Advertisement: Support SunWorld, click here!

March 1999

Mail this Article

Topical Index
Subscribe, It's Free
Letters to the Editor
Events Calendar
TechDispatch Newsletters
Technical FAQs
Solaris Security
Secure Programming
Performance Q&A
SE Toolkit

Postfix and Mailman deliver enhanced e-mail security and performance

Learn how these new open source products can improve the way you manage mail

Good news -- there are better ways to do e-mail. Cameron and Kathryn introduce two new open source mail products called Postfix and Mailman and explain how you can begin to use them in your own work. Find out what you need to get started with these interesting and rewarding technologies. (2,500 words)
By Cameron Laird and Kathryn Soraiz

While e-mail is the most mature and most widely diffused Internet application, it hasn't stopped growing. The last year alone has seen several exciting developments and announcements, even in the oldest and least "sexy" domains: mail transfer agents and mailing list managers.

Keep in mind the fundamental architecture of e-mail processing: At your desktop, you compose a message. You use a mail user agent (MUA) as the user interface to pass your message, along with such other information as the address for which it's intended, to an e-mail server. A mail transfer agent (MTA) on the server takes responsibility for figuring out how best to deliver your message (Is it local -- should it go through my LAN? Is it external? What server on the other end will receive it?). Generally, it communicates with another MTA on the server used by your intended recipient. Once the message has been received by that second MTA, it's available for your recipient's MUA to access it.

The MTA market
Sendmail dominates the MTA market, as it has for the last 20 years. About two-thirds of all e-mail servers rely on this open source product. Sendmail is far more reliable, flexible, and portable than most of the commercial products that attempt to compete with it, and the recent launch of the for-profit Sendmail Inc. seems to have only enhanced the vigor of this venerable no-cost creation.

Sendmail isn't perfect, though. It's bulky, difficult, and has a history of security problems. More precisely, it's in just the shape you'd expect of a product originally built for a much different computing environment, and it's been patched and rewritten during several computing generations. Still, the Sendmail development team has achieved quite a feat in bringing it forward from the far more relaxed security traditions of two decades ago.

Wietse Venema has an alternative, though. Venema, a security expert on the IBM Research staff, started fresh, and has produced Postfix, a drop-in replacement for Sendmail which promises to deliver e-mail more quickly, conveniently, and safely.

Postfix isn't Sendmail's only challenger. Zmailer, Smail, qmail, Post.Office, exim, the Sun Internet Mail Server (SIMS), MMDF, CommuniGate, PMDF, Netscape Messaging Server, and a variety of other products offer specific benefits for Unix-hosted e-mail service. Postfix is the newest of these, however, and worth a look.

Postfix's heritage
Venema has a track record in secure computing. He says his "claim to fame is largely based on the low incidence of error" in the systems he's written, including Security Administrator Tool for Analyzing Networks (SATAN) and TCP Wrapper. In designing and implementing Postfix (which began life as VMailer and Secure Mailer; don't be confused by the name changes), Venema's goal was for it "to be fast, easy to administer, and hopefully secure, while at the same time being Sendmail-compatible enough to not upset your users."

Wietse Venema

He's made enough progress toward that goal that IBM has agreed to release Postfix as an open source product under an IBM license in the spirit of Perl's Artistic License. (Caution: While IBM supports Venema, its marketing department occasionally garbles the message. Don't be alarmed if you run into a Web page that suggests you must pay for Postfix, or that its use is otherwise restricted. While IBM is arguably the big company that best understands the open source story, it's still learning. The first official IBM Web pages about Postfix were confusing.)

Venema labels the current Postfix a "beta." To him this means "something close to perfection... It has nothing to do with software quality." He's quite confident in the quality of Postfix. For him, beta releases amount to an experiment to determine users' needs.

Sendmail is a famous monolith: it's one big program that does everything. Postfix is more Unix-like in that it consists of a number of little programs, each of which is easy to understand and validate, including postlock, postalias, postlog, postmap, and others. This is part of the answer to Sendmail's notorious vulnerability. Because Sendmail does so much, it effectively needs superuser privileges and is correspondingly easy to subvert. Each of Postfix's parts has a limited role, so even if it's faulty and behaves in an unplanned way, it's unlikely to have enough security permissions to do any serious damage.

Becoming a Postfix administrator
Trying out Postfix for yourself is only a small commitment. A compressed source code bundle (cryptographically authenticated, of course) is well under a megabyte. Once fully expanded, unpacked, and generated, a complete build tree, including all object files and binaries, fills from 30 to 50 megabytes, depending on the target operating system. It's utterly straightforward to build a complete installation kit on every common Unix platform: the make takes less than 10 minutes to run, even on poky hardware. The INSTALL directions included thoroughly explain how to do one of the following:

You might choose the first of these if your primary motivation is to improve the performance of bulk mailing. This gives you a way to experiment and quantify the speed-up, while leaving everything you've already configured to handle incoming e-mail in place and unaltered.

Postfix seems to be less scary to manage than Sendmail. Customizing or even configuring Sendmail always feels like a big deal; on the other hand, Postfix is quite a bit easier to experiment with because you can test just one thing at a time. Venema, for example, recently added a "debugging" feature suggested by Bennett Todd, a Unix systems and security analyst working on Wall Street: a "soft_bounce" selection to ensure that, even in the case of misconfiguration, messages are not erroneously returned to their senders.

Our speed tests were equivocal: While Postfix consistently was zippier for us, the results were so sensitive to configuration that anyone with serious performance requirements will need and want to run his or her own tests. For the light loads the majority of hosts typically experience, performance enhancements can be invisible. With very high traffic levels, though, whether inbound or outbound, Postfix (and such alternatives as qmail and Post.Office) handles a multiple of Sendmail's limits.

Both Sendmail's and Postfix's current releases run about 50,000 lines of source code. Postfix has six times as many source files and they average, of course, only about a sixth the size of Sendmail sources. That's the sort of thing that contributes to Postfix's approachability. It's much easier to localize changes, problems, and opportunities in Postfix's sources.

Choosing an MTA
Should you stay with Sendmail? Try Postfix? Test-drive a commercial alternative? Here are the main elements we consider when deciding between these possibilities:

Sendmail has it all. If you need features, Sendmail is likely to be the place they first appear and are exercised the most. Sendmail has at least an order of magnitude more source-code hackers than any of the other MTAs. Most Unix boxes ship with Sendmail. Sendmail's the easy choice for most system administrators.

If you're using Sendmail, though, you have a professional responsibility to update it to a current release. The security hazards of running an older version (some major Unix vendors still ship Sendmail 5.65!) are simply unacceptable.

It takes less than an hour to do a basic installation of Postfix. If you inherit a complicated and undocumented configuration, you might be tweaking your Postfix tables for a while; Postfix does not support Postfix's address-rewriting tables are easy enough to use, though, so that even starting from scratch shouldn't take you all day. What you have after such an investment is a far safer MTA that will probably perform much better.

Anyone considering Postfix should also know about qmail -- a more mature open source project that occupies almost exactly the same niche as Postfix. Its security and performance are very good, and it's had a couple more years to ripen than Postfix. It has about the same set of features as Postfix, plus a clever built-in "aliasing" scheme that simplifies mailing list management. Postfix's configuration files are fewer and perhaps more readable than qmail's; choosing between their approaches seems to be a matter of personal taste. Venema and qmail's inventor, Daniel J. Bernstein, have such strong personalities that some users decide between their products based on compatibility with their authors. Also, note that the qmail license is an unusual one. While Bernstein has liberalized it again recently, it generally has been more restrictive than the licenses for many other open source products in that it restricts developers from modifying the core of qmail or distributing binary images. This has been a predictably contentious topic throughout qmail's history. On one side, Bernstein doesn't want people to degrade qmail's security, even if inadvertently, and give his product a bad name. But then proponents of license liberalization argue that the license is a practical inconvenience that decreases the usefulness of qmail.

You're probably running Sendmail now, and all you need to do is pick up the latest release for its tighter security and antispamming features. But do tens of thousands of people look to you when they have e-mail problems? Is your domain a prominent one that might attract crackers? Has your uptime been floating higher? In such cases, it's time you at least begin to experiment with Postfix (or qmail, or one of the higher-end commercial products), which will give you superior performance and security to Sendmail with all the reliability that the latter has gained during two decades of refinement.

Finally, if you select or are leaning toward Postfix, strongly consider subscribing to the postfix-announce, postfix-users, and/or postfix-testers mailing lists. The latter, in particular, is where the design of new features is properly discussed. The Postfix home pages supplies more information about these mailing lists.

The Mailman arrives
Another open source product released to beta just this winter is Mailman, the GNU Mailing List Manager.

The market for mailing list management systems (MLMSs) is reminiscent of that for MTAs: While a plethora of products is available, Majordomo is freely available and has led the pack in popularity for many years. But also like Sendmail, Majordomo now seems clumsy and difficult to manage.

Mailman has been designed for a Webified world. All actions -- subscription requests, list administration, management reports -- can be performed either through a Web interface or more traditional textual commands. Moreover, Mailman integrates archiving, digests, Usenet gateways, spam protection, and bulk mailing. Improved customization and filtering are planned after the first official release.

One reassuring aspect of Postfix and Mailman is that their creators use them. Venema has depended on Postfix as the only MTA on his own node for over a year, while Ken Manheimer, John Viega, Scott Cotton, and Barry Warsaw developed Mailman largely as an extension of their own needs for more convenient and higher performing mailing list management than other products afford. Among other responsibilities, Mailman keeps the mailing lists of all activities, including the Python Special Interest Groups (Python SIGs), straight.

Performance primary
Warsaw, a system engineer at the Corporation for National Research Initiatives, told us, "Performance was primary. We used Majordomo before, and when a lot of messages came through, they just bogged the machine down. We're really happy with how Mailman's working out." The migration from Majordomo has been easy: "It took five minutes to convert three mailing lists, purely through the Web interface."

According to Warsaw, Mailman is coded in approximately 13,000 lines of Python code, along with 600 lines of C which wrap security facilities. Mailman exposes Python as an extension language that allows for customization of Mailman's interfaces.

Mailman further resembles Postfix in having a robust and swift generation. Warning: As a practical matter, you'll need root access on your host to configure Mailman properly. Most open source products can be generated and initially tested by ordinary Unix users. Some organizations have a policy that requires this. With Mailman, though, you'll at least need to create a new account and group (the default for both is "mailman") for Mailman's use.

The distributions for both Postfix and Mailman have clearly written README files that point to details on licensing, installation procedures, and known problems. Be careful. Sometimes the documentation lags the application. There have been a few cases where a fix appeared in a release, but the documentation didn't catch up until later. In the worst case, this means that something works, but you can only scrutinize further by reading source or experimenting with the installation in getting Mailman to work in other environments.

Warsaw needs only a few words to explain his judgment of Mailman's progress: "I'm biased, but I really see no reason to use Majordomo now. Mailman's performance is that much better, it has more features, and it's just as reliable." He's working on making the conversion from one to the other just as simple. While migrating a Majordomo mailing list into Mailman is straightforward now, Warsaw intends to document and further automate it after the 1.0 release.

The final milestone before the Free Software Foundation releases Mailman as an official product is resolution of a couple of faults reported on Linux file systems that Mailman's core development team haven't yet reproduced.

The software you're already using to handle your e-mail requirements probably works reliably. However, the scale of your operations is likely growing, while security threats become more difficult, and your users' demands for convenience expand. It might be time for you to move to a new technology -- one better suited to modern needs. Several of the best e-mail products are open source. In particular, you can easily install Postfix and Mailman, and test their performance in realistic settings. Postfix and Mailman already have healthy user communities. You can have confidence that Postfix and Mailman will be fresh and well-supported for years to come.

Thanks to Bennett Todd for his candid discussions of MTAs.

About the author
Cameron Laird and Kathryn Soraiz manage their own software consultancy, Network Engineered Solutions, from just outside Houston, TX. They write SunWorld's bi-weekly Regular Expressions column.

Home | Mail this Story | Comment on this Story | Resources and Related Links

Advertisement: Support SunWorld, click here!

Resources and Related Links
  Other SunWorld resources  

Tell Us What You Thought of This Story
-Very worth reading
-Worth reading
-Not worth reading
-Too long
-Just right
-Too short
-Too technical
-Just right
-Not technical enough

(c) Copyright 1999 Web Publishing Inc., and IDG Communication company

If you have technical problems with this magazine, contact

Last modified: Thursday, March 30, 2000