin" distribution of this, which is probably a good thing; all the Linux vendors have their own set of extensive patches to vixie-cron.
There are multiple choices for replacing each of these, most of them a written-from-scratch replacement. Not all of these are perfect, either, but at least they're less popular, so (hopefully?) less likely to get hacked.I personally run fcron, postfix, and proftpd instead of the more popular packages. I don't honestly claim that they're any more secure, in all cases they were mostly personal choices having to do with cleanness/installation ease.
This article was really about a hole in sendmail. However, with all the so-called "Microsoft holes" Slashdot has been reporting non-stop about, they needed to immediately offer a working alternative so they can say, "It's not that big a deal; here are well-known alternatives," and play down the hypocrisy a bit. Meanwhile, there are just as many alternatives to Outlook, but that doesn't stop people from declaring Windows unsafe (never mind that SoBig is a user-transmitted worm). They were just trying to play down the seriousness of it. "You should have been using postfix!"
Just had to say it. Mod me down if you disagree.
"Sufferin' succotash."
This configurability honestly isn't needed today in 99% of cases. The number of people I know who need a bang-path to get mail to them (uucp) is now down to two.
But the ability to do things dynamically in sendmail through its configuration file isn't necessarily a weakness, the regex abilities are often used for other things today.
I think they switched which MTA was installed by default between Potato and Woody, but neither one was Sendmail. And of course, they have you configure it when it's installed, and you can just tell it to not run the daemon and deliver local mail only (so you still get important stuff sent to root).
I've used Postfix, and like it very much. Currently, the email server for which I'm responsible runs Sendmail, because I haven't had time to figure out how to port the virtusertable over to Postfix.
As for hackstraw's comment, Debian makes it easy because packages depend on "an MTA", and all of the MTAs conflict, so you just use APT to install your MTA of choice, and it replaces the existing one.
WMBC freeform/independent online radio.
This is a security problem from March. Sendmail 8.12.9 was released on March 31st, correcting this problem.
Why is this being posted nearly half a year later? Solely to advertise Postfix?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
stop executable (ie virus) content. And nobody
in my company got the recent SoBig virus. Here's the line:
(Offtopic: A similarly nice, elegant solution for desktop/clients PC printing is pdq, which unlike lpd and cups runs only as a local spooler without opening a network port, and is lean (65k), dead-simple and functional. With nullmailer/ssmtp & pdq, I managed to close all ports (except of course SSH) on my two desktop PCs under Debian GNU/Linux without any firewalling. AFAIK, Debian is the only OS offering all the aforementioned pieces of software as part of its main distribution.)
gopher://cramer.plaintext.cc http://cramer.plaintext.cc:70
This is something that really pisses me off. People bitch and moan about Sendmail being so hard to configure when really they haven't done the tiniest bit of research or RTFM. If they had they would have known not to edit the CF. "Don't touch the CF" is the most common answer on comp.mail.sendmail. Yet these novices still feel knowledgeable enough to make claims about how hard it is to configure Sendmail. I swear the quality of sysadm nowadays is somewhere in the crapper. I've been using Sendmail since 8.8.7. I have never had an unusual configuration I couldn't quickly create with a minimal amount of online research. It's not rocket science folks.
BIND was originally was an implementation in C of Jeeves, which was the original PDP-10 DNS implementation. This explains some of the cruft (but in fact I don't feel that BIND has all that much cruft).
We handle roughly 1.5million pieces of mail daily, and found major performance problems with qmail. In particular, qmail would tend to start slowing down, for no apparent reason, which would make the queue size even larger; and well, it was a slipery slope. We found by switching to postfix not only did we eliminate the issues, but since this is a cluster of mail servers, the postconf command made admining the boxes much easier.
(this was on stock redhat 7.2 installs with scsi raid 5 disk arrays)
Both were designed as insecure -- sendmail because the net was so small in those days that you could trust it, windows because it was intended for single-user off-net PCs.
Neither is securable. Both need to be replaced while maintaining backwards compatibility. Windows got Windows NT, Sendmail got qmail, postfix, exim and others.
Windows NT is still terribly insecure, qmail/postfix/exim are rock solid. Why?
Because the mail compatibility relies on a well thought out open standard (RFC822) whereas Windows relies on an entire slapped-together API.
So stop being overly critical and learn something! :-)
Sig:Why copyright isn't a fundamental human right
It turns out that the wu-ftpd report for the crack of alpha.gnu.org on slashdot was in fact wrong, and in fact alpha.gnu.org wasn't even running wuftpd. It was "just" the linux kernel ptrace vulnerability and a local user.
Compare this to the antics of "that corporation" who is quite content to leave bugs as "undocumented features". Could be this FUD is just a reaction to that "insecure by design" mudslinging.
why would I want to use a system that requires you to preprocess your configuration file, and gives you an obfuscated but still legible configuration file as an output? Does the arcane syntax of the .cf file really make it that much faster for sendmail to parse the configuration file?
I understand sendmail is just fine for people who are used to it, I used it for four years and got by with few problems. I also understand why people shy away from sendmail and the attraction to alternative mailers like postfix and qmail. For the past year I've used postfix and feel infinitely more comfortable with its configuration, design philosphy, and inner working than I ever did with sendmail.
Maybe I should spend my time RTFMing and doing online research into sendmail to make myself feel more comfortable with it. Nah, I'd rather just install Postfix and get on with my life.
A radio maverick jumps to internet only. The Future of Rock n Roll
According to http://cr.yp.to/surveys/sendmail.html and http://cr.yp.to/surveys/smtpsoftware6.txt, Sendmail has long been trending towards less and less hosts running it. As of his last survey two years ago, it was at 42%. And if you look only at "serious" MTAs, those for sites that have heavy mail volumes, you'll probably see even less Sendmail.
One simple rule for its versus it's
postfix is sommand-line compatible with sendmail, even going so far as to include a binary named "sendmail" for just that reason. I've got several CGIs that use that, just because they're no important enough for me to rewrite them.
I can't comment on other MTAs in that regard.
If your config language is Turing-complete, and needs a parsing tool to be useful even to "gurus", something is very, very wrong.
PHEM - party like it's 1997-2003!
"major" being: courier, sendmail, postfix, exim and qmail.
it looks like it's about a year old, and has some missing information, but it's a place to start for anyone looking to switch MTAs.
smtpd_recipient_restrictions = permit_mynetworks, permit_mx_backup, reject
permit_mx_backup_networks = 64.15.260.112/27, 282.66.92.0/22, 67.91.305.33/32
(specific addresses changed to protect the innocent, and yes, I know that a byte can't exceed 255, that was deliberate)
This tells Postfix to accept mail for any domain that has an MX in one of the specified networks. So whenever I add a new domain to one of my primary MX servers, I don't have to change the configuration on my backup MX servers at all.
Assuming each e-mail passes on average 3 MTAs, and sendmail is used on 50% of those servers, that gives:
- .50 (probability first server rung sendmail)
- .50*.50 = 0.25 (probability second server runs sendmail, if first didn't)
- .50*.50*.50 = 0.125 (probability third server runs sendmail if first two didn't)
Summarizing: in 87,5% of cases, the e-mail was handled (= routed through) by at least one MTA running sendmail.If sendmail is deployed on 40% of the servers, the same reasoning gives a total of 62,4%. So the newspaper talking about "routing" and not about the percentage of servers running sendmail, may be correct.
My 2c.