Replacing Sendmail with Postfix tough question.

Post by SomeoneHere » 19 Mar 2009, 17:22

Well, let me give a little background. I have gone through some painstaking steps and reading but have yet to find an answer that puts my concerns to rest. I have been using FreeBSD for a while now and would like to set up a postfix mail server. I have used the ports collection for my install, but I am hoping that someone can give me a better understanding. I have installed postfix, amavisd-new, clamav, clamav-milter, spamassassin, spamassassin-milter, dovecot and squirrelmail. From what I can tell, it works. But what I did to make it work concerns me. First, here

rc.conf

Code:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
postfix_enable="YES"
dovecot_enable="YES"
amavisd_enable="YES"
clamav_clamd_enable="YES"
clamav_milter_enable="YES"
clamav_milter_flags="--local --outgoing --max-children=50 --quarantine-dir=/var/quarantine --headers --timeout=0 --postmaster-only"
spamd_enable="YES"
spamd_flags="-u spamd"
spamass_milter_enable="YES"

/etc/periodic.conf

Code:
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

mailer.conf
Code:
#
# Execute the Postfix sendmail program, named /usr/local/sbin/sendmail
#
sendmail   /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq   /usr/local/sbin/sendmail
newaliases   /usr/local/sbin/sendmail

clamav and spamassassin were not communicating with amavisd-new, and to get it to work I added this to /etc/mail/sendmail.cf

Code:
O InputMailFilters=clamav,spamassassin
Xspamassassin, S=local:/var/run/spamass-milter.sock, F=, T=C:15m;S:4m;R:4m;E:10m
Xclamav, S=local:/var/run/clamav/clmilter.sock, F=T, T=S:4m;R:4m

My first concern is why would I have to modify this file for it to work? I should be using postfix, not sendmail. My other concern is with the file
/etc/mail/README

Code:
As of sendmail 8.12, in order to improve security, the sendmail binary no
longer needs to be set-user-ID root.  Instead, a set-group-ID binary
accepts command line mail and relays it to a full mail transfer agent via
SMTP.  A group writable client mail queue (/var/spool/clientmqueue/ by
default) holds the mail if an MTA can not be contacted.

To accomplish this, under the default setup, an MTA must be listening on
localhost port 25.  If the rc.conf sendmail_enable option is set to "NO",
a sendmail daemon will still be started and bound only to the localhost
interface in order to accept command line submitted mail (note that this
does not work inside jail(2) systems as jails do not allow binding to
just the localhost interface).  If this is not a desirable solution, it
can be disabled using the sendmail_submit_enable rc.conf option.  However,
if both sendmail_enable and sendmail_submit_enable are set to "NO", you
must do one of two things for command line submitted mail:

1. Designate an alternative host for the submission agent to contact
   by altering /etc/mail/freebsd.submit.mc (or setting SENDMAIL_SUBMIT_MC
   in /etc/make.conf to an alternate .mc file) and using
   'make install-submit-cf' in /etc/mail/.  Change the FEATURE(msp) line
   to FEATURE(msp, hostname) where hostname is the fully qualified hostname
   of the alternative host.


Is this telling me that despite everyone saying that all you need to do to disable sendmail is add

Code:
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"


to the rc.conf, there is more that needs to be done to not use sendmail? My concern is that any command line emails or emails using squirrelmail are using sendmail instead of postfix, and this would be a waste of resources and a security issue. Anyone that can shed some light on this for me would be greatly appreciated.

Post by Mel_Flynn » 19 Mar 2009, 22:22

Any program directly invoking /usr/sbin/sendmail will effectively be calling /usr/sbin/mailwrapper. mailwrapper consults /etc/mail/mailer.conf to get the path to the real binary and then invokes that in return.

No idea about the milter stuff, anti-virus doesn't interest me and I use dspam with postfix, but I would be very surprised that the stock sendmail would come into play ever.

The /usr/local/sbin/sendmail is a compatible version of sendmail provided by postfix, for the purpose of injecting mail locally into the queue.

Also, the 4 NO's in /etc/rc.conf can be (forwards-compatible) specified as sendmail_enable="NONE". With forwards-compatible I mean that NONE is guaranteed by the rc team to disable any and all sendmail binaries, even if it means 20 in the future.
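The mailwrapper lookup described in the reply above, together with the four rc.conf knobs from the first post, as a POSIX sh check. This is an added example, not code from any poster or from FreeBSD; the function names and sample files are made up for illustration, and /usr/libexec/sendmail/sendmail is assumed to be the base-system sendmail path that a stock mailer.conf points at.

```shell
#!/bin/sh
# Added example: check which MTA mailwrapper(8) will exec and whether the
# base-system sendmail knobs listed in the thread are all off.

# Assumed base-system sendmail path used by a stock FreeBSD mailer.conf.
STOCK_SENDMAIL="/usr/libexec/sendmail/sendmail"

# resolve_mailer NAME [FILE]: print the binary mapped to NAME; fail if absent.
resolve_mailer() {
    awk -v n="$1" '$1 == n { print $2; found = 1; exit }
                   END { exit !found }' "${2:-/etc/mail/mailer.conf}"
}

# stock_entries [FILE]: print every name still mapped to base-system sendmail.
stock_entries() {
    awk -v s="$STOCK_SENDMAIL" '$1 !~ /^#/ && $2 == s { print $1 }' \
        "${1:-/etc/mail/mailer.conf}"
}

# sendmail_knobs_off [FILE]: succeed only if all four knobs are set to NO.
# The deprecated NONE value is reported instead of being accepted.
sendmail_knobs_off() {
    for knob in sendmail_enable sendmail_submit_enable \
                sendmail_outbound_enable sendmail_msp_queue_enable; do
        # The last assignment wins, as it does when sh sources rc.conf.
        val=$(sed -n "s/^${knob}=\"\{0,1\}\([A-Za-z]*\).*/\1/p" \
              "${1:-/etc/rc.conf}" | tail -n 1)
        case "$val" in
            [Nn][Oo]) ;;
            *) echo "$knob is '${val:-unset}'"; return 1 ;;
        esac
    done
}

# Constructed sample files (not taken from a real host): one entry was left
# pointing at the base-system binary and one rc.conf knob is missing.
demo_dir=$(mktemp -d)
printf '%s\n' '# Postfix wrapper' \
    'sendmail    /usr/local/sbin/sendmail' \
    'mailq       /usr/libexec/sendmail/sendmail' > "$demo_dir/mailer.conf"
printf '%s\n' 'sendmail_enable="NO"' 'sendmail_submit_enable="NO"' \
    'sendmail_outbound_enable="NO"' > "$demo_dir/rc.conf"

echo "sendmail -> $(resolve_mailer sendmail "$demo_dir/mailer.conf")"
echo "still stock: $(stock_entries "$demo_dir/mailer.conf")"
sendmail_knobs_off "$demo_dir/rc.conf" || echo "sendmail not fully disabled"
rm -rf "$demo_dir"
```

Called without a file argument, each function reads the live /etc/mail/mailer.conf or /etc/rc.conf.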

Post by Visitor » 02 Jan 2012, 07:46

Mel_Flynn wrote: Also, the 4 NO's in /etc/rc.conf can be (forwards-compatible) specified as sendmail_enable="NONE". With forwards-compatible I mean that NONE is guaranteed by the rc team to disable any and all sendmail binaries, even if it means 20 in the future.


I am going to reply to this as others will stumble upon this thread from search engines like I did.

As of 2012,
Code:
sendmail_enable="NONE"
should no longer be used, according to sendmail's man page at http://www.freebsd.org/cgi/man.cgi?query=rc.sendmail&sektion=8:

Code:
sendmail_enable
        (str) If set to ``YES'', run the sendmail(8) daemon at system
        boot time.  If set to ``NO'', do not run a sendmail(8) daemon to
        listen for incoming network mail.   This does not preclude a
        sendmail(8) daemon listening on the SMTP port of the loopback
        interface.  The ``NONE'' option is deprecated and should not be
        used.  It will be removed in a future release.