Cover V09, I09

Sendmail Alternatives

Ron McCarty

Sendmail (http://www.sendmail.org/), likely the Internet’s most used mail transport agent (MTA), is often the standard MTA of UNIX distributions. Sendmail has proven itself as an MTA in the largest of sites including acting as large central hubs of Internet service providers. Sendmail, however, has two often heard weaknesses: complicated configuration, and security issues. Both the complicated configuration and the security issues stem from the size and power of Sendmail. There is no other MTA that supports so many email-related RFCs, delivery methods, and customization. Sendmail can route and readdress email for other transport agents or local delivery.

Most organizations require very little readdressing for various mail systems due mostly to the popularity and maturity of SMTP and the almost universal choice of SMTP as the preferred email protocol. Most readdressing comprises simple aliases for various spellings of users’ names and multiple domain addresses where users have email addresses in several domains, such as user@domain.com and user@domain.net. While many organizations still have a centralized hub design for delivery of email that Sendmail lends itself to, the simple readdressing, relaying, local delivery, and mailing lists do not require customized treatment and Sendmail can seem to be overkill.

While most distributions of Sendmail contain a canned configuration that will serve most organizations’ needs, many administrators wish to have a good understanding of their MTA, but do not have the time to learn Sendmail. This month’s column covers an alternative to Sendmail: qmail.

In addition to meeting most organizations’ needs, qmail is also a small streamlined MTA. The qmail distribution weighs in at a little over one megabyte. In addition to being small, qmail is also known for being secure. At one time a $1000 reward was offered to anyone finding a security bug in the software; the reward went unclaimed. (If anyone has seen a security advisory on qmail, please drop me an email with the advisory or the URL.) qmail, like many of the “new” or recent Internet applications, does not have the time-proven record of older software; but unlike older software, it also does not have bloated or old code retained for legacy reasons, leaving fewer lines of code that could be security weaknesses. qmail’s age should not be considered a major drawback. It has proven itself as a reliable MTA under the heaviest of loads including Microsoft’s own free email service, HotMail (http://www.hotmail.com/). HotMail has had some security issues; however, they were unrelated to qmail.

Installation

qmail, currently in version 1.03, can be downloaded from:

http://cr.yp.to/software/qmail-1.03.tar.gz
qmail will run on most versions of UNIX. For a complete list of verified systems, see:

http://cr.yp.to/qmail/faq/orientation.html#os
The installation instructions covered here are for RedHat 6.1, but are generally the same for every flavor of UNIX. If you are going to be replacing another MTA on a production system, you should practice the install process on a non-production environment to ensure you have an understanding of the procedure. Domain name system mail exchange records (MX) are beyond the scope of this article, but a backup MX record should be configured to ensure mail is queued during the transition to qmail. (Backup MX records should always be in place for short-term outages.)

If Sendmail is just going to be temporarily disabled to test qmail, use the following command to shut it down:

killall -9 sendmail
As user root, place the qmail distribution in the directory where you keep your source files. I typically use /usr/local/src/, and these steps assume this directory.

Start the installation by uncompressing and untarring the archive:

cd /usr/local/src/
gunzip qmail-1.03.tar.gz
tar xvf qmail-1.03.tar
cd qmail-1.03
Review the README file in the /usr/local/src/qmail-1.03/ directory to check for any last-minute changes to the source package. Also review the INSTALL file. Next, you can create the qmail home directory. In this example, I will use the standard, although somewhat non-conformant, directory /var/qmail. This directory will be the home directory of the seven qmail processes that qmail uses to deliver and process email: alias, qmaild, qmaill, qmailp, qmailq, qmailr, and qmails. These users are documented in the INSTALL.ids file. (Check the INSTALL.ids file for tips on other versions of UNIX.)

Use:

mkdir /var/qmail
to create the directory. Next, create the nofiles and qmail groups that these standard qmail processes belong to:

groupadd nofiles
groupadd qmail
And then add the users to the system:

useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails
Compile qmail:

make setup check
The make setup check command will also install the qmail system in /var/qmail/.

qmail can now be configured. If the DNS resolver (client) is running properly on the server where qmail is running, and reverse lookups (IP address to fully qualified domain name) exist for all IP addresses on the server, then a simple:

./config
will run the configuration script. Should DNS not be completely functioning, then use:

./config-fast hostname.domainname.tld
where hostname.domainname.tld is the fully qualified domain name made up of the host name, the domain name, and the top-level domain, such as .com or .net. If DNS is not functioning correctly and ./config-fast is not used, then qmail will not be able to accept mail properly due to its built-in anti-relaying (spam control).

qmail requires three aliases to be defined in order to notify the proper administrators of delivery or other problems: qmail-mailer-daemon, qmail-postmaster, and qmail-root. qmail uses individual files to define aliases and stores them as dot files (.qmail-mailer-daemon, .qmail-postmaster, and .qmail-root) in the alias subdirectory (/var/qmail/alias/ in our case). These aliases cannot point to root. For this example, I will assume one administrator receives all the email. Create the alias files:

echo mccartyr >/var/qmail/alias/.qmail-mailer-daemon
echo mccartyr >/var/qmail/alias/.qmail-postmaster
echo mccartyr >/var/qmail/alias/.qmail-root
It’s always a good idea to also use the postmaster alias since users and automated processes send email to the address:

echo mccartyr >/var/qmail/alias/.qmail-postmaster
We need to copy the standard rc startup script into qmail’s home directory:

cp /var/qmail/boot/home /var/qmail/rc

Testing qmail

To receive email via SMTP over TCP, we also need to let inetd know about the service running on TCP port 25. Make the following entry in /etc/inetd.conf:

smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd
and restart the inetd daemon:

killall -HUP inetd
Finally, we can start all the qmail processes:

/var/qmail/rc &
Make sure the qmail-send, splogger qmail, qmail-lspawn, qmail-rspawn, and qmail-clean processes are running with:

ps aux | grep qmail
You will not see the qmail-smtpd running, because inetd will only start it when a client connects to port 25. To ensure it is listening on port 25, use:

telnet localhost 25
The system should respond with:

220 hostname.domain.tld ESMTP
Type:

quit
to exit from the SMTP port. (To change what is printed in the 220 message, create /var/qmail/control/smtpgreeting with the text that should be printed in the 220 message.)

From a remote machine, send an email message to an account on the qmail server. (Remember, MX records and DNS in general must be functioning and set up correctly or the remote host will not be able to deliver email remotely.)

To test email delivery, use the qmail-inject program. (Using local mailers on a system that has Sendmail installed will work properly, because they will call Sendmail for delivery, but this does not ensure that qmail is making delivery. The INSTALL file contains instructions on linking Sendmail to qmail’s Sendmail program, which is actually the qmail-inject program.) To test qmail delivery, use:

echo to: testuser@testdomain.tld | /var/qmail/bin/qmail-inject
If email is not delivered properly, check network connectivity and name server resolution from the host where qmail is installed. To see whether email is being delivered, use the /var/qmail/bin/qmail-qstat command to view qmail’s queue. This program will show how many messages are queued and how many are waiting to be queued.
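
The alias files and the inetd.conf entry from the steps above can be checked before the server takes real mail. The script below is an added example, not part of the original article or the qmail distribution. The function names check_aliases and check_inetd are hypothetical. It assumes qmail's .qmail-NAME file naming in the alias directory and inspects only simple forward lines.

```shell
#!/bin/sh
# Added example, not from the article or the qmail distribution.

# check_aliases DIR: each required alias must exist as DIR/.qmail-NAME,
# be non-empty, and must not forward to root.
check_aliases() {
    dir=$1; bad=0
    for name in mailer-daemon postmaster root; do
        f="$dir/.qmail-$name"
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f"; bad=1; continue
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            # A forward line may start with '&' and may carry @host.
            target=${line#"&"}; target=${target%%@*}
            if [ "$target" = root ]; then
                echo "forwards to root: $f"; bad=1
            fi
        done < "$f"
    done
    return $bad
}

# check_inetd FILE: the smtp entry must sit on one line, run as qmaild
# (not root), and start qmail-smtpd through tcp-env.
check_inetd() {
    entry=$(grep -E '^smtp[[:space:]]' "$1") || {
        echo "no smtp entry in $1"; return 1; }
    # inetd.conf fields: service socket proto wait user program argv...
    read -r svc sock proto wait user prog arg0 arg1 rest <<EOF
$entry
EOF
    if [ "$user" != qmaild ]; then
        echo "smtp runs as '$user', expected qmaild"; return 1
    fi
    case "$prog $arg1" in
        */tcp-env\ */qmail-smtpd) return 0 ;;
        *) echo "smtp does not start tcp-env with qmail-smtpd"; return 1 ;;
    esac
}

# Constructed sample input so the checks run without a qmail install.
demo=$(mktemp -d)
for n in mailer-daemon postmaster root; do echo mccartyr > "$demo/.qmail-$n"; done
echo 'smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env /var/qmail/bin/qmail-smtpd' > "$demo/inetd.conf"
check_aliases "$demo" && check_inetd "$demo/inetd.conf" && echo "audit passed"
rm -rf "$demo"
```

On a live system the two calls would be check_aliases /var/qmail/alias and check_inetd /etc/inetd.conf. An smtp entry wrapped across lines with backslashes is reported as a failure, because the user field then no longer reads qmaild.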

Summary

After completion of the above steps, qmail will be up and running and ready for testing. Although qmail has its own peculiarities for implementation, as shown here, it is much easier than a complete Sendmail install. Additionally, its easier configuration, tight security, and full administrative control may make it the right MTA for you. To fully utilize its advanced features, check the qmail Web site for tips on using Sendmail’s .forward capability, Sendmail aliases (“fastforward”), as well as user-owned distribution (mailing) lists.

About the Author

Ronald McCarty received his bachelor’s degree in Computer and Information Systems at the University of Maryland’s international campus at Schwaebisch Gmuend, Germany. After completing his degree, Ronald McCarty started his network career as network administrator at the Schwaebisch Gmuend campus. Ronald McCarty works for Lucent Technologies as a senior systems engineer on a customer team responsible for a major telecommunications carrier. He spends his free time with his two best friends in the world: his daughter, Janice, and his wife, Claudia. Ron can be reached at: ronald.mccarty@gte.net.