Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 4/26/12 10:53 PM, Christopher Chan wrote: On Thursday, April 26, 2012 08:30 PM, Gary Gendel wrote: On 4/26/12 5:01 AM, Christopher Chan wrote: On 26/04/12 12:17 AM, Gary Gendel wrote: That isn't what spamdyke is trying to accomplish here. This checks to see if the sender is trying to spoof the MTA. What spamdyke is trying to do is to blacklist emails based upon the ip address embedded in the sending domain name. For example: If I get mail from 208.1.48.3 and it's reverse domain lookup resolves to customer.208.001_48.3.sample.com and sample.com is on my list it is blocked. Again, it's available with the following configuration parameter: check_reverse_client_hostname_access type:table Table should have key sample.com and RHS = REJECT, blah Table details: http://www.postfix.org/access.5.html Chris, I'm still unclear on how to do this. How could you write a regular express to check to see if the connecting ip address is buried in the reverse dns lookup. In my example, spamdyke would reject customer.208.001_48.3.sample.com, but customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA. This prevents rejecting reverse dns names with strings of arbitrary numbers in them. Gary, I am sorry, but things are a bit unclear here. Is it don't block misconfigured clients but do block clients with proper rdns in this domain? What do you mean by customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA? That customer.108.001_48.3.sample.com A would not map back to the ip of server whose PTR record points to customer.108.001_48.3.sample.com? This is the scenario... I get a connection from ip address 1.2.3.4. The reverse DNS lookup returns foo.001_002-3_4.example.com. If I have .example.com in an ip-in-rdns-keyword-blacklist option list, spamdyke will scan the reverse domain looking for the ip address in the reverse domain list, find it, and reject the mail. Notice that it does a contextual scan so it recognizes that 001 is the same as 1, the elements can be separated by various symbols, etc. Now, if I have a connection 1.2.3.4 and the reverse DNS lookup returns foo.43.1.23.4.example.com spamdyke will let that pass since the specific ip address would not be found. All I was saying is that using regular expressions, I can't see how you could do this distinction. The worst case would be if I did something draconian like putting .net on the list. Regular expressions would reject anything with the appropriate sequence of arbitrary numbers and punctuation whereas Spamdyke would limit it to an sequence that matches the sending ip. Spamdyke has a option to automatically do this for domains that end in country codes. A regular expression would be overly optimistic and potentially reject a lot of good sending MTAs. I also have a honeypot set up. Any email that is received by that does some analysis and automatically puts it in a spamdyke blacklist, where it will remain as long as it isn't renewed (sent to the honeypot) before an expiration time is met. I have built up a lot of infrastructure using spamdyke that gives me a superior spam rejection with no reported false positives. Bottom line is that I'm not ready to lose this capability until I have a replacement for spamdyke's menu of options, ease of configuration and performance. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 26/04/12 12:17 AM, Gary Gendel wrote: That isn't what spamdyke is trying to accomplish here. This checks to see if the sender is trying to spoof the MTA. What spamdyke is trying to do is to blacklist emails based upon the ip address embedded in the sending domain name. For example: If I get mail from 208.1.48.3 and it's reverse domain lookup resolves to customer.208.001_48.3.sample.com and sample.com is on my list it is blocked. Again, it's available with the following configuration parameter: check_reverse_client_hostname_access type:table Table should have key sample.com and RHS = REJECT, blah Table details: http://www.postfix.org/access.5.html ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 4/26/12 5:01 AM, Christopher Chan wrote: On 26/04/12 12:17 AM, Gary Gendel wrote: That isn't what spamdyke is trying to accomplish here. This checks to see if the sender is trying to spoof the MTA. What spamdyke is trying to do is to blacklist emails based upon the ip address embedded in the sending domain name. For example: If I get mail from 208.1.48.3 and it's reverse domain lookup resolves to customer.208.001_48.3.sample.com and sample.com is on my list it is blocked. Again, it's available with the following configuration parameter: check_reverse_client_hostname_access type:table Table should have key sample.com and RHS = REJECT, blah Table details: http://www.postfix.org/access.5.html Chris, I'm still unclear on how to do this. How could you write a regular express to check to see if the connecting ip address is buried in the reverse dns lookup. In my example, spamdyke would reject customer.208.001_48.3.sample.com, but customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA. This prevents rejecting reverse dns names with strings of arbitrary numbers in them. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 33 Date: Thu, Apr 26, 2012 In reply to: Gary Gendel g...@genashor.com Chris, I'm still unclear on how to do this. How could you write a regular express to check to see if the connecting ip address is buried in the reverse dns lookup. In my example, spamdyke would reject customer.208.001_48.3.sample.com, but customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA. This prevents rejecting reverse dns names with strings of arbitrary numbers in them. Gary Gary, is very simple, is maked, you don have to do nothing, just tell postfix do this add this to you main.cf smtpd_recipient_restrictions = reject_unknow_sender_domain Postfix will make a reverse lookup and if the domain not found, it will not allow get the mail. Also you can tell postfix who request to the remote server if that sender is a valid user, if it not exist i the remote server, the mail will not pass. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 4/26/12 11:54 AM, låzaro wrote: Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 33 Date: Thu, Apr 26, 2012 In reply to: Gary Gendelg...@genashor.com Chris, I'm still unclear on how to do this. How could you write a regular express to check to see if the connecting ip address is buried in the reverse dns lookup. In my example, spamdyke would reject customer.208.001_48.3.sample.com, but customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA. This prevents rejecting reverse dns names with strings of arbitrary numbers in them. Gary Gary, is very simple, is maked, you don have to do nothing, just tell postfix do this add this to you main.cf smtpd_recipient_restrictions = reject_unknow_sender_domain Postfix will make a reverse lookup and if the domain not found, it will not allow get the mail. This is a completely different check. In spamdyke this would be a poor-man's reject-missing-sender-mx option. I'm talking about the spamdyke ip-in-rdns-keyword-whitelist-file and ip-in-rdns-keyword-blacklist-file options which allow you to specify which domains you will or will not allow the connecting MTA's ip address to be embedded in. This catches a LOT of bot spam from ISPs that return this format for all the ip addresses that have no domain assigned. For example a bot in the comcast network may resolve to this: c-98-221-123-33.hsl1.nj.comcast.net So I can just add .comcast.net to my ip-in-rdns-keyword-blacklist-file file and any bot from the comcast.net domain will be rejected. It's a very directed search as it won't reject an arbitrary number string in the sequence and deals with comcast's use of various dot levels in the domain returned based upon the subnet. Also you can tell postfix who request to the remote server if that sender is a valid user, if it not exist i the remote server, the mail will not pass. This is a problematic thing to do as many servers do not support this functionality. I gave that approach up years ago because it adds delays for non-deterministic benefits. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
OUW! sorry my missunderstanding... here you are: smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/whitelist In the file: whitelist put this: some.domain.tld OK 200.55.136.18 OK Then run: postmap /etc/postfix/whitelist and finaly run postfix reload ;) Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 42 Date: Thu, Apr 26, 2012 In reply to: Gary Gendel g...@genashor.com Postfix will make a reverse lookup and if the domain not found, it will not allow get the mail. This is a completely different check. In spamdyke this would be a poor-man's reject-missing-sender-mx option. I'm talking about the spamdyke ip-in-rdns-keyword-whitelist-file and ip-in-rdns-keyword-blacklist-file options which allow you to specify which domains you will or will not allow the connecting MTA's ip address to be embedded in. This catches a LOT of bot spam from ISPs that return this format for all the ip addresses that have no domain assigned. For example a bot in the comcast network may resolve to this: c-98-221-123-33.hsl1.nj.comcast.net So I can just add .comcast.net to my ip-in-rdns-keyword-blacklist-file file and any bot from the comcast.net domain will be rejected. It's a very directed search as it won't reject an arbitrary number string in the sequence and deals with comcast's use of various dot levels in the domain returned based upon the subnet. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 42 Date: Thu, Apr 26, 2012 In reply to: Gary Gendel g...@genashor.com Also you can tell postfix who request to the remote server if that sender is a valid user, if it not exist i the remote server, the mail will not pass. This is a problematic thing to do as many servers do not support this functionality. I gave that approach up years ago because it adds delays for non-deterministic benefits. Gary sure.. that why I say also you can me to not use that... many servers here not work with it ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On Thu, Apr 26, 2012 at 9:25 AM, Gary Gendel g...@genashor.com wrote: This is a problematic thing to do as many servers do not support this functionality. I gave that approach up years ago because it adds delays for non-deterministic benefits. Yeah, it was widely switched off after spammers realized it was an easy way to find out which email addresses on their lists were valid... -- David Brodbeck System Administrator, Linguistics University of Washington ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On Thursday, April 26, 2012 08:30 PM, Gary Gendel wrote: On 4/26/12 5:01 AM, Christopher Chan wrote: On 26/04/12 12:17 AM, Gary Gendel wrote: That isn't what spamdyke is trying to accomplish here. This checks to see if the sender is trying to spoof the MTA. What spamdyke is trying to do is to blacklist emails based upon the ip address embedded in the sending domain name. For example: If I get mail from 208.1.48.3 and it's reverse domain lookup resolves to customer.208.001_48.3.sample.com and sample.com is on my list it is blocked. Again, it's available with the following configuration parameter: check_reverse_client_hostname_access type:table Table should have key sample.com and RHS = REJECT, blah Table details: http://www.postfix.org/access.5.html Chris, I'm still unclear on how to do this. How could you write a regular express to check to see if the connecting ip address is buried in the reverse dns lookup. In my example, spamdyke would reject customer.208.001_48.3.sample.com, but customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA. This prevents rejecting reverse dns names with strings of arbitrary numbers in them. Gary, I am sorry, but things are a bit unclear here. Is it don't block misconfigured clients but do block clients with proper rdns in this domain? What do you mean by customer.108.001_48.3.sample.com would not be rejected because it doesn't match the ip address of the sending MTA? That customer.108.001_48.3.sample.com A would not map back to the ip of server whose PTR record points to customer.108.001_48.3.sample.com? Christopher ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 24/04/12 09:30 PM, Gary Gendel wrote: The pipeline architecture of qmail has been instrumental at making third-party additions incredibly simple. You can easily plug in special debugging modules, and even tee off things so you can test new modules in parallel with real operations. Before spamdyke was available, I had developed a number of homebrew modules for spam analysis and control. That said, qmail isn't 100% sendmail compatible, so occasionally I ran into issues with unhandled sendmail options (until patched). I don't know whether postfix suffers from the same issue yet. postfix will be fine with sendmail options. postfix also support milters and you can use something like mimedefang to do the same although you will have write from scratch or go hunting. Since my Qmail based system does not inherently support IPV6 and would require significant patching I'm committed to move to Postfix before this becomes necessary. However, Postfix configuration is far more complex if you are someone that likes to understand the purpose of each option and it's impact to other options. I will also miss the simplicity of making a split-horizon caching DNS service via dnscache/tinydns when I need to go to IPV6 which is an important piece of any email system in a private networked LAN. postfix configuration is only complex because it offers more than qmail. If someone were to look at your setup, it would be complex for them too in the beginning. djbdns has a ipv6 patch available. Unless you need dnssec, i don't see why one needs to move off djbdns. But qmail or any patched ones is another story. Just the need to stop qmail-send to do any queue management is reason enough not to use qmail for incoming. Gary On 4/24/12 8:44 AM, låzaro wrote: anyway... postfix is the better today :D I saw using Qmail long time ago, I like it, but is obsolete Also, I have my compiled Qmail and configured just as personal email museum Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 17 Date: Tue, Apr 24, 2012 In reply to: Christopher Chanchristopher.c...@bradbury.edu.hk On Monday, April 23, 2012 08:44 PM, låzaro wrote: in Qmail, the security is patch-maked in postfix is by-design-maked NO, that is not accurate. security where it means anti-spam, DJB did not bother because as far as he is concerned, the way things are, things are just broken. Too bad his idea of how email should work never took off. So any anti-spam features are provided by THIRD-PARTIES. It is not 'patch-maked'. There is zero anti-spam. As for postfix, 'by-design-maked' just means Wietse put in the time to develop postfix unlike DJB who stopped in 1998. for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. There is a qmail fork that does both sql and ldap too. postfix is only better because its developer continued to work on the code and keep up with the times and he built a good reputation while at it. No qmail fork has ever managed that because of DJB's stand on licensing but now that qmail is public domain, maybe in the future one of these forks might. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 24/04/12 09:08 PM, Jonathan Adams wrote: Dovecot's take on Qmail (and other MTA's http://wiki.dovecot.org/MTA ) which states qmail is an obsolete and unmaintained server. Its POP3 part can be taken over by Dovecot. Qmail started off boasting about speed and security in the mid-1990s, but has lots of unfixed bugs (this document includes patches where known), among them security bugs that remain unfixed, and the security guarantee (500 USD) denied. If you really intend to continue using it, read Dave Sill's Life with qmail which contains instructions to work around some of qmail's security issues. DJB coughed up the goods for the dnscache security hole. The qmail-smtpd one is rather contrived (read: only 'demonstrated' in a very particular setup with a particular compiler on a particular operating system) and most probably never going to see the light of day. The only fair comment there is 'obsolete and unmaintained'. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Chris, I've replaced my qmail chain for SASL delivery with postfix. It took me a few rounds to get all the bits I needed working, but I'm good with the results. The non-SASL chain will be a big nut to crack. There are a lot of useful spam features in spamdyke that I haven't found an equivalent for in postfix. For example, spamdyke can find an ip address buried in the fqdn and check if it matches the sending MTA's ip address. This can be done for the domains you specify. I have the one spamdyke option turned on to do this against all country code domains. I also have a list of about 60 other domains to do this against. If it weren't for spamdyke, I wouldn't have an issue but Sam Clippinger did an impressive job at making an open source anti-spam tool specifcally for qmail that beats anything else I've seen. As for the dot-qmail stuff. I've moved away from that quite awhile ago except for my mailing lists which I don't have a problem shutting down. Gary On 4/25/12 10:42 AM, Christopher Chan wrote: On 24/04/12 09:30 PM, Gary Gendel wrote: The pipeline architecture of qmail has been instrumental at making third-party additions incredibly simple. You can easily plug in special debugging modules, and even tee off things so you can test new modules in parallel with real operations. Before spamdyke was available, I had developed a number of homebrew modules for spam analysis and control. That said, qmail isn't 100% sendmail compatible, so occasionally I ran into issues with unhandled sendmail options (until patched). I don't know whether postfix suffers from the same issue yet. postfix will be fine with sendmail options. postfix also support milters and you can use something like mimedefang to do the same although you will have write from scratch or go hunting. Since my Qmail based system does not inherently support IPV6 and would require significant patching I'm committed to move to Postfix before this becomes necessary. However, Postfix configuration is far more complex if you are someone that likes to understand the purpose of each option and it's impact to other options. I will also miss the simplicity of making a split-horizon caching DNS service via dnscache/tinydns when I need to go to IPV6 which is an important piece of any email system in a private networked LAN. postfix configuration is only complex because it offers more than qmail. If someone were to look at your setup, it would be complex for them too in the beginning. djbdns has a ipv6 patch available. Unless you need dnssec, i don't see why one needs to move off djbdns. But qmail or any patched ones is another story. Just the need to stop qmail-send to do any queue management is reason enough not to use qmail for incoming. Gary On 4/24/12 8:44 AM, låzaro wrote: anyway... postfix is the better today :D I saw using Qmail long time ago, I like it, but is obsolete Also, I have my compiled Qmail and configured just as personal email museum Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 17 Date: Tue, Apr 24, 2012 In reply to: Christopher Chanchristopher.c...@bradbury.edu.hk On Monday, April 23, 2012 08:44 PM, låzaro wrote: in Qmail, the security is patch-maked in postfix is by-design-maked NO, that is not accurate. security where it means anti-spam, DJB did not bother because as far as he is concerned, the way things are, things are just broken. Too bad his idea of how email should work never took off. So any anti-spam features are provided by THIRD-PARTIES. It is not 'patch-maked'. There is zero anti-spam. As for postfix, 'by-design-maked' just means Wietse put in the time to develop postfix unlike DJB who stopped in 1998. for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. There is a qmail fork that does both sql and ldap too. postfix is only better because its developer continued to work on the code and keep up with the times and he built a good reputation while at it. No qmail fork has ever managed that because of DJB's stand on licensing but now that qmail is public domain, maybe in the future one of these forks might. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 25/04/12 11:06 PM, Gary Gendel wrote: Chris, I've replaced my qmail chain for SASL delivery with postfix. It took me a few rounds to get all the bits I needed working, but I'm good with the results. The non-SASL chain will be a big nut to crack. There are a lot of useful spam features in spamdyke that I haven't found an equivalent for in postfix. For example, spamdyke can find an ip address buried in the fqdn and check if it matches the sending MTA's ip address. This can be done for the domains you specify. I have the one spamdyke option turned on to do this against all country code domains. I also have a list of about 60 other domains to do this against. ...piece of cake... http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname That provides what you want to check fqdn-ip = client ip To restrict that check to specific domains, you can make use of restriction classes. http://www.postfix.org/RESTRICTION_CLASS_README.html If it weren't for spamdyke, I wouldn't have an issue but Sam Clippinger did an impressive job at making an open source anti-spam tool specifcally for qmail that beats anything else I've seen. I've only heard of spamdyke now (sorry, I got off the qmail for incoming/front line/first stage a long time ago) but there is mimedefang if postfix's own facilities are not good enough for you. As for the dot-qmail stuff. I've moved away from that quite awhile ago except for my mailing lists which I don't have a problem shutting down. Ah. I'm using dovecot's lda with sieve support. Postfix will happily use procmail, maildrop, dovecot lda, cyrus, whatever except qmail-local. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 4/25/12 11:38 AM, Christopher Chan wrote: On 25/04/12 11:06 PM, Gary Gendel wrote: Chris, I've replaced my qmail chain for SASL delivery with postfix. It took me a few rounds to get all the bits I needed working, but I'm good with the results. The non-SASL chain will be a big nut to crack. There are a lot of useful spam features in spamdyke that I haven't found an equivalent for in postfix. For example, spamdyke can find an ip address buried in the fqdn and check if it matches the sending MTA's ip address. This can be done for the domains you specify. I have the one spamdyke option turned on to do this against all country code domains. I also have a list of about 60 other domains to do this against. ...piece of cake... http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname That provides what you want to check fqdn-ip = client ip That isn't what spamdyke is trying to accomplish here. This checks to see if the sender is trying to spoof the MTA. What spamdyke is trying to do is to blacklist emails based upon the ip address embedded in the sending domain name. For example: If I get mail from 208.1.48.3 and it's reverse domain lookup resolves to customer.208.001_48.3.sample.com and sample.com is on my list it is blocked. Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
anyway... postfix is the better today :D I saw using Qmail long time ago, I like it, but is obsolete Also, I have my compiled Qmail and configured just as personal email museum Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 17 Date: Tue, Apr 24, 2012 In reply to: Christopher Chan christopher.c...@bradbury.edu.hk On Monday, April 23, 2012 08:44 PM, låzaro wrote: in Qmail, the security is patch-maked in postfix is by-design-maked NO, that is not accurate. security where it means anti-spam, DJB did not bother because as far as he is concerned, the way things are, things are just broken. Too bad his idea of how email should work never took off. So any anti-spam features are provided by THIRD-PARTIES. It is not 'patch-maked'. There is zero anti-spam. As for postfix, 'by-design-maked' just means Wietse put in the time to develop postfix unlike DJB who stopped in 1998. for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. There is a qmail fork that does both sql and ldap too. postfix is only better because its developer continued to work on the code and keep up with the times and he built a good reputation while at it. No qmail fork has ever managed that because of DJB's stand on licensing but now that qmail is public domain, maybe in the future one of these forks might. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Dovecot's take on Qmail (and other MTA's http://wiki.dovecot.org/MTA ) which states qmail is an obsolete and unmaintained server. Its POP3 part can be taken over by Dovecot. Qmail started off boasting about speed and security in the mid-1990s, but has lots of unfixed bugs (this document includes patches where known), among them security bugs that remain unfixed, and the security guarantee (500 USD) denied. If you really intend to continue using it, read Dave Sill's Life with qmail which contains instructions to work around some of qmail's security issues. On 24 April 2012 13:44, låzaro netad...@lex-sa.cu wrote: anyway... postfix is the better today :D I saw using Qmail long time ago, I like it, but is obsolete Also, I have my compiled Qmail and configured just as personal email museum Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 17 Date: Tue, Apr 24, 2012 In reply to: Christopher Chan christopher.c...@bradbury.edu.hk On Monday, April 23, 2012 08:44 PM, låzaro wrote: in Qmail, the security is patch-maked in postfix is by-design-maked NO, that is not accurate. security where it means anti-spam, DJB did not bother because as far as he is concerned, the way things are, things are just broken. Too bad his idea of how email should work never took off. So any anti-spam features are provided by THIRD-PARTIES. It is not 'patch-maked'. There is zero anti-spam. As for postfix, 'by-design-maked' just means Wietse put in the time to develop postfix unlike DJB who stopped in 1998. for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. There is a qmail fork that does both sql and ldap too. postfix is only better because its developer continued to work on the code and keep up with the times and he built a good reputation while at it. No qmail fork has ever managed that because of DJB's stand on licensing but now that qmail is public domain, maybe in the future one of these forks might. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss -- ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
With all this discussion about Postfix vs. Qmail, I started looking at what it would take to replace my Qmail installation with Postfix. I started looking at what it would take to replace spamdyke with postfix functionality. Most things have a direct correlation. One case so far, greylisting, requires running an independent email proxy for postfix where it is incorporated in spamdyke. I'm still working through the list but many of the configuration options need more detailed documentation or I'll have to work through the code to see exactly what it's trying to accomplish. For example, it took me quite awhile to dig out how postfix handles CIDR notation. The pipeline architecture of qmail has been instrumental at making third-party additions incredibly simple. You can easily plug in special debugging modules, and even tee off things so you can test new modules in parallel with real operations. Before spamdyke was available, I had developed a number of homebrew modules for spam analysis and control. That said, qmail isn't 100% sendmail compatible, so occasionally I ran into issues with unhandled sendmail options (until patched). I don't know whether postfix suffers from the same issue yet. Since my Qmail based system does not inherently support IPV6 and would require significant patching I'm committed to move to Postfix before this becomes necessary. However, Postfix configuration is far more complex if you are someone that likes to understand the purpose of each option and it's impact to other options. I will also miss the simplicity of making a split-horizon caching DNS service via dnscache/tinydns when I need to go to IPV6 which is an important piece of any email system in a private networked LAN. Gary On 4/24/12 8:44 AM, låzaro wrote: anyway... postfix is the better today :D I saw using Qmail long time ago, I like it, but is obsolete Also, I have my compiled Qmail and configured just as personal email museum Thread name: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Mail number: 17 Date: Tue, Apr 24, 2012 In reply to: Christopher Chanchristopher.c...@bradbury.edu.hk On Monday, April 23, 2012 08:44 PM, låzaro wrote: in Qmail, the security is patch-maked in postfix is by-design-maked NO, that is not accurate. security where it means anti-spam, DJB did not bother because as far as he is concerned, the way things are, things are just broken. Too bad his idea of how email should work never took off. So any anti-spam features are provided by THIRD-PARTIES. It is not 'patch-maked'. There is zero anti-spam. As for postfix, 'by-design-maked' just means Wietse put in the time to develop postfix unlike DJB who stopped in 1998. for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. There is a qmail fork that does both sql and ldap too. postfix is only better because its developer continued to work on the code and keep up with the times and he built a good reputation while at it. No qmail fork has ever managed that because of DJB's stand on licensing but now that qmail is public domain, maybe in the future one of these forks might. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
in Qmail, the security is patch-maked in postfix is by-design-maked for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. If need some help with postfix, can mail me to the private, postfix is my strong point. Greetings On Mon, 2012-04-23 at 08:00 +0800, Christopher Chan wrote: So are people up for netqmail, daemontools, djbdns packages? On Sunday, April 22, 2012 08:34 PM, Gary Gendel wrote: Which brings us back to qmail. I've been using it flawlessly starting on a Sparc IPC running SunOS before Postfix was a gleam in Wietse Venema's eye. The darn thing is rock solid, secure, lightweight, and fast. That said, I have nothing against Postfix other that I've never had a reason to look further than qmail. You did. That's why you are not running qmail-smtpd. Not even a patched qmail-smtpd. Yes, DJB designed qmail to be modular and using third-party modules is far game but using third-party modules already means it is not qmail. Stop deluding yourself. qmail's main problem has always been back-scatter due to lack of smtp time recipient checking not mention all the other host of things one needs/wants do before accepting message body data. You have looked beyond qmail and decided to stick with dot-qmail and other goodies and found yourself a qmail-smtpd replacement. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
I will take you up on that! On 2012-04-23 17:22, openindiana-discuss-requ...@openindiana.org wrote: Message: 2 Date: Mon, 23 Apr 2012 08:44:13 -0400 From: l?zaronetad...@lex-sa.cu To: Discussion list for OpenIndiana openindiana-discuss@openindiana.org Subject: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Message-ID:1335185053.1721.9.camel@localhost Content-Type: text/plain; charset=UTF-8 in Qmail, the security is patch-maked in postfix is by-design-maked for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. If need some help with postfix, can mail me to the private, postfix is my strong point. Greetings ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
I will take you up on that! done ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On Monday, April 23, 2012 08:44 PM, låzaro wrote: in Qmail, the security is patch-maked in postfix is by-design-maked NO, that is not accurate. security where it means anti-spam, DJB did not bother because as far as he is concerned, the way things are, things are just broken. Too bad his idea of how email should work never took off. So any anti-spam features are provided by THIRD-PARTIES. It is not 'patch-maked'. There is zero anti-spam. As for postfix, 'by-design-maked' just means Wietse put in the time to develop postfix unlike DJB who stopped in 1998. for example, smtp auth, SASL, TLS and soon. Also postfix is more modular. You can use it with someSQL LDAP and all thats cute things. There is a qmail fork that does both sql and ldap too. postfix is only better because its developer continued to work on the code and keep up with the times and he built a good reputation while at it. No qmail fork has ever managed that because of DJB's stand on licensing but now that qmail is public domain, maybe in the future one of these forks might. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 22/04/12 05:19 AM, Jonathan Adams wrote: you could always use Sendmail ... It's reliable, and flexible, if you can work out the configuration for it ... but Postfix is a damn sight easier to get working. people can still read sendmail rulesets? :p My biggest bug bears with Postfix are the inability to use sendmail -bv for testing aliases and the fact that a person in multiple aliases will get the email more than once e.g: I suspect postmap -q will do what you want. man postmap (if you have postfix) ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 22/04/12 12:50 AM, Magnus Hedemark wrote: If we're going out on limbs, Haraka might be worth a look. http://haraka.github.com/ One still needs a proper mta on a later stage with haraka if used for incoming... Sounds more like a smtp proxy with filtering/authentication capabilities. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Which brings us back to qmail. I've been using it flawlessly starting on a Sparc IPC running SunOS before Postfix was a gleam in Wietse Venema's eye. The darn thing is rock solid, secure, lightweight, and fast. That said, I have nothing against Postfix other that I've never had a reason to look further than qmail. Gary On 4/22/12 8:26 AM, Christopher Chan wrote: On 22/04/12 12:50 AM, Magnus Hedemark wrote: If we're going out on limbs, Haraka might be worth a look. http://haraka.github.com/ One still needs a proper mta on a later stage with haraka if used for incoming... Sounds more like a smtp proxy with filtering/authentication capabilities. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
For the most part, they don't need to any more. IMHO, during the Sendmail 8.8/8.9, or when ever the m4 macro compiler and .mc files got brought online, that event brought Sendmail up to speed on ease of configuration inline with its competitors. Jerry On 04/22/12 08:22, Christopher Chan wrote: On 22/04/12 05:19 AM, Jonathan Adams wrote: you could always use Sendmail ... It's reliable, and flexible, if you can work out the configuration for it ... but Postfix is a damn sight easier to get working. people can still read sendmail rulesets? :p ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 22/04/12 11:28 PM, Jerry Kemp wrote: For the most part, they don't need to any more. IMHO, during the Sendmail 8.8/8.9, or when ever the m4 macro compiler and .mc files got brought online, that event brought Sendmail up to speed on ease of configuration inline with its competitors. But where is the fun in that? Trying to debug, searching for that missing tab, jumping here and there following the rules, isn't that what it means to run sendmail? :D Jerry On 04/22/12 08:22, Christopher Chan wrote: On 22/04/12 05:19 AM, Jonathan Adams wrote: you could always use Sendmail ... It's reliable, and flexible, if you can work out the configuration for it ... but Postfix is a damn sight easier to get working. people can still read sendmail rulesets? :p ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
So are people up for netqmail, daemontools, djbdns packages? On Sunday, April 22, 2012 08:34 PM, Gary Gendel wrote: Which brings us back to qmail. I've been using it flawlessly starting on a Sparc IPC running SunOS before Postfix was a gleam in Wietse Venema's eye. The darn thing is rock solid, secure, lightweight, and fast. That said, I have nothing against Postfix other that I've never had a reason to look further than qmail. You did. That's why you are not running qmail-smtpd. Not even a patched qmail-smtpd. Yes, DJB designed qmail to be modular and using third-party modules is far game but using third-party modules already means it is not qmail. Stop deluding yourself. qmail's main problem has always been back-scatter due to lack of smtp time recipient checking not mention all the other host of things one needs/wants do before accepting message body data. You have looked beyond qmail and decided to stick with dot-qmail and other goodies and found yourself a qmail-smtpd replacement. Gary On 4/22/12 8:26 AM, Christopher Chan wrote: On 22/04/12 12:50 AM, Magnus Hedemark wrote: If we're going out on limbs, Haraka might be worth a look. http://haraka.github.com/ One still needs a proper mta on a later stage with haraka if used for incoming... Sounds more like a smtp proxy with filtering/authentication capabilities. ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
What MTA would you suggest? On 2012-04-20 14:40, openindiana-discuss-requ...@openindiana.org wrote: Message: 8 Date: Fri, 20 Apr 2012 09:00:03 +0800 From: Christopher Chan christopher.c...@bradbury.edu.hk To: openindiana-discuss@openindiana.org Subject: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Message-ID: 4f90b513.9080...@bradbury.edu.hk Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi Hans, May I ask why you would want to use qmail? It has pretty weak anti-spam facilities, if at all, and so would not really be an mta you want for incoming use. If you only want to use it for outgoing then I can understand. Christopher On Friday, April 20, 2012 03:40 AM, Hans J. Albertsson wrote: I'm considering setting up qmail rather than sendmail or postfix on my openindiana 151-a3 systems. Is there a ready-made package available for openindiana or must I compile it from scratch? Will Qmail integrate well with Webmin, or even at all? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Postfix. Sent from my typewriter On Apr 21, 2012, at 9:19 AM, Hans J. Albertsson hans.j.alberts...@branneriet.se wrote: What MTA would you suggest? On 2012-04-20 14:40, openindiana-discuss-requ...@openindiana.org wrote: Message: 8 Date: Fri, 20 Apr 2012 09:00:03 +0800 From: Christopher Chan christopher.c...@bradbury.edu.hk To: openindiana-discuss@openindiana.org Subject: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Message-ID: 4f90b513.9080...@bradbury.edu.hk Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi Hans, May I ask why you would want to use qmail? It has pretty weak anti-spam facilities, if at all, and so would not really be an mta you want for incoming use. If you only want to use it for outgoing then I can understand. Christopher On Friday, April 20, 2012 03:40 AM, Hans J. Albertsson wrote: I'm considering setting up qmail rather than sendmail or postfix on my openindiana 151-a3 systems. Is there a ready-made package available for openindiana or must I compile it from scratch? Will Qmail integrate well with Webmin, or even at all? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
On 21/04/12 09:29 PM, Magnus Hedemark wrote: Postfix. +1 Problem for both is still the same at the moment...build your own...postfix integrates well with a lot of stuff...vpopmail, dovecot, spamassassin via spamass-milter...at least, that is how i set things up. qmail's modularity allows you to use stuff like mailfront, qpsmtpd, whatever else out there but you cannot touch the queue while qmail-send is running. You will also have to patch it if you have 'high' loads of any kind. At least with the ext-todo patch if you get injection rates beyond your hardware. I'm going to out on a limb and call into question zfs' performance for a mail queue. You'd want it on a separate disk running UFS with softupdates. Sent from my typewriter On Apr 21, 2012, at 9:19 AM, Hans J. Albertssonhans.j.alberts...@branneriet.se wrote: What MTA would you suggest? On 2012-04-20 14:40, openindiana-discuss-requ...@openindiana.org wrote: Message: 8 Date: Fri, 20 Apr 2012 09:00:03 +0800 From: Christopher Chanchristopher.c...@bradbury.edu.hk To: openindiana-discuss@openindiana.org Subject: Re: [OpenIndiana-discuss] Qmail-to-go on openindiana? Message-ID:4f90b513.9080...@bradbury.edu.hk Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hi Hans, May I ask why you would want to use qmail? It has pretty weak anti-spam facilities, if at all, and so would not really be an mta you want for incoming use. If you only want to use it for outgoing then I can understand. Christopher On Friday, April 20, 2012 03:40 AM, Hans J. Albertsson wrote: I'm considering setting up qmail rather than sendmail or postfix on my openindiana 151-a3 systems. Is there a ready-made package available for openindiana or must I compile it from scratch? Will Qmail integrate well with Webmin, or even at all? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Chris, There are no packages for Qmail that I am aware of. However, it's pretty trivial to build and install since it's dependencies are extremely small. I wrote some SMF scripts so I could use svcadm. I have two chains for incoming email. The first is on the standard port 25 and has no relaying and gobs of spam checking. The second is at port 587 and does SSL/TLS authorization so users can use it to relay mail. The sending engine is stock qmail-send unpatched. The authorized incoming engine is a chain of sslserver, and smtp-front (mailfront) and uses cvm for SASL login. Mailfront replaces the qmail front-end so I believe it will work with the stock qmail. The non-authorized incoming engine is a chain of tcpserver and spamdyke. I believe that spamdyke will work without qmail modifications but I'd have to check. If there are any qmail patches, the only one I believe is necessary is the qmail queue patch so you can hook spamassassin to it. Gary On 4/19/12 9:00 PM, Christopher Chan wrote: Hi Hans, May I ask why you would want to use qmail? It has pretty weak anti-spam facilities, if at all, and so would not really be an mta you want for incoming use. If you only want to use it for outgoing then I can understand. Christopher On Friday, April 20, 2012 03:40 AM, Hans J. Albertsson wrote: I'm considering setting up qmail rather than sendmail or postfix on my openindiana 151-a3 systems. Is there a ready-made package available for openindiana or must I compile it from scratch? Will Qmail integrate well with Webmin, or even at all? ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Qmail-to-go on openindiana?
Webmin comes with a qmail modules in its standard bundle. AFAIK, Sunfreeware might be the only place to get a qmail package. Since it's no longer in development, I'd highly recommend checking out some 3rd party patches and forks if you intend to continue down this path; http://en.wikipedia.org/wiki/Qmail#External_links -Gary ___ OpenIndiana-discuss mailing list OpenIndiana-discuss@openindiana.org http://openindiana.org/mailman/listinfo/openindiana-discuss
