choose MTA

[d3c0]

good day,
I am new in Freebsd and want to use it in all my web projects.
Now I am in doubt about which MTA I should use, whether SendMail or Postfix.

please I need to know which is the most reliable to use.

Thank you.

 

[tingo]

Both sendmail and postfix are very reliable. If you are unfamiliar with MTA configuring, postfix is easier to configure, IMHO.

 

[ralphbsz]

In this day and age, few people actually uses MTAs. That's because setting one up has become hard, due to spam. Most mail forwarders and input hosts will not accept mail from arbitrary hosts, unless authentication has been arranged carefully. Most people just forward their mail to an external mail hosting provider. While sendmail (and presumably postfix) can be taught to do that, there are much simpler packages that can accomplish the same thing.

 

[Lamia]

This is a million dollar question.
Given that you're just getting started, Sendmail might be a good start. Postfix is quite advanced. You can also take a look at OpenSMTPD.

 

[hruodr]

It is a mythos that sendmail is (today) harder to configure than others. I have sendmail configured and gave up configuring other. Mail is a simple and old technik, but among usual servers MTA is the most difficult to configure. Better concentrate your efforts on sendmail instead of searching for alternatives.

 

[hruodr]

Most mail forwarders and input hosts will not accept mail from arbitrary hosts, unless authentication has been arranged carefully.

Authentication is for receiving mail, that is very simple with sendmail. What he needs for relaying to other is more dependent from the DNS and not the MTA:

Sender Policy Framework - Wikipedia

en.wikipedia.org

DomainKeys Identified Mail - Wikipedia

en.wikipedia.org

DMARC - Wikipedia

en.wikipedia.org

(I never configured the last).

 

[zirias@]

For an MTA nowadays, I'd say just use the one you already know and feel comfortable with configuring. Many years ago, when Debian switched their default MTA from sendmail to exim, I followed that some time later, and found it a lot easier to understand exim's configuration. Since then, I never used any other MTA, mainly because I don't want to start learning all over

But yes, what others wrote is important to consider: Setting up your own mail domain is a lot of work and hard to get correct nowadays. Back when I started, setting an MX to your home server (even on a dialup connection) worked pretty well and you could also send from there without issues -- these times are long gone. I now have a setup with an external mail gateway on a rented virtual machine that communicates with my home server through a VPN tunnel (of course, you could also have a public host only). Without at least configuring SPF and DKIM correctly, many receivers will still reject your mail, or at least sort it out as spam. You should also publish a DMARC policy in your DNS and register with dnswl.org. And of course, the first and most important thing to do is configuring your mail system so it's really secure. There must be no chance it's ever used as a relay (otherwise you'll be on all the RBLs in no time). And you have to always keep the host system secure and up to date -- spammers are also looking for security holes in mail systems to exploit, so they can abuse them for sending spam that correctly authenticates with SPF/DKIM. This happened to me once, fortunately only on a server about to be decomissioned, so I could take it down immediately and the "burned" IP address wasn't used for sending mail any more.

So, why run your own MTA at all? The advantage for me is, as often, being in control myself. I can keep my inboxes clean by running rspamd myself (which rejects currently ~80% of all incoming mail, and this doesn't count all the crap exim rejects before even asking the spam filter, because of failed sender verification). I also like having my mailboxes stored on my own hardware. But you should really think about whether this is worth all the work (setup and maintenance) that is necessary.

 

[20-100-2fe]

I have used Postfix + Dovecot for some time to self-host my mail and was quite happy with this combination.
It is very flexible, and I could easily share the same authentication base between email, web and XMPP servers.

 

[zirias@]

I have used Postfix + Dovecot for some time to self-host my mail and was quite happy with this combination.
It is very flexible, and I could easily share the same authentication base between email, web and XMPP servers.

Just for completeness, the same works with exim as well, I use the dovecot authentication service via a local socket from exim. Not sure about sendmail, never used that in a very long time.

That's why I think the choice of MTA should be based on whichever you feel most comfortable with. Postfix sure is a popular choice.

I guess for mail storage and IMAP access, Dovecot can be recommended. It also supports Sieve and Managesieve

 

[rootbert]

I highly recommend postfix, cannot emphasize it enough!

 

[Argentum]

have used Postfix + Dovecot for some time to self-host my mail and was quite happy with this combination.

Same here. Also using cbl.abuseat.org for bocking most unwanted traffic in Postfix.
For Dovecot using https://letsencrypt.org/ certificates.

 

[hruodr]

Not sure about sendmail, never used that in a very long time.

Of course is no problem with sendmail. It uses cyrus sasl that can for example consult an ldap db. I have it running with cyrus imap.

 

[Lamia]

Run a search on this forum. There are tonnes of guides in various threads that will help you. Purplehat is great - http://www.purplehat.org/?page_id=4.

 

[hruodr]

Also using cbl.abuseat.org for bocking most unwanted traffic in Postfix.

The problem of these lists is, that with high probability your dinamic IP at home is listed, at least that is my experience, then you cannot send with smtp from your home to your server. Of course, you can install a web-mailer in your server and use it instead of smtp.

 

[drhowarddrfine]

When I got the itch to see what postfix and other MTAs were about, I started reading the documentation and it all seemed the same as setting up sendmail. So I stuck with sendmail and I have no issues, including spam and getting flagged as spam. However, I'll note two caveats. One, I didn't try too hard to figure out postfix or the others and, two, it took me a while to figure out sendmail/spf/dkim/etc. for the same reason--I had and have too much going on to be able to concentrate on it.

Recently I read somewhere that sendmail is no longer actively worked on. Is that true?

 

[Lamia]

When I got the itch to see what postfix and other MTAs were about, I started reading the documentation and it all seemed the same as setting up sendmail. So I stuck with sendmail and I have no issues, including spam and getting flagged as spam. However, I'll note two caveats. One, I didn't try too hard to figure out postfix or the others and, two, it took me a while to figure out sendmail/spf/dkim/etc. for the same reason--I had and have too much going on to be able to concentrate on it.

Recently I read somewhere that sendmail is no longer actively worked on. Is that true?

There is smtpd if memory serves me right. It does what Sendmail does and might have been doing it better - delivery emails. I think it also has milters for dkim, spf, etc

 

[usdmatt]

I find Postfix *far* more user friendly and modern that Sendmail. I'm glad I no longer have to mess with that m4/cf stuff from the 1970's when just using a computer basically required programming skills.

For example, the below just makes sense without even really looking anything up. I wouldn't even know how to do some of this in Sendmail after using it for years - such as the ordered list of client restrictions. If I want to be able to block certain IP addresses from relaying, even after authenticating, I could just move my check_client_access rule before the permit_sasl_authenticated one.

mynetworks = 127.0.0.0/8, 192.168.100.0/24
smtpd_banner = mymailserver.email.com ESMTP hello!
disable_vrfy_command = yes
message_size_limit = 51200000
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:$config_directory/access, reject

Personally I've been championing removing Sendmail and replacing it with something simple like dma that just provides simple local delivery and submission services (with smtp-auth) to external smtp for years.

 

[hruodr]

Personally I've been championing removing Sendmail and replacing it with something simple like dma that just provides simple local delivery and submission services (with smtp-auth) to external smtp for years.

If you do not like it, do not use it. Why "championing" to impose you taste to others?

 

[usdmatt]

If you do not like it, do not use it. Why "championing" to impose you taste to others?

1) It makes replacement more of a pain as you have all the existing sendmail cruft all over the place
2) It makes FreeBSD bigger than it needs to be, and increases risk of remotely exploitable flaws
3) Upgrading Sendmail requires either replacing it with a ports version or waiting for an OS upgrade
4) FreeBSD seems to include the .cf files by default rather than generate them on install, so I have had to manual merge changes to these files many times during upgrade.

Note that I didn't say replace it with Postfix, rather with something that purely handles the minimum local features required by default, which is exactly why DragonflyBSD wrote dma. Anyone that wants a real mail server, and likes Sendmail, can install it, just like anyone that wants a web server can install their choice of nginx or apache, or can install bind if they want authoritative dns. You get the benefit of your own choice, and can keep up to date much more simply with just a pkg upgrade.

There has been an extensive effort in recent years to remove large external codebases, such as BIND, for many of the same reasons above. I'm not quite sure how Sendmail managed to avoid this. It's an archaic lumbering beast that has not has serious development for half a decade and should not be part of a base install.

 

[Lamia]

1) It makes replacement more of a pain as you have all the existing sendmail cruft all over the place
2) It makes FreeBSD bigger than it needs to be, and increases risk of remotely exploitable flaws
3) Upgrading Sendmail requires either replacing it with a ports version or waiting for an OS upgrade
4) FreeBSD seems to include the .cf files by default rather than generate them on install, so I have had to manual merge changes to these files many times during upgrade.

Note that I didn't say replace it with Postfix, rather with something that purely handles the minimum local features required by default, which is exactly why DragonflyBSD wrote dma. Anyone that wants a real mail server, and likes Sendmail, can install it, just like anyone that wants a web server can install their choice of nginx or apache, or can install bind if they want authoritative dns. You get the benefit of your own choice, and can keep up to date much more simply with just a pkg upgrade.

There has been an extensive effort in recent years to remove large external codebases, such as BIND, for many of the same reasons above. I'm not quite sure how Sendmail managed to avoid this. It's an archaic lumbering beast that has not has serious development for half a decade and should not be part of a base install.

And now that you mention DNS, could anyone kindly make recommendations for a good replacement for Domain Name (Re-)sellers' Premium DNS Managers (e.g. GoDaddy, Namecheap, etc).? I am aware of some free DNS managers - Hurricane etc - and we already have Authoritative (NSD) & Recursive/Caching(Unbound/PowwrDNS/DNSDIST) DNS servers installed.
My question again is could you please suggest a reliable TUI pkg/port that we can simply import our zone files (containing A,CNAME,PTR,MX,etc records) into it and stop paying for premium DNS managers?

 

[SirDice]

My question again is could you please suggest a reliable TUI pkg/port that we can simply import our zone files (containing A,CNAME,PTR,MX,etc records) into it and stop paying for premium DNS managers?

Not aware of anything, most will probably just create something themselves. If you have a PowerDNS "supermaster" you can easily use an SQL database with it. Then it's relatively easy to create a simple PHP (or some other language) web interface for it.

 

[rootbert]

DNS: good experience with https://www.ovh.com

 

[Lamia]

Thanks SirDice,
I shall soon explore the supermaster mode.

 

[Jose]

Another vote for Postfix / Dovecot. Switched over from Sendmail / UW-IMAP more than a decade ago, and never looked back.

It used to be you had to understand and debug m4 macro language scripts to generate sendmail.cf. That's right, the syntax was so complicated and unreadable that you have to use a (slightly more readable) programming language to generate it. This may have improved since I ditched Sendmail. I wouldn't know.

Look at this and make up your own mind:

Postfix : Products and vulnerabilities

Postfix: List of all products, security vulnerabilities of products, cvss score reports, detailed graphical reports, vulnerabilities by years and metasploit modules related to products of this vendor.

www.cvedetails.com

Sendmail Sendmail : CVE security vulnerabilities, versions and detailed reports

Sendmail Sendmail security vulnerabilities, exploits, metasploit modules, vulnerability statistics and list of versions

www.cvedetails.com

The point about a dynamic IP is a good one. I wouldn't try to run an MTA on a home connection. I run mine on a hosted virtual server.

 

[ralphbsz]

Actually, the two statistics look remarkably similar. In the last 10 years, on average less than 1 vulnerability per year. I don't think I care what happened in the early 2000s, because I don't run a version from the early 2000s.

And actually, editing the sendmail.cf file is perfectly doable. I personally think that the M4 files are less readable, and you're better of using the m4 framework as a starting point, and then reading, understanding, and editing the .cf files instead. But clearly, sendmail is very hard to configure, because if relies heavily on the .cf language as an actual execution mechanism, not just a configuration mechanism. And that is what makes the .cf files so overwhelming, and complex looking: you're de-facto looking at the source code of sendmail here, and you can fine-tune it to ridiculous levels, which in today's world are just not practical. I mean, who would want to use the configuration for encapsulating uucp addresses over bitnet? While the .cf files are capable of doing that (BTDT), it is just not needed today.

Which leads me to my personal conclusion: I use neither postfix nor sendmail. I use a very simple MTA on my home server, namely ssmtp, which is minimally configured to send all mail to a real commercial mail host outside, done.