On January 14, 2014, S. Dale Morrey wrote:

> Just curious by why Exim vs PostFix? Is it like the whole emacs vs vi
> debate, or are there capability, security or performance reasons for
> choosing one over the other. I'm not married to any as long as it sends
> mail like it's supposed to and doesn't whore itself out to spammers :)



This is going to be a LONG answer. :S



It's primarily a personal preference. I personally started (like I'm sure
most of us did) with Sendmail since that was what was included in my Linux
Distro (RedHat 8.0, before they dropped their free version). After finding
many issues with Sendmail, I looked for an alternative. When I found that
XMission, who was (and I think still is) the biggest ISP in Utah was using
Exim on their mail servers, I decided I'd try it. I've used it ever since.



As to why I don't use PostFix or Qmail, they have the same problem (to me
it's a problem, not to others). They split functionality off into multiple
binaries. So you have the listener binary that will in turn spawn off a
recipient binary when incoming connections occur. And it spins off a queue
manager binary when it runs through its queue. That binary in turn splits
off another binary that actually tries to deliver the message. While this
approach obviously works, I prefer the one binary method. Exim does that.



Qmail is a great system if you want to do nothing but what the author
designed it for, which is handle mail in MailDir format with no database
work or virus scanning or anything. But to get any of that functionality
you need to download 3rd party patches. Exim beats that because it's all
self contained. The Makefile determines whether you deliver mail in Mbox
format or MailDir or one of a couple others. It determines whether or not
you have any database drivers built into it, etc...  I just really like it.
I'm sure much of the same (build wise) can be said for PostFix, but then
PostFix has that multiple binary thing. Exim uses one binary for all, and
the command line parameters determine what the functionality is. That I
like. I can glance at a ps list (or top or whatever) and can tell exactly
at a glance what each process is doing without having to remember each
binary name. I can even grep a ps list to get all running instances of exim
(i.e. ps -ax | grep exim | grep -v grep) to get a quick idea of exactly
what's happening with regards to mail delivery.



I won't even consider starting a flame war by saying Exim is better than
any other MTA (except for Sendmail and I don't think anyone will argue in
sendmail's favor), but it's better _for me_ than any other MTA. I also like
the ability of Exim to run in debug mode. If you want to watch and see why
it's making a decision it is, you can run it in debug mode (exim -d) and
watch it go through all its decision tree, spitting the logic out to
stdout in nice, plain English. That makes it VERY easy to diagnose issues.



Of course, one other thing I really love about Exim is two "patches" that
have been developed, namely exiscan and sa-exim. Exiscan is a virus scanner
for Exim. It causes Exim to hold the message for virus scanning and only
deliver it if the virus scan passed. It works great for most things. I
personally don't use it because I'm paranoid and it doesn't extract
archives (at least, I'm not aware of it doing so). I use a separate program
instead called amavisd-new that does the same thing, but also extracts
archives first so they can be scanned. It's rather simple and plugs into Exim
nicely. Of course you can also plug it into PostFix I'm sure, and with some
work probably into Qmail. The second patch is one I absolutely adore.
sa-exim is a patch to get Exim to call SpamAssassin at SMTP time before
accepting a message. You configure the spam score levels at one of two
points. Teergrube and Reject. Anything LESS than Reject is accepted.
Anything Reject or higher but less than Teergrube is rejected (SMTP 5xx
error). The vicious part (for spammers) is the Teergrube mode (I believe
that's German for Tarpit). Any message that is HEAVY spam (score >=
Teergrube) will be TEMPORARILY rejected (SMTP 4xx error), but at the same
time Exim will try to hold the connection open for up to 15 minutes (SMTP
continuation messages, i.e. "430- Your Spam Score was WAY to high,
Spammer!" every 30 seconds. The - indicates to any MTA that follows
standard that more of the message is coming because the text of the error
couldn't fit on one line), denying the spammers that connection for sending
out their spam. The idea was that if everyone did something similar then
spammers would quickly run out of resources for quickly sending their spam.
If a spammer's primary SMTP server is configured to use 30 connections a
second and 20 of those are blocked for 15 minutes, it seriously hurts their
bottom line. :)



I've yet to see any similar programs for PostFix or Qmail, but I'm not
exactly looking. I settled on Exim and liked it, so I left it there. :)



I know people will love Qmail too, but to me it's too big of a headache.
The only reason I'd ever use Qmail is if we had need of a massive
distribution list (a one way list where I could post to it, but other posts
are rejected). Then I'd use Qmail and ez-mlm. I really don't LIKE Qmail,
but Mailman doesn't handle one-way distribution properly (at least, last I
tried it didn't), and it's the only open source, free mailing list manager
that's compatible with Exim that I'm aware of (as far as I understand it,
ez-mlm is Qmail specific).



As to security, any properly configured MTA is secure against spammers. And
except for sendmail, most are fairly secure against hackers. I think that
Qmail has the greatest anti-hacker security record, when in vanilla form
(no other patches, just the code that the author released). It loses some
of that security (not enough to become unacceptable, though) when you
include database patches or Mbox patches or SMTP Authentication patches and
what not. After Qmail I think it's a tossup between PostFix and Exim. Both
work well, but the multiple binary approach that both Qmail and PostFix use
really turns me off.



If you have PostFix running properly and you're happy with the job it's
doing, there's really no need to change out to another MTA. Especially for
what is basically just a relay point. Now if you were going to be setting
up a whole system with multiple users being delivered to, then I'd say you
may want to consider moving to Exim. But for what I believe this AWS
instance does, a simply set up PostFix, once properly configured and all DNS
issues are resolved, will be quite sufficient, I believe.



If you're more curious about Exim, I'd say check out the FAQs and the
mailing list archives for the exim-users list at exim.org. They will give
you a fair idea of what Exim is capable of, and what are common issues
people have in setting it up. :)



--- Dan
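
The accept / reject / Teergrube decision and the SMTP continuation lines described above, as an added example that is not part of the original post and is not sa-exim's own code. The thresholds, the 451 reply code and the reply text are constructed for illustration.

```python
import re

# Constructed thresholds for illustration; not sa-exim's defaults or option names.
REJECT_SCORE = 9.0
TEERGRUBE_SCORE = 20.0
HOLD_SECONDS = 15 * 60    # "up to 15 minutes", as in the post
INTERVAL_SECONDS = 30     # one continuation line every 30 seconds

def classify(score, reject=REJECT_SCORE, teergrube=TEERGRUBE_SCORE):
    """Map a spam score to the SMTP-time action the post describes."""
    if teergrube <= reject:
        raise ValueError("teergrube threshold must be above reject threshold")
    if score >= teergrube:
        return "teergrube"   # 4xx, connection held open
    if score >= reject:
        return "reject"      # 5xx, permanent failure
    return "accept"

def tarpit_schedule(code=451, text="Your spam score was too high",
                    hold=HOLD_SECONDS, interval=INTERVAL_SECONDS):
    """Return [(seconds_offset, wire_line)] for one tarpitted reply.

    Every line but the last is 'NNN-text' (more follows); the last is
    'NNN text', which is what finally completes the reply for the client.
    """
    lines = [(t, f"{code}-{text}") for t in range(0, hold, interval)]
    lines.append((hold, f"{code} {text}"))
    return lines

REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_reply(wire_lines):
    """Client view: return (code, texts, complete) for the lines seen so far."""
    code, texts = None, []
    for raw in wire_lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError(f"malformed reply line: {raw!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changed inside a multi-line reply")
        code = m.group(1)
        texts.append(m.group(3) or "")
        if m.group(2) != "-":          # space or bare code ends the reply
            return int(code), texts, True
    return (int(code) if code else None), texts, False

def seconds_held(schedule):
    """How long a standards-following client waits for the complete reply."""
    return schedule[-1][0]
```

Feeding `parse_reply` only the continuation lines returns `complete=False`, which is why a sender that follows the standard keeps the connection occupied until the final line arrives.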


On Thu, Jan 16, 2014 at 4:18 PM, S. Dale Morrey <[email protected]> wrote:

> Just curious by why Exim vs PostFix?  Is it like the whole emacs vs vi
> debate, or are there capability, security or performance reasons for
> choosing one over the other?  I'm not married to any as long as it sends
> mail like it's supposed to and doesn't whore itself out to spammers :)
>
>
> On Thu, Jan 16, 2014 at 12:32 AM, Dan Egli <[email protected]> wrote:
>
> > On January 14, 2014, S. Dale Morrey wrote:
> >
> > > You are correct. I changed it and that worked.
> >
> > Glad to hear it. :)
> >
> > > Now oddly enough I'm not receiving any email on the domain. DNS Tools is
> > > showing I now have no MX record set. My registrar on the other hand shows
> > > it as being set correctly. This is true even after a logout, clearing my
> > > cookies and cache, rebooting the computer, etc. Something is clearly stuck
> > > on their end and I'm working with support to resolve it.
> >
> > Sounds like a corrupted DNS record somehow. Probably the issue is that it
> > hasn't expired from your DNS SERVER yet. Clearing your cache and rebooting
> > only clears the local cache. The next time you request the domain it goes
> > directly to the indicated name server and asks for the records. If the
> > records are incorrect, but haven't passed the TTL, then you'll get the same
> > info back and caching name server won't ask for other info. If I was you,
> > I'd try using dig to determine where the records are wrong. i.e.,
> >
> > $ dig mx mydomain.com
> >
> > will ask the local nameserver that you use, and
> >
> > $ dig mx mydomain.com @<hosting provider's DNS svr>
> >
> > will specifically ask the hosting provider's DNS server for the
> > information. Dig can really be your friend in this time. Once you
> > determine if it's just Amazon's DNS cache (you did say this was on an AWS
> > node, right?) that is goofed, or is a fault of your provider's DNS you can
> > take steps to correct it. Easiest step that I know of is to simply update
> > the serial number (assuming a BIND style nameserver and not something else)
> > of the domain on the hosting provider's DNS server. Once the serial # is
> > increased (or extremely decreased, i.e. going from 2014011001 to 1) then
> > subsequent queries by other DNS servers (once the TTL value has been
> > reached anyway) will (or should) automatically re-grab the domain zone
> > information, including MX records. Naturally your hosting provider has to
> > do this, but I'd think they'd be willing to try something so simple to see
> > if it helps fix the records. Also find out how long their TTL is in the
> > zone record. I've seen some providers that set like a one week TTL, and
> > frankly I find that a bad idea unless you're SURE everything works
> > correctly (which it obviously doesn't) and nothing is going to change
> > within that week. One week expire, sure. But I'd recommend no more than six
> > to twelve hours of TTL on a development stage server/record.
> >
> > Meanwhile, one thing you could consider is forcing postfix to deliver mail
> > for mydomain.com to a specific server rather than relying on mx dns
> > queries. This is often referred to as a smart host (especially in sendmail
> > logic). I don't have any idea HOW to do this in postfix. I said before I'm
> > an EXIM person myself. But I would be shocked if it wasn't possible. Then
> > you wouldn't have to worry about DNS MX problems on your end. Now, of
> > course, others would be unable to email you except from the site, but it's
> > a step in the right direction anyway.
> >
> > Good luck!
> >
> > --- Dan
> >
> >
> > On Tue, Jan 14, 2014 at 12:59 PM, S. Dale Morrey <[email protected]> wrote:
> >
> > > You're correct.  I changed it and that worked.
> > > Now oddly enough I'm not receiving any email on the domain.  DNS Tools is
> > > showing I now have no MX record set.  My registrar on the other hand shows
> > > it as being set correctly.  This is true even after a logout, clearing my
> > > cookies and cache, rebooting the computer etc.  Something is clearly stuck
> > > on their end and I'm working with support to resolve it.
> > >
> > > These problems are unrelated since the DNS records are with the registrar.
> > > Still it's an odd coincidence.
> > > FYI I did have my MX records set to the hosted email provider I mentioned
> > > earlier.
> > >
> > > Just, odd :(
> > >
> > >
> > > On Tue, Jan 14, 2014 at 12:25 AM, Dan Egli <[email protected]> wrote:
> > >
> > > > On Sunday, Jan 12, 2013, S. Dale Morrey wrote:
> > > >
> > > > > No it's just supposed to send from the website. The destination is the
> > > > > hosted provider I mentioned earlier.
> > > >
> > > > I think others will have mentioned this one too, but from what I can read,
> > > > Postfix is trying to deliver mydomain.com to the local system, which is the
> > > > problem. Somehow Postfix has determined that it's an authorized mail end
> > > > point for mydomain.com. So it receives a message for <anyone>@mydomain.com
> > > > and accepts it, then tries to look up the user so it knows where to
> > > > actually write the message to disk. But these users don't exist on the
> > > > server, so it bounces the messages instead.
> > > >
> > > > I don't know where to tell you to look since I always use Exim as my MTA,
> > > > but somewhere in the Postfix config is a list of domains that it is
> > > > configured to accept mail for. You want to make sure mydomain.com is NOT in
> > > > that list. If you want to contact me off list, I'd be happy to help you
> > > > plug in Exim instead. Then I can guide you through any problems, and show
> > > > you some tricks to help diagnose these issues yourself. :)
> > > >
> > > > I suspect what you did is set this up thinking that you needed to configure
> > > > Postfix to allow messages for mydomain.com to be processed since they are
> > > > being generated by the Drupal instance on that server. But that's not quite
> > > > correct. Again, I don't know how to separate the two in Postfix, being a
> > > > long time Exim user myself. But what you need to do is configure your
> > > > server so that it knows nothing about mydomain.com, but does accept mail
> > > > from localhost (127.0.0.1), or possibly from the IP address of that AWS
> > > > instance. That is the best way I can think of.
> > > >
> > > > Good luck!
> > > >
> > > > --- Dan
> > > >
> > > >
> > > > On Tue, Jan 14, 2014 at 3:41 AM, Kyle Waters <[email protected]> wrote:
> > > >
> > > > > On 01/12/2014 09:43 PM, S. Dale Morrey wrote:
> > > > >
> > > > >> No it's just supposed to send from the website.  The destination is the
> > > > >> hosted provider I mentioned earlier.
> > > > >
> > > > > I ran into this in reverse recently.  I'm hosting the email and the
> > > > > website is hosted by the people who developed it.  They were trying to send
> > > > > an email to the people who the site is for and kept getting their mail sent
> > > > > back to them, since their server didn't have those usernames.  I was
> > > > > contacted because they thought it was an error on my side with my server
> > > > > bouncing the emails back. So at least you realized it was your
> > > > > configuration and you didn't contact the admin of the proper email server :)
> > > > >
> > > > > Kyle
> > > > >
> > > > >
> > > > > /*
> > > > > PLUG: http://plug.org, #utah on irc.freenode.net
> > > > > Unsubscribe: http://plug.org/mailman/options/plug
> > > > > Don't fear the penguin.
> > > > > */
> > > > >
> > > >
> > > > /*
> > > > PLUG: http://plug.org, #utah on irc.freenode.net
> > > > Unsubscribe: http://plug.org/mailman/options/plug
> > > > Don't fear the penguin.
> > > > */
> > > >
> > >
> > > /*
> > > PLUG: http://plug.org, #utah on irc.freenode.net
> > > Unsubscribe: http://plug.org/mailman/options/plug
> > > Don't fear the penguin.
> > > */
> > >
> >
> > /*
> > PLUG: http://plug.org, #utah on irc.freenode.net
> > Unsubscribe: http://plug.org/mailman/options/plug
> > Don't fear the penguin.
> > */
> >
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/

Reply via email to