Postfix: A Secure and Easy-to-Use MTA

BSD Forums writes "On March 3rd, 2003, Internet Security Systems, in cooperation with the Department of Homeland Security, issued a warning regarding a hole found in Sendmail. The warning, echoed by CERT, warned system admins that any version lower than 8.12.8 was vulnerable to a serious root exploit. Sendmail has a long history of security holes, most of which have been thoroughly documented on security sites. While Sendmail runs half the mail servers in the world, there are smaller and easier-to-use mail transfer agents (MTAs). Network administrator Glenn Graham demonstrates how Postfix gives you most of the power with a fraction of the pain."

heh.

the department of homeland security is issuing security advisories now? did anyone know we're paying them to audit code?

I wonder if they'll start trolling on bugtraq.

-blak

Re:heh.

the department of homeland security is issuing security advisories now?

Do they do anything else?

Re:heh.

Is this the same Department of Homeland Security that recently signed a contract with Microsoft to provide their software? And they're complaining about Sendmail?

http://slashdot.org/article.pl?sid=03/07/16/1634 25 0&mode=thread&tid=103&tid=99

On the other hand, maybe they'll train their sights on BIND next.

Re:heh.

yeap, and it's the same homeland security that after buying that issued this warning [nipc.gov]. I suppose I should be glad they're looking out, because you and I both know that the terrorists might come into the country next through the finger exploit.

This is all just FUD

Sure, sendmail has had holes found in it from time to time. But we should remember that it has been a very *long* time, and for most people it has been stable as a rock. And I have never yet met anyone whose system has been compromised as a result of these holes. We also shouldn't forget that whenever bugs have been found, they have been fixed immediately (if not before).

Compare this to the antics of "that corporation" who is quite content to leave bugs as "undocumented features". Could be this FUD is just a reaction to that "insecure by design" mudslinging.

Re:This is all just FUD

Actually, it hasn't been that long [sendmail.com]. The latest security problems in sendmail were found in March.

Sendmail isn't awful - but some of its code is old, it's complicated, and it's richly-featured. All of these things contribute to an increased risk of bugs and vulnerabilities. In those respects, it's similar to some of those products by "that corporation," except that sendmail issues timely patches and the current developers, at least, care about security from the outset versus considering it as an afterthought.

Milters?

Does postfix have milters? Sendmail is popular for a reason.

Re:Milters?

No, postfix has no milters. A shame really, since milter is a nice way to control how your mail flows (and to filter/reject/bounce when needed).

Milter is one of the things that's keeping me with sendmail.

Re:Milters?

content_filter is the equivalent of Milter for Postfix.

This is quite powerful. For example, you can have some regular expression (around header or body), that sent to the content_filter.

If you want to switch and have milter in mind, please consult the documentation about content_filter...

Re:Milters?

Yes, postfix has mail filters. They're just not *called* "milters", and they're readable by people who don't have M4 parsers built into their reading glasses. Grumble grumble crummy sendmail configuration grumble.

In fact, most of the things you can do with sendmail through external additions are already in postfix. I'm pretty sure that Postfix is also overall "faster" than Sendmail, and it upgrades easier, and the config system is useful, etc...

Re:Milters?

No one will answer you....

Probably because nobody can be bothered to respond to such an imbecilic remark. Sendmail and postfix are Mail Transport Agents, not Groupware. If you wanted to compare Exchange with a Linux equivalent, then there have been umpteen threads here in the past on the topic. This one [slashdot.org], for example. Personally, I like this one [suse.com] but it isn't free. (At least not free as in beer. It's built on top of similar software to the free ones though.)

But do go on comparing apples with oranges if you wish. It doesn't hurt anyone, and it gives many of us a sense of smug superiority.

I can not complain about having to patch sendmail for the same

I'm so sorry, but you seem to be reading an imaginary slashdot thread in your own head, as opposed to this one, which is about the security holes in Sendmail and how using Postfix may be a better approach because of what a pain it is to keep it updated?

Perhaps you'd like to share your imaginary one with the rest of us and entertain us all some more?

Or try qmail - unbroken since v1.03 (1998)

Qmail is rock-solid. The best proof I can offer is that fact that no security flaw has been found since 1.03 was released in 1998. The man is a cryptographer and designed it for security.

There is also an enormous amount of support for the product available. Check out qmail.org and cr.yp.to/qmail.html

Re:Or try qmail - unbroken since v1.03 (1998)

More info is definetely needed before +5 interesting. Which OS, Filesystem, mountoptions and queue disk setup did you use for qmail to act like this.

I've had qmail experience the behavior you are talking about using Solaris/ufs/noasync (single scsi disk) but using ext3/async,noatime (single scsi) under Linux X86 has proven to be very nice.

Reiser would probably do a good job here too.

Setting up mailservers is more science then just telling what sucks and what does not.

Re:Or try qmail - unbroken since v1.03 (1998)

The DoS problem doesn't lie with qmail itself. That particular issue is best addressed through thresholding which is supported by ucspi-tcp's tcpserver (a replacement for inetd or xinetd).

If you are using ucspi-tcp already, then it is probably as simple as modifying the contents of /var/qmail/control/concurrencyincoming.

ucspi-tcp is not *required* but much of the qmail documentation assumes that you are using it. ucspi-tcp is also written by Dan Berstein (cr.yp.to/ucspi-tcp.html)

Re:Or try qmail - unbroken since v1.03 (1998)

What can you do with sendmail that you can't to with qmail? There is a a very large set of mature additions and patches to qmail that permit just about anything you may wish to undertake with your mail server.

On the point of qmail being cumbersome: I disagree - what could be simpler than adding a single line to your rcpthosts file? Maintaining qmail is trivial. However, I'll agree that the author's terse documentation makes it seem quite foreign but compared to sendmail it is positively didactic. There are also many other resources available which supplement the original docs.

Re:Or try qmail - unbroken since v1.03 (1998)

qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?

Re:Or try qmail - unbroken since v1.03 (1998)

That's a good point and one that should be considered whenever one patches the source. However some of the patches are trivial and "obviously" safe while others are additions that don't actually require changes to the qmail source itself.

Because of qmail's design, it is very resistent to compromise, even if one of the components is modified.

I believe that the strict partitioning of function in qmail lends itself better to extension than a constantly evolving package such as sendmail.

I'm not in a position to compare it to Postfix.

Re:Or try qmail - unbroken since v1.03 (1998)

This is exactly the problem with the OpenBSD, qmail (and the rest of DJB's software) and any other system that claims security through simplicity, but then refuses to either add features or accept code changes for the feature set that is needed in the real world. I respect this software, as I respect all functioning software that is contributed to the community (though qmail is contributed with some heavy provisos on what you are allowed to do in terms of modification and distribution).

However, you get the "unsupported majority" who run a modified/patched/extended version that might well have security flaws that no one knows about. Worse, when an exploit is found in one of those changes, the maintainer of the central package usually makes a point of saying, "look, see! My software was secure, it was just those icky add-ons that were broken!" (as OpenBSD did with apache).

Bottom line: if you run OpenBSD or qmail or any other like service, don't patch it, or add unsupported features.

If that's not a good enough feature-set for you, choose a platform that embraces the feature-set that you need.

Now, on to the myths of sendmail:

Recent sendmail holes have been found because careful security auditing by programmers who have no goal other than to find such problems is being PAID for on sendmail. Companies like Red Hat have found such bugs in the Linux kernel, sendmail, apache, samba, etc, etc because they are looking for them, fixing them, and patching their user-base proactively.

I'm not saying that this is a first. Many companies that can afford it perform such audits, and it's still not as helpful, IMHO, as the benefit of being open source in the first place. However, saying that software is "insecure" because paid auditors have discovered and fixed the problems is... questionable.

I like sendmail. It has its quirks and problems, but I've yet to see a replacement that doesn't insist on proving that it's "better than sendmail" by imposing some strange restriction on the users (e.g. exim's B&D approach to RFC-compliance; postfix's convoluted incoming vs outgoing filtering; qmail's B&D approach to software distribution).

I like these other packages too, but I don't see a role for them as-is in my environments. Perhaps someday someone will write a simple sendmail replacement that is feature-for-feature compatible, but simply has simpler code and a more straight-forward config syntax (the only two real failings of sendmail).

Re:Or try qmail - unbroken since v1.03 (1998)

qmail is supposedly very secure in its default state. Aren't you compromising that security when you add third-party patches? I would think that these patches, since they are not part of qmail proper, have received nowhere near the scrutiny that sendmail (or postfix, exim, etc.) have received. Doesn't that defeat the main reason for using qmail?

I agree partly with you, it bothers me to have to patch my vanilla qmail to get all the functionality that I need. But on the other hand you only install the patchs that you need, so you're still more secure than if all the features/patchs we're allready bundled with qmail.

The idea is to keep your installation as small as possible and to install only well-known patchs.

Re:Or try qmail - unbroken since v1.03 (1998)

I've considered qmail a few times, but Dan is such an abrasive prick that I just couldn't bring myself to use his software (the same can be said of Theo and OpenBSD). Check back through the qmail archives for some of his abusive responses to participants in the various qmail lists. Wietse, on the other hand, is easy to get along with, fixes things in a timely manner and operates in a much more respectful manner. Postfix is simple, secure, and well supported. Also, it doesn't require that you install all the author's other tools in order to have a functioning MTA.

Re:Or try qmail - unbroken since v1.03 (1998)

>Postfix, on the other hand, suffers from the windows design pardigim.
>One big package to do it all.

I guess if you define "one big package" to be modularized like this [porcupine.org] and "do it all" to mean "be an MTA" then you're right. Are you saying that qmail does less, with more than 36 different executables (which is how many postfix uses), and that that's better?

>Even Wietse doesn't trust his own software.
>http://marc.theaimsgroup.com/?l=bugtra q&m=1060186 77502632&w=2

Riiight. So you're saying that when Dan ships a bug fix, all qmail installations are magically updated, and all distributions out there on FTP servers and CDs are updated too. No? That's all that Wietse was lamenting - read the message again. He's saying that you can fix a bug in the current code but you can't make it go away retroactively. He doesn't say he doesn't use or trust his own software.

>Postfix on the other hand is still underdevelopment,

I guess you would prefer an abandoned product? Or are you saying it's not ready for production use yet? IBM released it FIVE YEARS AGO as the IBM Secure Mailer. It does get updated, though. Horrors! Do you use an OS that is "done" too, because not ever being updated is a good thing?

>suffers from a poor design,

According to you. How exactly is the design poor in your opinion? Hint: You can't just say "it's like Windows". What are some specific design choices and examples of why that's bad? Or are you just hand-waving?

>and probably will include the kitchen sink by next year.

Based on what, exactly? Please explain why you think Postfix is adding all sorts of non-MTA features lately, and preferrably show a link to a message by Wietse where he says he's going to do so in the future.

Re:Or try qmail - unbroken since v1.03 (1998)

There are two main things about qmail that gives it the edge.

1) It is a collection of small daemons. In the UNIX spirit. This cuts on the bugs and allows injection of emails into various stages, and developing addons much easier.

2) It has a structured config file system. Again thats truly like UNIX. You just go to one file, open it in an editor, usually has less than a screenfull of lines, edit it, close and reHUP the daemon. Imagine the same for sendmail. At the least you have to run make for it.

To be fair, I havent tried postfix, but after qmail, Ive kinda lost motivation to try anything else.

Re:Or try qmail - unbroken since v1.03 (1998)

At the risk of sounding like one of those infomercial testimonials...

I ran qmail for a year or so, then ended up switching to Postfix. At this point, you couldn't pay me to switch back to qmail.

It's not that qmail's a "bad" program. It's certainly not! Dave B. did a heck of a job with it, and I know it's in service as a Sendmail replacement at thousands of sites.

My gripes with qmail are that you practically need to be a programmer to implement it "properly" (at least that's my impression), and that, in order to have an ideal working environment for it, you have to replace the inetd daemon, and add in other tools that are far from simple for non-programmers to implement and use.

My biggest gripe with qmail was how it implemented spam blocking. Complex and clumsy (to my view), with no way that I found to "whitelist" a given domain name or IP, and no way to block on domain name lookup either.

Postfix solved all the problems listed above, and it came pre-installed with NetBSD [netbsd.org] (my Internet server OS of choice). As for its blocking/whitelist syntax, it couldn't be simpler. Examples...

For blocking: some.host 554 Access denied.
For whiteliesting: some.host OK

You simply replace 'some.host' with an IP address or host name, and the three-digit error code with anything you want. qmail was limited to two error codes. The best part is that you can, if you wish, block entire countries that have become spam sewers simply by doing things like this in the blocklist:

.cn 554 Access denied. China's a spammer paradise.

With qmail, you'd have to go through and enter every single IP range assigned to China, manually. I know -- I did this at one time for qmail, and it was two hours plus worth of work! What's even worse is that you have no control over what error message text is sent back. Postfix lets you put in anything you want.

While I will admit that Postfix's default blocking file cannot directly accomodate CIDR notation or IP ranges, Rahul Dhesi, one of the nice folks who inhabits news.admin.net-abuse.email, wrote a handy script [rahul.net] to take a source blockfile, complete with said CIDR notations and specific syntax to indicate a range, and convert it into a form usable with Postfix. He also has a bunch of other handy tools [rahul.net] for use with Postfix on his site.

I may not know what a "milter" is, but I do know that postfix can block or pass mail on just about anything you want. It supports regular expressions, hashes, etc.

I guess I do sound like a testimonial... Well, the heck with it! I like Postfix. ;-) The info at Postfix's home site [postfix.org] speaks for itself.

Keep the peace(es).

Use Qmail

The Qmail author offers money for any holes found. So far he hasn't had to pay a cent.

Re:Use Qmail

Qmail is a little tricky to set up, but it's also small, has some awesome optional features (virtualhosts and the .qmail aliasing system are wierd, but once you get them down you'll appreciate the flexibility they offer) and once you're done it's worth it. It's nice to have a service that you can say, "This is done. I no longer have to worry about it."

Of course, since I use DJBDNS and qmail-pop3, I have 3 services I can mostly ignore. And it only took me 8 hours curled up with lifewithqmail.org to do it.

Re:What's wrong with sendmail?

Don't get me wrong, postfix is a nice MTA. Yes, it is easier to set up depending on what you think is "easy", but still, it's a nice MTA, but no reason to not use Sendmail if you can help it.

I ditched SendMail because it made me uncomfortable as an administrator. Yes, I could get it working "good enough" that I wasn't a relay, but because of the arcane command file structure I wasn't satisfied that it was tuned the way I wanted it. (BTW, I had hand-coded a sendmail.cf from scratch before, and made it work, but that was when I had a whole day to spend on the project.)

Back in the days when there weren't a hoard of people trying to crack your system, SendMail was OK. Nowadays, you want to make absolutely sure there are zero holes in your system -- arguably you want to PROVE there are no holes, which is an impossibility -- and SendMail makes that very hard to do.

With PostFix, I can get a configuration file, sort it, and check each parameter against the manual. In fact, PostFix can get me EVERY setting (using postconf) so that I can verify I like the defaults, too.

In the current Internet environment, "good enough" isn't good enough.

Re:What's wrong with sendmail?

If you coded a sendmail.cf from scratch then you are a damned fool. There's no other way to put it. YOU DO NOT CODE THE CF BY HAND. YOU DO NOT EVEN TOUCH THE CF! The Sendmail gurus have been saying this for years and there is NO excuse for not heeding their warnings. You use the M4 macros to build your CF. There is rarely, and I do mean rarely, any reason to directly edit the cf. You can do everything you need to do in the M4 macro file. Even the Sendmail gurus themselves don't touch the CF.

This is something that really pisses me off. People bitch and moan about Sendmail being so hard to configure when really they haven't done the tiniest bit of research or RTFM. If they had they would have known not to edit the CF. "Don't touch the CF" is the most common answer on comp.mail.sendmail. Yet these novices still feel knowledgeable enough to make claims about how hard it is to configure Sendmail. I swear the quality of sysadm nowadays is somewhere in the crapper. I've been using Sendmail since 8.8.7. I have never had an unusual configuration I couldn't quickly create with a minimal amount of online research. It's not rocket science folks.

Re:What's wrong with sendmail?

why would I want to use a system that requires you to preprocess your configuration file, and gives you an obfuscated but still legible configuration file as an output? Does the arcane syntax of the .cf file really make it that much faster for sendmail to parse the configuration file?

I understand sendmail is just fine for people who are used to it, I used it for four years and got by with few problems. I also understand why people shy away from sendmail and the attraction to alternative mailers like postfix and qmail. For the past year I've used postfix and feel infinitely more comfortable with its configuration, design philosphy, and inner working than I ever did with sendmail.

Maybe I should spend my time RTFMing and doing online research into sendmail to make myself feel more comfortable with it. Nah, I'd rather just install Postfix and get on with my life.

Re:What's wrong with sendmail?

YOU DO NOT CODE THE CF BY HAND. YOU DO NOT EVEN TOUCH THE CF! The Sendmail gurus have been saying this for years and there is NO excuse for not heeding their warnings. You use the M4 macros to build your CF.

If your config language is Turing-complete, and needs a parsing tool to be useful even to "gurus", something is very, very wrong.

I've switched one box to postfix..

In general I found that virtual domains were a bit trickier to set up in postfix than in sendmail. Ordinary aliases were just as easy (read identical). My sites don't do enough volume to tell any difference in performance. The build/install process was probably a bit easier for postfix, i.e. didn't have to monkey around with M4. So as a sendmail admin of more years than I care to think about, postfix seems about as easy to administer as sendmail on a day-to-day basis.

Re:I've switched one box to postfix..

I've run heavy sites with postfix when I worked at a service access provider once. We had about 5k domains (notice I typed domains... users = ? don't have an idea) on each server (back then was a VAR501) running on postfix without a problem. QMail is alright but I notice the load gets heavy a bit so it's not good for like legacy systems at least in my opinion.

Sendmail.. ugh. Remember that old comment, if you've got nothing nice to say? At least they gave out free sendmail swiss army knives once!

Re:I've switched one box to postfix..

In general I found that virtual domains were a bit trickier to set up in postfix than in sendmail

postfix used to have a different way to do virtual domains (in fact, it was called the "sendmail-style" virtual domains). These were a pain. Now it is very easy to set up virtual domains. There are 3 steps, and it will take you all of 2 minutes to set this up. I kid you not...

1. Make sure 'virtual_maps' directive is in postfix.conf; e.g. virtual_maps = hash:/etc/postfix/virtual
2. Edit the file 'virtual' making sure you include the "Virtual domain" as the first line of a group. Include as many as of these blocks as you want, multiple domains.
   example.com Virtual domain
   ad1@example.com destuser1
   ad2@example.com destuser2
   
3. Run 'postmap /etc/postfix/virtual'

I can feel the flames...

...because the article poster had to mention Postfix. Now someone's gonna say "qmail", someone else will say "exim", someone will say "fuck you, sendmail all the way" and what could have been a nice debate about the full-of-security-holes-dinosaurs of open source will be spent in 500 messages worth of flamewar. Sigh.

The reason why

This article was really about a hole in sendmail. However, with all the so-called "Microsoft holes" Slashdot has been reporting non-stop about, they needed to immediately offer a working alternative so they can say, "It's not that big a deal; here are well-known alternatives," and play down the hypocrisy a bit. Meanwhile, there are just as many alternatives to Outlook, but that doesn't stop people from declaring Windows unsafe (never mind that SoBig is a user-transmitted worm). They were just trying to play down the seriousness of it. "You should have been using postfix!"

Just had to say it. Mod me down if you disagree.

sendmail for legacy

I can see that some ISPs have a need for sendmail due to legacy UUCP-customers (yes, someone still uses UUCP), but the world should really move on with regards to MTAs. Postfix, qmail and Exim are all good alternatives. Perhaps linux-distributions should offer other mailers as standard, that would probably get the ball rolling.

As for myself, I switched to postfix several years ago and haven't looked back even once.

Lucky I'm on windows

Phew lucky I'm running exchange and don't have these damn sendmail SECURITY fixes to worry about ;)

Panther / Mac OS X 10.3 (11?) will use Postfix

Just as a heads up to Mac users... the next major revision of Mac OS X, Panther, will be changing from Sendmail to Postfix. [macbuyersguide.com] So if you use Mac OS X, you don't need to do anything special other than buy Panther when it becomes available.

Personally, that's what is pushing me over the edge to learn Postfix and use it on my OpenBSD servers. In a nostalgic way, it's too bad... I once made some seriously good money writing custom sendmail.cf files on a consulting basis.

Re:Its look like Qmail Vs Postfix war

We handle roughly 1.5million pieces of mail daily, and found major performance problems with qmail. In particular, qmail would tend to start slowing down, for no apparent reason, which would make the queue size even larger; and well, it was a slipery slope. We found by switching to postfix not only did we eliminate the issues, but since this is a cluster of mail servers, the postconf command made admining the boxes much easier.

(this was on stock redhat 7.2 installs with scsi raid 5 disk arrays)

Courier

I have been using Courier [courier-mta.org] for over two years now. No remote roots ever or problems of any kind (I am amazed!). It's open sourced and a full package (esmtp, pop, imap, webmail and a thousand other things). It gets my vote.

Mmmm...postfix

I for one have used sendmail and postfix, and have tried qmail in the past [sorry, didn't like it].
I finally settled on Postifx. I really like it. I feel I don't have to jump through nearly as many hoops to get it running well as I did with sendmail. I certainly didn't need a 900 page 'bat' book to get postfix running. :)

With that said, to each his/her own. Use what you want, I'm sure people love qmail for reasons that make sense to them, and the same with exim and sendmail. Those of you who would flame me or others because of our choice of email servers all I can say is "Get over it..."

Ender

Stupid question...

Is Sendmail still used because it ships as the default mailer with almost every flavor of Unix?

Yes. Yes it is.

Just like Internet Explorer is still used because it ships as the default browser with every flavor of Windows, and Apple Mail is still used because it ships as the default mail client with every flavor of Mac OS X, and so on. This surprises you because...?

--
Damn the Emperor!

Re:Stupid question...

No it doesn't. Debian has Exim as it's default MTA.

Re:Stupid question...

Yes, I prefer postfix myself.

The only thing missing with postfix is native authenticated smtp. One needs to authenticate through sasl to use it, and I don't trust sasl. I'm not implying that sasl is an insecure product by virtue of bugs, but there are too many variables to make me confident that I can configure and deploy it securely.

Not Debian

I think they switched which MTA was installed by default between Potato and Woody, but neither one was Sendmail. And of course, they have you configure it when it's installed, and you can just tell it to not run the daemon and deliver local mail only (so you still get important stuff sent to root).

I've used Postfix, and like it very much. Currently, the email server for which I'm responsible runs Sendmail, because I haven't had time to figure out how to port the virtusertable over to Postfix.

As for hackstraw's comment, Debian makes it easy because packages depend on "an MTA", and all of the MTAs conflict, so you just use APT to install your MTA of choice, and it replaces the existing one.

Debian may switch

Debian has been installing exim [exim.org] by default forever now. It's also remarkably easy to use and configure, and it's just as versatile as sendmail.

There's been discussion about switching to postfix as the default for new installs however, and it may even be a done deal. A lot of arguments have been tossed about for this, however the biggie seems to be its simplicity: with something as complex as exim or sendmail, there are just more opportunities for something to go wrong. Postfix is quite enough for most users.

Alternatives

Postfix is cool and words but so does Exim, Qmail et al. Sendmail is a large code base that has devloped over many years but its secret is its ability to do alomst anything required. Of course its almost impenterable if you don't want to learn rule sets but you can just get the Orielly book which is only about 1000 pages long :)

Rus

Qmail just works

The combination of Qmail and Vpopmail is perfect for our company with multiple virtual domains. No other solution comes close.

If you run virtual domains, Postfix or Sendmail is not an option, especially if you dont want to deliver john@d1.com and john@d2.com to john@localhost. Heck, with virtual domains, you don't want to have user accounts anyway.

I wish there were other easy to use open source options, because Qmail really suffers under Sobig at this point.

Re:Qmail just works

What you talking about Willis?

Sendmail & Postfix support virtual domains with no problems.

Postfix: http://www.postfix.org/faq.html#virtual_domains

Sendmail you can do it extremely easily with the virtualusertable (and I have for years and years)

Wait for the "backlash"

I'm expecting certain people to make much of this news, citing the "insecurity that comes with open source".

All it demonstrates is that large complex pieces of software are inherently more difficult to secure than smaller simpler ones.

Sendmail is great but we switched to another MTA about four years ago, also because Sendmail had exploits.

Re:Wait for the "backlash"

Sendmail vs Windows makes an interesting comparison.

Both were designed as insecure -- sendmail because the net was so small in those days that you could trust it, windows because it was intended for single-user off-net PCs.

Neither is securable. Both need to be replaced while maintaining backwards compatibility. Windows got Windows NT, Sendmail got qmail, postfix, exim and others.

Windows NT is still terribly insecure, qmail/postfix/exim are rock solid. Why?

Because the mail compatibility relies on a well thought out open standard (RFC822) whereas Windows relies on an entire slapped-together API.

So stop being overly critical and learn something! :-)

aMy postfix is extremely secure

My postfix installation is extremely secure, I can't get it to receive any email at all. If anyone could help me unsecure it by teaching it to deliver mail to my computer, could they shoot me an email? (bassettgabriel @qwest.net). I'm not a system administrator, just a guy w/ linux at home and the simple setup just isn't working for some reason.

And this isn't an advertisement how?

Sorry for the flamebait, but how would it seem if an "objective" news-headline site said the following:

"The Dodge Ram has had a number of documented problems over the years. However, for less problems, try the Ford Explorer."

Come on...

Popular open-source packages with security holes

Citing a long history of security holes and patches is one way of justifying going with a less-populare but maybe more secure package. Right off the top of my head are these long-standing open-source packages with long histories of security holes:

• wu-ftpd. Most recently known for the crack of alpha.gnu.org.
• sendmail. "Not having sendmail is like not having VD", according to popular wisdom
• vixie-cron. I don't even know of a "virgin" distribution of this, which is probably a good thing; all the Linux vendors have their own set of extensive patches to vixie-cron.

There are multiple choices for replacing each of these, most of them a written-from-scratch replacement. Not all of these are perfect, either, but at least they're less popular, so (hopefully?) less likely to get hacked.

I personally run fcron, postfix, and proftpd instead of the more popular packages. I don't honestly claim that they're any more secure, in all cases they were mostly personal choices having to do with cleanness/installation ease.

Re:Don't forget BIND.

My information that the GNU alpha.gnu.org compromise was due to wu-ftpd came from this quote posted to slashdot after the compromise:

iSEC Security Research reports that wu-ftpd contains an off-by-one bug in the fb_realpath function which could be exploited by a logged-in user (local or anonymous) to gain root privileges. A demonstration exploit is reportedly available.

BIND was originally was an implementation in C of Jeeves, which was the original PDP-10 DNS implementation. This explains some of the cruft (but in fact I don't feel that BIND has all that much cruft).

Re:Don't forget BIND.

It turns out that the wu-ftpd report for the crack of alpha.gnu.org on slashdot was in fact wrong, and in fact alpha.gnu.org wasn't even running wuftpd. It was "just" the linux kernel ptrace vulnerability and a local user.

SMTP

SMTP is a fairly simple protocol, so why are there so many security problems with mail servers? Am I missing something obvious?

Re:SMTP

Sendmail started out with lots of regex ability because it was designed from the start to route mail not only through SMTP but into/out-of other mail systems - i.e. uucp mail, bang paths, corporate-internal mail systems, etc. So it needed to be able to dynamically rewrite and forward mail to non-SMTP systems.

This configurability honestly isn't needed today in 99% of cases. The number of people I know who need a bang-path to get mail to them (uucp) is now down to two.

But the ability to do things dynamically in sendmail through its configuration file isn't necessarily a weakness, the regex abilities are often used for other things today.

Old News

This is a security problem from March. Sendmail 8.12.9 was released on March 31st, correcting this problem.

Why is this being posted nearly half a year later? Solely to advertise Postfix?

Postfix virus filter

I love postfix. A while ago I added a filter to
stop executable (ie virus) content. And nobody
in my company got the recent SoBig virus. Here's the line:

/(filename|name)=".*\.(asd|chm|dll|com|exe|hlp|hta |js|ocx|pif|lnk)"/i REJECT Executable content not allowed

Re:Postfix virus filter

Even more fun than than that (in newer versions o' postfix) is this one:

/^Content-(Type|Disposition):.*(file)?name=.*\.(as d|bat|chm|cmd|dll|exe|hlp|hta|jse|lnk|ocx|pif|scr| shb|shm|shs|vb|vbe|vbs|vbx|vxd|wsf|wsh)/ REJECT Sorry, we do not accept .${3} file types.

Mostly I like that because you include the actual extension in the return message and it allows the string "file=blah.exe" in headers other than those two that might cause a problem

Note that I left .com out of the list because that one also catches messages with URLs attached (like, http://domain.com/). Since we mail URLs a lot where I work, that's not so good to block.

MTAs for desktop/client installations

For running an MTA on a desktop/client PC, I strongly recommend solutions like Nullmailer [untroubled.org] or, for computers with permanent Internet connectivity, ssmtp [debian.org]. Both work as just local gateways/bouncers to a remote SMTP server; they don't open any network ports and thus prevent remote exploits/attacks/spam relaying by design. Nullmailer offers local spooling (important for dialup connections) while ssmtp bounces everything immediately to the smarthost. Both are very small (ssmtp: 22k, nullmailer-send: 25k), ridiculously simple to configure even for people with low administration skills, both provide sendmail-compatibility to work with MUAs like mutt.

(Offtopic: A similarly nice, elegant solution for desktop/clients PC printing is pdq [sourceforge.net], which unlike lpd and cups runs only as a local spooler without opening a network port, and is lean (65k), dead-simple and functional. With nullmailer/ssmtp & pdq, I managed to close all ports (except of course SSH) on my two desktop PCs under Debian GNU/Linux without any firewalling. AFAIK, Debian is the only OS offering all the aforementioned pieces of software as part of its main distribution.)

Re:.. in scripts?

postfix is sommand-line compatible with sendmail, even going so far as to include a binary named "sendmail" for just that reason. I've got several CGIs that use that, just because they're no important enough for me to rewrite them.

I can't comment on other MTAs in that regard.

sendmail is NOT that popular

While Sendmail runs half the mail servers in the world

According to http://cr.yp.to/surveys/sendmail.html [cr.yp.to] and http://cr.yp.to/surveys/smtpsoftware6.txt [cr.yp.to], Sendmail has long been trending towards less and less hosts running it. As of his last survey two years ago, it was at 42%. And if you look only at "serious" MTAs, those for sites that have heavy mail volumes, you'll probably see even less Sendmail.

Newspapers not so wrong?

Sendmail "handles an estimated 75 percent of the Internet's email traffic."

Assuming each e-mail passes on average 3 MTAs, and sendmail is used on 50% of those servers, that gives:

• .50 (probability first server rung sendmail)
• .50*.50 = 0.25 (probability second server runs sendmail, if first didn't)
• .50*.50*.50 = 0.125 (probability third server runs sendmail if first two didn't)

Summarizing: in 87,5% of cases, the e-mail was handled (= routed through) by at least one MTA running sendmail.

If sendmail is deployed on 40% of the servers, the same reasoning gives a total of 62,4%. So the newspaper talking about "routing" and not about the percentage of servers running sendmail, may be correct.

My 2c.

a good comparison of all the major mailers

http://www.mailsoftware.cjb.net/ [cjb.net]

"major" being: courier, sendmail, postfix, exim and qmail.

it looks like it's about a year old, and has some missing information, but it's a place to start for anyone looking to switch MTAs.

The article didn't mention the best feature

If you need to run a backup MX for a lot of domains, you don't have to configure them all manually. You can just tell Postfix that it's allowed to backup domains that have MXes on specific networks. For instance, my Postfix main.cf includes:

smtpd_recipient_restrictions = permit_mynetworks, permit_mx_backup, reject
permit_mx_backup_networks = 64.15.260.112/27, 282.66.92.0/22, 67.91.305.33/32

(specific addresses changed to protect the innocent, and yes, I know that a byte can't exceed 255, that was deliberate)

This tells Postfix to accept mail for any domain that has an MX in one of the specified networks. So whenever I add a new domain to one of my primary MX servers, I don't have to change the configuration on my backup MX servers at all.

Re:I use

Really? If you don't have any MTA on your workstation, how do you get all of the email messages to root telling you that things are wrong with your system? Or might that be why you are reinstalling all the time? :)

You could try Debian; not only does it not install Sendmail by default (I think they're on Exim now; used to be smail, IIRC), but it's designed to only have to be installed once, ever, which solves your other problem.