Postfix 2.1 Released 286
MasTRE writes "After an extended period of polishing and testing, Postfix 2.1 is released. Some highlights: complete documentation rewrite (long overdue!), policy delegation to external code, real-time content filtering _before_ mail is accepted (a top 10 most requested feature in previous versions), major revision of the LDAP/MySQL/PGSQL code. Version 2.2 is in thw works, which promises even more features like client rate limiting and integration of the TLS and IPv6 patches into the official tree. There's never been a better time to migrate from Sendmail (just _had_ to get that in there ;)."
Aaargghhh! (Score:5, Interesting)
Yes, I know its an SMTP server, but sheesh, is it so hard to start it "After an extended period of polishing and testing, Postfix, the popular open source mail transfer agent, has reached version 2.1
Why does everyone alwasy gotta knock sendmail?? (Score:4, Interesting)
A big shout out to teh postfix guys (Score:-1, Interesting)
Postfix on the other hand is simple to manage, secure, and isn't missing any important features.
Postfix performs quite well (Score:5, Interesting)
because it's an ugly, lumbering dinosaur (Score:5, Interesting)
I've been running sendmail 4ever - sure it's complicated as hell - and a bit of a resource hog at times..but it freaking works and is rock solid over more years of production use than any other MTA ever will be in our lifetimes.
On a Axil 320(110mhz, I think? I forget which sparc chip) running Solaris w/320MB of ram and one single SCSI drive, on a Mailman list with about 2,000 subscribers and 100 posts a day, we went from delivery times of an hour+(and load averages well over 4) to under 5 minutes(and load averages between .5 and 2).
Proponents of Sendmail will say "oh, it just needs to be tuned properly".
Nope, sorry. Proper software doesn't need tuning to do its job. Ever notice that the only proponents of the "it just needs someone who knows how to tune it" model are...well...the limited number of people who know how to tune it, and are fast finding themselves out of jobs?
to update or not to update? (Score:2, Interesting)
I've been running Postfix for 8 months now, and I much, much prefer it to my life of running Sendmail for the previous 2 years. Anyway, I've been running Postfix, it has worked perfectly for me, and my 8 other mail users, and I have kept up to date on all/any security patches. Is there any compelling reason for me to upgrade? If the newer one is faster, more effiecent, that's great, but for a small server like mine I'm not sure if I'm even going to notice.
Anyone with helpful advice is appreciated. TIA.
VSCB
Converting from sendmail? (Score:3, Interesting)
> from Sendmail (just _had_ to get that in
> there
So is there any documentation describing a good way to convert from sendmail? Like, how the directives in sendmail map to directives in postfix?
mr
Re:because it's an ugly, lumbering dinosaur (Score:3, Interesting)
this SMTP server vs Qmail and Sendmail (Score:3, Interesting)
insight needed (Score:2, Interesting)
Re:Aaargghhh! (Score:3, Interesting)
On far too many Open Source projects, it's a real struggle to figure out what the durn thing is supposed to do. Go to the website, get a list of contributers, a changelog, and perhaps some press releases. Fire it up, click "help->about" and get a logo. Nothing says what it does.
WHAT THE BLEEP IS IT SUPPOSED TO DO?
Re:Comparisons (Score:1, Interesting)
Since when is it a security-focussed feature to install your binaries in a writable partition?
Grudgingly going back to Sendmail. (Score:5, Interesting)
Unfortunately, with all the extra mail traffic now due to MORE spam, MORE viruses, and all the bounces generated by the above, we have to expand again. And we have to go back to Sendmail because of one particular feature: you can have multiple Sendmail instances sharing an NFS-mounted queue. Since the new system is multiple Sparc boxes in a load-balanced cluster, we have to go back to Sendmail because Postfix doesn't support this.
Re:Great software, bad hardware (Score:3, Interesting)
Shift some services to it, network monitoring, security scans. Stuff you can easily run somewhere else if it dies but it's handy not to. Or donate it to a charity that wants it. MP3 server, CD jukebox server. Write something spiffy to act as a voicemail system...
Postfix's new policy server API (Score:5, Interesting)
The new policy server interface is a simple sockets-based API for getting a chance to participate in the SMTP conversation as it is happening. The basic idea is:
- tell your Postfix config file (main.cf) that you've written a "policy server" that listens on a particular Unix socket or TCP address/port.
You can have the policy server get "called" at any of the points in the SMTP conversation where Postfix may make a decision about how to dispose of the message (HELO, RCPT, etc.).
- write your policy server. It listens for connections, and each connection sends you one or more requests. Each request contains a small set of information about the mail message being transmitted (client name/address, HELO text, etc.) Your server responds with one of a broad set of actions that Postfix supports (reject, accept, defer, perform other custom checks, etc.).
- The protocol for talking to your server is a simple text-based protocol with newlines, much like the form of HTTP. I coded an initial policy server in good ol' C in about an hour.
In particular, this new API is a great place to implement greylisting. Your server can maintain its database of whitelisted and greylisted from/to/IP triplets all on its own and just respond to Postfix requests. And, once you've coded up your policy server, you don't have to revise it with every Postfix patch that comes down the pike. As long as the API remains backwardly compatible, your policy server code should survive any Postfix upgrades.Kudos to the new policy server API!
Re:Great software, bad hardware (Score:3, Interesting)
Like sendmail's milter? (Score:4, Interesting)
Of course I'm one of those very happy sendmail administrators (we do exist), and I have a relatively complex setup handling hundreds of thousands of messages per day, with very complex routing, etc. But perhaps Postfix is finally serious about providing an alternative (of course I also need TLS and IPv6 built-in like sendmail's had forever).
Re:Aaargghhh! (Score:4, Interesting)
I use both words, and I use them to mean different things. "Suffix" (in my idiolect) means "a bound morpheme attached to the end of a word"; "postfix" means "an unbound morpheme attached at the end of a word".
Are you saying mathematicians really refer to the style of "2 3 +" as "suffix notation"?
Where's ZMailer? (Score:2, Interesting)
Nice that MacOS X now uses Postfix (Score:5, Interesting)
(I had been rooting for exim, which is also a great package, but Postfix seems to be a good alternative. Maybe they should also include exim on XServe's?)
Re:Why all the MTA anti-sendmail holy wars? (Score:3, Interesting)
It uses capabilities, chroot jails, etc. It is nowdays very good about running with least priviledge, and only a very small kernel of code ever runs with root priviledge in a proper setup anyway. (or if at all if you OS supports capabilities).
The one potentially bad thing about your mention of Postfix using fixed-length records, is that is usually the root cause for buffer overflows. I'm not saying that Postfix is suseptible or not, but actually fixed-length records is not necessarily a universally good security policy. But at least Postfix has some policies, so I have nothing against it. I just can't stand sendmail bashing without the facts.
Re:OTOH.. (Score:5, Interesting)
I loved qmail, but all my systems run Postfix nowadays. SSL, SMTP AUTH, content filtering, too many features I needed and qmail doesn't have.
I just hope djbdns doesn't go the same way, cause I REALLY hate BIND.
Re:this SMTP server vs Qmail and Sendmail (Score:2, Interesting)
And if you're dealing with mailing lists (from the admin side) you definately wanna take a look at ezmlm [ezmlm.org].
I haven't tried postfix in a while but I guess the old rule of thumb (for small sites use whatever, if you need it big stick with qmail) still applies?
Re:Great software, bad hardware (Score:3, Interesting)
Re:this SMTP server vs Qmail and Sendmail (Score:4, Interesting)
To be fair..
Qmail is *very* well deigned and programmed. There's hasen't been a real need to issue a new package for a long time.
I still don't like the license - but it is damn fine software.
Re:Why does everyone alwasy gotta knock sendmail?? (Score:5, Interesting)
Cause Postfix was built for people who do not understand how to properly configure a mailserver.
Feeling a bit up on yourself are you? I've used all three and as a busy sysadmin I have to say I don't have time to screw around with with Sendmail security patches and overly complex setup or qmail's complete lack of flexability. I have a fairly complex Postfix setup that stores my users in Mysql, does spam and virus checking and handles about 40 domains. I set it all up in about half a day
Re:this SMTP server vs Qmail and Sendmail (Score:4, Interesting)
It may be damn fine software, but its creator has decided that he doesn't like the existing init systems on linux/BSD and so has written his own. That right there took qmail out of consideration. I don't care if he is right or wrong, I have no intention of installing a second init system just so I can run his software. The creators of Postfix integrate beautifully with linux standards, Redhat even provides a well integrated postfix package (install the rpm's then run 'redhat-switch-mail'). Not to mention the awesome 'mailgraph' utility - http://people.ee.ethz.ch/~dws/software/mailgraph/ [ee.ethz.ch] for charting stats!
And best of all, its wicked fast. I can handle 100's of msg per minute on a 500Mhz box, which I learned the hard way that sendmail can't.
Re:this SMTP server vs Qmail and Sendmail (Score:5, Interesting)
Simply put, Postfix is designed from the ground up with security in mind as well as the KISS philosophy of software design. Postfix has a bunch of little programs that all do one thing and do it very well, is realitively easy to chroot and even if you opt to not do that is still much more secure than Sendmail (esp its out of the box config). It's author Wietse Venema (sp?) was the same guy that wrote TCP Wrappers which is a stock part of almost every BSD/Linux distro today.
Postfix was engineered from the groupd up to be a Secure MTA and was able to take immediate advantage of all the lessons that had been learned by Sendmail w/o having to hang on to a legacy codebase.
Postfix is also extremely easy to configure, using straight non-cryptic ini style conf files and doesn't require a 1300 page manual to get the best out of it. Couple this with the fact that connecting it to a MySQL/Postgres/Oracle database for map lookups (forwarding, alias, transport, etc) and you've got this beast that scales very well for hosting environments (you can also used virtual passwd databases enabling you to create mailbox accounts that do not actually exist in the systems passwd db). When we deployed it at said hosting company, we were delivering close to a million messages a day and saw lookup times, delivery times, queue times, pretty much everything drop to about 1/4 of their levels w/Sendmail. Postfix is blazingly fast.
Postfix isn't for everyone tho. If you're only running a few domains and/or Sendmail came preconfigured on the box you're running it on then you're probably fine sticking w/Sendmail. We actually only used Postfix as a hub and used Sendmail on all our severs in a relay only mode. If you know Sendmail back and forth and can make it jump through flaming hoops I wouldn't necessarily advise switching to Postfix unless you're looking to wring more out of your MTA and want to do it relatively easily and securely.
Someone correct me if I'm wrong, but I don't think Postfix has even had any remote exploits (it doesn't run as root out of the box)?
Bogus backup MX servers (Score:4, Interesting)
Actually, using an unreachable backup MX is an excellent idea and shouldn't affect legitimate email at all. Real mail servers (i.e., servers running software like sendmail, postfix, exim, etc.) will try to deliver a message to each MX server, from high priority to low priority, until they find one that is accessible. So if he sets up a bogus MX server at the lowest priority, all of his other MX servers will still be attempted (and if they're all down for some reason, he's screwed anyway). However, spammers often use custom mass-mailing software that isn't smart enough to try all MX servers. In fact, their software seems to specifically target the lowest priority MX servers, probably because they think these servers will be less likely to inspect and reject the message at SMTP time. So if your lowest priority MX server is bogus and doesn't really exist, spammer software might not be smart enough to actually try the other MX servers; it will give up and move on to the next victim.
So using this technique shouldn't affect legitimate email, but it stands a good chance of cutting down on some spam. I'm glad he posted it.
Re:Why does everyone alwasy gotta knock sendmail?? (Score:2, Interesting)
I've used sendmail, and I've used postfix. I definitely prefer postfix. I didn't think I would, I had a serious sendmail bias a few months ago, but I'm a convert. PGSQL support did it for me, I think.