[SATLUG] Setting up email server
Matthew Hunter
matthew at infodancer.org
Sun Sep 2 02:53:08 CDT 2007
On Sun, 2007-09-02 at 01:48 -0500, Brad Knowles wrote:
> On 9/1/07, Patrick P wrote:
> > I missed the question, but I have the following input to add. Qmail is
> > the most secure SMTP server.
> I think many people would disagree on the security side.
Well, "most" is always difficult. Qmail is definitely one of the top 5
contenders for security, though, in the way that most people mean
security (see below). Postfix is also in the top 5. Exchange is not.
Beyond that, I can't really say.
> Unfortunately, qmail is difficult to install and depends on many
> other "dan-ware" components in order to run, and you have to get all
> those other components working correctly in order to have a
> functioning mail server -- never mind secure. In addition, qmail is
> extremely obtuse and difficult to understand and manage, although I
> imagine that once you've drunk the "dan-aide", everything "dan-like"
> becomes trivially easy for you to do.
Brad, you may feel that way about qmail, and it's a fact that DJB's
documentation is somewhat lacking... but there are a lot of good guides
(written by others) that make the whole process transparent. When I was
exploring SMTP servers a while back (that's about 10 years ago), it was
the easiest to install of all the packages I found, with the exception
of those that came pre-installed. (I think that was sendmail, not
sure). The ones that came preinstalled were much worse than qmail when I
actually wanted to change how they worked.
Overall, I've found qmail to be simple and straightforward to install
and to maintain. You're welcome to your opinion, of course. Mine
differs.
> Moreover, qmail has not been
> updated in years, many patches from third-parties have to be
> integrated in order to make a reasonably modern mail server,
This is true. It would be nice if these issues could be fixed.
Unfortunately...
> comes with a software license that is known to be fundamentally
> incompatible with both Free Software and Open Source.
... while this particular statement is technically incorrect (DJB
doesn't "license" his software at all, which he claims puts it in the
public domain) it does make it difficult for someone else to maintain
it, and DJB himself appears to have mostly stopped.
Which does not mean any of the software has fundamentally stopped
working.
> I wouldn't call that "secure",
You're playing with different definitions of security here. Qmail is
not likely to let an attacker compromise your server. There are things
it doesn't do by default that modern mail servers should do by default,
like SMTP-AUTH or SSL, but patches exist to do these things and they are
not necessary -- just good options.
> nor would I consider that to be
> desirable in an environment where you are likely to actually care
> about things like the license you have to agree to for the software
> you're going to use.
You're stating the case a little strongly here.
> If you want something that is secure and is free from pretty much all
> of these problems, you want to look at postfix instead. The security
> model for postfix is mutually distrustful programs that all operate
> at the least possible privilege, a basic security concept that even
> qmail violates.
It should be noted that the authors of postfix and qmail have had ...
shall we say... a bit of bad blood, and the proponents of both tend to
maintain the tradition.
Claiming qmail violates the least-possible-privilege mechanism is...
interesting.