
Postfix 2.1 Released 286

Posted by michael
from the got-mail? dept.
MasTRE writes "After an extended period of polishing and testing, Postfix 2.1 is released. Some highlights: complete documentation rewrite (long overdue!), policy delegation to external code, real-time content filtering _before_ mail is accepted (a top 10 most requested feature in previous versions), major revision of the LDAP/MySQL/PGSQL code. Version 2.2 is in the works, which promises even more features like client rate limiting and integration of the TLS and IPv6 patches into the official tree. There's never been a better time to migrate from Sendmail (just _had_ to get that in there ;)."

  • Aaargghhh! (Score:5, Interesting)

    by gowen (141411) <gwowen@gmail.com> on Friday April 23, 2004 @11:17AM (#8950204) Homepage Journal
    It would be nice if, during product announcements, the submitter actually included a sentence SAYING WHAT THE SOFTWARE DOES.

    Yes, I know it's an SMTP server, but sheesh, is it so hard to start it "After an extended period of polishing and testing, Postfix, the popular open source mail transfer agent, has reached version 2.1"?
    • by mattdm (1931) on Friday April 23, 2004 @11:26AM (#8950335) Homepage
      Pssh. C'mon, what kind of geek hasn't heard of Postfix? I mean, sure, this'd be a valid complaint if we were talking about exim....

      *grin*
      • by Billy the Mountain (225541) on Friday April 23, 2004 @11:43AM (#8950565) Journal
        Pssh. C'mon, what kind of geek hasn't heard of Postfix?

        I agree postfix is ubiquitous, although prefix and infix have their merits as well!

        BTM
        • I agree postfix is ubiquitous, although prefix and infix have their merits as well!

          I never understood why computer scientists often use the word "postfix", because this is a term invented by biologists (anatomy). Linguists and mathematicians say "suffix" instead. Those are fields of knowledge which should be much closer to computer science than biology. I mean, what does the average CS student know about anatomy? *g*
          • Re:Aaargghhh! (Score:4, Interesting)

            by Anonymous Coward on Friday April 23, 2004 @12:47PM (#8951408)
            I never understood why computer scientists often use the word "postfix", because this is a term invented by biologists (anatomy). Linguists and mathematicians say "suffix" instead.

            I use both words, and I use them to mean different things. "Suffix" (in my idiolect) means "a bound morpheme attached to the end of a word"; "postfix" means "an unbound morpheme attached at the end of a word".

            Are you saying mathematicians really refer to the style of "2 3 +" as "suffix notation"?
    • I use QMail and Sendmail on several hosting servers. Which advantages will my customers get with Postfix ?
      • It's Free Software (unlike Qmail) without Sendmail's security record (unlike Sendmail).

        Personally, I still use Sendmail everywhere, but Postfix is designed to be a fast, secure, easy-to-configure MTA. It would be my migration path of choice if I were ever having problems in any of those three areas.

        • by stilwebm (129567) on Friday April 23, 2004 @12:09PM (#8950923)
          It is also important to note that Postfix provides Maildir support for local delivery. This means you can have nested folders (containing both messages and more folders) on your IMAP server, whereas with Sendmail's mbox format you can only have folders containing messages, and those folders are actually just long text files. Qmail provides the maildir format natively, but Postfix makes it free.
          • by dasunt (249686) on Friday April 23, 2004 @01:33PM (#8951963)

            It is also important to note that Postfix provides Maildir support for local delivery. This means you can have nested folders (containing both messages and more folders) on your IMAP server, whereas with Sendmail's mbox format you can only have folders containing messages, and those folders are actually just long text files. Qmail provides the maildir format natively, but Postfix makes it free.

            Or you can use Sendmail + Procmail for Maildir-style storage.

          • by Kunta Kinte (323399) on Friday April 23, 2004 @02:49PM (#8952762) Journal
            I was going to mod you down, but I figured I'd correct you instead.

            It is not the MTA's (Mail Transfer Agent) job to put the mail on the filesystem, that's the MDA's (Mail Delivery Agent) job. Sendmail is a Mail Transfer Agent. Sendmail, for as long as I've known, has a pluggable MDA format, where you can put in any MDA you choose. You can easily build your own MDA for Sendmail. Not to mention if you use Milter.

            This is rudimentary internet mail handling.

            For example, I use Cyrus IMAP's MDA with sendmail; and thus sendmail simply hands the Cyrus MDA my mail once sendmail has figured the mail belongs on this server.

            Thus in a way, Sendmail, Postfix, and all other MTAs are essentially routers.

      • by Anonymous Coward on Friday April 23, 2004 @02:12PM (#8952384)
        Because so many other posts aren't stating this I'll try to explain some of the offerings:

        Postfix is easy to configure. One of its biggest advantages is that it uses many different types of maps for various purposes. Say I want to tell postfix what domains to relay mail for. I can have it lookup the domains in a traditional dbm/hash file or I can even specify an LDAP server to hit. In addition I can have it do the lookups in any order, dmn static entries first, then hit an old sendmail hash, then finally hit LDAP for my new point and click allocation system. This same mapping system is identical for almost all configuration parameters, aliases, virtual domains, virtual alias, maildir/mbox locations, valid recipients, valid senders, SMTP Auth users, etc., etc.

        In addition I like postfix's rate control system. Postfix will notice when a foreign mail system is under load (judged by its response times) and throttle back the rate and number of connections to it. This means that there is less of a chance that mail will be rejected with a temporary failure by the foreign server because it's too busy. It avoids the mail being moved from the active queue to the deferred queue imposing an hour or so delay until the next delivery attempt.

        This also works for inbound mail. I can set rate limits so that if a foreign mail server tries to bomb me, postfix will notice this and throttle the connections. It does this by imposing mandatory delays in confirming the delivery to the foreign server. Again, the rates and thresholds are all configurable.

        Postfix has some nice security features. For instance one feature is From: validation. All my users must log into postfix using SMTP Auth before sending mail. I have an LDAP map that specifies the allowable From: addresses the users are allowed to use. If the From: address doesn't match what's configured for the SMTP Auth user, the message is rejected. This keeps users from spoofing other users' addresses in the From: header. In addition to validating the recipient domain, postfix can validate the recipient address before the message is accepted. Again, from any map type, including LDAP.

        Postfix also has a sendmail compatibility layer. Meaning sendmail commands like 'sendmail' and 'mailq' typically work exactly like their sendmail counterparts.

        As for performance and scalability, it's right up there with Qmail and sendmail. Performance on my particular servers will be less than on a plain Qmail or sendmail setup, but I also perform tons and tons more checks and validations on each message. Each message results in about 4 LDAP lookups and also gets piped through Amavis-new, Spamassassin, and ClamAV. The idea that postfix is for small to medium sized servers is a wash. It has a feature set that is above and beyond the rest and I'm quite impressed with it.

        I used to be a die hard sendmail guy. But after going to postfix, I'll never go back.

        My $.02 anyhow....
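The ordered table lookups and the sender check described in the comment above, sketched as an added Python model (not part of the original thread and not Postfix source code). The table contents, the example.com addresses, the function names and the "OK"/"REJECT"/"DEFER" verdicts are all assumptions made for illustration; it also shows why a table that cannot answer has to be handled differently from a key that is absent.

```python
from typing import Callable, Dict, Optional, Sequence


class TableUnavailable(Exception):
    """The backend behind a table (for example a directory server) did not answer."""


# A table maps a lookup key to a value, or returns None for "no such key".
Table = Callable[[str], Optional[str]]


def dict_table(entries: Dict[str, str]) -> Table:
    """Stand-in for a static list or an indexed file: exact, case-insensitive keys."""
    data = {key.lower(): value for key, value in entries.items()}
    return data.get


def failing_table(_key: str) -> Optional[str]:
    """Stand-in for a directory server that is down."""
    raise TableUnavailable("directory not reachable")


def lookup(tables: Sequence[Table], key: str) -> Optional[str]:
    """Search the tables in the configured order; the first table with an answer wins.

    Errors are deliberately not caught here: "the table could not answer"
    must never be treated as "the key is not there".
    """
    key = key.lower()
    for table in tables:
        value = table(key)
        if value is not None:
            return value
    return None


def check_sender(tables: Sequence[Table], login: Optional[str], sender: str) -> str:
    """Decide whether an authenticated user may send with this sender address.

    Returns "OK", "REJECT" or "DEFER" (temporary failure, the client retries).
    """
    if not login:
        return "REJECT"                 # submission requires authentication
    try:
        owners = lookup(tables, sender)
    except TableUnavailable:
        return "DEFER"                  # fail closed, but only temporarily
    if owners is None:
        return "REJECT"                 # no login is allowed to use this address
    allowed = {name.strip().lower() for name in owners.split(",")}
    return "OK" if login.lower() in allowed else "REJECT"


# Constructed sample data: sender address -> logins allowed to use it.
STATIC = dict_table({"postmaster@example.com": "admin"})
LEGACY_HASH = dict_table({"alice@example.com": "alice"})
DIRECTORY = dict_table({"alice@example.com": "mallory",   # shadowed by LEGACY_HASH
                        "sales@example.com": "alice, bob"})
CHAIN = [STATIC, LEGACY_HASH, DIRECTORY]

if __name__ == "__main__":
    cases = [("alice", "alice@example.com"), ("alice", "Sales@Example.com"),
             ("bob", "alice@example.com"), ("mallory", "alice@example.com"),
             (None, "sales@example.com")]
    for login, sender in cases:
        print(login, sender, check_sender(CHAIN, login, sender))
    down = [STATIC, LEGACY_HASH, failing_table]
    print("directory down:", check_sender(down, "bob", "sales@example.com"))
```

Because the first table with an answer wins, the order of the chain is itself a security setting: an entry in an earlier table silently overrides a later one.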

      • by sumbry (644145) on Friday April 23, 2004 @05:15PM (#8954435) Homepage
        Having worked at a hosting company for years, we actually migrated to Postfix (from Sendmail) way back in the day, when Postfix was still called VMailer (actually joined the beta before it even had a name).

        Simply put, Postfix is designed from the ground up with security in mind as well as the KISS philosophy of software design. Postfix has a bunch of little programs that all do one thing and do it very well, is relatively easy to chroot and even if you opt to not do that is still much more secure than Sendmail (esp its out of the box config). Its author Wietse Venema (sp?) was the same guy that wrote TCP Wrappers which is a stock part of almost every BSD/Linux distro today.

        Postfix was engineered from the ground up to be a Secure MTA and was able to take immediate advantage of all the lessons that had been learned by Sendmail w/o having to hang on to a legacy codebase.

        Postfix is also extremely easy to configure, using straight non-cryptic ini style conf files and doesn't require a 1300 page manual to get the best out of it. Couple this with the fact that connecting it to a MySQL/Postgres/Oracle database for map lookups (forwarding, alias, transport, etc) and you've got this beast that scales very well for hosting environments (you can also use virtual passwd databases enabling you to create mailbox accounts that do not actually exist in the system's passwd db). When we deployed it at said hosting company, we were delivering close to a million messages a day and saw lookup times, delivery times, queue times, pretty much everything drop to about 1/4 of their levels w/Sendmail. Postfix is blazingly fast.

        Postfix isn't for everyone tho. If you're only running a few domains and/or Sendmail came preconfigured on the box you're running it on then you're probably fine sticking w/Sendmail. We actually only used Postfix as a hub and used Sendmail on all our servers in a relay only mode. If you know Sendmail back and forth and can make it jump through flaming hoops I wouldn't necessarily advise switching to Postfix unless you're looking to wring more out of your MTA and want to do it relatively easily and securely.

        Someone correct me if I'm wrong, but I don't think Postfix has even had any remote exploits (it doesn't run as root out of the box)?
    • Re:Aaargghhh! (Score:3, Interesting)

      by StormyMonday (163372)
      I'll second that.

      On far too many Open Source projects, it's a real struggle to figure out what the durn thing is supposed to do. Go to the website, get a list of contributors, a changelog, and perhaps some press releases. Fire it up, click "help->about" and get a logo. Nothing says what it does.

      WHAT THE BLEEP IS IT SUPPOSED TO DO?
  • by darthcamaro (735685) * on Friday April 23, 2004 @11:17AM (#8950205)
    I've been running sendmail 4ever - sure it's complicated as hell - and a bit of a resource hog at times..but it freaking works and is rock solid over more years of production use than any other MTA ever will be in our lifetimes.
    • Because of the design flaws in it and the fact that much better MTAs now exist yet many people, some like you, refuse to migrate for the betterment of the internet.

      My preference is qmail, only because I haven't used postfix in a production environment yet.
      • Great..are we now gonna have some kinda religious debate about legacy software being crap?
        qmail is nice but it's not ubiquitous...for whatever reason sendmail still is - a correctly configured sendmail setup is still gonna meet the needs/requirements of most users.
        • If by religious you mean common sense discussion then sure. There is literally ZERO reason to use sendmail now. There is nothing you can do with sendmail that can't be done with Postfix or qmail and you'll get better performance and security to boot.

          Technology like everything else has a life span. Sendmail's ended long ago, get over it.
    • by SuperBanana (662181) on Friday April 23, 2004 @11:24AM (#8950304)

      I've been running sendmail 4ever - sure it's complicated as hell - and a bit of a resource hog at times..but it freaking works and is rock solid over more years of production use than any other MTA ever will be in our lifetimes.

      On an Axil 320 (110mhz, I think? I forget which sparc chip) running Solaris w/320MB of ram and one single SCSI drive, on a Mailman list with about 2,000 subscribers and 100 posts a day, we went from delivery times of an hour+ (and load averages well over 4) to under 5 minutes (and load averages between .5 and 2).

      Proponents of Sendmail will say "oh, it just needs to be tuned properly".

      Nope, sorry. Proper software doesn't need tuning to do its job. Ever notice that the only proponents of the "it just needs someone who knows how to tune it" model are...well...the limited number of people who know how to tune it, and are fast finding themselves out of jobs?

      • Under 5 minutes? that's sweet - you did this with Postfix? and how did you manage the MTA change in all your apps or did you only have to do in GNU/Mailman?
      • Proper software doesn't need tuning to do its job.

        You may or may not be correct in this particular case, but as a general statement, that's just stupid.

        Do you really mean that the exact same settings for a little desktop (high priority to input-related tasks, swap only when needed) would work well for a high-load server (high priority to compute-related tasks, swap aggressively to make RAM quickly available)? There are a lot of settings on a modern system that just can't be inferred by the system itself. Stating the opposite like it's an obvious fact is ignorant, misleading, or both.

        A real-world example: a Usenet spool and an MP3 repository may be the same size, but benefit hugely from tweaked bytes-per-inode or journal settings. In some cases, once the system is running, it's too late to easily change your mind (like bytes-per-inode). In other cases, you can switch at will, but not without unmounting the filesystem (ext3 journaling options). You, as the administrator, make those decisions. Either way, even if the computer were capable of recognizing that you'd made a bad decision, it's not in a position to correct them.

        A real-world example: I tuned Sendmail to use delayed sending so that when a client blasted 20,000 copies of a newsletter (yes, opt-in), then it would wait for several minutes so that it could efficiently aggregate recipients by domain. In their situation, telling Sendmail to leave email in the queue for 10 minutes meant a 50% savings in bandwidth. How on earth would you expect a self-tuned MTA to ever make that discovery on its own?

        Computers do some things well. Predicting the future usage patterns of their owners without mounds of previous input is not one of them. That's where manual tuning comes in, and why real system administrators are still paid decently.

      • "Proper software doesn't need tuning to do its job."

        For someone using Solaris, that's an odd statement to make. I can't tell you how much F'ing tuning I've had to do on Solaris to get it working properly on our dev systems. I finally got things to where they needed to be, but I've seen more than my share of the 'ndd' command.

        Not that I think he's right about Sendmail. I've moved to Postfix and don't plan on looking back.

    • by woulduno (597978) on Friday April 23, 2004 @12:42PM (#8951360)
      Cause Postfix was built for people who do not understand how to properly configure a mailserver. It assumes you are new and keeps it locked down by default. Where sendmail is more customizable and faster (http://www.benchmarks.dmz.ro/article.php?story=20 02081221400018), although Qmail is faster, for standard configurations.. Sendmail is great for large high volume sites, where postfix is great for the home user or smaller sites. Although it can still be used in larger sites.. I personally have been using sendmail for years and cannot remember a security issue that applied to me. Mostly because I know how to configure sendmail and it is very well tuned. I worked with a company that sent stock notifications where we pushed over 5 million messages in under 30 minutes with 8 Sun Netra's with 440 mhz CPU's.. In case you do not get the math that is about 20,833 thousand messages per minute per machine! Running sendmail..
      • by Christianfreak (100697) on Friday April 23, 2004 @03:33PM (#8953194) Homepage Journal
        The last study I read showed the exact opposite. With Postfix being the fastest, sendmail close behind and qmail way slower than the other two.

        Cause Postfix was built for people who do not understand how to properly configure a mailserver.

        Feeling a bit up on yourself are you? I've used all three and as a busy sysadmin I have to say I don't have time to screw around with Sendmail security patches and overly complex setup or qmail's complete lack of flexibility. I have a fairly complex Postfix setup that stores my users in Mysql, does spam and virus checking and handles about 40 domains. I set it all up in about half a day ... I don't even want to think about how long it would have taken to do it with sendmail.
  • Wait, wouldn't post fix Postfix 2.1 actually be fix 2.2?

    -m
    • I think you're thinking of Prefix 2.0
    • No, no, you don't get it, it's because of all the filters. It fixes posts. So now, pe0ple kan wreite az badi az the want & get there pausts fyxt too a corekt form@t. This is a big help for spam filtering, no more v.iagr@, v1 gra, and stuff.

      I wonder if this technology would work for /. to spelling.
  • Version 2.2 is in the works, which promises even more features

    i was under the impression that the standard methodology in the unix-ish/open source-ish world was that odd sub-versions (.1, .3, etc.) were for adding features and even sub-versions (.2, .4, etc.) were for stabilizing the code, bug fixes, etc.

    am i incorrect or does the postfix project simply not follow this model? just curious.

    • Re:versioning (Score:4, Informative)

      by gowen (141411) <gwowen@gmail.com> on Friday April 23, 2004 @11:24AM (#8950296) Homepage Journal
      That was basically Linus's idea. Some people have copied it (Gnome and Gimp hackers spring to mind), but it's by no means all pervasive.
    • i was under the impression that the standard methodology in the unix-ish/open source-ish world was that odd sub-versions (.1, .3, etc.) were for adding features and even sub-versions (.2, .4, etc.) were for stabilizing the code, bug fixes, etc.

      That is just Linux.
      • by Anonymous Coward
        You're forgetting the parent post author's theory on the world, Linux is the same thing as Unix, and Linux is the world, without it, the earth would stop spinning and we'd all be thrown off into space.
        • You're forgetting the parent post author's theory on the world, Linux is the same thing as Unix, and Linux is the world, without it, the earth would stop spinning and we'd all be thrown off into space.

          i do sometimes forget that /. has warped me. i apologize.

    • That's the model used by the developers of the Linux kernel, but it is by no means a standard, even in the open source world.
      • I think some of the guys at Microsoft may have used this at some point, also. Odd numbered NT service packs were a nightmare.

        In particular, NT4 SP5 was about as stable as Windows ME on a Cyrix chip...

        • I think the odd/even versioning also applies to Star Trek movies (suck/good/suck/good...) and Beethoven symphonies (suck/good/suck/good...).

          • by gowen (141411)
            It's the other way round with /. UIDs. Odd numbers are gurus and geniuses, even numbers are dweebs and wannabes. It's a pretty clever algorithm that gives them out.
  • by haplo21112 (184264) <haplo@NOSPAM.epithna.com> on Friday April 23, 2004 @11:21AM (#8950267) Homepage
    I upgraded first thing this morning when I saw the listing on freshmeat. So far it's a drop in replacement.

    Download
    tar -zxvf
    cd postfix-2.1.0
    make
    make upgrade
    postfix stop
    postfix start

    No issues whatsoever!

    Even working correctly with TMDA whitelisting/blacklisting spam filter, which had been my one real concern: did anything happen that could screw up TMDA? NOPE! Runs fine.

    Have to go ahead and look into setup and using some of the new features now I suppose.
  • Comparisons (Score:2, Informative)

    by thebra (707939) *
    on sendmail, qmail, exim, and postfix. HERE [shearer.org]
  • by bigberk (547360) <bigberk@users.pc9.org> on Friday April 23, 2004 @11:23AM (#8950288)
    I recently configured a 200 MHz Pentium host (with slow IDE drives etc.) as an ISP's mail server. It handles over 10,000 emails daily and the load average hangs around at 0.10 -- it's using Postfix with the renattach attachment filter [pc-tools.net] as a content filter (catches all those windows viruses). I was pretty impressed that Postfix performed so well on such an ancient machine :)
  • that's the question.

    I've been running Postfix for 8 months now, and I much, much prefer it to my life of running Sendmail for the previous 2 years. Anyway, I've been running Postfix, it has worked perfectly for me, and my 8 other mail users, and I have kept up to date on all/any security patches. Is there any compelling reason for me to upgrade? If the newer one is faster, more efficient, that's great, but for a small server like mine I'm not sure if I'm even going to notice.

    Anyone with helpful advice
  • by marko_ramius (24720) on Friday April 23, 2004 @11:25AM (#8950323)
    > There's never been a better time to migrate
    > from Sendmail (just _had_ to get that in
    > there ;).

    So is there any documentation describing a good way to convert from sendmail? Like, how the directives in sendmail map to directives in postfix?

    mr
    • by bearl (589272) on Friday April 23, 2004 @11:56AM (#8950741)
      In the source directory there's a text file named INSTALL that has detailed instructions for the three installation options, including "Replace sendmail altogether."

      I won't quote them here in case some of the steps have changed, but it's a very nice step by step list of what to do, what to type, and when to type it.
  • Postfix Heaven (Score:5, Informative)

    by Chromodromic (668389) on Friday April 23, 2004 @11:31AM (#8950397)
    I just finished installing and configuring Postfix with TLS, Cyrus SASL, Maildir storage (which Postfix simply "does" by appending a "/" at the end of a mailbox path), and virtual users alongside Courier-IMAP, and, man, was it easy. I had the help of O'Reilly's Postfix: The Definitive Guide [amazon.com] and between that, the provided documentation and the wealth of resources available on the Web, I was able to get everything up and running in record time.

    I know this sounds like a commercial, but it's hard not to sound that way when everything just kind of worked the first time. I now have authenticated, encrypted SMTP and POP and my users are, literally, thanking me. My experience has been that using Postfix was an easy way for me to look good.

    Here's a Postfix SASL HOWTO [porcupine.org] which came in handy, but there are a lot of resources on the Web, especially at the Postfix [postfix.org] site.

  • insight needed (Score:2, Interesting)

    by U.I.D 754625 (754625)
    Is it worthwhile to migrate to postfix from qmail? Qmail has a weird license scheme preventing binary distribution that sort of irked me, not to mention hit-or-miss setup documentation, but it's been running great for years now. I've wanted to add some virtual domains and spam filtering and it might just be easier to swap the whole MTA.
    • I don't see any compelling reasons to migrate if everything is working fine in Qmail.

      If you want a cookbook on how to set up Postfix and SpamAssassin and friends, there are several really good resources: Jeffrey Posluns [securitysage.com], Jim Seymour [linxnet.com], Meng Wong [mengwong.com] (old but still useful). Posluns' guide is probably where you should start first.

    • You can easily do virtual domains and spam filtering in qmail. Virtual domains you can read about in "Life With Qmail". For spam filtering and virus checking,

      apt-get qmail-qfilter clamav spamassassin

      and you're there. On the other hand, you may have other reasons to change MTAs. I'm actually thinking of switching from qmail to courier since I already use courier for IMAP, so it just makes sense to use the courier MTA, too. Also, like you, I hate the oddball qmail license. I also hate the way qmail

    • Re:insight needed (Score:3, Informative)

      by ahodgson (74077)
      Postfix + Amavis [www.ijs.si] is a wicked combo for content filtering. For virtual domain admin, check out Jamm [sourceforge.net]. If you want great POP/IMAP mailbox support for your virtual domains, add Courier IMAP [inter7.com] to your setup.

      Some of the features you might like in Postfix over Qmail include SMTP AUTH, TLS/SSL support, nice content-filtering support, great spam blocking features (HELO checking, RHSbl support, DNSbl support, sender address checking, many others), and extensive database and LDAP support. The virtual domain support
  • by gtoomey (528943)
    SASL authentication was a shocker to get working with Postfix. Some people had no problems, but Murphy's Law meant I never got it working properly. Let's hope it's fixed.

    And it looks like content filtering (spam & virus filters) has been improved with version 2.1

  • Developers?? (Score:3, Insightful)

    by shift (222320) on Friday April 23, 2004 @11:33AM (#8950425)
    Why is this in the developers section? Wouldn't it be more appropriately placed in a topic for system administrators?
  • Real-time filtering (Score:5, Informative)

    by DustMagnet (453493) on Friday April 23, 2004 @11:33AM (#8950426) Journal
    Cool, what's that about? I found this written by Wietse Venema the author/maintainer for postfix:
    When used with a real-time SPAM filter, this approach allows Postfix to reject mail before the SMTP mail transfer completes, so that Postfix does not have to return rejected mail to the sender. Mail that is not accepted remains the responsibility of the client.

    In all other respects this content filtering approach is inferior to the existing content filter (see FILTER_README) which processes mail AFTER it is queued.

    The problem with real-time content filtering is that the remote SMTP client expects an SMTP reply within a deadline. As the system load increases, fewer and fewer CPU cycles remain available to answer within the deadline, and eventually you either have to stop accepting mail or you have to accept unfiltered mail.

    Too bad it doesn't have a counter attack mode, yet.
  • Sendmail upgrade? (Score:5, Informative)

    by Anonymous Coward on Friday April 23, 2004 @11:34AM (#8950441)
    There's never been a better time to migrate from Sendmail
    It seems Exim 4 was released Feb 2002. It includes IPV6, TLS, and SMTPAUTH via PAM, LDAP, MYSQL, PostgreSQL and more.. There is also client rate limiting, and realtime spam/virus filtering no need to accept and bounce junk.
    If you're using Postfix and have been waiting for any of these "new features", go ahead and try Exim.
    Exim home page [exim.org]
    • Re:Sendmail upgrade? (Score:4, Informative)

      by Zapman (2662) on Friday April 23, 2004 @01:37PM (#8952004)
      Every single one of these has been in postfix for at least 2-3 years. They have been UPDATED in postfix 2.1, not new features.
    • It seems Exim 4 was released Feb 2002. It includes IPV6, TLS, and SMTPAUTH via PAM, LDAP, MYSQL, PostgreSQL and more.

      I wrote a Perl-based whitelist program [outshine.com]. My biggest problem in the Exim vs. Postfix wars is that Exim (at the time I wrote the whitelist app) doesn't offer all the status codes that Postfix does. So my ability to bounce email with informative messages is limited in Exim. Postfix, no problem. But since you seem to know all about Exim's features, what can you tell me about the last 18 mon

  • by stevenbdjr (539653) <steven@mrchuckles.net> on Friday April 23, 2004 @11:36AM (#8950461) Homepage
    real-time content filtering _before_ mail is accepted

    About time. I've been doing this with Exim [exim.org] and Exiscan [duncanthrax.net] for almost 2 years now. It's nice to see other MTA's begin to incorporate this functionality. Now, if everyone upgrades and takes advantage of this wonderful feature, maybe the number of false NDR's I receive due to forged senders will start to go down...

  • The Doc (Score:5, Informative)

    by anarcat (306985) on Friday April 23, 2004 @11:42AM (#8950555) Homepage
    Yeah, that's good. I always had trouble finding my way into the postfix documentation, now it's a lot clearer [porcupine.org]. I especially like the listing of all main.cf settings [porcupine.org] (now if there would be a manpage for master.cf too...) and the bottleneck analysis tool [porcupine.org].

    I do miss however the "big pictures" yellow + blue graphs that seduced me into trying out postfix long time ago. Now we're stuck with pitiful text-only rendering [porcupine.org]

    Still great, after all those years, postfix is my MTA of choice: ease of use, power and security.
  • by phoxix (161744) on Friday April 23, 2004 @11:57AM (#8950749)
    Hi guys,

    Postfix + TLS/SSL + SMTP-AUTH HOWTO [opencurve.org]

    I wrote this howto a while back ago. It explains what is needed to be done in setting up a secure Postfix SMTP server with TLS/SSL and SMTP-AUTH. It isn't fully done (but the meat is there). I hope someone will find it useful.

    Sunny Dubey

    PS: no I have *not* submitted it to postfix.org, for it is not done, and it doesn't have all that I want in it. (Must add virus/spam scanning to it first)
  • by IGnatius T Foobar (4328) on Friday April 23, 2004 @12:05PM (#8950857) Homepage Journal
    One of my servers is a big Sparc box (running Linux, not Solaris) that performs backup MX and other relay services for about a hundred domains at a hosting center. It gets constantly pounded on all day long. Originally it ran Sendmail, and it was badly loaded down. Installing Postfix cleared up all the problems. It's just that much better.

    Unfortunately, with all the extra mail traffic now due to MORE spam, MORE viruses, and all the bounces generated by the above, we have to expand again. And we have to go back to Sendmail because of one particular feature: you can have multiple Sendmail instances sharing an NFS-mounted queue. Since the new system is multiple Sparc boxes in a load-balanced cluster, we have to go back to Sendmail because Postfix doesn't support this. :(
    • sharing an NFS-mounted queue.

      I feel dirty just hearing about it,

      Alex
    • Why the hell are you sharing a mail queue? It's not like more than one server can send the message at a time, or receive it. And postfix supports NFS mailboxes just fine.

      And why the hell are you bouncing spam? Delete spam or reject spam, do not bounce spam.

      It sounds like you don't know what you're doing, or have a really stupid setup.

      And, BTW, if you're getting hammered because you're the backup MX, which spammers like to pound, it might make sense to set up a tertiary MX server that doesn't actually exi

      • by Azghoul (25786) on Friday April 23, 2004 @12:40PM (#8951330) Homepage
        Way to help the guy actually learn something. Real friendly there, buddy.

        Too bad the rest of us aren't experienced mail administrators like you are.
      • So much flamebait, so little time...

        Why the hell are you sharing a mail queue? It's not like more than one server can send the message at a time, or receive it. And postfix supports NFS mailboxes just fine.

        One server, one message? We're talking hundreds of thousands of messages per day spread out over dozens of individual mail systems. There are no local mailboxes -- this is strictly a relaying system.

        I, personally, set up a 'backup MX' record to point at one of my IPs that didn't actually run a ma
        • by mattrope (212499) on Friday April 23, 2004 @05:51PM (#8954764)
          I, personally, set up a 'backup MX' record to point at one of my IPs that didn't actually run a mail server, and cut my daily spam attempts by 30%.

          And you probably dropped the reachability of legitimate mail too. I'm sure that works well in your little playground, but this is a real environment and we have SLA's to honor.

          Actually, using an unreachable backup MX is an excellent idea and shouldn't affect legitimate email at all. Real mail servers (i.e., servers running software like sendmail, postfix, exim, etc.) will try to deliver a message to each MX server, from high priority to low priority, until they find one that is accessible. So if he sets up a bogus MX server at the lowest priority, all of his other MX servers will still be attempted (and if they're all down for some reason, he's screwed anyway). However, spammers often use custom mass-mailing software that isn't smart enough to try all MX servers. In fact, their software seems to specifically target the lowest priority MX servers, probably because they think these servers will be less likely to inspect and reject the message at SMTP time. So if your lowest priority MX server is bogus and doesn't really exist, spammer software might not be smart enough to actually try the other MX servers; it will give up and move on to the next victim.

          So using this technique shouldn't affect legitimate email, but it stands a good chance of cutting down on some spam. I'm glad he posted it.
    • by gnuman99 (746007) on Friday April 23, 2004 @12:23PM (#8951099)
      Uhhhm, why not just use the cluster to filter stuff, and then just map the mail to an internal SMTP server which moves the traffic to user accounts? That way your cluster will not need to use NFS, but just their own disks (which is faster, most of the time), and the internal SMTP server will not get loaded that much since it does nothing that CPU intensive (no filtering).
  • by RonBurk (543988) on Friday April 23, 2004 @12:09PM (#8950916) Homepage Journal
    One of the geek-cool things about this release of Postfix is that it finally provides a way to add your own code to the SMTP conversation without having to understand or patch Postfix at all.

    The new policy server interface is a simple sockets-based API for getting a chance to participate in the SMTP conversation as it is happening. The basic idea is:

    • tell your Postfix config file (main.cf) that you've written a "policy server" that listens on a particular Unix socket or TCP address/port. You can have the policy server get "called" at any of the points in the SMTP conversation where Postfix may make a decision about how to dispose of the message (HELO, RCPT, etc.).
    • write your policy server. It listens for connections, and each connection sends you one or more requests. Each request contains a small set of information about the mail message being transmitted (client name/address, HELO text, etc.) Your server responds with one of a broad set of actions that Postfix supports (reject, accept, defer, perform other custom checks, etc.).
    • The protocol for talking to your server is a simple text-based protocol with newlines, much like the form of HTTP. I coded an initial policy server in good ol' C in about an hour.
    In particular, this new API is a great place to implement greylisting. Your server can maintain its database of whitelisted and greylisted from/to/IP triplets all on its own and just respond to Postfix requests. And, once you've coded up your policy server, you don't have to revise it with every Postfix patch that comes down the pike. As long as the API remains backwardly compatible, your policy server code should survive any Postfix upgrades.

    Kudos to the new policy server API!
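
The policy protocol described in the comment above, as an added example that is not part of the original post and not Postfix's own code: a minimal greylisting policy server in Python. The listening address, the 300-second delay and the in-memory triplet store are assumptions; the request attributes and the DUNNO / DEFER_IF_PERMIT actions are those of Postfix's policy delegation protocol.

```python
import socketserver
import time

GREYLIST_DELAY = 300   # seconds a new triplet must wait (assumed value)
first_seen = {}        # (client_address, sender, recipient) -> first-seen time
                       # in-memory only: a real deployment would persist and expire entries


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.partition("=")
        if sep:                                # ignore lines without '='
            attrs[name] = value
    return attrs


def decide(attrs, now=None):
    """Return the action for one request; greylist only at the RCPT stage."""
    now = time.time() if now is None else now
    if (attrs.get("request") != "smtpd_access_policy"
            or attrs.get("protocol_state") != "RCPT"):
        return "DUNNO"                         # no opinion, later restrictions decide
    triplet = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
    seen = first_seen.setdefault(triplet, now)
    if now - seen < GREYLIST_DELAY:
        return "DEFER_IF_PERMIT Greylisted, please retry later"
    return "DUNNO"                             # waited long enough; do not override other checks


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        lines = []
        for raw in self.rfile:                 # one connection may carry many requests
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            action = decide(parse_request(lines))   # an empty line ends the request
            self.wfile.write(f"action={action}\n\n".encode())
            lines = []


if __name__ == "__main__":
    # main.cf side (assumed address): check_policy_service inet:127.0.0.1:9998
    with socketserver.ThreadingTCPServer(("127.0.0.1", 9998), PolicyHandler) as srv:
        srv.serve_forever()
```

Returning DUNNO rather than OK once a triplet has aged keeps the policy server from overriding whatever restrictions follow it in the Postfix configuration.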

    • by dmeranda (120061) on Friday April 23, 2004 @12:35PM (#8951267) Homepage
      It's great to see this feature added! I've been using sendmail's milter feature (a very similar sockets-based "policy" API) for many years. And I can't live without it now, and there was no way I would even consider looking at any other MTA that didn't have a similar feature. I program my milters in Python, a bit easier than C. But you should have your choice.

      Of course I'm one of those very happy sendmail administrators (we do exist), and I have a relatively complex setup handling hundreds of thousands of messages per day, with very complex routing, etc. But perhaps Postfix is finally serious about providing an alternative (of course I also need TLS and IPv6 built-in like sendmail's had forever).
  • by Anonymous Coward on Friday April 23, 2004 @12:09PM (#8950924)
    The latest version of an application... how about including a link to the release notes / changelog. No point in upgrading if you don't know the changes - RELEASE_NOTES [postfix.org]
  • by wfolta (603698) on Friday April 23, 2004 @12:56PM (#8951506)
    A pleasant surprise in the 10.3 was the adoption of Postfix. It's good to see that they apparently made a good choice and good things are happening on the Postfix front.

    (I had been rooting for exim, which is also a great package, but Postfix seems to be a good alternative. Maybe they should also include exim on XServe's?)
