qmail to Postfix - monday 2010-11-08 2212 last modified 2010-11-08 2212
Categories: Nerdy
TrackBacks Sent: None

One of the unavoidable changes in environment post-crash was to shift away from the unmaintainable qmail over to a more modern mail transport agent, namely Postfix. While qmail was an attractive choice when it and Sendmail were the only real options, particularly after all the horror stories surrounding Sendmail security and its legendarily obtuse configuration syntax, qmail's licensing issues kept it at the same published revision for years, despite the evolution of internet mail into a much different beast from that of the early, naïve days. The gymnastics required to make qmail work involved hairy and incompatible source-level patches, late nights digging through other people's uncommented C code to figure out what might fit where; for modern software, a verified update procured with one line should be enough most days. Here's a phrase that should inspire terror in any admin: qmail + LDAP. And still, qmail lacked a way to turn off its bounce messages, which earned our mail server a black mark in some minor monitoring lists. It took a lot just to get to that point, but by the end, institutions like MIT were flatly rejecting mail from our machine.

Moving to Postfix was something I resisted due to the perceived amount of work it would take, but when I was forced to do it, I found it took comparatively no time to accomplish. About a half a day's worth of reading and a few hours experimenting, and the only thing I might complain about in a multiuser environment is the difficulty for a normal user in minting a new address (qmail's dot-file facility made that simple). But Postfix supports + extensions, so that's not necessarily a barrier. I needed to add Amavis. I needed to translate a few qmail addresses into the Postfix regular expression format. I needed to add a few SSL services and configure for security. That was about it. The rest was all already in the box. LDAP? Built in (not like I want that back again). I might complain about some of the documentation, but it's not the worst I've seen. I could help rectify some of the situation if I wanted to write a real qmail to Postfix migration guide. Ask if you need, we'll see if there's an audience.

My spam level has dropped considerably since Postfix has rules for rejecting clearly illegitimate mail, and it won't even accept mail to non-existent addresses (its own security vulnerability in some ways, but I'll live with it). While qmail is supposedly public domain code, has been for a few years, whatever that means, it's too little and too late. Nobody's adopted it and brought it into the next net century, and as far as I can tell, it will remain at version 1.03 in perpetuity. Which makes this the last thing I'll have to say about qmail: you used to do all right, but the world outgrew you. Good riddance.

Comments

postfix features

I've used postfix almost exclusively for all my years of working on servers - it is so much easier to figure out what is going on and how to reconfigure it than other mail servers.

As far as the illegitimate emails being a security hazard, that should be easy enough to turn off if you wanted to. My solution to that "security" problem is to set some settings:

smtpd_soft_error_limit=1

# only 1 error allowed when under stress, 8 errors when not (10 is default)

smtpd_hard_error_limit=${stress?1}${stress:8}

smtpd_error_sleep_time=5

smtpd_junk_command_limit=5

# 10 second timeout when under stress, 300 (default) when not.

smtpd_timeout = ${stress?10}${stress:300}

I don't know if I've tested it, but I believe that it counts as an error with a bad rcpt line, so at least forces them to reconnect on error. And then you can limit connections elsewhere.

(PS. <br/> would be nice to add to the safe html tag list, or someway to make the list of postfix commands above show up nicely without doing paragraph tags everywhere. The plain text format lost all of the carriage returns...

postgrey is also really handy for eliminating spam, if you haven't used that before.

Jon Daley on November 25, 2010 09:43 AM

You must login to leave a comment

TrackBacks

No TrackBacks for this entry.