
Linux sendmail vs postfix : stability, robustness & vulnerabilities

We are using a commercial version of sendmail (refer to sendmail.com) in RHEL 5.x

We have seen something like 20k emails sent to it within 5 mins & it just hung up or caused
severe delays in delivery.

Is postfix (which is now the default SMTP server with RHEL 6.x) more robust, i.e. can it take bursts of high
volume & handle huge attachments/mails with faster delivery?

In past VA scans, 5-10 years ago, sendmail was always reported as something that should
not be used.  Does postfix have similar issues, or is it not vulnerable to most VA scans today?

We were told by our vendor that they set up a 'commercial' version of sendmail which has a
separate interface/module GUI for whitelisting & blacklisting.  Is there a commercial
version of 'postfix' for which we can get official support (e.g. supported by RHEL) with
add-on user-friendly interfaces/GUI?
6 Solutions
Steve Bink commented:
In every platform I've managed, postfix has been the MTA of choice on Linux.  Have you checked out iRedMail?
A1: postfix does much better under heavy load. It has easy-to-understand configuration files, so you don't have to pay for a web interface to manage them.
A2: It's not the VA scans that are at fault, but the eighties design of sendmail; e.g. its siblings BIND and DHCPD went through multiple complete rewrites to keep them up to date with technology.
A3: It is just text files; make your own interface, or use webmin...
sunhux (Author) commented:
Thanks guys.

I've just read iRedMail's reviews: the interface/GUI is something we'll need, but I'm still missing a
few pieces of information on iRedMail:

a) does its GUI do whitelisting and blacklisting?
b) does it act as MTA & MUA itself, or does it still need postfix & dovecot to complement it?
c) we have occasional mail blasting, so can it take, say, 30000 mails in 5 minutes with each mail 100 kByte in size?
d) do we need something like LDAP for storage, or does iRedmail have its own proprietary user-friendly mail indexing/storage?
e) is this product's support based in the USA, China, or ... which country?  We have sensitive projects
sunhux (Author) commented:
Also, are there any links that provide info on how to migrate from Sendmail to iRedmail?
Jan Springer commented:
In every platform I've set up for the past 20 years, I've used sendmail.

having said that, you might want to check out exim.
Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP and CCIP, commented:
If you want a *reliable* mail server, make sure you run it on a robust platform such as Linux or FreeBSD.
I have used all MTAs such as Exim, Qmail, Sendmail, Postfix; my choice is still Postfix or Qmail.
If you are looking for an MTA (mail transport agent), take the following factors into consideration:
security, ease of management and configuration, active support, interoperability, antivirus, antispam, vacation, speed, logging, TLS implementation, etc.

Also have a look at:
Steve Bink commented:
iRedMail is just the same open-source packages an admin would normally install, but pre-configured to be a closed MTA.   It includes postfix, clamav, spamassassin, fail2ban, and a host of other nifty things you would normally have to install, configure, and integrate yourself.  Take a look at their features page to see all the utility available.

The free admin interface isn't much - it only allows for adding and removing domains and their users.  You can purchase a license for their "pro" interface, which offers much greater functionality.  There is an online demo available from their site for you to check out.  The admin interface is just that though - an admin interface.

As far as MUA packages, it includes RoundCube webmail, though you could also choose any MUA, including remote clients such as Thunderbird or Outlook.

I highly recommend giving it a test run.  It is a breeze to install, and just works.
Exim's architecture is similar to that of sendmail; it is the default on Debian, and in turn the most popular MTA around. The only web GUI is webmin, though that has more security holes than all versions of sendmail together.

What do you want to migrate? If it is mailboxes for system users, that is the default for any mailer out there. You might need to read some documentation on where to put what are normally sendmail's virtual mailboxes.

I find qmail and sendmail hard to configure for complex setups.
Exim is the handiest for rejecting mail in the SMTP session with antivirus, for example.
For exim and sendmail you have a single process handling the outgoing queue; for the others it is as many as needed.

And anything but sendmail can handle 400 mails per minute, or 10 mails per second, even with full AV checks.
sunhux (Author) commented:
>And anything but sendmail can handle 400 mails per  minute or 10 mails per second, even with full AV checks
Does Gheist mean any other MTA (except sendmail) can handle that kind of volume, i.e. sendmail (even the
commercial one that we use, i.e. smswitch-3.3.0) is the only MTA that can't handle that kind of volume?

In our case, the vendor recommends the following settings for the commercial sendmail
(any comments on improving the settings?):

# sysctl lines (as in /etc/sysctl.conf); the comments below describe what
# each System V IPC parameter actually controls, not what the vendor claimed
# Controls the maximum number of bytes in a single message queue
kernel.msgmnb = 2097152

# Controls the maximum size of a single IPC message, in bytes
kernel.msgmax = 65536
Sorry, sendmail is a dinosaur, commercial or not. You pay much more for it than you would ever pay for a hosted email solution.

Kernel IPC parameters have no effect on any of the mailers mentioned. They are relevant for databases, if at all.
This is a question about sendmail alternatives, not about making pigs fly.
Daniel McAllister, President, IT4SOHO, LLC, commented:
I'm going to chime in here as a johnny-come-lately and make some recommendations based on my 25 year history with UNIX-based mail programs, a 15+ year career teaching UNIX & Linux system administration, and spending the past few years as an admin on the QMailToaster project.

First, if you assume that because I'm an admin on the QMT project that I'm going to suggest to you that you drop sendmail and postfix and run QMail... you would be DEAD wrong.

As noted by another "expert" above, MAIL has a huge dependency on DNS, so if you're dead-set on deploying your own, internal mail server, make sure you don't overlook the DNS overhead you'll have - especially if you're implementing any kind of reasonable SPAM protection (SPF & DKIM for starters).

But I'm actually going to spend the remainder of this response trying to convince you to NOT DEPLOY YOUR OWN EMAIL SERVICE at all!

20 years ago, I used to charge $35/year for domain registrations -- today it's $15, and sometimes less.
20 years ago, I used to charge $25/year to manage a domain's DNS services -- today it's free with a domain registration.
20 years ago, I used to charge $10/mo to manage a block of 10 email addresses -- today it's more like $10/year

Why the declining prices? At first glance, you'd think it is the typical technology maturation price drop -- and you'd only be partially right (and only a small part, at that). The truth is, domain registrations, DNS services, and even basic email haven't changed much in the past 20-years. What has changed is the use and (more importantly) the ABUSE of these services, which has precipitated a plethora of other services deployed in the name of protecting us from these ever-escalating abuses.

So, if you're deploying your own mail servers, you're also going to need to start monitoring your server's public IP address for the SPAM blacklists. It'd be great if there were only a few, and the site valli.org will certainly help you with the public blacklists (like SPAMCOP and SORBS) -- but "security vendors" and large ISPs each keep their own, PRIVATE blacklists as well. You can't monitor them (well, there are a couple that will let you monitor them for a fee), and when you get ON one of these lists, you generally have to get a CLIENT of the security company (or ISP) to issue a complaint that your messages are being blocked.

Next, you're going to need SPAM blocking services. The free ones (like SpamAssassin) require considerable maintenance and attention, as well as each having their own learning curve. No matter how much SPAM you block, however, know that your users will complain about too much getting through (or too much being blocked).

What all of this boils down to the fact that email is a complex, constantly evolving problem that has already been solved and managed by the largest ESP (Email Service Providers) and domain registrars. Whether you register at GoDaddy.com or IT4SOHO.NET, there are low-cost options that host your business email "in the cloud" where you won't have to worry about blacklists or spam-blocking (except to make a brief call to support from time to time).

My final point: This isn't a technology question anymore -- it's an economics one! For the cost of implementing your own "Volkswagen Beetle" of a mail server, you can get a "Cadillac" service from a significantly large provider -- in many cases, your registrar!

Just my thoughts...


PS: Many registrars will give you a set of free POP accounts -- this shouldn't be confused with BUSINESS email, which I believe should be IMAP-based and have backups. You get what you pay for!
sunhux (Author) commented:
We can't as we man/operate some very sensitive defence & government systems, thus
we need to have our own internal email MTA.

Gmail is pretty efficient : is it using postfix as its MTA?
Steve Bink commented:
GMail's MTA self-identifies as "gsmtp" - chances are it is a proprietary solution they built in-house.  I heard some internet rumors that they started with qmail, but I can't substantiate that.
Daniel McAllister, President, IT4SOHO, LLC, commented:
The only major MTAs that I know of that share their underlying implementations are:
 - Office.com (msn.com hotmail.com etc) uses Exchange (shocker there!)
 - Yahoo.com uses QMail

Early on GMail used QMail too, but if that is still the case, they've customized it beyond all recognition. Also MessageLabs used QMail until they were bought out by Symantec (now it's a "proprietary secret"). (I know these because of my affiliation with QMail -- as noted previously, I am an admin on the QMail Toaster project).

On the other hand, according to Wikipedia: In August 2013 in a study performed by E-Soft, Inc.,[2] approximately 27% of the publicly reachable mail-servers on the Internet ran Postfix

However, because PostFix is the default MTA on RHEL and derivative systems (like CentOS), that number will be inflated.
Still, the survey of some 2.3 million mail servers found that nearly HALF used EXIM as the MTA, followed by Postfix and Sendmail. (My beloved QMail Toaster came in a distant 12th -- HOWEVER, QMail makes it VERY EASY to change the banner message, and only 45% of tested servers actually identified their software in the banner message at all.)

All told, there are enough statistics out there to make any of the big 3 happy (QMail, Postfix, Exim).

Debian has exim
CentOS has postfix by default
Qmail had some fishy licence problems

A long time ago, like 2002, I printed a lengthy sendmail.cf and then dismantled it piece by piece into Exim. I think even nowadays you can hire a consultant to do that.
I assume your government gives you guidelines on how to configure at least one of postfix or exim for your needed security level.
I admit I like exim, though Microsoft SMTP and postfix suffice for me to forward mail to a smarthost.

Daniel McAllister, President, IT4SOHO, LLC, commented:
Just to rectify the comment:

QMail USED to be distributable SOLELY as source code (I assume that is the "fishy license problem" referred to above). This was per the developer Daniel J Bernstein, and while unusual, it was just his own way of making sure no one could use his code and profit from it. Daniel was fond of re-inventing the wheel and removing all the legacy problems with it, which is how/why QMail was/is so popular and enduring.

However, QMail was placed into the public domain in 2007 (the ONLY major MTA that is in the public domain!), so all of the licensing "quirks" are gone. You can now find QMail RPMs and Apt-Get packages for QMail installations.... but note that there are any number of versions of QMail out there -- basically, each is kind of like a Linux Distro on a smaller scale... they're groups of packages designed to help QMail be easier and more complete to implement and use.

Thank you for correcting me.
I would recommend not going to high-volume qmail. Postfix or exim will raise throughput tenfold where sendmail chokes.
Make sure you queue locally on machines where lots of mail is born. That saves mail messages from central mail hub overloads. Having two central mail hubs means there is no disruption unless a major disaster happens. You can even shut down one and watch everything just flowing fine... (and if you need 3 central mail hubs to handle everything smoothly + 1 machine spare, well, you must have deep pockets to stay with commercial sendmail)
sunhux (Author) commented:
I'm looking more at iRedmail or Postfix for handling high-volume mail (sometimes we may have
legitimate marketing mail blasting by our sales dept): Exim recently had a GHOST
vulnerability, so I'm not in favour of it.

Does RHN (as we subscribe to RHN) produce patches for Postfix?

Between Postfix & iRedmail, which of the two:

a) has a more user-friendly GUI to do whitelisting, greylisting, blacklisting (sometimes we may
    need to do these xxxlisting by entire ranges of subnets & our current commercial Sendmail
    does not allow this, requiring us to enter IP addresses one by one), checking for stuck mails
    in the queue, anti-spam management, allowing online backup & restore to a DR email
    server, reporting of usage by bytes & number of emails/month for customer billing

b) has more prolific patches (I suppose RHN doesn't, it's only the postfix user community)
     for security vulnerabilities & fixes for bugs?
a) that is normally done with text files, though nobody prevents you from integrating a database and making a PHP web UI to change it
b) Red Hat applies all relevant patches, though their base product is a bit oldish.
Modules can be acquired via Fedora EPEL, like greylisting, clamav milter etc.
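The per-subnet allow/deny the question asks about is, in Postfix, a cidr: access table consulted from smtpd_client_restrictions (check_client_access and the cidr_table(5) format are real Postfix features). The following is an added example, not code from this thread or from the Postfix project: the table contents, the main.cf fragment's file path and all addresses are constructed, and the small evaluator only reproduces the documented first-match rule of cidr tables so that entry ordering can be checked before a table is deployed; it is not Postfix's own lookup code.

```python
import ipaddress

# Constructed example of a Postfix cidr: access table in cidr_table(5) format:
# "network/prefix action" per line, lines starting with '#' are comments,
# and the FIRST matching entry wins. A host to be permitted inside a blocked
# range therefore has to be listed BEFORE the broader reject.
CLIENT_ACCESS_CIDR = """
# /etc/postfix/client_access.cidr (constructed example)
# trusted relay inside an otherwise blocked range: listed first on purpose
192.0.2.25/32        OK
192.0.2.0/24         REJECT Subnet blocked by policy
# internal marketing senders (whole /16 in one line instead of one IP at a time)
10.20.0.0/16         OK
# a bare address is treated as a /32
198.51.100.7         REJECT
"""

# Constructed main.cf fragment showing where such a table is hooked in
# (directive names are Postfix's own; the path is the constructed one above).
MAIN_CF_FRAGMENT = """
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_access.cidr,
    permit_mynetworks
"""


def parse_cidr_table(text):
    """Parse cidr_table(5)-style text into an ordered list of (network, action).

    Like Postfix, refuse patterns whose host bits are set (e.g. 192.0.2.1/24),
    because such an entry almost always means the admin meant a different range.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'network action', got {raw!r}")
        pattern, action = parts
        try:
            network = ipaddress.ip_network(pattern, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad network {pattern!r}: {exc}") from exc
        entries.append((network, action.strip()))
    return entries


def lookup_client_access(entries, client_ip):
    """Return the action of the first entry containing client_ip (first match wins).

    None means no entry matched; Postfix then proceeds to the next restriction.
    """
    addr = ipaddress.ip_address(client_ip)
    for network, action in entries:
        if addr.version == network.version and addr in network:
            return action
    return None


def find_shadowed(entries):
    """Report entries that can never match because an earlier entry covers them.

    Returns (shadowed_index, covering_index) pairs, 0-based positions in entries.
    """
    shadowed = []
    for i, (net, _) in enumerate(entries):
        for j in range(i):
            earlier = entries[j][0]
            if net.version == earlier.version and net.subnet_of(earlier):
                shadowed.append((i, j))
                break
    return shadowed


if __name__ == "__main__":
    table = parse_cidr_table(CLIENT_ACCESS_CIDR)
    for ip in ("192.0.2.25", "192.0.2.99", "10.20.33.4", "198.51.100.7", "203.0.113.1"):
        print(ip, "->", lookup_client_access(table, ip))
    print("shadowed entries:", find_shadowed(table))
```

Run find_shadowed over a table before `postmap`-ing or reloading it: an OK entry that sits below the REJECT of its enclosing subnet is silently dead, which is exactly the mistake a hand-edited text file invites.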