sunhux

Linux sendmail vs postfix : stability, robustness & vulnerabilities

We are using a commercial version of sendmail (refer to sendmail.com) in RHEL 5.x

We have seen something like 20k emails sent to it within 5 mins & it just hung up or caused
severe delay in delivery.

Q1:
Is postfix (which is now the default SMTP with RHEL 6.x) more robust, i.e. can it take bursts of high
volumes & can it handle huge attachments/mails with faster deliveries?

Q2:
In past VA scans 5-10 years ago, sendmail was always reported as something that should
not be used.  Does postfix have a similar issue, or is it not vulnerable to most VA scans today?

Q3:
Was told by our vendor that they set up 'commercial' version of sendmail which has a
separate interface/module GUI for whitelisting & blacklisting.  Is there a commercial
version of 'postfix' which we can get official (eg: supported by RHEL) support with
add-on user-friendly interfaces/GUI?
SOLUTION
Steve Bink

This solution is only available to members.

A1: postfix does much better under heavy load. It has easy-to-understand configuration files, so you don't have to pay for a web interface to manage them.
A2: The VA scans are not at fault, but the eighties design of sendmail is; e.g. its siblings BIND and DHCPD went through multiple complete rewrites to keep up with technology.
A3: It is just text files; make your own interface, or use webmin...

sunhux

ASKER

Thanks guys.

I've just read iRedMail's reviews: the interface/GUI is something we'll need, but I'm still missing a
few pieces of information on iRedMail:

a) does its GUI do whitelisting, blacklisting?
b) does it act as MTA & MUA itself, or does it still need postfix & dovecot to complement it?
c) we have occasional mail blasting, so can it take say 30000 mails in 5 minutes with each mail 100 kByte in size?
d) do we need something like LDAP for storage, or does iRedmail have its own proprietary user-friendly mail indexing/storage?
e) is this product's support based in USA, China, or ...  which country?  We have sensitive projects

sunhux

ASKER

Also, are there any links that provide info on how to migrate from Sendmail to iRedmail?

In every platform I've set up for the past 20 years, I've used sendmail.

Having said that, you might want to check out exim.

sunhux

ASKER

> And anything but sendmail can handle 400 mails per minute or 10 mails per second, even with full AV checks

Does Gheist mean any other MTA (except sendmail) can handle that kind of volume, i.e. sendmail (even the
commercial one that we use, i.e. smswitch-3.3.0) is the only MTA that can't handle that kind of volume?


In our case, the vendor recommends the following setting for the commercial sendmail:
(any comments on improving the setting? ) :

# Controls the default maximum size of a message queue, in bytes
kernel.msgmnb = 2097152

# Controls the maximum size of a single message, in bytes
kernel.msgmax = 65536

Sorry, sendmail is a dinosaur, commercial or not. You pay for it much more than you would ever pay for just having a hosted email solution.

Kernel IPC parameters have no effect on any of the mailers mentioned. They are relevant for databases, if at all.
This is a question about sendmail alternatives, not about making pigs fly.

sunhux

ASKER

> NOT DEPLOY YOUR OWN EMAIL SERVICE at all
We can't as we man/operate some very sensitive defence & government systems, thus
we need to have our own internal email MTA.

Gmail is pretty efficient : is it using postfix as its MTA?

GMail's MTA self-identifies as "gsmtp" - chances are it is a proprietary solution they built in-house.  I heard some internet rumors that they started with qmail, but I can't substantiate that.

Debian has exim
CentOS has postfix by default
Qmail had some fishy licence problems

A long time ago, like 2002, I printed a lengthy sendmail.cf, and then dismantled it piece by piece into Exim. I think even nowadays you can hire a consultant to do that.
I assume your government gives you guidelines on how to configure at least one of postfix or exim for your needed security level.
I admit I like exim, though Microsoft SMTP and postfix suffice for me to forward mail to a smarthost.

https://en.wikipedia.org/wiki/List_of_mail_servers#Product_statistics

Just to rectify the comment:

QMail USED to be distributable SOLELY as source code (assume that is the "fishy license problem" referred to above). This was per the developer Daniel J Bernstein, and while unusual, it was just his own way of making sure no one could use his code and profit from it. Daniel was fond of re-inventing the wheel and removing all the legacy problems with it, which is how/why QMail was/is so popular and enduring.

However, QMail was placed into the public domain in 2007 (the ONLY major MTA that is in the public domain!), so all of the licensing "quirks" are gone. You can now find QMail RPMs and Apt-Get packages for QMail installations.... but note that there are any number of versions of QMail out there -- basically, each is kind of like a Linux Distro on a smaller scale... they're groups of packages designed to help QMail be easier and more complete to implement and use.

Dan
IT4SOHO

Thank you for correcting me.
I would recommend not going to high volume qmail. Postfix or exim will raise throughput tenfold where sendmail chokes.
Make sure you queue locally on machines where lots of mail is born. That saves mail messages from central mail hub overloads. Having two central mail hubs means there is no disruption unless a major disaster happens. You can even shut down one and watch everything just flowing fine... (and if you need 3 central mail hubs to handle everything smoothly + 1 machine spare, well, you must have deep pockets to stay with commercial sendmail)

sunhux

ASKER

I'm looking more at iRedmail or Postfix having high volume mails (sometimes we may have
marketing mail blasting by our sales dept which are legitimate): Exim recently has a GHOST
vulnerability so not in favour.

Does RHN (as we subscribe to RHN) produce patches for Postfix?

Between Postfix & iRedmail, which of the two:

a) has more user-friendly GUI to do whitelisting, greylisting, blacklisting (sometimes we may
    need to do these xxxlisting by entire range of subnets & our current commercial Sendmail
    does not allow this, requiring us to enter IP address one by one), checking for stuck mails
    in the queue, anti-spamming management, allowing online backup & restore to a DR email
    server,  reporting of usage by bytes & number of emails/month for customer billing

b) has more prolific patches (I suppose RHN doesn't, it's only  the postfix user community)
     for security vulnerabilities & fixes for bugs ?

a) That is normally done with text files, though nobody prevents you from integrating a database and making a PHP web UI to change it.
b) Red Hat applies all relevant patches, though their base product is a bit oldish.
Modules can be acquired via Fedora EPEL - like greylisting, clamav milter etc.
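
The text-file approach from the answer above, applied to the asker's need to list whole subnet ranges, as an added example that is not part of the original thread: a table in the layout of a Postfix CIDR access table (the kind referenced as `check_client_access cidr:/path`) and a small Python evaluator showing why rule order matters. The addresses (documentation ranges), table contents and function names are constructed for illustration, and the parser handles only plain `pattern action` lines.

```python
import ipaddress

# Constructed sample in Postfix cidr_table layout: "pattern action [text]".
# Rules are searched top to bottom and the first match wins, so the
# single-host exception must come before the subnet that contains it.
SAMPLE_TABLE = """\
# trusted relay inside an otherwise blocked range
198.51.100.25       OK
198.51.100.0/24     REJECT blocked range
# internal application servers that send bulk mail
192.0.2.0/26        OK
2001:db8::/32       REJECT documentation prefix
"""


def parse_table(text):
    """Return [(network, action), ...] in file order."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern action'")
        pattern, action = parts
        # strict=True refuses patterns with host bits set (e.g. 10.1.2.3/24),
        # which are almost always typos.
        rules.append((ipaddress.ip_network(pattern, strict=True), action.strip()))
    return rules


def lookup(rules, client_ip):
    """Return the action of the first matching rule, or None if no rule matches."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if addr.version == network.version and addr in network:
            return action
    return None


RULES = parse_table(SAMPLE_TABLE)

if __name__ == "__main__":
    for ip in ("198.51.100.25", "198.51.100.77", "192.0.2.40", "192.0.2.70", "2001:db8::1"):
        print(ip, "->", lookup(RULES, ip))
```

A `None` result means no rule matched, so the decision falls through to whatever restriction comes next in the mail server's configuration.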