Mail Server (seeking recommendations)

38 messages

Mail Server (seeking recommendations)

Steven Presser
Hello,
I'm working for a small company which has settled on OpenBSD as its
server software (because the security is excellent).  We have settled on
what software to use for everything but the mail server.  I'd like to
request recommendations from the knowledgeable people of this
list.  The priorities for the mail server are:
1. Security
2. Usability (for the end user - not everyone is technically skilled,
although the setup can be done for anyone who needs help)
3. Ease of setup
4. Scalability
Obviously the first is by far the most important.  The other three
are more perks than anything else.

Thank you,
Steve


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
Postfix and Dovecot seem to make a great pair. I have used that setup  
and had no problems with it. SMTP AUTH works very nicely and is easy  
to set up because Dovecot provides an interface for checking users  
against and Postfix can use that same interface for SMTP AUTH. I  
should make an article on it but I have not gotten around to it.  
Others may have some better suggestions.

Bryan

On Apr 13, 2007, at 6:33 PM, Steven Presser wrote:

> Hello,
> I'm working for a small company which has settled on OpenBSD as its
> server software (because the security is excellent).  We have  
> settled on
> what software to use for everything but the mail server.  I'd like to
> request recommendations from the knowledgeable people of this
> list.  The priorities for the mail server are:
> 1. Security
> 2. Usability (for the end user - not everyone is technically skilled,
> although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
> Obviously the first is by far the most important.  The other three
> are more perks than anything else.
>
> Thank you,
> Steve


Re: Mail Server (seeking recommendations)

Steven Shockley
In reply to this post by Steven Presser
Steven Presser wrote:

> We have settled on
> what software to use for everything but the mail server.

I'm reasonably happy using the Courier-MTA suite on OpenBSD.  It's had
four reported vulnerabilities
(http://secunia.com/product/2557/?task=advisories), three DOS and one
remote-code-execution in a corner case (debug logging enabled).


Re: Mail Server (seeking recommendations)

Vijay Sankar
In reply to this post by Steven Presser
On Friday 13 April 2007 20:33, Steven Presser wrote:
> Hello,
> I'm working for a small company which has settled on OpenBSD as its
> server software (because the security is excellent).  We have settled
> on what software to use for everything but the mail server.  I'd like
> to request recommendations from the knowledgeable people of this
> list.  The priorities for the mail server are:
> 1. Security

OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
opinion, for large or small networks. It allows you to support a
variety of clients very easily and with excellent security. Like Bryan
Vyhmeister mentioned, postfix also is a good option instead of
sendmail. I prefer sendmail because it is part of the OS distribution.

HTH,

Vijay

> 2. Usability (for the end user - not everyone is technically skilled,
> although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
> Obviously the first is by far the most important.  The other three
> are more perks than anything else.
>
> Thank you,
> Steve

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [hidden email]


Re: Mail Server (seeking recommendations)

beck-7
In reply to this post by Steven Shockley
> >We have settled on
> >what software to use for everything but the mail server.
>
> I'm reasonably happy using the Courier-MTA suite on OpenBSD.  It's had
> four reported vulnerabilities
> (http://secunia.com/product/2557/?task=advisories), three DOS and one
> remote-code-execution in a corner case (debug logging enabled).
>

        This is a stupid measure.. Here's my new MTA - it's super secure
trust me. It has had no reported vulnerabilities - so it must be
better than everything else. Use it.

        Of course I haven't yet decided if I'm going to replace
sendmail with it. Of course sendmail had so many vulnerabilities
back when I was thin and had a mullet that this must be more
secure.

------8<----- Super secure MTA ----8<---------
#!/bin/sh

echo "stmp stream tcp nowait root /bin/sh supersecuremail" >> /etc/inetd.conf
pkill -HUP inetd

----------------------8<--------------------


Re: Mail Server (seeking recommendations)

Joachim Schipper
In reply to this post by Steven Presser
On Fri, Apr 13, 2007 at 09:33:00PM -0400, Steven Presser wrote:

> Hello,
> I'm working for a small company which has settled on OpenBSD as its
> server software (because the security is excellent).  We have settled on
> what software to use for everything but the mail server.  I'd like to
> request recommendations from the knowledgeable people of this
> list.  The priorities for the mail server are:
> 1. Security
> 2. Usability (for the end user - not everyone is technically skilled,
> although the setup can be done for anyone who needs help)
> 3. Ease of setup
> 4. Scalability
> Obviously the first is by far the most important.  The other three
> are more perks than anything else.

I'm going to go with the Postfix/Dovecot chorus here, which has worked
very well for me, with one caveat: Dovecot doesn't like concurrent
access to mailboxes. There were plans to fix this a while ago, but the
sole batch of users who often use concurrent mailboxes are still unhappy
about this. (Dovecot doesn't eat data or anything; it just drops the
connection.)

As to spam control, greylisting works very well; spamd or postgrey will
be extremely helpful.

                Joachim

--
TFMotD: dump (8) - filesystem backup


Re: Mail Server (seeking recommendations)

Åke Nordin
On 4/14/07, Joachim Schipper <[hidden email]> wrote:

> On Fri, Apr 13, 2007 at 09:33:00PM -0400, Steven Presser wrote:
> > Hello,
> > I'm working for a small company which has settled on OpenBSD as its
> > server software (because the security is excellent).  We have settled on
> > what software to use for everything but the mail server.  I'd like to
> > request recommendations from the knowledgeable people of this
> > list.  The priorities for the mail server are:
> > 1. Security
> > 2. Usability (for the end user - not everyone is technically skilled,
> > although the setup can be done for anyone who needs help)
> > 3. Ease of setup
> > 4. Scalability
> > Obviously the first is by far the most important.  The other three
> > are more perks than anything else.
>
> I'm going to go with the Postfix/Dovecot chorus here, which has worked
> very well for me, with one caveat: Dovecot doesn't like concurrent
> access to mailboxes. There were plans to fix this a while ago, but the
> sole batch of users who often use concurrent mailboxes are still unhappy
> about this. (Dovecot doesn't eat data or anything; it just drops the
> connection.)
>
> As to spam control, greylisting works very well; spamd or postgrey will
> be extremely helpful.

My operation has just the most superficial resemblance to a "company"
(it's years since I earned any money out of it), but the setup I have is
sendfail+spamd on one box and dovecot on another, that works far better
than I've ever dreamt of.

Security: at least not much worse than the alternatives
 - Only stuff in "base" + dovecot (which hasn't been laughed at
   too much security-wise, and it's got a security stance)
Ease of setup: Quite.
 - Dovecot is in ports (v1.0.0 checked in yesterday)
 - The version I believe is in 4.1 (1.0.rc22) is the one I run
   (from a late February snapshot) hasn't failed me at all
   (but see the errata at http://dovecot.org/oldnews.html)
 - sendfail setup has never been easier than with the
   exquisite OpenBSD documentation
 - ditto spamd
Scalability: I think so, but I might have fallen prey to a
certain level of hype. Especially Dovecot seems to have
a good track record.

I don't know much about ease of use by end users. I
find it easy but I don't think I'm typical. My few users
(mainly in the family) asked me to set their mail up,
but I do have the users I deserve...

--
Åke Nordin, moose (a) {stacken.kth|enting|netia} (o) se


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
In reply to this post by Bryan Vyhmeister-2
On Apr 13, 2007, at 8:49 PM, Sam Fourman Jr. wrote:

> Does your Mail setup use a PostgreSQL backend?

No. I just used plain text files. This was a small test install to  
evaluate for my main mail server install. I haven't used any database  
back-end at this point.

> I am wanting to know because I am looking for an OpenBSD postfix
> dovecot, and PostgreSQL article on the internet.

That would be nice. If I get around to it, I may just try this and  
write up an article. I'm busy with moving my office right now so it  
may be wishful thinking.

Bryan


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
In reply to this post by Vijay Sankar
On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:

> OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
> opinion, for large or small networks. It allows you to support a
> variety of clients very easily and with excellent security. Like Bryan
> Vyhmeister mentioned, postfix also is a good option instead of
> sendmail. I prefer sendmail because it is part of the OS distribution.

Is there any reasonably easy way to get SMTP AUTH functioning with  
sendmail and dovecot?

Bryan


Re: Mail Server (seeking recommendations)

Jacob Yocom-Piatt-2
Bryan Vyhmeister wrote:

> On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:
>
>> OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
>> opinion, for large or small networks. It allows you to support a
>> variety of clients very easily and with excellent security. Like Bryan
>> Vyhmeister mentioned, postfix also is a good option instead of
>> sendmail. I prefer sendmail because it is part of the OS distribution.
>
> Is there any reasonably easy way to get SMTP AUTH functioning with
> sendmail and dovecot?
>

i asked about this a few weeks back and i think the answer is no. this
means you have to maintain 2 pw DBs, one for dovecot, one for
cyrus-SASL. i would like to be wrong here since it would make life
easier for me.

cheers,
jake

> Bryan


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
On Apr 15, 2007, at 2:03 AM, Jacob Yocom-Piatt wrote:

> Bryan Vyhmeister wrote:
>> Is there any reasonably easy way to get SMTP AUTH functioning with
>> sendmail and dovecot?
>
> i asked about this a few weeks back and i think the answer is no. this
> means you have to maintain 2 pw DBs, one for dovecot, one for
> cyrus-SASL. i would like to be wrong here since it would make life
> easier for me.

That was the primary reason for using postfix with dovecot. Years  
back, I tried to get both sendmail and postfix working with SMTP AUTH  
and Cyrus as I recall. It was a mess. The super-easy integration of  
postfix and dovecot for SMTP AUTH is a welcome change.

Bryan


Re: Mail Server (seeking recommendations)

Martin Hedenfalk-3
In reply to this post by Bryan Vyhmeister-2
On 4/15/07, Bryan Vyhmeister <[hidden email]> wrote:

> On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:
>
> > OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
> > opinion, for large or small networks. It allows you to support a
> > variety of clients very easily and with excellent security. Like Bryan
> > Vyhmeister mentioned, postfix also is a good option instead of
> > sendmail. I prefer sendmail because it is part of the OS distribution.
>
> Is there any reasonably easy way to get SMTP AUTH functioning with
> sendmail and dovecot?

I'm using sendmail, dovecot and a PostgreSQL database with passwords.
I got SMTP AUTH working nicely, using saslauthd with rimap
authentication via localhost. This way I only need one password
database.

        -martin


Re: Mail Server (seeking recommendations)

Joachim Schipper
In reply to this post by Bryan Vyhmeister-2
On Sun, Apr 15, 2007 at 02:14:56AM -0700, Bryan Vyhmeister wrote:

> On Apr 15, 2007, at 2:03 AM, Jacob Yocom-Piatt wrote:
>
> >Bryan Vyhmeister wrote:
> >>Is there any reasonably easy way to get SMTP AUTH functioning with
> >>sendmail and dovecot?
> >
> >i asked about this a few weeks back and i think the answer is no. this
> >means you have to maintain 2 pw DBs, one for dovecot, one for
> >cyrus-SASL. i would like to be wrong here since it would make life
> >easier for me.
>
> That was the primary reason for using postfix with dovecot. Years  
> back, I tried to get both sendmail and postfix working with SMTP AUTH  
> and Cyrus as I recall. It was a mess. The super-easy integration of  
> postfix and dovecot for SMTP AUTH is a welcome change.

I think the main trick is in writing scripts that generate all databases
from a single main file. This is fairly easy using perl, awk, ....

Of course, this becomes a hundred times more difficult the moment user
administration is not done centrally.

                Joachim

--
TFMotD: vaccess (9) - check access permissions based on vnode parameters
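
Added example, not part of Joachim Schipper's message or of the thread: one way to generate the account files for both daemons from a single master file, so the two-password-database problem raised earlier in the thread goes away. The master-file layout, the output file names and the sample accounts are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The master-file layout
# (address:{SCHEME}hash:maildir) and the output names are assumptions.

# gen_mail_dbs MASTER OUTDIR
#   OUTDIR/dovecot.passwd  address:{SCHEME}hash  (Dovecot passwd-file lines)
#   OUTDIR/vmailbox        address maildir/      (Postfix table source for postmap)
# One rejected line aborts the run and leaves the installed files untouched.
gen_mail_dbs() (
    master=$1 outdir=$2
    umask 077                          # hashes must not be world-readable
    tmp=$(mktemp -d "$outdir/.gen.XXXXXX") || exit 2
    : > "$tmp/dovecot.passwd"; : > "$tmp/vmailbox"

    awk -F: -v pw="$tmp/dovecot.passwd" -v vm="$tmp/vmailbox" '
        function bad(why) {
            printf "%s:%d: rejected (%s)\n", FILENAME, FNR, why > "/dev/stderr"
            failed = 1
            exit
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comments, blank lines
        NF != 3                              { bad("field count") }
        $1 !~ "^[a-z0-9._-]+@[a-z0-9.-]+$"   { bad("address") }
        $2 !~ "^[{][A-Z0-9-]+[}][A-Za-z0-9./+=$]+$" { bad("hash") }
        $3 !~ "^[A-Za-z0-9._/-]+$" || $3 ~ /^\// || $3 ~ /\.\./ { bad("maildir") }
        seen[$1]++                           { bad("duplicate address") }
        { print $1 ":" $2 > pw; print $1 " " $3 "/" > vm }
        END { exit failed + 0 }
    ' "$master" || { rm -rf "$tmp"; exit 1; }

    # rename(2) inside one directory: a reader sees the old file or the new
    # one, never a half-written file.
    mv -f "$tmp/dovecot.passwd" "$outdir/dovecot.passwd" &&
    mv -f "$tmp/vmailbox" "$outdir/vmailbox" &&
    rmdir "$tmp"
)

# Demo on constructed data (the hashes are placeholders, not real credentials).
demo_dir=$(mktemp -d)
cat > "$demo_dir/master" <<'EOF'
alice@example.org:{SSHA}c2FtcGxlLWhhc2gtb25seQ==:example.org/alice
bob@example.org:{SSHA}YW5vdGhlci1zYW1wbGU=:example.org/bob
EOF
gen_mail_dbs "$demo_dir/master" "$demo_dir" && cat "$demo_dir/vmailbox"
rm -rf "$demo_dir"
```

The two renames are each atomic but not atomic as a pair, so a daemon can briefly see the new password file with the old mailbox map.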


Re: Mail Server (seeking recommendations)

Adam-29
In reply to this post by Bryan Vyhmeister-2
Bryan Vyhmeister <[hidden email]> wrote:

> On Apr 13, 2007, at 8:46 PM, Vijay Sankar wrote:
>
> > OpenBSD's sendmail, dovecot, and hastymail is a great solution, in my
> > opinion, for large or small networks. It allows you to support a
> > variety of clients very easily and with excellent security. Like Bryan
> > Vyhmeister mentioned, postfix also is a good option instead of
> > sendmail. I prefer sendmail because it is part of the OS distribution.
>
> Is there any reasonably easy way to get SMTP AUTH functioning with  
> sendmail and dovecot?

Yes, just put WANT_SMTPAUTH=yes in your /etc/mk.conf, install the
cyrus-sasl package and recompile sendmail.  Then see the configuration
options listed here http://www.sendmail.org/~ca/email/auth.html

Adam


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
In reply to this post by Martin Hedenfalk-3
On Apr 15, 2007, at 2:53 AM, Martin Hedenfalk wrote:

> On 4/15/07, Bryan Vyhmeister <[hidden email]> wrote:
>> Is there any reasonably easy way to get SMTP AUTH functioning with
>> sendmail and dovecot?
>
> I'm using sendmail, dovecot and a PostgreSQL database with passwords.
> I got SMTP AUTH working nicely, using saslauthd with rimap
> authentication via localhost. This way I only need one password
> database.

I'll have to look into that.

Bryan


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
In reply to this post by Joachim Schipper
On Apr 15, 2007, at 3:03 AM, Joachim Schipper wrote:

> On Sun, Apr 15, 2007 at 02:14:56AM -0700, Bryan Vyhmeister wrote:
>> That was the primary reason for using postfix with dovecot. Years
>> back, I tried to get both sendmail and postfix working with SMTP AUTH
>> and Cyrus as I recall. It was a mess. The super-easy integration of
>> postfix and dovecot for SMTP AUTH is a welcome change.
>
> I think the main trick is in writing scripts that generate all  
> databases
> from a single main file. This is fairly easy using perl, awk, ....
>
> Of course, this becomes a hundred times more difficult the moment user
> administration is not done centrally.

This is exactly why I have hesitated to move to a system based on  
postfix and dovecot for my main ISP mail server. I would still like  
to do it that way but it definitely brings up some other issues with  
easy user administration. My staff needs to be able to add accounts  
easily and unfortunately, the command line is not that easy for them.  
If I did all of the user administration all the time it would be a  
non-issue but that is not practical.

Bryan


Re: Mail Server (seeking recommendations)

Bryan Vyhmeister-2
In reply to this post by Adam-29
On Apr 15, 2007, at 1:09 PM, Adam wrote:

> Bryan Vyhmeister <[hidden email]> wrote:
>> Is there any reasonably easy way to get SMTP AUTH functioning with
>> sendmail and dovecot?
>
> Yes, just put WANT_SMTPAUTH=yes in your /etc/mk.conf, install the
> cyrus-sasl package and recompile sendmail.  Then see the configuration
> options listed here http://www.sendmail.org/~ca/email/auth.html

Thanks. I'll look into that. I was not aware that this option existed.

Bryan


Re: Mail Server (seeking recommendations)

Joachim Schipper
In reply to this post by Bryan Vyhmeister-2
On Sun, Apr 15, 2007 at 02:06:56PM -0700, Bryan Vyhmeister wrote:

> On Apr 15, 2007, at 3:03 AM, Joachim Schipper wrote:
>
> >On Sun, Apr 15, 2007 at 02:14:56AM -0700, Bryan Vyhmeister wrote:
> >>That was the primary reason for using postfix with dovecot. Years
> >>back, I tried to get both sendmail and postfix working with SMTP AUTH
> >>and Cyrus as I recall. It was a mess. The super-easy integration of
> >>postfix and dovecot for SMTP AUTH is a welcome change.
> >
> >I think the main trick is in writing scripts that generate all  
> >databases
> >from a single main file. This is fairly easy using perl, awk, ....
> >
> >Of course, this becomes a hundred times more difficult the moment user
> >administration is not done centrally.
>
> This is exactly why I have hesitated to move to a system based on  
> postfix and dovecot for my main ISP mail server. I would still like  
> to do it that way but it definitely brings up some other issues with  
> easy user administration. My staff needs to be able to add accounts  
> easily and unfortunately, the command line is not that easy for them.  
> If I did all of the user administration all the time it would be a  
> non-issue but that is not practical.

I'd suggest either writing quite a few scripts or looking at saslauthd,
then. The latter was already mentioned, and seems to be widely used.

                Joachim

--
TFMotD: resolv.conf, resolv.conf.tail (5) - resolver configuration files


Re: Mail Server (seeking recommendations)

666a
In reply to this post by Steven Presser
Here is my recommendation.  You only have to install and maintain
patches on one piece of software other than OpenBSD.  The software
is OpenVPN with OpenBSD's sendmail and popa3d.

Why popa3d? User can use any mail client he chooses and you don't
have to worry about your email server running out of space.


Re: Mail Server (seeking recommendations)

Stuart Henderson
In reply to this post by Bryan Vyhmeister-2
On 2007/04/15 14:06, Bryan Vyhmeister wrote:
> This is exactly why I have hesitated to move to a system based on  
> postfix and dovecot for my main ISP mail server.

This pair are pretty easy. Postfix (also more recent Exim versions) can
look at Dovecot for smtp-auth; Dovecot's auth setup is quite simple and
flexible.

> My staff needs to be able to add accounts easily and unfortunately,
> the command line is not that easy for them.  

BSD auth, ldap, sql, text files - take your pick... There's also
dovecot-sieve if you need server-side filtering.

One thing to note if you use milters, Postfix milter support is not
based on libmilter; building milter apps on a box with Sendmail 8.14
installed will result in breakage when run against Postfix until
Postfix milter support is updated unless you take extra care.
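
Added example, not part of Stuart Henderson's message or of the thread: a check that a Postfix configuration really does hand SMTP AUTH to Dovecot, as several posters describe, and does not offer AUTH on unencrypted sessions. The parameter names are Postfix's own; the TLS check goes beyond what the thread discusses, and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads "name = value" lines, as printed
# by `postconf -n`, and reports settings that weaken Dovecot-backed SMTP AUTH.
# An unset parameter falls back to the Postfix default (smtpd_sasl_type=cyrus,
# smtpd_sasl_path=smtpd, smtpd_tls_auth_only=no, security options=noanonymous).

get_param() {       # get_param FILE NAME -> value, empty if unset
    awk -F'[ \t]*=[ \t]*' -v k="$2" \
        '$1 == k { v = $2; sub(/[ \t]+$/, "", v) } END { print v }' "$1"
}

audit_smtp_auth() { # prints one finding per line; returns 1 if there are any
    f=$1 rc=0
    note() { echo "FINDING: $1"; rc=1; }
    [ "$(get_param "$f" smtpd_sasl_auth_enable)" = yes ] ||
        note "smtpd_sasl_auth_enable is not yes: SMTP AUTH is off"
    [ "$(get_param "$f" smtpd_sasl_type)" = dovecot ] ||
        note "smtpd_sasl_type is not dovecot: Postfix keeps its own password source"
    p=$(get_param "$f" smtpd_sasl_path)
    [ -n "$p" ] && [ "$p" != smtpd ] ||
        note "smtpd_sasl_path does not name the Dovecot auth socket"
    [ "$(get_param "$f" smtpd_tls_auth_only)" = yes ] ||
        note "smtpd_tls_auth_only is not yes: AUTH is offered without TLS"
    o=$(get_param "$f" smtpd_sasl_security_options)
    case " $(printf '%s' "${o:-noanonymous}" | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) note "smtpd_sasl_security_options drops noanonymous" ;;
    esac
    return "$rc"
}

# Demo: a weak and a corrected configuration, both constructed.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
EOF
cat > "$demo_dir/fixed.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
EOF
for cf in weak fixed; do
    echo "== $cf.cf"
    audit_smtp_auth "$demo_dir/$cf.cf" || true
done
rm -rf "$demo_dir"
```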
