[rescue] Mail Server

Ryan Thoryk ryan at tliquest.net
Wed Dec 22 11:29:32 CST 2004


On Tue, 21 Dec 2004 08:31:42 -0600, Wes Will wrote 
> At 07:18 PM 12/20/2004 -0500, you wrote: 
> >here, so I hope for good reasons. 
> 
> Several very good reasons. 
> 
> 1. Sendmail is a nightmare to configure correctly and all-but-impossible to 
> debug said configuration due to the complexity of the rewrite rules.  That 
> said, if you still have some old, proprietary probably-mainframe-based 
> non-RFC mail system which you have to gateway into or out of, Sendmail 
> probably has a native capacity in the default config to handle it.  Use 
> that config file, and drop in the Postfix binary to do the actual work in 
> "Sendmail Replacement" mode. 

I started out with Sendmail, and I wouldn't recommend it for beginners.  I had
problems with flexibility and security originally (well, I was running an old
version of it, with no security patches lol ;) - this was back in '00 I think).

> 
> 2. Sendmail was written before any of the cracker-kiddies had invented 
> themselves.  Security was not one of the original design goals, but has 
> been grafted on as an after-thought, trying to shoehorn some reasonable 
> facsimile of network security ungracefully onto the end product.  Postfix 
> was written after the hacker/cracker explosion, with security one of the 
> primary design goals. 

The sendmail implementation I mentioned above led to a system compromise.

> 
> 3.  Postfix runs in smaller memory space and (tends to, in my experience) 
> spawns more quickly to meet rising load than a similar sendmail system. 

I haven't messed around with Postfix that much, but it seems nice.

> 
> 4.  Exim and qmail are quite able programs, and Exim in particular is known 
> for dealing gracefully with very large loads by using some decent parallel 
> queueing strategies.  Both programs (and qmail especially) are difficult to 
> get set up.  It takes some getting used to blithely put binaries in /var 
> .... In other words, getting either of these things to run will require 
> that you adjust your operating habits considerably to take advantage of 
> their security paradigms. 

I currently use qmail (and have been using it ever since the sendmail security
compromise, which means it's been running production for about 4 years).  It's
very flexible, powerful, and I wrote a few interfacing scripts for it that
establish a 5-stage custom-made spam filter system.  Oh it's soo nice ;) -
some of the scripts, all stats, and even archived spams are at 
http://www.tliquest.net/spam

> 
> 5.  Postfix can be a drop-in replacement for Sendmail, and if any of the 
> folks already in the organization have Sendmail experience it will help 
> them understand Postfix.  Leverage present knowledge. 

Isn't Exim also a drop-in Sendmail replacement?

> 
> 6.  No matter how well code is written, a careless administrator can still 
> make it unsafe.  Postfix is a little harder to make unsafe by goofing up 
> the config file - no set-uid root binaries.  Exim is also very safe, if you 
> can get it running.  qmail is also quite securable (but I'll be dipped in 
> dookie if I can get it to run in a stable fashion for any length of time, 
> even after putting in all the special users and groups and spool files and 
> directories and weird permissions on twenty thousand different files, all 
> different, and moving things around - and we're back to the binaries in 
> /var thing... I just don't -like- qmail.). 

Well, I love it ;) haha - it's running on a Compaq Proliant 6500 machine with 2
p3-xeon 500 cpus (512k), soon to be 4... and 1.8gb ram (just found some more,
so it'll be 2gb soon; a while back a friend of mine worked at my old high
school for tech work, and they were dumping gigabytes of compaq EDO ram).  

> 
> There are some reasons, not too rabid, for Postfix.  If you are needing 
> something in the small-to-medium-huge range, Postfix is your best bet.  If 
> you want to handle massively huge mail queues (tens of thousands of 
> messages per minute), go with Exim and pay close attention to the process 
> and thread limits sections of the config files.  And pray a lot.   (Keep a 
> good big flock of chickens to make dead and wave over the server.  (Any 
> MTA, not just Exim, under that sort of load needs dead chickens, and even 
> the occasional sheep or goat sacrifice.)) 
> 
> Sendmail will do if you have to do weird non-RFC things, but you're still 
> better off with Postfix in Sendmail-compatibility mode, from a security 
> standpoint. 
> 
> >Also, Bill, do you have a writeup of your postfix/amavis/clamAV 
> >installation, and maybe even a business case for it? 
> 
> I have that message archived from the original posting if you want it.  I 
> found the description to be dead useful.  (Ping me off-list for forwarding.) 
> 
> -- 
> wes will 
> _______________________________________________ 
> rescue list - http://www.sunhelp.org/mailman/listinfo/rescue

Ryan Thoryk 
Unix and Network Specialist 
ryan at tliquest.net
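Item 6 in the quoted message turns on one concrete property: whether the MTA leaves set-uid root binaries on the box for a careless config to expose. The script below is an added example, not code from this thread or from any of the MTAs discussed; it audits a directory tree for set-uid/set-gid executables and diffs what it finds against a baseline allowlist. It assumes the caller supplies the directories to scan and an allowlist file of expected absolute paths (one per line), and that `find` and `grep` behave as on a typical Linux or BSD host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree for set-uid/set-gid
# executables, the class of binary item 6 says Postfix does without.
# Assumptions: the caller names the directories to scan and an allowlist
# file of expected absolute paths, one per line (both are hypothetical
# inputs, not anything the thread provides).

# audit_setuid DIR...: print owner, mode and path (ls -ld style) of every
# set-uid or set-gid regular file under the given directories.
audit_setuid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null
}

# report_unexpected_setuid ALLOWLIST DIR...: print the path of every set-uid
# or set-gid file under DIR... that is not listed (exact line match) in
# ALLOWLIST.  Exit status follows grep: 0 when something unexpected was
# found and printed, 1 when the tree matches the baseline exactly.
report_unexpected_setuid() {
    allow=$1
    shift
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | grep -vxFf "$allow"
}
```

Typical use is to source the file and run `report_unexpected_setuid /etc/setuid-baseline /usr/sbin /usr/libexec /var/qmail` from cron, treating a zero exit status (something printed) as an alert; the baseline is generated once with `audit_setuid` on a freshly built host and reviewed by hand, so a binary that later gains the set-uid bit, whether by a package upgrade or by something less welcome, shows up as a diff rather than being silently accepted.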


