I'll do my best! Already there's some degree of bombardment. But since things aren't working yet I don't think I'm (currently) contributing to the spam problem.
Really postfix is easier? I assumed it would be easier to go with something FreeBSD came with.
Hmm, it's a matter of opinion as well as what you're used to. Sendmail can definitely deliver, but the moment when you want to customize it further then things can become a bit tricky.
For example... SMTP authentication. In other words: allowing users to specify a username/password in order to be allowed to send e-mail using your system. On Sendmail this is perfectly doable, and the advised route (source: chapter 27 of the FreeBSD handbook) is to utilize security/cyrus-sasl.
On Postfix it's very easy to devise another and (IMO!) easier to use approach. You already mentioned mail/dovecot above, which is what led up to my comment. On Postfix it's very easy to allow Postfix to utilize the already available authentication methods provided by Dovecot. In other words: allowing users who can receive / retrieve e-mail (using Dovecot) to authenticate themselves to send mail using the exact same credentials:
(from /usr/local/etc/postfix/main.cf)
Code:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_authenticated_header = yes
Of course some work had to be done on the Dovecot part as well (just mentioning this for completeness' sake); I had to set up the socket which Postfix is using above. So from /usr/local/etc/dovecot.conf:
Code:
client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
}
But this was more or less all there was to it. The rest consisted of stuff which you'd already do when using Dovecot: making sure the users could actually retrieve their e-mail.
Now, we can discuss why this could be a good or bad idea, but that's not the point. I'm merely trying to demonstrate the flexibility which Postfix can provide.
But, please don't get me wrong here: Sendmail is an excellent program which is very diverse and flexible as well. It is most definitely not a bad idea to use it also because, as you said yourself, it is a standard on FreeBSD. Simple as that. My LAN server uses it and it has never failed me.
But in some cases things can be a bit easier.
For example, setting up my LAN server to use my main mail server as relay is relatively easy in Sendmail:
- Edit /etc/mail/<your host>.mc
- Uncomment the SMART_HOST definition and add the right address
- Recompile your configuration
- Restart Sendmail:
# service sendmail restart
But on Postfix I'd use:
- Edit /usr/local/etc/postfix/main.cf
- Uncomment the relayhost option and specify the host.
- This can even utilize MX records, UUCP, and using different ports is also a no brainer.
- Refresh Postfix:
# postfix reload
And well, I simply prefer the latter myself.
But in the end both environments have their specific way of working and once you get the hang of it then both will be very easy to use. I'm most definitely not calling Sendmail bad or anything, it most certainly is not.
Are there particular ways I should or shouldn't configure sendmail? Or ways to test how vulnerable an email server is?
The one thing you should be very careful with is setting up a relay. As in: allowing others to send e-mail through your system, that is the main culprit which causes a lot of problems on the Net.
Always be sure to check /etc/mail/access and ensure that you're using the right settings (not allowing the whole world to relay). The FreeBSD handbook has a whole chapter on this.
Some external hosts which can help you check are mxtoolbox.com, mailradar.com and spamhelp.org.
Some other tips which really work well for me: be picky about what incoming connections you allow. For example, my MTA only allows fully qualified HELO lines (=an identifier for a remote mailserver). This can help you reduce spam a bit because commonly speaking a regular mailserver has a DNS entry assigned to it. Rogue hosts (think about a compromised machine on a regular internet connection) usually do not. So they'll most likely identify themselves with an IP address. And that's a no no on my end. I'm taking it one step further by also demanding a valid hostname. So if someone makes something up then my MTA refuses to accept e-mail.
I can also recommend looking into SPF (Sender Policy Framework). See the official project website. In short: if you send e-mail then you define in a TXT DNS record which servers are used for that. So if someone else tries to send e-mail on your behalf from a remote location then any mailserver can establish that it's bogus. Just for context: Microsoft, Google, Facebook, Apple... they all use it.
Code:
$ dig TXT apple.com | grep spf
apple.com. 3561 IN TXT "v=spf1 ip4:17.0.0.0/8 -all"
Also consider looking into Greylisting. That seriously reduced spam on my end. There are several options for this, on Postfix I rely on Postgrey which is quite easy to set up. I have no clue how to set this up on Sendmail but I'm sure Google knows.
In short: any incoming e-mail gets rejected the first time and the connection is logged and cut. Only after a few minutes will the delivery be allowed. The theory is that every mailserver will retry a delivery when it fails the first time. Spammers on the other hand, especially those using compromised boxes, usually do not.
Seriously: using Greylisting has cut our spam amounts easily in half, without using any other spamfilter.
And that brings me to: also consider looking into spamfilters. There are plenty and they'll help you reduce a lot of nasty stuff. You mentioned SpamAssassin and I can definitely recommend that one. Same for ClamAV.
Hope this can help a bit.
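How a receiving server uses an SPF record like the one in the dig output above, as an added example that is not part of the original post: the function evaluates the ip4, ip6 and all mechanisms offline against the connecting address. The function name and the test addresses are assumptions; mechanisms that need DNS lookups are reported as "unsupported" rather than guessed.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the dig output quoted in the post.
APPLE_SPF = "v=spf1 ip4:17.0.0.0/8 -all"


def check_spf(record, client_ip):
    """Evaluate one SPF record against a connecting IP without DNS.

    Supports ip4, ip6 and all. Mechanisms that need lookups (a, mx,
    include, exists, ptr) and redirect= yield "unsupported", not a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    redirect = False
    for term in terms[1:]:
        if "=" in term:  # modifier (redirect=, exp=), not a mechanism
            redirect = redirect or term.lower().startswith("redirect=")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"  # malformed address or prefix
        if net.version != int(name[2]):
            return "permerror"  # e.g. an IPv6 range listed under ip4:
        if ip in net:  # always False across address families
            return QUALIFIERS[qualifier]
    return "unsupported" if redirect else "neutral"


if __name__ == "__main__":
    for addr in ("17.1.2.3", "203.0.113.25"):  # constructed test addresses
        print(addr, check_spf(APPLE_SPF, addr))
```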
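The greylisting decision described above, as an added example that is not part of the original post and not Postgrey's own code: each (client IP, sender, recipient) triplet is deferred on first contact and accepted only when the same triplet retries after a delay. The class name, the 300-second delay, the one-day retry window and the sample traffic are assumptions made for illustration.

```python
DEFER = "450 4.7.1 greylisted, please retry later"
ACCEPT = "250 2.0.0 ok"


class Greylist:
    """Greylisting keyed on the (client IP, sender, recipient) triplet."""

    def __init__(self, delay=300, max_wait=86400):
        self.delay = delay        # assumed: seconds before a retry is accepted
        self.max_wait = max_wait  # assumed: a retry later than this starts over
        self.pending = {}         # triplet -> time of first attempt
        self.passed = set()       # triplets that retried correctly

    def check(self, client_ip, sender, recipient, now):
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now  # first contact: log it and defer
            return DEFER
        if now - first < self.delay:
            return DEFER             # retried too quickly, keep waiting
        del self.pending[key]
        self.passed.add(key)
        return ACCEPT


# Constructed sample traffic: (seconds, client IP, envelope sender, recipient).
EVENTS = [
    (0, "192.0.2.10", "alice@example.org", "bob@example.com"),
    (10, "198.51.100.7", "promo@example.net", "bob@example.com"),
    (60, "192.0.2.10", "alice@example.org", "bob@example.com"),
    (400, "192.0.2.10", "alice@example.org", "bob@example.com"),
    (5000, "192.0.2.10", "alice@example.org", "bob@example.com"),
]


def replay(events, greylist=None):
    """Return the SMTP reply code given to each event, in order."""
    greylist = greylist or Greylist()
    return [greylist.check(ip, s, r, now)[:3] for now, ip, s, r in events]


if __name__ == "__main__":
    print(replay(EVENTS))
```

The host that sends once and never retries (198.51.100.7 in the sample) only ever sees the 450 reply, while the retrying server is accepted from its first retry past the delay onward.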