[olug] Mail Relaying w/Filtering

Christopher Cashell topher at zyp.org
Sun Nov 24 06:36:30 UTC 2002


At Sat, 23 Nov 02, Unidentified Flying Banana Mike Peterson Charles, said:
> What are your thoughts on using exim from the experience of using it?
> Where is its place in the list as far as features, ease to configure,
> and security?

Well, it's fairly easy to configure.  And it's fairly featureful.  I'd
rate it comparable to QMail and Postfix in both of those regards.

However, it doesn't match up in terms of security, both in actual
vulnerabilities, and in design.  QMail and Postfix were both designed
specifically to be very secure daemons.  QMail has never had a serious
exploit available for it (the author actually offered $1k of his own
money to anyone who could find one. . . after a year or two, it was
still unclaimed).  Postfix follows a lot of the design ideas in QMail,
and though it's had a few minor issues, I'd still rank it second with
regards to security.  One thing that always bothers me about exim is
that it's a single large binary, and it runs SUID root.

On principle, I hate programs that do that.

I should admit that I'm something of a security respective person (read:
I'm paranoid).  Thus, my first choice of mail server is QMail, and my
second choice would probably be Postfix.  Exim or Sendmail would be
somewhere after those. ;-)

> Both Postfix and Sendmail come with Redhat.

These two are both shipped with Red Hat, and with Mandrake, I believe.
The reason being that they are two of the top 4-5 e-mail daemons, with
Sendmail being the most widely used, and Postfix being secure (and
easily redistributable).

> Exim comes with some distributions.

Many distributions that don't limit the amount of software included have
exim (Debian, for example).  I've seen posts on mailing lists that hint
that the main reason exim isn't included with Mandrake or Red Hat is
that they already include two MTAs.

> Qmail is part of custom setups like SME Server.

QMail is rarely distributed with distributions due to a slightly (very)
annoying license.  Basically, you are free to use QMail however you
want.  However, you can't redistribute modified binaries.  Since many
distributions like to move things slightly (putting config files in
certain locations, etc.), they are unable to do that with QMail.

Most people who use QMail have to install it themselves from source (or
from a pseudo-package that downloads and patches the source on your
machine, which is how Debian does it).

> I have only been running Sendmail exclusively.
> I worked with Qmail when I tested out E-Smith the former package to SME
> Server.

Ugh. ;-)

Unless you have a specific need to do something which only Sendmail can
do, I'd not choose to do it.  It's a fact that there are some situations
where you basically need Sendmail to get the job done.  In all others,
there are better choices. ;-)

--
| Christopher
+------------------------------------------------+
| A: No.                                         |
| Q: Should I include quotations after my reply? |
+------------------------------------------------+
