# The little MTA roundup



## hardworkingnewbie (Sep 4, 2021)

I wanted to try a little bit different, so I want to give in this post a little roundup on Mail Transport Agents (MTA). In case you don't know yet what a MTA is: it's a piece of software, which is responsible to deliver your emails throughout the internet until its final destination. It's accepting therefore connections from Mail User Agents (MUA), so programs like Mutt, Alpine, Thunderbird, Kmail, Claws - you got the idea.

Personally I've been managing different MTA installations in terms of software and size since around 1998. My biggest was back then 1998 one which ran Exim and Cyrus IMAPD with ~3000 mail adresses, this has though changed throughout the years.

Let's begin with what I call legacy MTAs, you should avoid using for new installations if you can:

*Sendmail*
Sendmail is the granddaddy of MTAs, with its initial release back in 1983 by Eric S. Allman. In its hayday of glory and when there were not much alternatives, it was known to be a security nightmare because of its monolithic design (one binary does it all), as well to be a configuration nightmare in its sendmail.cf file.

The latest documentation book of sendmail.cf at O'Reilly has around 1292 pages. One idiom back then in the days was "You are not a real administrator if you have not edited a sendmail.cf file at least once. You are insane if you did twice."

My advise: avoid it at all costs. It's not much in use nowadays, configuration is a nightmare and aside today there are better alternatives around.

*Qmail*
Qmail by Daniel J. Bernstein was a breath of fresh air back in the old days in 1995. It was the first real MTA which has been designed with security as fundamental principle from the beginning, and therefore it has been very secure compared Sendmail.

Aside that it was also fast and easier to configure. It was also a strongly opinionated piece of software, and configuration was mostly done in dot files throughout a cascade of directories. It also introduced some innovations to the scene, like e.g. Maildir.

The development on the official source has stopped long time ago, but there are some forks around which introduced features like IPv6 support to it. It's been quite popular back then, also Hotmail used it in the beginning, but nowadays it's a niche MTA for some hardcore fans because of its long pause in development.

My advise: if you don't have some legacy installation running just skip it and use Postfix instead.

Let's move on the more recent stuff:

*Exim*
Exim by Philip Hazel is a successor to S-Mail 3. It's been around since also 1995, but uses only one binary to do all stuff. Exim is best known for the reason that it is the default MTA of the GNU/Linux Debian distribution. It's somewhat now a slow burn project, but still sees continous development.

Exim's configuration is quite human readable, and flexible to a point that many consider Exim to be more kind of a MTA framework because you can really much define many things in a flexible type of manner other MTA's don't. It's got a big community, so getting documentation and support of all types is also no problem.

It's main disadvantage is its monolithic design, similar to Sendmail. So every 2-3 years you can expect that this will bite you in the hand, and you will have to update your MTA probably quite fast to have the fix.

Furthermore Exim offers no dedicated queue manager, which might be a problem for some use cases. If you really do need big throughput it's also not the fastest MTA on the block around. It's still though one of the most used open source MTAs today on the internet due to the fact that Debian ships with it.

My advise: if you don't really need its flexibility take a closer look, but you should still skip it due to its monolithic design and the security implications coming from it.

*Postfix*
Postfix is the brainchild of Wietse Venema, a well known security reseacher back then working at IBM Research, and around since 1998. As you might consider when looking at the author, security has been a fundamental part of its design right from the beginning. In fact Postfix has an excellent track record in terms of security due to this, because if something breaks the damage area is normally quite narrow and mitigated.

It's configuration is powerful and simple enough to be humanly understandable, compared to Exim though it's not always so flexible. Then again use cases which cannot be done with Postfix are probably quite narrow anyways for normal installations.

Postfix also speaks Milter, which means that you can use your own Milters of choice. It's also one of the most used open source MTAs, has a big community and documentation is plentiful. Due to its design it has also a dedicated queue manager, which is tunable.

Furthermore it's under continous development still today, and quite capable of handling large mail loads.

This makes Postfix my personal recommendation if you really want to run a MTA, because it's well documented, under continous development, easily enough configurable and been designed with security on mind.

Worth mentionings:

*Haraka*
Haraka is the only MTA which has not been created in the last millenium. It's initial release was in May 2011 by Matt Sergeant, it's written in Javascript (really!) and runs on Node.JS. Sergeant took the basic design of Qpsmtpd (which runs on Perl), on which he worked before , and ported it over to Node.JS because he wanted something more speedy, asyncronous and event driven.

Haraka is mainly about one thing, and this is* raw speed. *It's been created to replace installations, where even Postfix is not nearly speedy enough to handle the existing mail load. So when you got always a few thousand SMTP connections open any time, and sending out millions emails per day this is probably the MTA which can do the job for you.

True to this niche Haraka is the MTA being used by Craigslist. After they rolled out Haraka on their servers, they claimed to have de-commissioned 50% of their hardware which ran Postfix before because they were no longer needed.

So probably not a thing most of use will ever have a real need to use anyway due to lack of mail load; but it might be interesting to have a look at it regardless.


----------



## Geezer (Sep 4, 2021)

I am a dinosaur. I still use sendmail.


----------



## trev (Sep 4, 2021)

I use sendmail. Configuration is easy. I never edit the .cf file.
My first MTA was Qmail on Mark Williams COHERENT (RIP - its printed documentation was awesome).


----------



## drhowarddrfine (Sep 4, 2021)

I live in a nightmare world, I guess, and have used sendmail for 17 years.


----------



## eternal_noob (Sep 4, 2021)

I use neither of these. But interesting read, thanks for posting.


----------



## zirias@ (Sep 4, 2021)

I used sendmail when it was the default on Debian, and then followed their switch to Exim. Back then, this was a huge improvement in both flexibility and readable configuration, as you describe it .

Now, I guess I'm just too lazy to learn anything else, and sure, this comes at a price – you must have a close look on possible security issues.


----------



## Alain De Vos (Sep 4, 2021)

Not in this roundup. Using opensmtpd(smtp) + dovecot(imap)


----------



## hardworkingnewbie (Sep 4, 2021)

Well my personal history is as follows:

started with Smail-3 in conjunction with Taylor UUCP and Cnews, later INN.

Switched over to Exim, because it was similar to Smail-3 but more powerful, and with Cyrus IMAP (because it didn't rely on mbox files, instead had a more performant solution), later Courier IMAP because it supported Maildir. Fun thing for me about Courier is that it's also a MTA, but I've never met anyone who uses its MTA functionality at all.

Then switched over to Postfix with Dovecot around 2008, and been using that since then. And I'm quite confident I'll stick with both for a much longer time to come.


----------



## hruodr (Sep 4, 2021)

It is not anymore necessary to edit .cf files for common use of sendmail. But the bashing never ends. sendmail is not more difficult to configure than other MTAs, it is not more insecure than other MTAs.


----------



## Deleted member 30996 (Sep 4, 2021)

Sendmail sends me my Daily reports every day at the same time and port 25 is blocked at the firewall both ways. 

That's how I want it to work and it can do so on it's own without me worrying about it.


----------



## zirias@ (Sep 4, 2021)

Trihexagonal said:


> Sendmail sends me my Daily reports every day at the same time and port 25 is blocked at the firewall both ways.
> 
> That's how I want it to work and it can do so on it's own without me worrying about it.


Seriously, for *THAT* (nothing but local mail delivery), you don't need sendmail. Classic usecase for something super simple like "dma".


----------



## Deleted member 30996 (Sep 4, 2021)

Sendmail is what they give me in the FreeBSD Base System so that's all I've ever used.


----------



## zirias@ (Sep 4, 2021)

Trihexagonal said:


> Sendmail is what they give me in the FreeBSD Base System so that's all I've ever used.


They give you dma as well for quite some time, so you could avoid trying to shoot sparrows using a rocket launcher


----------



## Geezer (Sep 4, 2021)

Trihexagonal said:


> Sendmail is what they give me in the FreeBSD Base System so that's all I've ever used.



Yes, I think that is the main reason to use it.



hruodr said:


> It is not anymore necessary to edit .cf files for common use of sendmail.



Good thing too. Never understood them.


Sendmail, a rocket launcher with unintelligible config files, that seems to hit the target.


----------



## zirias@ (Sep 4, 2021)

Geezer said:


> Sendmail, a rocket launcher with unintelligible config files, that seems to hit the target.


Kind of 

I have some doubts whether you'd want to use it, even _if_ you need the features (there are alternatives, see the OP). Well sure, it might work, and it's cool to know how to configure it 

But, seriously, if all you need is some local delivery – avoid the monster!


----------



## hardworkingnewbie (Sep 4, 2021)

hruodr said:


> It is not anymore necessary to edit .cf files for common use of sendmail. But the bashing never ends. sendmail is not more difficult to configure than other MTAs, it is not more insecure than other MTAs.


Well my view is from a different angle: I do know about the M4 macros, and that it's possible to run Sendmail just with them.

But which message exactly does it give that the configuration file of a MTA needs an own wrapper *by default* to be somewhat manageable to the normal people? For me quite simple: it's hard to do without it and too complicated for most then when done directly.

Also a wrapper most certainly always has some uncovered areas which when required to be tackled the need to fight the beast directly will arise. Having to rely on a wrapper to configure a software for me is always a band-aid, but nothing more.

Aside that: Sendmail is more insecure than other MTAs due to its monilithic design. Same goes for Exim. There's a good reason why Sendmail was removed 2006 in NetBSD as default MTA because of that.

The first MTA which really was designed with security in mind was Qmail by Daniel J. Bernstein. This design was so ground breaking, that even Sendmail Inc. tried for a while to duplicate that effort on their own by writing a new Sendmail MTA using the same principles called Sendmail X, which was later renamed to Meta1 and released in 2014. Since then it didn't get much love, though, because the initial release from 2014 is still the most recent one. 

This is the CVE summary for Sendmail: https://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html
This is it for Exim: https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html

This is the one for Postfix instead: https://www.cvedetails.com/vulnerability-list/vendor_id-8450/product_id-14794/Postfix-Postfix.html

Sendmail has 27 entries, while Postfix only has 8. Exim has by the way 43, but a whole bunch of them was created in 2020 after some people made an extensive audit on it, and found 21 unique vulnerabilities.

This makes quite much sense, since Exim has a market share of 60% of the MTAs on the internet according to some researchers. I am pretty convinced if Sendmail would receive the same research vulnerability count would go up in a similar way.


----------



## facedebouc (Sep 4, 2021)

hardworkingnewbie said:


> This is the CVE summary for Sendmail: https://www.cvedetails.com/vulnerability-list/vendor_id-31/Sendmail.html
> This is it for Exim: https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html
> 
> This is the one for Postfix instead: https://www.cvedetails.com/vulnerability-list/vendor_id-8450/product_id-14794/Postfix-Postfix.html
> ...


Sendmail has only 3 entries since 2008 regarding the same time lapse than Postfix.


----------



## drhowarddrfine (Sep 4, 2021)

hardworkingnewbie said:


> Sendmail is more insecure than other MTAs due to its monilithic design.


A monolithic design does not make a program insecure. That complaint comes from such designs getting large and losing track of things along with the need to rebuild the whole thing when updating but, by itself, it does not make a program insecure by default.


----------



## dd_ff_bb (Sep 4, 2021)

Sendmail: Hail To The King



hruodr said:


> It is not anymore necessary to edit .cf files for common use of sendmail.



Yeah but whats the fun in that



Zirias said:


> They give you dma as well for quite some time, so you could avoid trying to shoot sparrows using a rocket launcher



Who doesn't loveeeee good ole explosion



hardworkingnewbie said:


> My advise: avoid it at all costs. It's not much in use nowadays, configuration is a nightmare and aside today there are better alternatives around.



Are you really telling me you never played with cf on the fly and bring down a company to its knees by mistake  oh by the way don't forget not to back up your original cf file while you are at it


----------



## hruodr (Sep 4, 2021)

hardworkingnewbie said:


> Aside that: Sendmail is more insecure than other MTAs due to its monilithic design. Same goes for Exim. There's a good reason why Sendmail was removed 2006 in NetBSD as default MTA because of that.


Why did OpenBSD, whose main goal is security, substitute much later sendmail, with his own opnsmtp?


----------



## zirias@ (Sep 4, 2021)

So, dd_ff_bb, in a nutshell, sendmail is cool cause it's so hard to use?

Reminds me a bit of the proud Gentoo user  – although, of course, with sendmail, it's more for real


----------



## hruodr (Sep 4, 2021)

Zirias said:


> But, seriously, if all you need is some local delivery – avoid the monster!


# ll sendmail.8.15.2.tar.gz
-rw-r--r--  1 user  user  2207417 Jun 20  2019 sendmail.8.15.2.tar.gz
# du -h sendmail-8.15.2/
...
6.5M    sendmail-8.15.2/
#

But otherwise, bloat is welcome everywhere.


----------



## dd_ff_bb (Sep 4, 2021)

Zirias said:


> So, _*dd_ff_bb*_, in a nutshell, sendmail is cool cause it's so hard to use?











						Definition of SENSE OF HUMOR
					

a personality that gives someone the ability to say funny things and see the funny side of things… See the full definition




					www.merriam-webster.com


----------



## drhowarddrfine (Sep 4, 2021)

Being harder to use sometimes means you are working with the thing at its lowest level. It might be that, there, it's at its most flexible and can do more than at a higher level which often means restricted movement and access.


----------



## Tieks (Sep 4, 2021)

drhowarddrfine said:


> It might be that, there, it's at its most flexible and can do more than at a higher level which often means restricted movement and access.


You have a point there. However, you will only be able to use that flexibility when you speak Sanskrit fluently.


----------



## drhowarddrfine (Sep 4, 2021)

Klaatu barada nikto


----------



## hruodr (Sep 4, 2021)

Tieks said:


> You have a point there. However, you will only be able to use that flexibility when you speak Sanskrit fluently.



Not only. You may, for example, have help of people that speak Sanskrit fluently.

The only time I dealt with cf configuration was with this:





__





						Virtual Domains — Cyrus IMAP 3.4.4 (stable) documentation
					





					www.cyrusimap.org
				




I wanted normal email for the users of the server, imap for non users with mail accounts (with other domain).

Is Cyrus imap not more complicated to deal with than sendmail? I had this impression.


----------



## Deleted member 30996 (Sep 5, 2021)

Well I will admit, figuring out how to set my email aliases was one of the hardest things to figure out about FreeBSD and took me longest, but I have tamed it and it does it's job well. pf makes sure it stays faithful to me.



Zirias said:


> They give you dma as well for quite some time, so you could avoid trying to shoot sparrows using a rocket launcher


Now I ave tried the lanuch command and it does not work for me. Check out my Harley screenshot with urxvt the launch command. My syntax must be off.

What is dma? Something to make sure I don't set sail with a Donated Music Archive in my hold?


----------



## drhowarddrfine (Sep 5, 2021)

Trihexagonal Dragonfly Mail Agent man 8 dma()


----------



## Deleted member 30996 (Sep 5, 2021)

The last time I had onboard mail was Win98SE. That was before naky pix of Britney Spears were something you couldn't keep from seeing everywhere. 

I only use webmail and have several accounts in different countries. I had a nice one in Israel with no scripting so the Mossad could keep track of me, and Gal Gidot could email me. My domain account what I use most and gives me most control over.

I got an offer to be a middleman to a person of royalty who wants to remain in the shadows recently. Lucky, lucky me. Good thing I speak Afrikaans, yah blut?

I don't configure sendmail beyond /etc/rc.conf, email aliases and a port 25 rule. I see it in top sometime but it does what it's supposed to and never needs winding or junk mail deleted.


----------

