Slashdot Mirror


Postfix: A Secure and Easy-to-Use MTA

BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."

21 of 374 comments

  1. Milters? by itsjpr · · Score: 5, Insightful

    Does postfix have milters? Sendmail is popular for a reason.

    1. Re:Milters? by Anonymous Coward · · Score: 5, Informative

      content_filter is the equivalent of Milter for Postfix.

      This is quite powerful. For example, you can have some regular expression (matching the header or body) that is sent to the content_filter.

      If you want to switch and have milter in mind, please consult the documentation about content_filter...
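      As an added illustration of the comment above (not from the original post or the Postfix project), this is the usual Postfix way to do what a milter would: a header_checks regexp that hands matching messages to a content_filter transport, plus the master.cf listener on which the filter re-injects them. The filter addresses, ports and the /etc/postfix/header_checks path are assumptions.

```text
# /etc/postfix/main.cf  (added example; addresses and ports are assumptions)
# Either scan every message through the filter on 127.0.0.1:10025 ...
#content_filter = scan:[127.0.0.1]:10025
# ... or select messages by regular expression on header or body lines.
header_checks = regexp:/etc/postfix/header_checks
body_checks   = regexp:/etc/postfix/body_checks

# /etc/postfix/header_checks  (one pattern per line; first match wins;
# patterns are case-insensitive by default)
# FILTER routes just this message to the filter transport defined below.
/^Subject:.*\[SCAN-ME\]/                     FILTER scan:[127.0.0.1]:10025
# REJECT needs no external filter at all.
/^Content-Type:.*name=.*\.(exe|scr|pif)"?$/   REJECT executable attachment

# /etc/postfix/master.cf
# Delivery transport that hands mail to the filter over SMTP ...
scan      unix  -       -       n       -       10      smtp
    -o smtp_send_xforward_command=yes
# ... and the listener where the filter re-injects the checked message.
# content_filter is cleared and header/body checks are disabled here so
# that a re-injected message cannot loop back into the filter.
127.0.0.1:10026 inet n  -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
```

      Test a pattern before reloading with `postmap -q "Subject: [SCAN-ME] hello" regexp:/etc/postfix/header_checks`; note that body_checks are applied line by line and only to the first body_checks_size_limit bytes (default 51200) of each body segment, so they are no substitute for a real scanner.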

    2. Re:Milters? by cloudmaster · · Score: 5, Informative

      Yes, postfix has mail filters. They're just not *called* "milters", and they're readable by people who don't have M4 parsers built into their reading glasses. Grumble grumble crummy sendmail configuration grumble.

      In fact, most of the things you can do with sendmail through external additions are already in postfix. I'm pretty sure that Postfix is also overall "faster" than Sendmail, and it upgrades easier, and the config system is useful, etc...

  2. Or try qmail - unbroken since v1.03 (1998) by KeithH · · Score: 5, Informative

    Qmail is rock-solid. The best proof I can offer is the fact that no security flaw has been found since 1.03 was released in 1998. The man is a cryptographer and designed it for security.

    There is also an enormous amount of support for the product available. Check out qmail.org and cr.yp.to/qmail.html

    1. Re:Or try qmail - unbroken since v1.03 (1998) by KeithH · · Score: 5, Insightful

      What can you do with sendmail that you can't do with qmail? There is a very large set of mature additions and patches to qmail that permit just about anything you may wish to undertake with your mail server.

      On the point of qmail being cumbersome: I disagree - what could be simpler than adding a single line to your rcpthosts file? Maintaining qmail is trivial. However, I'll agree that the author's terse documentation makes it seem quite foreign but compared to sendmail it is positively didactic. There are also many other resources available which supplement the original docs.

    2. Re:Or try qmail - unbroken since v1.03 (1998) by Anonymous Coward · · Score: 5, Insightful

      I've considered qmail a few times, but Dan is such an abrasive prick that I just couldn't bring myself to use his software (the same can be said of Theo and OpenBSD). Check back through the qmail archives for some of his abusive responses to participants in the various qmail lists. Wietse, on the other hand, is easy to get along with, fixes things in a timely manner and operates in a much more respectful manner. Postfix is simple, secure, and well supported. Also, it doesn't require that you install all the author's other tools in order to have a functioning MTA.

    3. Re:Or try qmail - unbroken since v1.03 (1998) by The+Original+Yama · · Score: 5, Insightful

      qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?

    4. Re:Or try qmail - unbroken since v1.03 (1998) by KeithH · · Score: 5, Informative

      The DoS problem doesn't lie with qmail itself. That particular issue is best addressed through thresholding which is supported by ucspi-tcp's tcpserver (a replacement for inetd or xinetd).

      If you are using ucspi-tcp already, then it is probably as simple as modifying the contents of /var/qmail/control/concurrencyincoming.

      ucspi-tcp is not *required* but much of the qmail documentation assumes that you are using it. ucspi-tcp is also written by Dan Bernstein (cr.yp.to/ucspi-tcp.html)

  3. Use Qmail by The+Original+Yama · · Score: 5, Informative

    The Qmail author offers money for any holes found. So far he hasn't had to pay a cent.

  4. I've switched one box to postfix.. by brentlaminack · · Score: 5, Informative

    In general I found that virtual domains were a bit trickier to set up in postfix than in sendmail. Ordinary aliases were just as easy (read identical). My sites don't do enough volume to tell any difference in performance. The build/install process was probably a bit easier for postfix, i.e. didn't have to monkey around with M4. So as a sendmail admin of more years than I care to think about, postfix seems about as easy to administer as sendmail on a day-to-day basis.

  5. I can feel the flames... by Crayon+Kid · · Score: 5, Insightful

    ...because the article poster had to mention Postfix. Now someone's gonna say "qmail", someone else will say "exim", someone will say "fuck you, sendmail all the way" and what could have been a nice debate about the full-of-security-holes-dinosaurs of open source will be spent in 500 messages worth of flamewar. Sigh.

    --
    i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer

  6. sendmail for legacy by Harald+Paulsen · · Score: 5, Insightful

    I can see that some ISPs have a need for sendmail due to legacy UUCP-customers (yes, someone still uses UUCP), but the world should really move on with regards to MTAs. Postfix, qmail and Exim are all good alternatives. Perhaps linux-distributions should offer other mailers as standard, that would probably get the ball rolling.

    As for myself, I switched to postfix several years ago and haven't looked back even once.

    --
    Harald

  7. Lucky I'm on windows by Mhumble · · Score: 5, Funny

    Phew lucky I'm running exchange and don't have these damn sendmail SECURITY fixes to worry about ;)

  8. Re:heh. by capt.Hij · · Score: 5, Funny

    the department of homeland security is issuing security advisories now?

    Do they do anything else?

  9. Courier by dusanv · · Score: 5, Informative

    I have been using Courier for over two years now. No remote roots ever or problems of any kind (I am amazed!). It's open sourced and a full package (esmtp, pop, imap, webmail and a thousand other things). It gets my vote.

  10. Re:Qmail just works by InsaneGeek · · Score: 5, Informative

    What you talking about Willis?

    Sendmail & Postfix support virtual domains with no problems.

    Postfix: http://www.postfix.org/faq.html#virtual_domains

    Sendmail you can do it extremely easily with the virtualusertable (and I have for years and years)

  11. Re:heh. by autechre · · Score: 5, Insightful

    Is this the same Department of Homeland Security that recently signed a contract with Microsoft to provide their software? And they're complaining about Sendmail?

    http://slashdot.org/article.pl?sid=03/07/16/1634250&mode=thread&tid=103&tid=99

    On the other hand, maybe they'll train their sights on BIND next.

    --
    WMBC freeform/independent online radio.

  12. Re:Stupid question... by Basje · · Score: 5, Informative

    No it doesn't. Debian has Exim as its default MTA.

    --
    the pun is mightier than the sword

  13. MTAs for desktop/client installations by Florian · · Score: 5, Interesting

    For running an MTA on a desktop/client PC, I strongly recommend solutions like Nullmailer or, for computers with permanent Internet connectivity, ssmtp. Both work as just local gateways/bouncers to a remote SMTP server; they don't open any network ports and thus prevent remote exploits/attacks/spam relaying by design. Nullmailer offers local spooling (important for dialup connections) while ssmtp bounces everything immediately to the smarthost. Both are very small (ssmtp: 22k, nullmailer-send: 25k) and ridiculously simple to configure even for people with low administration skills, and both provide sendmail-compatibility to work with MUAs like mutt.

    (Offtopic: A similarly nice, elegant solution for desktop/client PC printing is pdq, which unlike lpd and cups runs only as a local spooler without opening a network port, and is lean (65k), dead-simple and functional. With nullmailer/ssmtp & pdq, I managed to close all ports (except of course SSH) on my two desktop PCs under Debian GNU/Linux without any firewalling. AFAIK, Debian is the only OS offering all the aforementioned pieces of software as part of its main distribution.)

    --
    gopher://cramer.plaintext.cc http://cramer.plaintext.cc:70

  14. Re:Its look like Qmail Vs Postfix war by slushpupie · · Score: 5, Interesting

    We handle roughly 1.5 million pieces of mail daily, and found major performance problems with qmail. In particular, qmail would tend to start slowing down, for no apparent reason, which would make the queue size even larger; and well, it was a slippery slope. We found by switching to postfix not only did we eliminate the issues, but since this is a cluster of mail servers, the postconf command made administering the boxes much easier.

    (this was on stock redhat 7.2 installs with scsi raid 5 disk arrays)

  15. This is all just FUD by BrokenHalo · · Score: 5, Insightful

    Sure, sendmail has had holes found in it from time to time. But we should remember that it has been a very *long* time, and for most people it has been stable as a rock. And I have never yet met anyone whose system has been compromised as a result of these holes. We also shouldn't forget that whenever bugs have been found, they have been fixed immediately (if not before).

    Compare this to the antics of "that corporation" who is quite content to leave bugs as "undocumented features". Could be this FUD is just a reaction to that "insecure by design" mudslinging.