[linux-elitists] MTA roundup
Marc MERLIN
marc@merlins.org
Sun Apr 28 17:37:58 PDT 2002
LJ asked me for a writeup on a variety of subjects, and I picked an MTA
roundup.
While I wrote about sendmail, qmail, postfix, and exim, I only really know
sendmail (and not even the recent stuff) and exim. My knowledge of postfix
and qmail is limited.
If you have a little time to correct/complete this, it would be appreciated.
Thanks,
Marc
----------------------------------------------------------------------------
Choosing a free mail transport agent, by Marc MERLIN
If you're looking for an open source solution for a mail transport agent,
here are your most widely used choices:
Sendmail
Sendmail is the well known former de-facto standard. It has a shady security
history because it was written in days when security and crackers weren't
an issue. While the code hasn't yet been completely rewritten from the
ground up to be secure, it's been a while since the last root exploit in
sendmail, and the sendmail engineering team has been hard at work to salvage
the current code base, and make it reasonably secure.
Sendmail has been known for being slow and having the worst configuration
file of any program. Sendmail is probably still slower than some of the
alternatives, but some efforts have been made to make it more efficient,
like multiple queues. The configuration file should be generated from an M4
file, which is easier to edit, but on the whole, sendmail is still a lot
harder to configure than the alternatives.
As far as features go, sendmail does have a lot. Its configuration file
allows for very fine-grained configuration, and with milters, you have an
API to add custom checks and reject mail at any point during the SMTP transaction.
Qmail
Qmail is listed here since it is well known, but while it is free as in
beer, it is not open source compliant.
It was the most common MTA people would pick when they needed to move away
from sendmail, either for security reasons, because of the configuration
file, or because of the need for more speed.
Qmail has been put in use at some major sites from back when it was the only
decent alternative to sendmail. It's probably the MTA written in the most
secure fashion, and its author, Dan Bernstein, is known to be a talented
programmer who takes security very seriously.
Qmail is also known to be very fast, especially compared to sendmail, and
it's also been deployed in many places in conjunction with ezmlm, a smart
mailing list manager which uses VERP (variable envelope return path) to know
who is bouncing in a mailing list and handle this automatically.
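To make the VERP mechanism mentioned above concrete, here is an added example (not code from the original post, nor from ezmlm or qmail). The address layout list-bounces+localpart=domain@listhost is an assumption chosen for illustration; ezmlm uses its own layout, but the principle is the same: every recipient gets a unique envelope sender, so whichever address a bounce comes back to identifies the failing subscriber without parsing the bounce body.

```python
"""VERP (variable envelope return path) helper.

Added example, not code from the original post or from ezmlm/qmail.
The address layout (list-bounces+localpart=domain@listhost) is an
assumption chosen for illustration; ezmlm uses its own layout.
"""
import re
from collections import Counter


def verp_return_path(list_name, list_host, recipient):
    """Build the per-recipient envelope sender for one outgoing copy.

    '@' in the recipient becomes '=', and any literal '%', '=' or '+'
    is percent-escaped so that decoding is unambiguous.
    """
    local, _, domain = recipient.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an address: {recipient!r}")

    def esc(s):
        return s.replace("%", "%25").replace("=", "%3D").replace("+", "%2B")

    return f"{list_name}-bounces+{esc(local)}={esc(domain)}@{list_host}"


_VERP_RE = re.compile(
    r"^(?P<list>[^+@]+)-bounces\+(?P<local>[^=@]+)=(?P<domain>[^@]+)@(?P<host>[^@]+)$"
)


def verp_recipient(bounce_rcpt):
    """Recover (list_name, recipient) from the RCPT TO of a bounce.

    Returns None for addresses that are not VERP-encoded (e.g. postmaster).
    """
    m = _VERP_RE.match(bounce_rcpt)
    if not m:
        return None

    def unesc(s):
        # Reverse of esc(), innermost escape last.
        return s.replace("%2B", "+").replace("%3D", "=").replace("%25", "%")

    return m.group("list"), f"{unesc(m.group('local'))}@{unesc(m.group('domain'))}"


def failing_recipients(bounce_rcpts, threshold=3):
    """Tally bounces per (list, recipient) and return those at or over threshold.

    This is the automatic handling the text refers to: a list manager can
    disable or unsubscribe addresses that keep bouncing.
    """
    counts = Counter()
    for rcpt in bounce_rcpts:
        decoded = verp_recipient(rcpt)
        if decoded:
            counts[decoded] += 1
    return {key for key, n in counts.items() if n >= threshold}


# Constructed sample: RCPT TO addresses of bounces received by the list host.
SAMPLE_BOUNCES = [
    "lj-bounces+alice=example.com@lists.example.org",
    "lj-bounces+alice=example.com@lists.example.org",
    "lj-bounces+bob=example.net@lists.example.org",
    "postmaster@lists.example.org",  # not VERP-encoded, ignored
    "lj-bounces+alice=example.com@lists.example.org",
]

if __name__ == "__main__":
    print(verp_return_path("lj", "lists.example.org", "alice@example.com"))
    print(failing_recipients(SAMPLE_BOUNCES))
```

The escaping matters: without it, a subscriber whose local part contains '=' would decode to the wrong address, and a bounce could be attributed to (and disable) the wrong subscriber.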
The problems with qmail however, are its very unorthodox ways of
doing things, like filenames for each alias or no default support for
/var/spool/mail/user or ~user/.forward. In most cases the reasons for the
alternatives are sound, but the author being opinionated doesn't necessarily
give you the choice. You can find an example here:
http://www.qmail.org/qmail-manual-html/misc/INSTALL.mbox.html
This wouldn't be a problem per se, since patches exist to support things
that Dan doesn't agree with and won't include in his source tree, but you
are not allowed, among other things, to redistribute binaries of patched
qmail source. For that matter, you are also forced to compile qmail to
reside in /var/qmail, conflicting with the Filesystem Hierarchy Standard, if
you want to redistribute binaries.
The list grows longer; the arbitrary and, in my opinion, plain silly
licensing restrictions on qmail make it non open source compliant, among
other things, and make one wonder why we should bother with all these
restrictions when there are fine alternatives available nowadays.
If you are interested, you can find some more details by Rick Moen here:
http://www.linuxmafia.com/~rick/faq/#djb
My personal opinion is that while qmail is actually good software, life is
too short to have to deal with Dan Bernstein's eccentricities, and the
very unclear licensing in his software, again, especially when there are
fine alternatives available.
Postfix
Postfix, formerly known as VMailer, was written by Wietse Venema as another
replacement for sendmail. It has also been written from scratch with
security and speed in mind.
Just like qmail, postfix is modular; however, it's much closer to sendmail
with regards to supporting alias files, .forwards, or the de-facto
/var/spool/mail/mailbox standard.
Of course, there are other more powerful options available, and postfix
supports those too.
Postfix has a sane configuration file, and is also known to be very fast.
For people who like the modular approach for MTAs, and people who like some
of the features of qmail, postfix should definitely be the MTA of choice.
exim
Exim was meant to be an improved version of the defunct smail and Philip
Hazel wrote it to fix some of the shortcomings of smail and use it locally
in his university. It turned out to be used by more and more people until
it became the widely known MTA it is today.
This means however that it wasn't initially meant to be what it is today,
and it unfortunately uses the monolithic approach (one big daemon that does
most of the work), which is a bad thing security-wise.
That said, Philip has written exim carefully, and it has a good security
record, all things considered. If security is your topmost concern, exim can
be run without root privileges for most of its work, but if you're still
uneasy about this, you should consider postfix instead.
Exim has a very clear configuration file, and loads of configuration options
allowing you to do extensive rewriting without needing to speak sendmail.cf.
It can also do things like integrate with mailman and accept mail for
recipients on the fly by checking if there is a corresponding mailman list
on your filesystem (in other words, no need to have a 10,000 line alias file
if you have a few thousand lists).
While it's hard to say that one MTA is faster than another because it all
depends on what part of the MTA's speed you're checking, exim is also
noticeably faster than sendmail in most configurations, although it might be
a tad slower than postfix.
Exim seems to be the MTA of choice for many mailman users, just because of
its magic rule that lets you forget about the alias file you'd need for all
your lists, but it does much more than that. Exim is the only MTA I know
that can do SMTP callbacks (checks the actual server of the envelope and
header sender before accepting an email), a truly magnificent hack which
justifies switching to exim just for that feature.
You can look here for more details on the checks that exim can do:
http://sourceforge.net/docman/display_doc.php?docid=6747&group_id=1
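The SMTP callback described above, as an added example that is not part of the original post and is not exim's code: it runs the verification dialogue against an abstract server object so it works offline. FakeMxServer is a constructed stand-in for the sender domain's MX; the decision rules (2xx accepts, 5xx rejects, anything else defers) are how I would write such a check, and the HELO name is a placeholder.

```python
"""Sender verification callout (exim-style), as an added example.

Not code from the original post or from exim. FakeMxServer is a
constructed stand-in for the remote MX of the envelope sender's domain.
"""


class FakeMxServer:
    """Constructed stand-in for a remote MX. Accepts only the listed mailboxes.

    With greylist=True it answers RCPT with a 4xx, as a greylisting MX would.
    """

    def __init__(self, known_mailboxes, greylist=False):
        self.known = {m.lower() for m in known_mailboxes}
        self.greylist = greylist
        self.transcript = []  # commands the verifier sent, for inspection

    def banner(self):
        return "220 mx.example.com ESMTP"

    def handle(self, line):
        self.transcript.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.com"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            if self.greylist:
                return "450 Greylisted, try again later"
            addr = arg.split(":", 1)[1].strip("<> ").lower()
            return "250 OK" if addr in self.known else "550 No such user"
        if verb == "RSET":
            return "250 OK"
        if verb == "QUIT":
            return "221 Bye"
        return "502 Command not implemented"


def _code(reply):
    """Extract the 3-digit SMTP reply code, or None if the reply is malformed."""
    try:
        return int(reply[:3])
    except (TypeError, ValueError):
        return None


def callout(server, sender_address, helo_name="mail.verifier.example"):
    """Return 'accept', 'reject' or 'defer' for an envelope sender address.

    The verifier never sends DATA: it asks the sender's MX whether the
    address exists (RCPT TO) using the null sender (MAIL FROM:<>), so the
    probe itself cannot be verified in turn and cannot loop. A 2xx answer
    accepts, a 5xx rejects, and anything else (4xx or malformed) is a
    temporary condition: the caller should defer (451), never reject.
    """
    if _code(server.banner()) != 220:
        return "defer"
    for cmd in (f"HELO {helo_name}", "MAIL FROM:<>"):
        c = _code(server.handle(cmd))
        if c is None or c // 100 != 2:
            server.handle("QUIT")
            return "defer"
    c = _code(server.handle(f"RCPT TO:<{sender_address}>"))
    # RSET rather than DATA: this was a probe, not a delivery.
    server.handle("RSET")
    server.handle("QUIT")
    if c is None:
        return "defer"
    if c // 100 == 2:
        return "accept"
    if c // 100 == 5:
        return "reject"
    return "defer"


if __name__ == "__main__":
    mx = FakeMxServer(["bob@example.com"])
    print(callout(mx, "bob@example.com"), callout(mx, "nobody@example.com"))
    print(callout(FakeMxServer([], greylist=True), "bob@example.com"))
```

Two practical points follow from the code: a 4xx from the remote side must map to a temporary rejection on your own side, otherwise a greylisting MX makes you bounce legitimate mail; and because each callout costs a connection to someone else's server, results should be cached per address (exim caches them) rather than repeated for every message.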
Philip is also known to be very useful and helpful on the exim-users list.
Conclusion:
To anyone looking for an MTA today, I recommend postfix or exim. Exim is my
MTA of choice because of its configurability, but if postfix's functionality
is enough for you, and you like the security model, then you should probably
pick it.
----------------------------------------------------------------------------
--
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f@merlins.org for PGP key