Solved

Linux sendmail vs postfix : stability, robustness & vulnerabilities

Posted on 2015-01-23
Last Modified: 2015-02-24
We are using a commercial version of sendmail (refer to sendmail.com) on RHEL 5.x.

We have seen something like 20k emails sent to it within 5 mins & it just hung or caused
severe delays in delivery.

Q1:
Is postfix (which is now the default SMTP server with RHEL 6.x) more robust, i.e. can it take bursts of high
volumes & handle huge attachments/mails with faster deliveries?

Q2:
In past VA scans 5-10 years ago, sendmail was always reported as something that should
not be used.  Does postfix have similar issues, or is it not vulnerable to most VA scans today?

Q3:
We were told by our vendor that they set up the 'commercial' version of sendmail, which has a
separate interface/module GUI for whitelisting & blacklisting.  Is there a commercial
version of 'postfix' for which we can get official (e.g. supported by RHEL) support with
add-on user-friendly interfaces/GUI?
Question by:sunhux
19 Comments
 
LVL 50

Assisted Solution

by:Steve Bink
Steve Bink earned 175 total points
ID: 40567707
In every platform I've managed, postfix has been the MTA of choice on Linux.  Have you checked out iRedMail?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40568071
A1: postfix does much better under heavy load. It has easy-to-understand configuration files, so you don't have to pay for a web interface to manage them.
A2: It is not the VA scans that are at fault, but the eighties design of sendmail; e.g. its siblings BIND and DHCPD went through multiple complete rewrites to keep up with technology.
A3: It is just text files; make your own interface, or use webmin...
0
 

Author Comment

by:sunhux
ID: 40568090
Thanks guys.

I've just read iRedMail's reviews: the interface/GUI is something we'll need, but I'm still missing some
information on iRedMail:

a) does its GUI do whitelisting, blacklisting?
b) does it act as MTA & MUA itself, or does it still need postfix & dovecot to complement it?
c) we have occasional mail blasting, so can it take, say, 30000 mails in 5 minutes with each mail 100 kByte in size?
d) do we need something like LDAP for storage, or does iRedMail have its own proprietary user-friendly mail indexing/storage?
e) is this product's support based in the USA, China, or ... which country?  We have sensitive projects.
0
 

Author Comment

by:sunhux
ID: 40568092
Also, are there any links that provide info on how to migrate from Sendmail to iRedMail?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40568149
In every platform I've set up for the past 20 years, I've used sendmail.

Having said that, you might want to check out exim.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 82 total points
ID: 40568181
If you want a *reliable* mail server, make sure you run it on a robust platform such as Linux or FreeBSD.
I have used all MTAs such as Exim, Qmail, Sendmail, Postfix; my choice is still Postfix or Qmail.
If you are looking for an MTA (mail transport agent), take the following factors into consideration:
security, ease of management and configuration, active support, interoperability, antivirus, antispam, vacation, speed, logging, TLS implementation, etc.

Also have a look at:
http://en.wikipedia.org/wiki/Comparison_of_mail_servers
http://linuxmantra.com/2010/07/sendmail-vs-postfix-vs-qmail-vs-exim.html
http://www.scalix.com/
http://www.communigate.com/CommuniGatePro/
http://www.open-xchange.com/
http://www.egroupware.org/
http://zarafa.com/
0
 
LVL 50

Accepted Solution

by:Steve Bink
Steve Bink earned 175 total points
ID: 40568332
iRedMail is just the same open-source packages an admin would normally install, but pre-configured to be a closed MTA.   It includes postfix, clamav, spamassassin, fail2ban, and a host of other nifty things you would normally have to install, configure, and integrate yourself.  Take a look at their features page to see all the utility available.

The free admin interface isn't much - it only allows for adding and removing domains and their users.  You can purchase a license for their "pro" interface, which offers much greater functionality.  There is an online demo available from their site for you to check out.  The admin interface is just that though - an admin interface.

As far as MUA packages, it includes RoundCube webmail, though you could also choose any MUA, including remote clients such as Thunderbird or Outlook.

I highly recommend giving it a test run.  It is a breeze to install, and just works.
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 83 total points
ID: 40568451
Exim's architecture is similar to that of sendmail; it is the default on Debian, and in turn the most popular MTA around. The only web GUI is webmin, though that has more security holes than all versions of sendmail together.

What do you want to migrate? If it is mailboxes for system users, that is the default for any mailer out there. You might need to read some documentation on where to put what are normally sendmail's virtual mailboxes.

I find qmail and sendmail hard to configure for complex setups.
Exim is handiest for rejecting mail in the SMTP session with antivirus, for example.
For exim and sendmail you have a single process handling the outgoing queue; for others it is as many as needed.

And anything but sendmail can handle 400 mails per minute or 10 mails per second, even with full AV checks.
0
 

Author Comment

by:sunhux
ID: 40569343
>And anything but sendmail can handle 400 mails per minute or 10 mails per second, even with full AV checks
Does Gheist mean any other MTA (except sendmail) can handle that kind of volume, i.e. sendmail (even the
commercial one that we use, i.e. smswitch-3.3.0) is the only MTA that can't handle that kind of volume?


In our case, the vendor recommends the following settings for the commercial sendmail
(any comments on improving the settings?):

# Controls the default maximum size of a message queue, in bytes
kernel.msgmnb = 2097152

# Controls the maximum size of a single message, in bytes
kernel.msgmax = 65536
0

 
LVL 61

Expert Comment

by:gheist
ID: 40569365
Sorry, sendmail is a dinosaur, commercial or not. You pay much more for it than you would ever pay for just having a hosted email solution.

Kernel IPC parameters have no effect on any of the mailers mentioned. They are relevant for databases, if at all.
This is a question about sendmail alternatives, not about making pigs fly.
0
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 160 total points
ID: 40570658
I'm going to chime in here as a johnny-come-lately and make some recommendations based on my 25 year history with UNIX-based mail programs, a 15+ year career teaching UNIX & Linux system administration, and spending the past few years as an admin on the QMailToaster project.

First, if you assume that because I'm an admin on the QMT project that I'm going to suggest to you that you drop sendmail and postfix and run QMail... you would be DEAD wrong.

As noted by another "expert" above, MAIL has a huge dependency on DNS, so if you're dead-set on deploying your own, internal mail server, make sure you don't overlook the DNS overhead you'll have - especially if you're implementing any kind of reasonable SPAM protection (SPF & DKIM for starters).

But I'm actually going to spend the remainder of this response trying to convince you to NOT DEPLOY YOUR OWN EMAIL SERVICE at all!

20 years ago, I used to charge $35/year for domain registrations -- today it's $15, and sometimes less.
20 years ago, I used to charge $25/year to manage a domain's DNS services -- today it's free with a domain registration.
20 years ago, I used to charge $10/mo to manage a block of 10 email addresses -- today it's more like $10/year

Why the declining prices? At first glance, you'd think it is the typical technology maturation price drop -- and you'd only be partially right (and only a small part, at that). The truth is, domain registrations, DNS services, and even basic email haven't changed much in the past 20 years. What has changed is the use and (more importantly) the ABUSE of these services, which has precipitated a plethora of other services deployed in the name of protecting us from these ever-escalating abuses.

So, if you're deploying your own mail servers, you're also going to need to start monitoring your server's public IP address for the SPAM blacklists. It'd be great if there were only a few, and the site valli.org will certainly help you with the public blacklists (like SPAMCOP and SORBS) -- but "security vendors" and large ISPs each keep their own, PRIVATE blacklists as well. You can't monitor them (well, there are a couple that will let you monitor them for a fee), and when you get ON one of these lists, you generally have to get a CLIENT of the security company (or ISP) to issue a complaint that your messages are being blocked.

Next, you're going to need SPAM blocking services. The free ones (like SpamAssassin) require considerable maintenance and attention, as well as each having their own learning curve. No matter how much SPAM you block, however, know that your users will complain about too much getting through (or too much being blocked).

What all of this boils down to is the fact that email is a complex, constantly evolving problem that has already been solved and managed by the largest ESPs (Email Service Providers) and domain registrars. Whether you register at GoDaddy.com or IT4SOHO.NET, there are low-cost options that host your business email "in the cloud" where you won't have to worry about blacklists or spam-blocking (except to make a brief call to support from time to time).

My final point: This isn't a technology question anymore -- it's an economics one! For the cost of implementing your own "Volkswagen Beetle" of a mail server, you can get a "Cadillac" service from a significantly large provider -- in many cases, your registrar!

Just my thoughts...

Dan
IT4SOHO

PS: Many registrars will give you a set of free POP accounts -- this shouldn't be confused with BUSINESS email, which I believe should be IMAP-based and have backups. You get what you pay for!
0
 

Author Comment

by:sunhux
ID: 40573370
> NOT DEPLOY YOUR OWN EMAIL SERVICE at all
We can't, as we man/operate some very sensitive defence & government systems; thus
we need to have our own internal email MTA.

Gmail is pretty efficient : is it using postfix as its MTA?
0
 
LVL 50

Expert Comment

by:Steve Bink
ID: 40573457
GMail's MTA self-identifies as "gsmtp" - chances are it is a proprietary solution they built in-house.  I heard some internet rumors that they started with qmail, but I can't substantiate that.
0
 
LVL 20

Assisted Solution

by:Daniel McAllister
Daniel McAllister earned 160 total points
ID: 40573465
The only major MTAs that I know of that share their underlying implementations are:
 - Office.com (msn.com hotmail.com etc) uses Exchange (shocker there!)
 - Yahoo.com uses QMail


Early on GMail used QMail too, but if that is still the case, they've customized it beyond all recognition. Also MessageLabs used QMail until they were bought out by Symantec (now it's a "proprietary secret"). (I know these because of my affiliation with QMail -- as noted previously, I am an admin on the QMail Toaster project).

On the other hand, according to Wikipedia: In August 2013, in a study performed by E-Soft, Inc., approximately 27% of the publicly reachable mail servers on the Internet ran Postfix.

However, because Postfix is the default MTA on RHEL and derivative systems (like CentOS), that number will be inflated.
Still, the survey of some 2.3 million mail servers found that nearly HALF used EXIM as the MTA, followed by Postfix and Sendmail. (My beloved QMail Toaster came in a distant 12th -- HOWEVER, QMail makes it VERY EASY to change the banner message, and only 45% of tested servers actually identified their software in the banner message at all.)

All told, there are enough statistics out there to make any of the big 3 happy (QMail, Postfix, Exim).

Dan
IT4SOHO
0
 
LVL 61

Expert Comment

by:gheist
ID: 40573755
Debian has exim.
CentOS has postfix by default.
Qmail had some fishy licence problems.

A long time ago, like 2002, I printed the lengthy sendmail.cf and then dismantled it piece by piece into Exim. I think even nowadays you can hire a consultant to do that.
I assume your government gives you guidelines on how to configure at least one of postfix or exim for your needed security level.
I admit I like exim, though Microsoft SMTP and postfix suffice for me to forward mail to a smarthost.

https://en.wikipedia.org/wiki/List_of_mail_servers#Product_statistics
0
 
LVL 20

Expert Comment

by:Daniel McAllister
ID: 40573859
Just to rectify the comment:

QMail USED to be distributable SOLELY as source code (I assume that is the "fishy license problem" referred to above). This was per the developer Daniel J Bernstein, and while unusual, it was just his own way of making sure no one could use his code and profit from it. Daniel was fond of re-inventing the wheel and removing all the legacy problems with it, which is how/why QMail was/is so popular and enduring.

However, QMail was placed into the public domain in 2007 (the ONLY major MTA that is in the public domain!), so all of the licensing "quirks" are gone. You can now find QMail RPMs and Apt-Get packages for QMail installations.... but note that there are any number of versions of QMail out there -- basically, each is kind of like a Linux Distro on a smaller scale... they're groups of packages designed to help QMail be easier and more complete to implement and use.

Dan
IT4SOHO
0
 
LVL 61

Expert Comment

by:gheist
ID: 40573920
Thank you for correcting me.
I would recommend not going to high volume with qmail. Postfix or exim will raise throughput 10-fold where sendmail chokes.
Make sure you queue locally on machines where lots of mail is born. That saves mail messages from central mail hub overloads. Having two central mail hubs means there is no disruption unless a major disaster happens. You can even shut down one and watch everything just flowing fine... (and if you need 3 central mail hubs to handle everything smoothly + 1 machine spare, well, you must have deep pockets to stay with commercial sendmail)
0
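The layout gheist describes above (queue locally on the hosts that generate mail, relay to two central hubs so either one can be taken down) maps onto Postfix configuration as follows. This is an added example, not from the thread or the Postfix project; the host names, the 10.20.0.0/16 range and the numeric limits are assumptions to adapt. As gheist notes, kernel IPC sysctls play no part here; the queueing behaviour is set entirely in main.cf (which, unlike a sysctl file, only accepts whole-line comments).

```conf
# --- DNS: one relay name, two equal-preference MX records (constructed) ---
#   mailhub.example.internal.  IN MX 10 hub1.example.internal.
#   mailhub.example.internal.  IN MX 10 hub2.example.internal.
# Postfix tries equal-preference MX hosts in random order and moves on to
# the other one when the first refuses the connection or times out.

# --- /etc/postfix/main.cf on an application/edge host that generates mail ---
# Accept submissions only from local processes; nothing listens externally.
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8 [::1]/128
# No brackets around the name, so the MX records above are used for failover.
relayhost = mailhub.example.internal
# A 30000-message blast lands in the local queue instead of hitting the hub
# all at once; retry spacing stops a recovering hub from being re-flooded.
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
# Keep trying for two days of hub outage before bouncing to the sender.
maximal_queue_lifetime = 2d
bounce_queue_lifetime = 1d
# Parallel SMTP sessions this edge host opens towards the hub.
smtp_destination_concurrency_limit = 10
default_process_limit = 100

# --- /etc/postfix/main.cf on each central hub ---
inet_interfaces = all
# Only the edge hosts' range may relay through the hub.
mynetworks = 127.0.0.0/8 10.20.0.0/16
# reject_unauth_destination keeps the hub from ever being an open relay,
# whatever else is added to this list later.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
# Per-client burst limits (anvil); $mynetworks is exempt by default.
smtpd_client_connection_count_limit = 50
smtpd_client_message_rate_limit = 100
smtpd_client_event_limit_exceptions = $mynetworks
# 50 MB; raise deliberately if large attachments are expected.
message_size_limit = 52428800
default_process_limit = 200
```

After editing, `postfix reload` on each host applies the changes, and `postqueue -p` on an edge host shows the locally queued mail draining towards the hub.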
 

Author Comment

by:sunhux
ID: 40598098
I'm looking more at iRedMail or Postfix for handling high mail volumes (sometimes we may have
marketing mail blasts by our sales dept which are legitimate): Exim recently had a GHOST
vulnerability, so it is not in favour.

Does RHN (as we subscribe to RHN) produce patches for Postfix?

Between Postfix & iRedMail, which of the two:

a) has a more user-friendly GUI to do whitelisting, greylisting, blacklisting (sometimes we may
    need to do these xxxlisting by entire ranges of subnets & our current commercial Sendmail
    does not allow this, requiring us to enter IP addresses one by one), checking for stuck mails
    in the queue, anti-spamming management, allowing online backup & restore to a DR email
    server, reporting of usage by bytes & number of emails/month for customer billing

b) has more prolific patches (I suppose RHN doesn't; it's only the postfix user community)
     for security vulnerabilities & fixes for bugs?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40598139
a) that is normally done with text files, though nobody prevents you from integrating a database and making a PHP web UI to change it.
b) Red Hat applies all relevant patches, though their base product is a bit oldish.
Modules can be acquired via Fedora EPEL, like greylisting, clamav milter etc.
0
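The "text files" gheist refers to, for the subnet-wide whitelisting/blacklisting, greylisting and stuck-queue checks asked about in the question above, look like this in Postfix. This is an added example, not from the thread or the Postfix project; the addresses are constructed, and the postgrey port (its default, 10023) and the example.internal names are assumptions.

```conf
# --- /etc/postfix/client_access.cidr (constructed addresses) ---
# cidr: tables are read directly, no postmap step needed. The first matching
# line wins, so narrow exceptions go above the broad rule they override.
10.20.7.0/24        REJECT Blocked: quarantined workstation subnet
10.20.0.0/16        OK
198.51.100.0/22     REJECT Blocked by policy, contact postmaster@example.internal
# Anything not listed falls through to the remaining restrictions below.

# --- /etc/postfix/main.cf ---
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/client_access.cidr
    permit_mynetworks
    reject_rbl_client zen.spamhaus.org
# OK in the table only ends the client list; relay control and greylisting
# (postgrey from EPEL, as gheist mentions) still run here at RCPT TO time.
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:10023

# --- Stuck-mail checks (run as root on the mail host) ---
# postqueue -p                 list active and deferred mail with the deferral reason
# qshape deferred              deferred mail by destination domain and age bucket
# postqueue -f                 retry everything deferred right now
# postsuper -d ALL deferred    drop the whole deferred queue (check qshape first)
# pflogsumm /var/log/maillog   per-domain message and byte totals for usage reporting
```

Changes to the cidr file take effect on the next new SMTP session without a reload, which is also why a typo in that file should be checked with `postmap -q 10.20.7.5 cidr:/etc/postfix/client_access.cidr` before relying on it.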