Postfix: Secure, sendmail-compatible mail server
A secure, fast, and properly configured Mail Transport Agent ensures that users’ e-mail gets out toward its destination, the host machine is not vulnerable to compromise, and unsolicited e-mail does not overwhelm the system. How well does Postfix meet these requirements?
There is a well-known “Candid Camera” prank in which a man crouched hidden inside a street corner mailbox. When an unsuspecting victim opened the mail slot and pushed mail in, a hand reached up from inside the box and grabbed it from him or her. Some people laughed off the hand, some were nonplussed, and some, as you would expect, were rather freaked out. Although Allen Funt was probably just out for a good laugh and high ratings, he also nicely illustrated the role of the Mail Transport Agent, or MTA, in the network e-mail system.
The MTA is like an active sidewalk mailbox that receives mail and must pass it on toward its destination. In the case of a network, that destination may be a user mailbox on the local system that hosts the MTA itself, or it may be another system elsewhere. MTAs must make intelligent decisions about what to do with e-mail in all sorts of circumstances, under both normal and abnormal conditions.
Sendmail was the first MTA, and it remains perhaps the most well known and widely deployed. It is often the default MTA installed with Linux and other Unix-like operating systems. But sendmail has drawn its share of detractors over the years. It was not designed with security in mind, it is not particularly fast, and, most loathed of all, it is extremely complex to configure. In fact, sendmail configuration errors lie behind many mail routing problems, and a leading instructional book for configuring sendmail runs to 1,000 pages.
Enter Postfix, written by Unix security expert Wietse Venema, as a freeware alternative to sendmail. Postfix is designed to be strong where sendmail is weak — for example, Postfix is very fast and can deliver 1 million unique messages per day on average desktop hardware. Beyond that, Postfix is built from the ground up around a secure architecture.
Unfortunately, sendmail has been exploited over the years through numerous vulnerabilities, making it one of the premier access routes for unauthorized access into and compromise of network servers. In contrast, Postfix processes run on the host system with the least privileges necessary, and the processes themselves are isolated from one another so Postfix’s activities are divided into small, unconnected routines. This modular design not only isolates Postfix from exploits, it also adds to its flexibility, in that individual routines can be enabled or disabled or even enhanced, depending on the needs of that particular system.
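The privilege separation described above is declared per service in Postfix's master.cf, whose columns include whether a service runs unprivileged and whether it is chrooted. The following is an added example, not code from the original review or from the Postfix project: it audits a constructed master.cf sample and lists the services that keep extra privilege. The function names and sample entries are assumptions.

```python
# Added example: list Postfix services that run privileged or outside a chroot.
# Field order per master(5): service type private unpriv chroot wakeup maxproc command
SAMPLE_MASTER_CF = """\
# constructed sample, not taken from a real host
smtp      inet  n       -       y       -       -       smtpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       y       300     1       qmgr
local     unix  -       n       n       -       -       local
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
"""

def parse_master_cf(text):
    """Yield (service, unpriv, chroot, command) per entry, folding continuations."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()          # leading whitespace continues an entry
        else:
            entries.append(raw.strip())
    for line in entries:
        fields = line.split(None, 7)
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf entry: {line!r}")
        name, _type, _private, unpriv, chroot, _wakeup, _maxproc, command = fields
        yield name, unpriv, chroot, command.split()[0]

def audit(text):
    """Return (service, command, finding) tuples for entries worth reviewing."""
    findings = []
    for name, unpriv, chroot, command in parse_master_cf(text):
        if unpriv == "n":                             # "-" means the default, y
            findings.append((name, command, "runs with root privileges"))
        if chroot == "n":
            findings.append((name, command, "not chrooted"))
        elif chroot == "-":                           # default differs across Postfix versions
            findings.append((name, command, "chroot left at version default"))
    return findings

if __name__ == "__main__":
    for service, command, finding in audit(SAMPLE_MASTER_CF):
        print(f"{service:10} {command:8} {finding}")
```

In the sample, only the two delivery services that must act on behalf of local users are flagged; the network-facing and queue-handling services run unprivileged and chrooted.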
As with all Unix-like server software, Postfix is typically compiled on the host computer from the source, which can be downloaded from the Postfix Web site. Pre-compiled binaries for Postfix are also available for most major platforms in their typical packages (e.g., RPM format for Red Hat Linux systems); however, these are not available on the Postfix Web site. Rather, you must locate them from the usual distribution points for the operating system, such as the vendor or an aggregate site like RPMFind.net.
To ease the transition from sendmail to Postfix, Venema intentionally designed Postfix to be compatible with sendmail. Therefore, Postfix can use the same infrastructure (e.g., mail queues and folder locations) as a standard sendmail installation. The only sendmail component Postfix does not map to is sendmail’s infamous configuration file, sendmail.cf. This is a necessary omission, however, as Postfix is designed to be easier to configure.
“Easier” is a relative term, though. The behavior of a robust MTA is intrinsically complex. Even Postfix has several hundred configuration options. However, sensible defaults are in place so that generally only a handful of configuration options must be modified for a given system. And the options themselves are more straightforward than those in sendmail, which possess an obtuse syntax leading to many configuration errors. Furthermore, administrators can use the free software Webmin to add GUI-based configuration to many server functions, including the Postfix configuration.
A secure, fast, and properly configured MTA ensures that users’ mail gets out toward its destination, that the host machine is not vulnerable to compromise, and that unsolicited e-mail such as spam does not overwhelm the system. Sendmail, although the granddaddy of MTAs for Unix-like operating systems, is not the best choice for meeting any of these needs.
Postfix is an excellent choice. Many enterprises also choose Postfix’s competitor, QMail, for the same reasons, and this software, too, is worth looking into. Either way, it’s time to pull the curtains on sendmail.
Pros: Freeware; Compatibility with sendmail eases migration; Secure and configurable
Cons: GUI is provided by a third party; Need to dig around for platform-specific binaries; By nature of the beast, still intrinsically complex
Reviewed by: Aaron Weiss
Original Review Date: 9/25/2003
Original Review Version: 2.0