Postfix 2.1 Released

MasTRE writes "After an extended period of polishing and testing, Postfix 2.1 is released. Some highlights: complete documentation rewrite (long overdue!), policy delegation to external code, real-time content filtering _before_ mail is accepted (a top 10 most requested feature in previous versions), major revision of the LDAP/MySQL/PGSQL code. Version 2.2 is in thw works, which promises even more features like client rate limiting and integration of the TLS and IPv6 patches into the official tree. There's never been a better time to migrate from Sendmail (just _had_ to get that in there ;)."

Already Upgraded...works great.

[haplo21112]

I upgraded first thing this morning when I saw the listing on freshmeat. So far its a drop in replacement.

Download
tar -zxvf
cd postfix-2.1.0
make
make upgrade
postfix stop
postfix start

No issues what so ever!

Even working correctly with TMDA whitelisting/blacklisting spam filter, which had been my one real concerns did anything happen that could screw up TMDA. NOPE! Runs fine.

Have to go ahead and look into setup and using some of the new features now I suppose.

Comparisons

[thebra]

on sendmail, qmail, exim, and postfix. HERE [shearer.org]

Re:versioning

[gowen]

That was basically Linus's idea. Some people have copied it (Gnome and Gimp hackers spring to mind), but its by no means all pervasive.

Re:Qmail

[Anonymous Coward]

Good thing there are no security fixes that egomaniac doesn't patch in qmail! [securityfocus.com]

Re:A big shout out to teh postfix guys

[Anonymous Coward]

ok... [securityfocus.com]

Postfix Heaven

[Chromodromic]

I just finished installing and configuring Postfix with TLS, Cyrus SASL, Maildir storage (which Postfix simply "does" by appending a "/" at the end of a mailbox path), and virtual users alongside Courier-IMAP, and, man, was it easy. I had the help of O'Reilly's Postfix: The Definitive Guide [amazon.com] and between that, the provided documentation and the wealth of resources available on the Web, I was able to get everything up and running in record time.

I know this sounds like a commercial, but it's hard not to sound that way when everything just kind've worked the first time. I now have authenticated, encrypted SMTP and POP and my users are, literally, thanking me. My experience has been that using Postfix was an easy way for me to look good.

Here's a Postfix SASL HOWTO [porcupine.org] which came in handy, but there are a lot of resources on the Web, especially at the Postfix [postfix.org] site.

Re:improved documentation..

[Anonymous Coward]

or you go to the actual link
http://www.postfix.org/docs.html
and it magically works.

Real-time filtering

[DustMagnet]

Cool, what's that about? I found this written by Wietse Venema the author/maintianer for postfix:

When used with a real-time SPAM filter, this approach allows Postfix to reject mail before the SMTP mail transfer completes, so that Postfix does not have to return rejected mail to the sender. Mail that is not accepted remains the responsibility of the client.

In all other respects this content filtering approach is inferior to the existing content filter (see FILTER_README) which processes mail AFTER it is queued.

The problem with real-time content filtering is that the remote SMTP client expects an SMTP reply within a deadline. As the system load increases, fewer and fewer CPU cycles remain available to answer within the deadline, and eventually you either have to stop accepting mail or you have to accept unfiltered mail.

Too bad it doesn't have a counter attack mode, yet.

Sendmail upgrade?

[Anonymous Coward]

There's never been a better time to migrate from Sendmail

It seems Exim 4 was released Feb 2002. It includes IPV6, TLS, and SMTPAUTH via PAM, LDAP, MYSQL, PostgreSQL and more.. There is also client rate limiting, and realtime spam/virus filtering no need to accept and bounce junk.
If you're using Postfix and have been waiting for any of these "new features", go ahead and try Exim.
Exim home page [exim.org]

SMTP time scanning, finally.

[stevenbdjr]

real-time content filtering _before_ mail is accepted

About time. I've been doing this with Exim [exim.org] and Exiscan [duncanthrax.net] for almost 2 years now. It's nice to see other MTA's begin to incorporate this functionality. Now, if everyone upgrades and takes advantage of this wonderful feature, maybe the number of false NDR's I receive due to forged senders will start to go down...

The Doc

[anarcat]

Yeah, that's good. I always had trouble finding my way into the postfix documentation, now it's a lot clearer [porcupine.org]. I especially like the listing of all main.cf settings [porcupine.org] (now if there would be a manpage for master.cf too...) and the bottleneck analysis tool [porcupine.org].

I do miss however the "big pictures" yellow + blue graphs that seduced me into trying out postfix long time ago. Now we're stuck with pityful text-only rendering [porcupine.org]

Still great, after all those years, postfix is my MTA of choice: ease of use, power and security.

Re:this SMTP server vs Qmail and Sendmail

[Just Some Guy]

It's Free Software (unlike Qmail) without Sendmail's security record (unlike Sendmail).

Personally, I still use Sendmail everywhere, but Postfix is designed to be a fast, secure, easy-to-configure MTA. It would be my migration path of choice if I were ever having problems in any of those three areas.

Re:Aaargghhh!

[Anonymous Coward]

"Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public Licence. In style it is similar to Smail 3, but its facilities are more general. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of exim is quite different to that of sendmail."

http://www.exim.org/ [exim.org]

Re:Comparisons

[Ryquir]

Yeah your comparisons link is seriously outdated (cicra 2001) and only compares mta descriptions. It is neither indepth nor does it touch on the features that existed at the time. With statements like "Add to this sendmail's renowned inefficiency" or "Postfix is quite flexible in its configuration file, but not to the extent of Exim" this document can't be anything more then a abstract draft written up for basic filler in attempt to sell a book idea to publishers.

This wouldn't have been a good comparison at the time it was written let alone now. Next time try googling a little harder perhaps you would have found this link: http://www.geocities.com/mailsoftware42/ [geocities.com] or heck google it for yourself here http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF -8&q=MTA+comparison&btnG=Google+Search [google.com]

Re:Great software, bad hardware

[bigberk]

When that old CPU fan craps out, a fast Postfix will do no good.

You're absolutely right. We're in the process of moving to some proper FreeBSD colocated servers (but then, what will I do with all the spare computing power)?

Re:because it's an ugly, lumbering dinosaur

[beegle]

Postfix has a sendmail-compatable setup where it creates a binary named "sendmail" that accepts common sendmail flags. In most setups, a switch-over is totally transparent.

The hardest part is deciding which of your Sendmail optimizations are still necessary on Postfix.

Sendmail is mostly around because of inertia. It can also do a few sick things (like bridging SNMP and non-SNMP mail systems) that are not necessary for most sane people.

Re:Converting from sendmail?

[bearl]

In the source directory there's a text file named INSTALL that has detailed instructions for the three installation options, including "Replace sendmail altogether."

I won't quote them here in case some of the steps have changed, but it's a very nice step by step list of what to do, what to type, and when to type it.

Postfix + TLS/SSL + SMTP-AUTH HOWTO

[phoxix]

Hi guys,

Postfix + TLS/SSL + SMTP-AUTH HOWTO [opencurve.org]

I wrote this howto a while back ago. It explains what is needed to be done in setting up a secure Postfix SMTP server with TLS/SSL and SMTP-AUTH. It isn't fully done (but the meat is there). I hope someone will find it useful.

Sunny Dubey

PS: no I have *not* submitted it to postfix.org, for it is not done, and its doesn't have all that I want in it. (Must add virus/spam scanning to it first)

Re:insight needed

[Xenophon Fenderson,]

I don't see any compelling reasons to migrate if everything is working fine in Qmail.

If you want a cookbook on how to set up Postfix and SpamAssassin and friends, there are several really good resources: Jeffrey Posluns [securitysage.com], Jim Seymour [linxnet.com], Meng Wong [mengwong.com] (old but still useful). Posluns' guide is probably where you should start first.

Re:this SMTP server vs Qmail and Sendmail

[DavidTC]

qmail isn't free software because it's non-forkable.

You can freely redistribute the source and binaries compiled from clean source. And you can distribute patches to it.

However, the point is, the qmail maintainer is the only person who can release new versions of qmail. And hence it's not free software.

There are two very large dangers with qmail...that it will go off in a random direction no one agrees with, and you'll either have to follow along or go that way, and that the qmail maintainer will just stop releasing new versions. With free software, if enough people use it, they will simply make a fork...but they can't do that with qmail. Technically they could grab a random version and keep building patches off that, but that becomes unmaintainable real fast.

In other words, qmail is basically 'freeware', not 'free software', although it does come in source form, and you have been granted the ability to modify it and even share the modifications. But not the end result.

Re:this SMTP server vs Qmail and Sendmail

[stilwebm]

It is also important to note that Postfix provides Maildir support for local delivery. This means you can have nested folders (containing both messages and more folders) on your IMAP server, where as with Sendmail's mbox format you can only have folders containing messages, and those folders are actually just long text files. Qmail provides the maildir format natively, but Postfix makes it free.

When next you announce..

[Anonymous Coward]

The latest version of an application... how about including a link to the release notes / changelog. No point in upgrading if you don't know the changes - RELEASE_NOTES [postfix.org]

Re:Grudgingly going back to Sendmail.

[DavidTC]

Why the hell are you sharing a mail queue? It's not like more than one server can send the message at a time, or receive it. And postfix supports NFS mailboxes just fine.

And why the hell are you bouncing spam? Delete spam or reject spam, do not bounce spam.

It sounds like you don't know what you're doing, or have a really stupid setup.

And, BTW, if you're getting hammered because you're the backup MX, which spammers like to pound, it might make sense to set up a tertiary MX server that doesn't actually exist. Spammers will go after that, instead, and never hit you, as almost all spamming software is written by complete fucking morons. Whereas actual mail that failed to get your primary server will just your backup. (Or, failing to get your backup, they will then fail to get your tertiary and just queue the mail, and start back over when they retry.)

I, personally, set up a 'backup MX' record to point at one of my IPs that didn't actually run a mail server, and cut my daily spam attempts by 30%.

Re:this SMTP server vs Qmail and Sendmail

[kweber666]

There are two very large dangers with qmail...that it will go off in a random direction no one agrees with

There is another theory which states that this has already happened.

and that the qmail maintainer will just stop releasing new versions

To quote the qmail web site [cr.yp.to]: The latest published qmail package is qmail-1.03.tar.gz, which was released in June 1998. So again, this may have happened already.

Re:because it's an ugly, lumbering dinosaur

[mattdm]

and how did you manage the MTA change in all your apps or did you only have to do in GNU/Mailman?

On fedora: run 'system-switch-mail', pick postfix, hit okay, you're done.

Re:because it's an ugly, lumbering dinosaur

[iainf]

how did you manage the MTA change in all your apps

Postfix presents itself as sendmail; it just drops in as a direct replacement. From my Mandrake box:

% file `which sendmail` /usr/sbin/sendmail: symbolic link to `/etc/alternatives/mta'
% file /etc/alternatives/mta /etc/alternatives/mta: symbolic link to `/usr/sbin/sendmail.postfix'

Re:Aaargghhh!

[spektr]

I use both words, and I use them to mean different things. "Suffix" (in my idiolect) means "a bound morpheme attached to the end of a word"; "postfix" means "an unbound morpheme attached at the end of a word".

Interesting. After doing some more research, I think it's time for me to give the word "postfix" a bigger place in my heart.

Are you saying mathematicians really refer to the style of "2 3 +" as "suffix notation"?

No, I found this entry in the Oxford English Dictionary: "MATH. An inferior index written to the right of a symbol, a subscript".

Re:Aaargghhh!

[Profane MuthaFucka]

Yes, I'd recommend that you look at both. Both are excellent, but in my experience some people who can't make sense of postfix configuration find Exim to be intuitive. And vice-versa. You won't know if you are a postfix or an exim person until you look at both.

OTOH..

[slittle]

The latest published qmail package is qmail-1.03.tar.gz, which was released in June 1998. So again, this may have happened already.

May also be read as: no known exploits for >= 5 years.

Re:this SMTP server vs Qmail and Sendmail

[dasunt]

It is also important to note that Postfix provides Maildir support for local delivery. This means you can have nested folders (containing both messages and more folders) on your IMAP server, where as with Sendmail's mbox format you can only have folders containing messages, and those folders are actually just long text files. Qmail provides the maildir format natively, but Postfix makes it free.

Or you can use Sendmail + Procmail for Maildir-style storage.

Re:Why does everyone alwasy gotta knock sendmail??

[Anonymous Coward]

Actually sendmail has better SMTP performance for sending multiple copies to multiple rcpts at same destination, but it's true that there's no reason for using sendmail except perhaps for outgoing SMTP.

Re:Sendmail upgrade?

[Zapman]

Every single one of these has been in postfix for at least 2-3 years. They have been UPDATED in postfix 2.1, not new features.

Not a compelling reason to switch.

[lorcha]

You can easily do virtual domains and spam filtering in qmail. Virtual domains you can read about in "Life With Qmail". For spam filtering and virus checking,

apt-get qmail-qfilter clamav spamassassin

and you're there. On the other hand, you may have other reasons to change MTAs. I'm actually thinking of switching from qmail to courier since I already use courier for IMAP, so it just makes sense to use the courier MTA, too. Also, like you, I hate the oddball qmail license. I also hate the way qmail installs weird shit all over my system. Come to think of it, I don't even remember why I chose qmail other than the hate of sendmail.

Blah.

Re:insight needed

[ahodgson]

Postfix + Amavis [www.ijs.si] is a wicked combo for content filtering. For virtual domain admin, check out Jamm [sourceforge.net]. If you want great POP/IMAP mailbox support for your virtual domains, add Courier IMAP [inter7.com] to your setup.

Some of the features you might like in Postfix over Qmail include SMTP AUTH, TLS/SSL support, nice content-filtering support, great spam blocking features (HELO checking, RHSbl support, DNSbl support, sender address checking, many others), and extensive database and LDAP support. The virtual domain support is full-featured, although very different to Qmail's in terms of implementation, and with something like Jamm your users can have full control of their domains and/or mailboxes via a web interface.

And yes, I know there are patches for Qmail to do most or all of the above. It's just easier to do with Postfix IMO.

Re:this SMTP server vs Qmail and Sendmail

[Anonymous Coward]

Becuase so many other posts aren't stating this I'll try to explain some of the offerings:

Postfix is easy to configure. One of it's biggest advantages is that it uses many different type of maps for various purposes. Say I want to tell postfix what domains to relay mail for. I can have it lookup the domains in a traditional dbm/hash file or I can even specify an LDAP server to hit. In addition I can have it do the lookups in any order, dmn static entries first, then hit an old sendmail hash, then finally hit LDAP for my new point and click allocation system. This same mapping system is identical for almost all configuration parameters, aliases, virtual domains, virtual alias, maildir/mbox locations, valid recipients, valid senders, SMTP Auth users, etc., etc.

In addition I like postfix's rate control system. Postfix will notice when a foriegn mail system is under load (judged by its response times) and throttle back the rate and number of connections to it. This means that there is less of a chance that mail will be rejected with a temporary failure by the foreign server because it's too busy. It avoids the mail being moved from the active queue to the deferred queue imposing an hour or so delay until the next delivery attempt.

This also works for inbound mail. I can set rate limits so that if a foreign mail server tries to bomb me, postfix will notice this and throttle the connections. It does this by imposing mandatory delays in confirming the delivery to the foreign server. Again, the rates and thresholds are all configurable.

Postfix has some nice security features. For instance one feature is From: validation. All my users must log into postfix using SMTP Auth before sending mail. I have an LDAP map that specifies the allowable From: addresses the users are allowed to use. If the From: address doesn't match what's configured for the SMTP Auth user, the message is rejected. This keep users from spoofing other user's addresses in the From: header. In addition to validating the recipient domain, postfix can validate the recipient address before the message is accepted. Again, from any map type, including LDAP.

Postfix also has a sendmail compatibility layer. Meaning sendmail commands like 'sendmail' and 'mailq' typically work exactly like their sendmail counterparts.

As for performance and scalability, it's right up there with Qmail and sendmail. Performance on my particular servers will be less than on a plain Qmail or sendmail setup, but I also perform tons and tons more checks and validations on each message. Each message results in about 4 LDAP lookups and also gets piped through Amavis-new, Spamassassin, and ClamAV. The idea that postfix is for small to medium sized servers is a wash. It has a feature set that is above and beyond the rest and I'm quite impressed with it.

I used to be a die hard sendmail guy. But after going to postfix, I'll never go back.

My $.02 anyhow....

netqmail-1.05.tar.gz

[Russ Nelson]

http://qmail.org/netqmail/

'nuff said. Trolls, heh, ya gotta love 'em.
-russ

Re:Grudgingly going back to Sendmail.

[Just Some Guy]

Some brain-dead spam broadcasters pick MXes at random to deliver to, and some deliberately target lower-priority exchanges (the idea being that a mailserver may be less picky about mail it receives from one of its backup MXes than other hosts). If a low-priority MX is listed but doesn't really exist, the spammer may attempt to deliver mail to that MX, and then give up when it fails.

It's kludgey, broken, and something I wish I'd thought of earlier.

Re:Grudgingly going back to Sendmail.

[IGnatius T Foobar]

So much flamebait, so little time...

Why the hell are you sharing a mail queue? It's not like more than one server can send the message at a time, or receive it. And postfix supports NFS mailboxes just fine.

One server, one message? We're talking hundreds of thousands of messages per day spread out over dozens of individual mail systems. There are no local mailboxes -- this is strictly a relaying system.

I, personally, set up a 'backup MX' record to point at one of my IPs that didn't actually run a mail server, and cut my daily spam attempts by 30%.

And you probably dropped the reachability of legitimate mail too. I'm sure that works well in your little playground, but this is a real environment and we have SLA's to honor.

Excellent Postfix Setup Guide

[jwbrown77]

Here. [gentoo.org]

The HOWTO is based on Gentoo, but the configuration principles can obviously be used on any machine.

Re:Grudgingly going back to Sendmail.

[DavidTC]

Because someone's a loon who's made an amazingly complicated mail system, that's why.

He's not only building relay servers that transfer mail between themselves, which there is absolutely no reason to do, (They should accept mail from X and forward to Y, not play hot potato with it. Having more than one server is fine, but they don't have anything to say to each other.) he's making them transfer mail between themselves using the mail queue instead of SMTP.

Which is rather akin to setting up a shuttle bus system between the airport and a hotel, realizing you need more than one bus to handle the load, and coming up with the 'solution' of running each bus halfway and transferring all the passengers at the midway point. Each bus driver only needs to be able to handle half the route, think of all the time and training he'll save!

With postfix, of course, he'd have to build a delivery station to offload the passengers to, but with sendmail, he apparently can transfer passengers directly from bus to bus! (Which, despite sendmail's shortcomings, I doubt was intentional.)

Re:Aaargghhh!

[cos(0)]

Are you saying mathematicians really refer to the style of "2 3 +" as "suffix notation"?

No, they refer to it as Reverse Polish Notation [wikipedia.org].

Re:this SMTP server vs Qmail and Sendmail

[sumbry]

To add to this, Postix is not just for small to medium sized servers. It actually scales extremely well because of it's design philosophy (bunch of small programs that each do one thing and do it well communicating w/each other).

I would actually argue the opposite of parent - use Sendmail if it came preconfigured on your box, but otherwise if you're running a large server or hub, migrate over to Postfix if you want to wring every ounce possible outta your mailserver.

Re:because it's an ugly, lumbering dinosaur

[ckaminski]

He meant for clients, not server config. The typical:

system("/usr/bin/sendmail -m user@host.tld");

Is unchanged when migrating to postfix. The backend, however, has some extremely significant differences.

You weren't trolled, you just didn't understand his argument correctly.

Re:Grudgingly going back to Sendmail.

[DavidTC]

That's exactly what I said. You've built a system where one system will accept a message, and then one system will attempt to deliver it, which provides no benefit at all over having one system deliver it from start to finish, except you've added race conditions and file sharing and waste all around.

As for talking about deleting things out of the queue, that's just crazy. There are commands to do that, and they run just fine remotely. (Not that running around deleting mail from a delivery queue is a normal action in the first place, and I suspect you came up with that because you know what you're talking about is silly.)