On 01/18/2014 02:47 AM, Dan Egli wrote:
> It's primarily a personal preference. I personally started (like I'm sure
> most of us did) with Sendmail since that was what was included in my Linux
> distro (RedHat 8.0, before they dropped their free version). After finding
> many issues with Sendmail, I looked for an alternative. When I found that
> XMission, who was (and I think still is) the biggest ISP in Utah, was using
> Exim on their mail servers, I decided I'd try it. I've used it ever since.
What issues did you have with Sendmail, other than its horrid m4 config system? I tend to think of Sendmail configs like perl scripts or C socket code. You never write one from scratch, but just tweak the one you've been using for 20 years. In my professional life, on enterprise mail systems, I've always stuck with Sendmail because it was the most widely supported MTA and was an enterprise standard (yes, I understand Exchange is a "standard" too, and used for similar reasons as I give. Shudder, but that's enterprise for you). Sendmail's one redeeming feature is that it has these pluggable filters called "milters." If you run an enterprise mail server, milters can be a powerful tool. I wrote one milter filter in Python once. Powerful concept. In the years I've been using it professionally, it has not had any more security issues than any other MTA, and I've never been compromised via sendmail. Postfix now supports milters, though maybe not quite as fully as sendmail yet. If milter support were exactly the same I'd definitely take Postfix just for ease of configuring.

> As to why I don't use PostFix or Qmail, they have the same problem (to me
> it's a problem, not to others). They split functionality off into multiple
> binaries. So you have the listener binary that will in turn spawn off a
> recipient binary when incoming connections occur. And it spins off a queue
> manager binary when it runs through its queue. That binary in turn splits
> off another binary that actually tries to deliver the message. While this
> approach obviously works, I prefer the one binary method. Exim does that.

Would not the multiple binaries approach have security advantages? Nothing but the final delivery agent (say, procmail) needs to have special privileges. Each binary does one thing and has only enough privileges to do its thing before handing it off via IPC to another.

> Qmail ...
> I won't even consider starting a flame war by saying Exim is better than
> any other MTA (except for Sendmail and I don't think anyone will argue in
> sendmail's favor), but it's better _for me_ than any other MTA. I also like
> the ability of Exim to run in debug mode. If you want to watch and see why
> it's making a decision it is, you can run it in debug mode (exim -d) and
> watch it go through all its decision tree, spitting the logic out to
> stdout in nice, plain English. That makes it VERY easy to diagnose issues.

I'll argue in sendmail's favor (see milters above). And Sendmail also has a mode for analyzing how and why it's doing things based on email address. Handy for debugging rules. Though it's most definitely not plain English!

> I've yet to see any similar programs for PostFix or Qmail, but I'm not
> exactly looking. I settled on Exim and liked it, so I left it there. :)

Most postfix users use Amavisd, which works about like you describe. And you can do things like graylisting with postfix easily as well.

> As to security, any properly configured MTA is secure against spammers. And
> except for sendmail, most are fairly secure against hackers.

sendmail is no more or less secure against hackers than any other MTA. I've not had any security issues with sendmail (keeping it updated as security issues were found) in almost 15 years. One can argue that its architecture being monolithic is inherently less secure than Postfix. Any MTA is vulnerable to spammers, at least those wanting to send spam to you.

> It loses some
> of that security (not enough to become unacceptable, though) when you
> include database patches or Mbox patches or SMTP Authentication patches and
> what not.

Yes, this is the biggest drawback to Qmail. To make Qmail do anything useful you have to patch it with patch collections to add features you need.
This seems to be rather fragile to me, and despite the famous, long-standing bug bounty the author offers, I'm never sure of Qmail's actual security.

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
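The privilege-separation argument made in the reply above (each binary does one thing with only the privileges it needs, then hands off over IPC) is sketched below as an added example. It is not code from the thread or from Postfix, Qmail, Exim or Sendmail: a parent process keeps whatever privilege it started with, forks a worker, and the worker permanently drops to an unprivileged uid/gid and verifies the drop before it parses anything untrusted. The `SAMPLE_MESSAGE`, the `count_header_lines` step standing in for real message parsing, and the choice of the caller's own ids as the drop target are all constructed for illustration.

```c
/* Added example: the privilege-separation pattern discussed in the thread,
 * not code from any MTA. Parent stays privileged and only reads a result
 * back over a pipe; the forked worker drops privileges before parsing. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample message: two header lines, a blank line, a body. */
static const char SAMPLE_MESSAGE[] =
    "From: alice@example.invalid\n"
    "To: bob@example.invalid\n"
    "\n"
    "hello\n";

/* Drop to uid/gid permanently and verify the drop stuck. Returns 0 on
 * success, -1 otherwise. A target of 0 is refused: dropping "to root" is
 * not a drop. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;
    /* Supplementary groups can only be cleared with CAP_SETGID, so only
     * attempt it while still root; an unprivileged caller keeps its own. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Order matters: change the gid first, while root can still do so. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify both that the ids are what we asked for ... */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    /* ... and that root cannot be regained (saved set-user-id cleared too). */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* The step that touches untrusted input, so it belongs in the unprivileged
 * worker: count header lines up to the blank separator (constructed stand-in
 * for real message parsing). */
int count_header_lines(const char *msg)
{
    int n = 0;
    const char *p = msg;
    while (*p != '\0' && *p != '\n') {
        n++;
        const char *nl = strchr(p, '\n');
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/* Fork a worker that drops to uid/gid and parses msg; the parent only reads
 * the integer result over a pipe. Returns the count, or -1 if the worker
 * failed for any reason, including a failed privilege drop. */
int run_separated(const char *msg, uid_t uid, gid_t gid)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        if (drop_privileges(uid, gid) != 0)
            _exit(2);               /* never parse untrusted input as root */
        int n = count_header_lines(msg);
        if (write(fds[1], &n, sizeof n) != (ssize_t)sizeof n)
            _exit(3);
        _exit(0);
    }
    close(fds[1]);
    int result = -1, status = 0;
    if (read(fds[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;
    close(fds[0]);
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        result = -1;
    return result;
}

int main(void)
{
    /* A real MTA configures a dedicated account; here the worker drops to
     * whatever unprivileged ids this process already has, so the demo runs as
     * a normal user. Started as root, drop_privileges() refuses uid 0. */
    int n = run_separated(SAMPLE_MESSAGE, getuid(), getgid());
    printf("header lines counted by unprivileged worker: %d\n", n);
    return n < 0;
}
```

The point the example makes is the verification step: a drop that is not checked (setgid after setuid, or a saved set-user-id left behind) leaves the worker able to regain root, and with a single-binary design every parser, not just the final delivery agent, inherits whatever the listener was started with.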
