Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread MJ Ray
Osamu Aoki <[EMAIL PROTECTED]> wrote:
> Instead of removing data on you, it may be interesting to edit the
> following text to provide information on you and also add section on why
> you think exim is better as note on wiki.
> > >  http://wiki.debian.org/DefaultMTA

There is no link to edit that page.  IIRC, if I do some combination of
reconfiguring the web browser, making Yet Another Login, sacrificing a
kitten and wrapping this building in silly putty, then it appears, but
it's simpler to send email than edit the wiki.  You could add this
thread http://lists.debian.org/debian-devel/2007/11/msg00350.html to
"ML Discussion" if you're set up for editing it.

(BTW, your message-ids are @localhost - MTA config OK? ;-> )

Regards,
-- 
MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 -
Webmaster-developer, statistician, sysadmin, online shop builder,
consumer and workers co-operative member http://www.ttllp.co.uk/ -
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread Michael Alan Dorman
On Fri, 16 Nov 2007 10:36:06 +
MJ Ray <[EMAIL PROTECTED]> wrote:

> 1. it doesn't seem to have as many anti-spam possibilities as Exim -
> there's postgrey for greylisting, but how can I tarpit RBL matches and
> other offences?

A quick 'apt-cache search postfix' lists a number of different policy
daemons, one of which might do what you want out of the box.  Add in
the recent support for the sendmail milter interface, and I would be
surprised if you couldn't find something appropriate.

Still, if not...well, I wrote an event-driven postfix policy daemon in
perl using POE that's able to handle > 100 queries/second on consumer
hardware in a few dozen lines of code.

> 2. when an email that I'm forwarding (due to /etc/aliases or a
> .forward or whatever) comes in, can I start trying to send it straight
> out and SMTP-reject it if the remote host doesn't want it?  My only
> production postfix server generates some blowback from joe-jobs if
> users forward mail to a more restrictive host, which I think is a
> serious problem.

I believe http://www.postfix.org/ADDRESS_VERIFICATION_README.html
details the facility you're looking for.

Mike.
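
An added example, not code from this thread: a small event-driven policy daemon for Postfix's policy delegation protocol, written with Python asyncio rather than the Perl/POE daemon mentioned above (whose code is not on this page). The suspect-client set, the delay and the REJECT text are assumptions; a delayed reply holds up only the SMTP session that asked, not other queries.

```python
import asyncio
import time

# Assumption: stand-in for "client matched an RBL"; a real daemon would do
# the DNS lookup or consult its own reputation store here.
SUSPECT_CLIENTS = {"192.0.2.66"}
TARPIT_SECONDS = 0.3  # short so the demo runs quickly

# Constructed request in the name=value format smtpd sends to a policy service.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address={addr}\n"
    "recipient=user@example.net\n"
    "\n"
)


def parse_request(block):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in block.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:  # skip malformed lines that have no '='
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return (delay_seconds, access(5) action) for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return 0.0, "DUNNO"
    if attrs.get("client_address") in SUSPECT_CLIENTS:
        return TARPIT_SECONDS, "REJECT client listed locally"
    return 0.0, "DUNNO"


async def answer(attrs):
    """Build the reply; a delay suspends this coroutine only."""
    delay, action = decide(attrs)
    if delay:
        await asyncio.sleep(delay)
    return f"action={action}\n\n"


async def handle(reader, writer):
    """Serve one smtpd connection; pass this to asyncio.start_server()."""
    try:
        while True:
            block = await reader.readuntil(b"\n\n")
            reply = await answer(parse_request(block.decode("utf-8", "replace")))
            writer.write(reply.encode())
            await writer.drain()
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError, ConnectionError):
        pass  # smtpd went away or sent an oversized request
    finally:
        writer.close()


async def demo():
    """Ask about a suspect and a clean client at once; return (reply, seconds) pairs."""
    async def timed(addr):
        start = time.monotonic()
        reply = await answer(parse_request(SAMPLE.format(addr=addr)))
        return reply, time.monotonic() - start
    return await asyncio.gather(timed("192.0.2.66"), timed("198.51.100.7"))


if __name__ == "__main__":
    for reply, secs in asyncio.run(demo()):
        print(f"{secs:.2f}s  {reply.strip()}")
```

Each delayed reply still ties up one smtpd process for the duration, so the delay has to stay below smtpd's policy service timeout.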





Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread Bernd Zeimetz

> 1. it doesn't seem to have as many anti-spam possibilities as Exim -
> there's postgrey for greylisting, but how can I tarpit RBL matches and
> other offences?

Look at policyd-weight, for example.

> 
> 2. when an email that I'm forwarding (due to /etc/aliases or a
> .forward or whatever) comes in, can I start trying to send it straight
> out and SMTP-reject it if the remote host doesn't want it?  My only
> production postfix server generates some blowback from joe-jobs if
> users forward mail to a more restrictive host, which I think is a
> serious problem.


Definitely not a feature I'm missing. I hope exim caches the reply from
the final MX for some time, otherwise this sounds like a good way to run
a DOS attack.

-- 
Bernd Zeimetz
<[EMAIL PROTECTED]> 





Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread Osamu Aoki
Just to be sure...

I am running postfix now just to find out the same questions you have...

I see no practical reason to run postfix on desktop machine now except
if postfix is something you are very familiar with...  As you might have
expected, Manoj who is one of the best DD and wants to package
everything without debhelper seems to be running sendmail on his desktop
machine.  I am not taking this data to say we should follow him.  This
data was meant to give some objective status view.  

Just because popcon says exim4 is the one everyone is running, it is not
the whole truth.  That is the context of my survey.

Instead of removing data on you, it may be interesting to edit the
following text to provide information on you and also add section on why
you think exim is better as note on wiki.


Please edit text as you wish... and correct English of mine :-)

Let me comment on your comment as below
On Fri, Nov 16, 2007 at 10:36:06AM +, MJ Ray wrote:
> Osamu Aoki <[EMAIL PROTECTED]> wrote:
> > After seeing recent post(*) on the default MTA issue, I did some
> > research and experiment on MTAs.  They are summarized at:
> >  http://wiki.debian.org/DefaultMTA
> 
> Although I am identified as running Postfix there, that was installed
> as a test a while ago.  Most of my upstream servers (including those
> which I control) run Exim and I will probably switch nail back to Exim
> on next upgrade.  There are problems with Postfix that I just haven't
> figured out and cause me problems:

Me too.  

> 1. it doesn't seem to have as many anti-spam possibilities as Exim -
> there's postgrey for greylisting, but how can I tarpit RBL matches and
> other offences?
> 
> 2. when an email that I'm forwarding (due to /etc/aliases or a
> .forward or whatever) comes in, can I start trying to send it straight
> out and SMTP-reject it if the remote host doesn't want it?  My only
> production postfix server generates some blowback from joe-jobs if
> users forward mail to a more restrictive host, which I think is a
> serious problem.
> 
> I'd love to know if the above are solved problems whose solutions I've
> not found.  Otherwise, you may want to discount my appearance on
> http://wiki.debian.org/DefaultMTA as that Postfix won't last.

Please list possible issues with postfix there.  This will make exim4
position better.

For me, exim4 is better:
 * less memory on run time
 * mailname is implemented as expected by the policy.

Osamu





Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread MJ Ray
Osamu Aoki <[EMAIL PROTECTED]> wrote:
> After seeing recent post(*) on the default MTA issue, I did some
> research and experiment on MTAs.  They are summarized at:
>  http://wiki.debian.org/DefaultMTA

Although I am identified as running Postfix there, that was installed
as a test a while ago.  Most of my upstream servers (including those
which I control) run Exim and I will probably switch nail back to Exim
on next upgrade.  There are problems with Postfix that I just haven't
figured out and cause me problems:

1. it doesn't seem to have as many anti-spam possibilities as Exim -
there's postgrey for greylisting, but how can I tarpit RBL matches and
other offences?

2. when an email that I'm forwarding (due to /etc/aliases or a
.forward or whatever) comes in, can I start trying to send it straight
out and SMTP-reject it if the remote host doesn't want it?  My only
production postfix server generates some blowback from joe-jobs if
users forward mail to a more restrictive host, which I think is a
serious problem.

I'd love to know if the above are solved problems whose solutions I've
not found.  Otherwise, you may want to discount my appearance on
http://wiki.debian.org/DefaultMTA as that Postfix won't last.

Best wishes,
-- 
MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 -
Webmaster-developer, statistician, sysadmin, online shop builder,
consumer and workers co-operative member http://www.ttllp.co.uk/ -
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/





Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread MJ Ray
Michael Alan Dorman <[EMAIL PROTECTED]> wrote: [...]
> Still, if not...well, I wrote an event-driven postfix policy daemon in
> perl using POE that's able to handle > 100 queries/second on consumer
> hardware in a few dozen lines of code.

Thanks for the pointers.  Can a policy server delay an incoming mail?
I suspect that sleeping in the perl would delay all incoming mail and
there's no access(5) response like Exim's delay, else I could do it
another way.  How can it be done?  (I want to increase the connection
cost to maybe-spammers of sending to my postfix...)

> MJ Ray <[EMAIL PROTECTED]> wrote:
> > 2. when an email that I'm forwarding (due to /etc/aliases or a
> > .forward or whatever) comes in, can I start trying to send it straight
> > out and SMTP-reject it if the remote host doesn't want it?  [...]
>
> I believe http://www.postfix.org/ADDRESS_VERIFICATION_README.html
> details the facility you're looking for.

I don't believe it does.  I don't want to verify the recipient address
- I want to try delivering the redirected mail and avoid being left
holding the baby if the destination MX doesn't want it or is MIA.

About Bernd Zeimetz's comment: I think it's not a way to DoS any more
than delivering directly to the destination MX is a way to DoS.
Sending hosts generally can't tell that the message is being
redirected and they'd be caught in neg-exp rate limits for trying to
send too much bad mail before it becomes a DoS on most hosts, as well
as whatever the target MX is doing.  Even so, redirecting mail is
discouraged because it increases the number of links in the chain.

Thanks for the comments,
-- 
MJ Ray http://mjr.towers.org.uk/email.html tel:+44-844-4437-237 -
Webmaster-developer, statistician, sysadmin, online shop builder,
consumer and workers co-operative member http://www.ttllp.co.uk/ -
Writing on koha, debian, sat TV, Kewstoke http://mjr.towers.org.uk/





Re: MTA comparison (postfix, exim4, ...)

2007-11-16 Thread Michael Alan Dorman
On Sat, 17 Nov 2007 00:31:17 +
MJ Ray <[EMAIL PROTECTED]> wrote:

> Thanks for the pointers.  Can a policy server delay an incoming mail?
> I suspect that sleeping in the perl would delay all incoming mail and
> there's no access(5) response like Exim's delay, else I could do it
> another way.  How can it be done?  (I want to increase the connection
> cost to maybe-spammers of sending to my postfix...)

Well, you could write one that would handle the delay itself---slowing
its response to policy inquiries at various points---but that seems
like a bit of a rathole to start down.  The data management necessary
to do that with a non-blocking daemon would be easy to get subtly
wrong.  Subtly wrong and MTAs are a poor mix.

H.

You could play with the tarpit controls that smtpd has ('man smtpd'
look for TARPIT), and set the limits so low that tarpiting would kick
in immediately.  That might produce the result you're looking for.  It
feels a _little_ hacky, but not totally so.

You could bug Wietse for an access(5) response that would cause those to
kick in---given that there are tarpit controls, the infrastructure is
obviously in there somewhere, you just need a button to push to
activate the mechanism---but that would obviously be a longer-term
solution.

I am personally skeptical of the value of tarpiting such hosts since
these days so many spam machines are zombies and the supply seems nigh
infinite---it seems like you're courting running your own host out of
resources, since each open connection does incur some cost, and the
real solution is to sever the connection the moment you know it's
crap---but if you really want it, I'm not sure postfix is your ideal
MTA.

> I don't believe it does.  I don't want to verify the recipient address
> - I want to try delivering the redirected mail and avoid being left
> holding the baby if the destination MX doesn't want it or is MIA.

Hrm, you're right, it only does about half what you want---it won't
accept a mail unless it knows it can pass it on to that recipient, but
if there are other factors about the particular mail that would cause
the final destination to deny it, it's not gonna ferret those out.

I don't know of any pre-queue mechanism for doing exactly what you
want.  The fact is, postfix wants to be fast, but even more,
it wants to be robust, so it was designed pretty much from the ground
up to get things to stable storage first and foremost.  Things that
work pre-queue are newer, and consequently less comprehensive in
capabilities.

My solution for the blowback stuff was, simply, to write a perl script
to parse through the mailq output and delete the messages that were
obviously crap.  I handle a couple of million messages a day through
postfix, relaying for several hundred small domains, and even when one
of those domains gets joe-jobbed, my queue cleaner (which is very
conservative) makes sure I don't have to deal with a bunch of crap.

Mike.
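
An added example, not the queue cleaner described above (its code and rules are not on this page): a Python sketch that parses mailq output and lists the queue IDs of deferred bounces that look undeliverable. The queue listing is constructed, and the rule for what counts as cleanable is an assumption.

```python
import re

# Constructed sample in the layout printed by mailq / postqueue -p.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A91C0D7     2310 Fri Nov 16 09:12:44  MAILER-DAEMON
(host mx.example.net[192.0.2.25] said: 450 4.1.1 <x9k2@example.net>: user unknown (in reply to RCPT TO command))
                                         x9k2@example.net

7B11C04E2A*    1804 Fri Nov 16 09:13:02  MAILER-DAEMON
                                         alice@example.org

9D40AA13F5     5120 Fri Nov 16 09:14:30  bob@example.com
(connect to mail.example.org[198.51.100.9]:25: Connection timed out)
                                         carol@example.org

C2E7705B91     2290 Fri Nov 16 09:15:10  MAILER-DAEMON
(connect to mx.example.net[192.0.2.25]:25: Connection refused)
                                         q7w1@example.net
                                         zz03@example.net

-- 11 Kbytes in 4 Requests.
"""

# Entry header: queue ID, optional * (active) or ! (hold), size, arrival, sender.
HEADER = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+)(?P<flag>[*!]?)\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d)\s+(?P<sender>\S+)$"
)

# Assumption: deferral reasons treated as "will never deliver".
DEAD_END = re.compile(
    r"user unknown|connection refused|host or domain name not found", re.I)


def parse_mailq(text):
    """Return one dict per queue entry with its (recipient, reason) pairs."""
    entries, current, reason = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"qid": m["qid"], "flag": m["flag"],
                       "sender": m["sender"], "recipients": []}
            entries.append(current)
            reason = None
        elif not line.strip():
            current = None                      # blank line ends the entry
        elif current is not None and line.startswith("("):
            reason = line.strip()[1:-1]         # applies to recipients below
        elif current is not None and line[0].isspace():
            current["recipients"].append((line.strip(), reason))
    return entries


def cleanup_candidates(entries):
    """Queue IDs of bounces that are idle and deferred for a dead-end reason."""
    out = []
    for e in entries:
        is_bounce = e["sender"] == "MAILER-DAEMON"
        idle = e["flag"] == ""                  # not being delivered or held
        hopeless = bool(e["recipients"]) and all(
            r is not None and DEAD_END.search(r) for _, r in e["recipients"])
        if is_bounce and idle and hopeless:
            out.append(e["qid"])
    return out


if __name__ == "__main__":
    print("\n".join(cleanup_candidates(parse_mailq(SAMPLE_MAILQ))))
```

After review, the printed IDs can be fed to `postsuper -d -`, which reads queue IDs from standard input.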





Re: MTA comparison (postfix, exim4, ...)

2007-11-17 Thread Florian Weimer
* MJ Ray:

>> I believe http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>> details the facility you're looking for.
>
> I don't believe it does.  I don't want to verify the recipient address
> - I want to try delivering the redirected mail and avoid being left
> holding the baby if the destination MX doesn't want it or is MIA.

I didn't know that Exim 4 supports cut-through forwarding.  How do you
enable this feature?





Re: MTA comparison (postfix, exim4, ...)

2007-11-19 Thread Manoj Srivastava
On Sat, 17 Nov 2007 01:44:51 +0900, Osamu Aoki <[EMAIL PROTECTED]> said: 

> Just to be sure...  I am running postfix now just to find out the same
> questions you have...

> I see no practical reason to run postfix on desktop machine now except
> if postfix is something you are very familiar with...  As you might
> have expected, Manoj who is one of the best DD and wants to package
> everything without debhelper seems to be running sendmail on his
> desktop machine.  I am not taking this data to say we should follow
> him.  This data was meant to give some objective status view.

While I am flattered (and somewhat embarrassed) by the
 accolade, I strongly agree with the assessment that I am far from the
 typical user, and I should very likely not be emulated in this area.

I run sendmail since I have long paid my dues in sendmail.cf;
 and since sendmail can do everything I ever want an MTA to do, this
 level of comfort has come from  long hours of blood and sweat and
 tears, and not everyone can spend the time required to learn the
 intricacies of sendmail's config language.

I do think, however, that the sentiment that sendmail is much
 worse for security might be something that needs to be reviewed; today's
 sendmail is not the sendmail of yore.  It has undergone a refactoring,
 and now implements privilege separation  (which is something that
 postfix pioneered).

manoj
-- 
A lost ounce of gold may be found, a lost moment of time never.
Manoj Srivastava <[EMAIL PROTECTED]>   
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C





Re: MTA comparison (postfix, exim4, ...)

2007-11-19 Thread Miles Bader
Osamu Aoki <[EMAIL PROTECTED]> writes:
> For me, exim4 is better:
>  * less memory on run time
>  * mailname is implemented as expected by the policy.

Postfix has a reputation for being faster and more secure than exim.

Why is it worth worrying about, though?  Are the differences between exim
and postfix really great enough to matter for typical use?!?

[If you're a high-volume mail site, of course, you will care about the
difference, but then you should be doing your own analysis...]

-Miles
-- 
My books focus on timeless truths.  -- Donald Knuth





Re: MTA comparison (postfix, exim4, ...)

2007-11-20 Thread Henrique de Moraes Holschuh
On Tue, 20 Nov 2007, Miles Bader wrote:
> Why is it worth worrying about, though?  Are the differences between exim
> and postfix really great enough to matter for typical use?!?

No, they are not.  And I speak this as a Postfix user (I replace exim with
postfix in every box I use or admin, and all central MTAs I admin are
postfix).

Most users only need a proper forwarding MTA, and Debian already made it
sane to setup such a thing with either postfix or exim a long time ago.

> [If you're a high-volume mail site, of course, you will care about the
> difference, but then you should be doing your own analysis...]

Indeed.  Exim is supposed to be better (faster or less resource-intensive)
than postfix for some workloads, and obviously the inverse would also be
true.

But the old sysadmin maxim of "all things being nearly the same, do use
what you know best how to operate and configure" is what really should drive
one to choose between exim and postfix (and apparently, sendmail), IMO.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: MTA comparison (postfix, exim4, ...)

2007-11-23 Thread Florian Weimer
* Miles Bader:

> Postfix has a reputation for being faster and more secure than exim.

Nowadays, the Postfix code base is larger than the Exim code base.

> Why is it worth worrying about, though?  Are the differences between exim
> and postfix really great enough to matter for typical use?!?

"/usr/sbin/exim4 -bt" or even "/usr/sbin/exim4 -d+all -bt" can be a real
lifesaver if you need to figure out what's going on.  Older versions of
Postfix lacked -bt support (I just had a brief encounter with 2.0 on a
customer machine *shivers*), partly due to its non-monolithic design.
If this has improved (and the documentation seems to suggest that, but I
couldn't test it yet), I see no practical problems with using Postfix
instead of Exim in most environments--and vice versa, of course.

Personally, what made me stick to Exim so far is the ability to
configure retry behavior on a per-domain basis.  One of my mail servers
delivers mail to some hosts which are reachable only intermittently, and
I've set a lower retry value for these domains.  With Postfix, I'd have
to configure ETRN on the receivers instead, I guess.  But this kind of
setup is somewhat unusual.





Re: MTA comparison (postfix, exim4, ...)

2007-11-23 Thread Florian Weimer
* Henrique de Moraes Holschuh:

> On Fri, 23 Nov 2007, Florian Weimer wrote:
>> Personally, what made me stick to Exim so far is the ability to
>> configure retry behavior on a per-domain basis.  One of my mail servers
>
> Postfix does that too.  You direct the domains to a different transport, and
> setup that transport with whichever parameters you want.

I don't think you can specify a transport-specific retry time.  Retry
times are global, and there's just one queue manager.  A specific
configuration example would be helpful.





Re: MTA comparison (postfix, exim4, ...)

2007-11-23 Thread Henrique de Moraes Holschuh
On Fri, 23 Nov 2007, Florian Weimer wrote:
> Personally, what made me stick to Exim so far is the ability to
> configure retry behavior on a per-domain basis.  One of my mail servers

Postfix does that too.  You direct the domains to a different transport, and
setup that transport with whichever parameters you want.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





Re: MTA comparison (postfix, exim4, ...)

2007-11-24 Thread Henrique de Moraes Holschuh
On Fri, 23 Nov 2007, Florian Weimer wrote:
> > On Fri, 23 Nov 2007, Florian Weimer wrote:
> >> Personally, what made me stick to Exim so far is the ability to
> >> configure retry behavior on a per-domain basis.  One of my mail servers
> >
> > Postfix does that too.  You direct the domains to a different transport, and
> > setup that transport with whichever parameters you want.
> 
> I don't think you can specify a transport-specific retry time.  Retry
> times are global, and there's just one queue manager.  A specific
> configuration example would be helpful.

Oops, you're correct. What you can do is: subscribe the relevant domains to
the fast flush service, and using a crontab, flush the domains you want
using postqueue -s.

It is almost the same as an ETRN, as it was said previously in this thread.
My bad.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh





MTA religious wars (was: Re: MTA comparison (postfix, exim4, ...))

2007-11-20 Thread Wouter Verhelst
On Tue, Nov 20, 2007 at 03:41:20PM +0900, Miles Bader wrote:
> Postfix has a reputation for being faster and more secure than exim.

When talking about security, exim doesn't exactly have a horribly bad
track record. It's not qmail, but then I wouldn't *want* to use qmail
for other reasons.

> Why is it worth worrying about, though?  Are the differences between exim
> and postfix really great enough to matter for typical use?!?

If flexibility matters (and I think it does, even in "typical use",
which is a myth):

A fair while back (January 2006), a customer asked me to configure a new
system using postfix in such a way that it'd do some fairly complex
things (LDAP lookups and virtual users, amongst others).

As an exim fanboy, I have to admit that I found postfix much more
contrived at the time. For instance, it was easy to do a virtual users
setup, and it was fairly easy to do an LDAP setup; but the postfix
subsystem that one needed to use to do virtual users had a totally
different idea about how LDAP works than did the rest of the system,
requiring me to jump through a number of hoops and create a few ugly
hacks to even make it possible (eventually I got it to work, but it took
much longer than expected, and almost nobody on mailinglists or IRC
channels could explain to me how to do it).

In exim, by contrast, "lookups" are done using "string expansion", and
string expansion can be done almost everywhere in the exim configuration
file; the lookups can even be nested. This makes exim much more
flexible; if you were insane, you could even perform a lookup in a file
to find the name of another file containing the value of the primary of
a database tuple in which to look up the URL of the LDAP directory to
find the location of the Maildir in which to store the current email[1].

Of course nobody in their right mind would do such a thing for a
production server, but the point is that it's possible because of the
flexibility given by exim's string expansion system; it appeared to me
that postfix doesn't have this flexibility.

[1] As in this transport:

insane_local_delivery:
  driver = appendfile
  directory = ${lookup ldap{
    ${lookup pgsql{select url from ldapuris where id=
      ${readfile{
        ${lookup{$local_part}lsearch{/etc/primary-keys}}
      }{}}
    }{$value}}
  }}
  maildir_format

-- 
 Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22

