Discussion on MTA : SendMail, Postfix, Exim, Qmail

MTA Comparison (http://shearer.org/MTA_Comparison)

For historical reasons the most popular continues to be sendmail but since there are safer alternatives do not think that would be the case that some distro courageous thought to their use by default?

Especially for distro think for security as openbsd.

Which you prefer between postfix and exim?

Qmail.
I think that still has the drawback of do not be a truly open.

I personally prefer Postfix. However, I believe that people that love to administer Exim mail servers will have as good mail servers as people that love to administer Postfix setups. But yeah, I prefer from far Postfix to Exim. I just love how it is structured and well built.

# Why is Sendmail included, it is "known insecure"?!
Sendmail has had an imperfect security record, however the Sendmail authors and maintainers have been very receptive to reworking their code to make it much more secure (and this is a sadly uncommon response). The recent security history of Sendmail is not much different than some of the supposedly "more secure" alternatives.
# Why isn't Postfix included?
The license is not free, and thus can not be considered.
# Why isn't qmail or djbdns included?
Neither program is what many Unix users "expect" out of a mail or DNS application.


Good enough for me although I probably would use postfix or qmail if I had to spend a lot of time with such a program.

I use qmail actually, and never had any issues with running it or setting it up...We have been using it for about 3 years for our in-house email server.

How about OpenSMTPd

http://undeadly.org/cgi?action=article&sid=20081112084647

How about OpenSMTPd

http://undeadly.org/cgi?action=article&sid=20081112084647
It doesn't have that name quite yet.. :)

Also, it's still early in the developmental phase.

But.. I can't wait until it replaces sendmail.. m4 is just horrid for configuration files.

OpenSMTPD* will have pf-style syntax.. :)

How about OpenSMTPd

http://undeadly.org/cgi?action=article&sid=20081112084647

While this looks like a great contender heed the warnings!

"don't use it live unless you want to help test and spot bugs"

Query: If your email provider has an smtp server (i.e., smtp.myemail.com), do you still need an MTA (i.e., sendmail) to send email if you use a basic MUA like mutt? Would you need one (i.e., fetchmail) to get mail if you have a pop server?

Query: If your email provider has an smtp server (i.e., smtp.myemail.com), do you still need an MTA (i.e., sendmail) to send email if you use a basic MUA like mutt? Would you need one (i.e., fetchmail) to get mail if you have a pop server?
The newest Mutt has built in SMTP so you do not need sandmail. The stable one doesn't have so you will need to configure sendmail to send mail to your IP mail server which will relay it further. I am not using Mutt so I do not know if it has built in support for downloading mails from POP3 and IMAP servers. If I have to guess I think it has it. If it doesn't have you will have to use fetchmail to get your mail from the remote mail server of your IP. You do want to use IMAP and SMTP only with TSL or SSL.

I would not use POP3 period.

Cheers,
OKO

The newest Mutt has built in SMTP so you do not need sandmail. The stable one doesn't have so you will need to configure sendmail to send mail to your IP mail server which will relay it further. I am not using Mutt so I do not know if it has built in support for downloading mails from POP3 and IMAP servers. If I have to guess I think it has it. If it doesn't have you will have to use fetchmail to get your mail from the remote mail server of your IP. You do want to use IMAP and SMTP only with TSL or SSL.

I would not use POP3 period.

Cheers,
OKO

Thanks, that answered my question.


Why wouldn't you use POP3?

Why wouldn't you use POP3?

Plain text over telnet. Be my guest and you tell me why:)

Plain text over telnet. Be my guest and you tell me why:)

Ah, that could be a security risk! I did not know that. I just went with the flow and used the ever popular pop3 - don't even know if any of my email accounts support IMAP (but, I will check with my web hosting company, since that account is where I'm trying to get all my various email accounts consolidated into).

Ah, that could be a security risk! I did not know that. I just went with the flow and used the ever popular pop3 - don't even know if any of my email accounts support IMAP (but, I will check with my web hosting company, since that account is where I'm trying to get all my various email accounts consolidated into).

Make sure their IMAP and SMTP use TLS or at least SSL.

I've never really understood the purpose of using IMAP/POP over SSL/TLS. For authentication, sure, but for the actual data transfer? What's the point? The messages travelled over plaintext SMTP between how many different SMTP servers, routers, and other networking gear? And are stored in plaintext on how many systems? And are stored on the ISP/destination server in plaintext for how long? Why encrypt the last connection only?

I've never really understood the purpose of using IMAP/POP over SSL/TLS. For authentication, sure, but for the actual data transfer? What's the point? The messages travelled over plaintext SMTP between how many different SMTP servers, routers, and other networking gear? And are stored in plaintext on how many systems? And are stored on the ISP/destination server in plaintext for how long? Why encrypt the last connection only?

Why do you want to send message in the plain text? How about signed and encrypted message:)

Exactly. So, if your message is signed and encrypted, why would you need POP-over-SSL or IMAP-over-SSL? :)

POPS (POP3S?) and IMAPS never made sense to me, as a message-transfer protocol. Unless the entire communications channel, from end-point to end-point, is encrypted, then there is very little value in encrypting the final leg of a message's journey.

On groupware systems where messages tend to remain within the system (internal messages), then secure server-client connections like IMAPS make sense. But for general "sending over the Internet" setups? Not really. At least not in my mind.

That's like driving a tank from home to work, then jumping on a 10-speed bike to travel from work to the mall, then jumping on a bus to travel from the mall to the grocery store, then hitch-hiking from the grocery store back to work, then jumping back in the tank to drive home. Sure, the home-to-work leg of the trip is super-secure, but what about the rest of the journey?? ;)

People live in blissful ignorance, they assume that if they encrypt the communication... everyone else will. ;)

There is some use in pop3s and imaps.

For example, if you want to eavesdrop on me, then the easiest way to do so is to listen on the pop3/imap/smtp traffic from my computer to the main server/MTA.
If pop3s/imaps/smtps are used, this will be much harder.

There is some use in pop3s and imaps.

For example, if you want to eavesdrop on me, then the easiest way to do so is to listen on the pop3/imap/smtp traffic from my computer to the main server/MTA.
If pop3s/imaps/smtps are used, this will be much harder.

It seems that most consumer email systems (at least the ones I've dealt with) only use POP3 (and some IMAP) - unless they are using pop3s/imaps and just not saying so in their documentation.

Yes, most only support smtp and pop3, only the better ones support imap, and few support the secure version.

I talked with my friend who works for the company that hosts my website. He claimed that they had the secure protocols, but that I'd need a SSL certificate (which costs money). Is that correct?

Note: I'm not running an email site - the email account(s) for that site is just for my own use - i.e. myusername@mydomain.com

I talked with my friend who works for the company that hosts my website. He claimed that they had the secure protocols, but that I'd need a SSL certificate (which costs money). Is that correct?

Note: I'm not running an email site - the email account(s) for that site is just for my own use - i.e. myusername@mydomain.com

Yes. Third party SSL certificate is not free.