postfix comments ... was: Re: receiving mails with executable.

C. Jon Larsen jlarsen at RICHWEB.COM
Tue Dec 2 15:52:10 GMT 2003 

On Tue, 2 Dec 2003, Julian Field wrote:

> To give you the brief answer to this question....
>
> The Postfix guys don't like me as I dared to use their software in a way
> they hadn't intended. Rather than publish the file format (which sendmail
> does) or happily let me use it (the Exim authors use MailScanner
> themselves), the Postfix guys throw their toys out of the pram and whinge a
> lot.

I see your point :=) I think postfix is supposed to be formalizing their
APIs for dealing with queues, etc. Thanks for the background info.

>
> I'm not going to apologise for daring to "think outside the box".

MailScanner is *great* software. You have a lot to be proud of. Postfix
guys seem to suggest using Amavis-new instead of MS. But to me thats a
step backwards and away from the best software to scan and protect emails
(MailScanner).

I wanted postfix and I wanted MailScanner :=)  Here's what I did to make
them work together - see below ...

>
> Many people run MailScanner on Postfix without any problems. A few sites
> see a fault where very occasionally a message with no body is delivered.
> The correct version of the same message with its body is later delivered
> correctly, in addition to the version with the body missing. No mail is lost.

I did not want to take that chance, so I setup 1 postfix instance as an
external smtp router and proxy that looks up incoming domains in an SQL
database and makes routing decisions based on a content_scan column. It
can route the mail directly to the destination, drop the mail if its for an
invalid domain, or route it to the dedicated MailScanner box, which uses
sendmail. The MailScanner box does its job, and then sends the mail to a
third postfix box which does message delivery to mailboxes, and handles
SMTP AUTH for customers that send email from mail clients.

Exim was not my cup of tea for a secure internet facing MTA :=)  I'm not
saying its not secure, its just not what I wanted. I did not see Exim as
being more secure than sendmail due to its design (my opinion only, send
flames to /dev/null).

I was looking for something that had privilege separation like qmail or
postfix for an internet facing MTA. Since my internal mailscanner box is
locked down from an SMTP listener perspective, I am o.k. running sendmail
on that, though exim would probably make a better host than sendmail for
the MS - thanks for the tips though.

I looked as smtp.proxy, Obtuse/juniper smtp proxy, qpsmtpd, and mailfront
as ways to improve the security of the internet facing MTA. qpsmtpd and
mailfront were too qmailish (also not my preference) and none of the smtp
proxies gave me a warm and fuzzy regarding protocol support/workaround
(ESMTP, cisco pix workarounds like postfix has). They seemed o.k. for
hobbyists but not for production networks that get a lot of mail from a
lot of different networks with different (often partially broken MTAs).

I kept coming back to postfix as the best combination of security,
protocol support, and usability for my external MTA.

I had already picked postfix as my MTA for my mailboxes. So I
went from 2 boxes (mailscanner + postfix) to 3 boxes (inbound postfix
message router, mailscanner/sendmail, mailbox, smtp auth postfix).

Hopefully this will help someone else. If not, thats fine too. Just
relaying my experiences and research.

-jon


>
> As many MailScanner sites now run it on a dedicated server, it makes very
> little difference what MTA is chosen, as all the MTA's can take mail in and
> just punt it onto another server.
>
> My personal recommendation is probably Exim, especially if you don't like
> sendmail. Exim is very easy to configure and is very fast. When used with
> MailScanner it is considerably faster than Postfix as Postfix copies all
> the data around more often than it needs to, resulting in inefficient
> handling, particularly of large messages.
>
> At 13:46 02/12/2003, you wrote:
> >On Tue, 2 Dec 2003, Mark Hernandez wrote:
> >
> > > hi all,
> > >
> > > Im using Postfix on a Freebsd 4.8 O.S. and choose mailscanner to add
> > > features
> >
> >Is MailScanner safe to use with postfix ? The postfix site and several
> >messages in the archives advise strongly not to use postfix with MS
> >because postfix does not like to have its queues manipulated by an
> >external program.
> >
> >Postfix has a content filter interface they they suggest using and the
> >current postfix snapshot has a new smtp content filter proxy interface
> >that looks interesting.
> >
> >I don't like sendmail anymore (security issues seem to never stop), so I
> >have switched to postfix for all mail relay and mailbox destinations -
> >with a MailScanner + sendmail box that sits in the middle.
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
>
>

--
+ Jon Larsen: Chief Technology Officer, Richweb, Inc.
+ Richweb.com: Providing Internet-Based Business Solutions since 1995
+ GnuPG Public Key: http://richweb.com/jlarsen.gpg
+ Business: (804) 359.2220 x 101; Mobile: (804) 307.6939

More information about the MailScanner mailing list