Forum OpenACS Q&A: Qmail vs. Postfix

Collapse
Posted by Tom Ayles on

This thread has set me thinking about MTAs, and more specifically why OpenACS uses Qmail. I know that Qmail is deemed to be 'secure' - AFAIK in its lifetime, there has only been one remotely exploitable DoS attack found, and nothing else. But for all its secure architecture and coding, it remains a dog to configure - and as the thread I linked above demonstrates, if it isn't easy to configure, then it opens itself up to new security problems.

I used to use Qmail on my development machine, but I've now switched to Postfix. I admit this is in part due to laziness - on most systems one can run 'emerge postfix', 'rpm -ivh postfix' or whatever, spend a couple of minutes editing the superbly commented configuration file (10:1 comments to config lines ratio) and have it ready for use (I only use it for outgoing, I guess you'd want to spend a little more time if you were receiving too!). I manage live servers running both Qmail and Postfix as MTAs (again outgoing only), and aside from an easily patched bug with AOLServer 3.3 + Postfix, the only difference I noticed was that it took me a few hours to install a system that wasn't transparent with configuration split over several files (and has general wierdness like binaries and configuration stored in /var instead of their standard locations like /usr/bin and /etc) compared to a few minutes to install a system that I felt much more comfortable with and is fully integrated with my system package manager and configuration tools. Even Life with Qmail finds little to distinguish between Postfix and Qmail in terms of security etc.

So my question is this: why is Qmail part of the OpenACS reference platform and not Postfix?

As I see it, there is only one reason at the moment - because it is. Grepping through the code from head shows that there are a few references to Qmail-specific queues and programs in, e.g., notifications, ecommerce, acs-mail-lite, and webmail. However, this thread describes how you can configure ACS to use Postfix instead of Qmail for notification replies, and I can't believe that the other parts of code that require Qmail couldn't be rewritten to support generic MTAs.

My arguments for switching to Postfix would be easier configuration and easier installation. IMO, both these things reduce the complexity of setting up an OpenACS install, and seem as a lot of people gripe about how hard OpenACS is to install (say, just to demo), surely reducing this overhead should be a community objective? Then there's the issue of avoiding misconfigurations that lead to abuse of OpenACS servers.

This subject has been raised before, but that was back in 2000, and four years on, little has changed. Perhaps at a minimum we could offer Postfix as an alternative in the installation guide and cover the caveats that that brings? And how much effort would it take to achieve MTA independence?

I think I've said enough, I'll sit back and await the flames :-).

Collapse
2: Re: Qmail vs. Postfix (response to 1)
Posted by Malte Sussdorff on
No flames at all. Postfix works fine, not drawbacks and there should be an installation guide on how to get postfix to run acs-mail-lite and notifications. If it is missing someone might have to sit down and write it. After all it is fairly simple.
Collapse
3: Re: Qmail vs. Postfix (response to 2)
Posted by Joel Aufrecht on
Qmail is part of the recommended platform because it works, it is documented, and nobody has written documentation on how to use postfix instead.  If someone were to write some documentation, I would be happy to add it in parallel to the qmail docs (which are in an appendix).  Aside from a few lines in ecommerce, I believe that OpenACS in completely indifferent to the outgoing mailer - it uses ns_sendmail, which calls the sendmail binary, which is the de facto API for outgoing mail on unix.
On the incoming mail side, there are several proposals for how to get mail into OpenACS and I think the choice of MTA makes more difference.
Collapse
4: Re: Qmail vs. Postfix (response to 3)
Posted by Tom Ayles on

Having extolled the virtues of installing Postfix over Qmail, I guess I'd be a hypocrite if I didn't offer to write some documentation for it :-). As I mentioned, I've only ever had need for an outgoing only configuration, but when I've got some time, I'll have a crack at writing a parallel guide to installing Qmail. I'll make the setup functionally as close to that for Qmail as possible. What I can't do is offer any meaningful experience of using Postfix to process incoming mail queues and the like, though maybe I'll try and set up a test environment for that.

Regarding proposals for handling incoming mail, is there some location where these are gathered? I'd be interested in having a look, but all I've found was TIP #26, and 'incoming mail' is a sufficiently vague search term to not work so well. I believe Postfix can be configured to use Qmail-style Maildir mailboxes, which go some distance to providing compatibility.

Thx,
Tom

Collapse
5: Re: Qmail vs. Postfix (response to 4)
Posted by Mat Kovach on
OpenACS doesn't require qmail (to be fair qmail is never capitalized).  What id requires is maildir and verps.  Postfix is capable of doing both.  In fact almost every mail server can use those.

acs-mail-lite requires that mail be delivered into a maildir style mail folder.  This can be done using the safecat package, maildrop, or procmail as the mail delivery agent for the MTA.

Postfix, Sendmail, and EXIM can also be configured to VERPs in the style of qmail.

qmail is used because it has these features available by default.

Collapse
6: Re: Qmail vs. Postfix (response to 1)
Posted by Jade Rubick on
Tom, if you're able to write the documentation, that would be great!

There are some docs on writing documentation, if you haven't before. It's pretty easy:

https://openacs.org/doc/openacs-HEAD/docbook-primer.html

Collapse
7: Re: Qmail vs. Postfix (response to 3)
Posted by Bart Teeuwisse on
Despite the name of the library (qmail-procs.tcl) the ecommerce package doesn't require qmail since May 14, 2003: http://cvs.openacs.org/cvs/openacs-4/packages/ecommerce/tcl/qmail-procs.tcl?r1=1.3&r2=1.3.2.1

/Bart

Collapse
8: Re: Qmail vs. Postfix (response to 3)
Posted by Tom Jackson on

Unless there has been a drastic change, ns_sendmail is just a mail client and sends mail to the configured SMTP mail host, defaulting to localhost. It doesn't directly invoke the sendmail binary.

Collapse
9: Re: Qmail vs. Postfix (response to 8)
Posted by Tom Ayles on
Thanks for all the comments! This has really helped me clear up the issues concerning how Postfix can be used to replace fully qmail if desired. When I get the time (hopefully sooner rather than later), I'm going to spend a while testing out various configurations - particularly with regards to processing incoming mail - and when I'm done I should be able to produce something for the install docs. Thanks again.

Tom

Collapse
10: Re: Qmail vs. Postfix (response to 1)
Posted by Torben Brosten on
re: why is (was) Qmail part of the OpenACS reference platform and not Postfix?

Andrew Piskorski offers these insights about why qmail was used directly:

https://openacs.org/forums/message-post?parent_id=80275

https://openacs.org/forums/message-post?parent_id=81295

Collapse
11: Re: Qmail vs. Postfix (response to 10)
Posted by Tom Ayles on

Torben - I guess the first link is kind of related to my statement that qmail is used 'because it is': perhaps based more on the historical situation than the present. Certainly back in the day there was less competition, but now it seems as though there is little to distinguish between Postfix, qmail, exim, or whatever (except sendmail, which is mostly evil).

The second link interests me - is qmail-inject still used by anyone? I couldn't see any reference except in qmail-procs.tcl in ecommerce, and Bart said earlier that ecommerce doesn't depend on qmail. The reason it interests me is because earlier I came across a post comparing the performance of qmail/postfix/sendmail. The opinion there was that 'if you're using VERP (Variable Envelope Return Path), postfix is a little faster than qmail. if you're not using VERP, postfix is *MUCH* faster than qmail'. From this it seems as though sending a mail out to multiple recipients in a single SMTP session would be as efficient or more efficient than using qmail-inject.

Collapse
12: Re: Qmail vs. Postfix (response to 1)
Posted by James Harris on
I've recently switched my personal site from qmail to Postfix and had very little trouble doing so.  Installing one Postfix RPM easier than the fairly involved process of installing qmail.

Now that Postfix is the default MTA with Fedora and OS X.3 it seems like it might be fairly sensible to at least offer it as an option.  Configuring Spamassassin and RBL was also much easier than with qmail (which was the main reason I switched).

Collapse
13: Re: Qmail vs. Postfix (response to 1)
Posted by Steve Manning on
I've always used exim without giving it any thought and its never given me any problems - although mine is not a large site. Exim is solid and fast enough and works nicely with maildirs. It runs nicely alongside Courier-IMAP which I use for the message store and is also a native of maildirs land.

Rather than worry about MTAs we should really concentrate on finding a fix to the problem of message threads in the notifications. It would be really nice if we could crack that - I know its been discussed before and there is no easy solution but I thought I'd mention it :o)

    - Steve

Collapse
14: Re: Qmail vs. Postfix (response to 1)
Posted by Linux Unix on
WHY QMAIL vs. POSTFIX?????????
DOES ANYONE HERE TRIED USING POSTFIX AS THE EMAIL RECEIVER AND QMAIL AS EMAIL SENDER, INTEGRATED WITH THE MYSQL DB WITH VIRTUAL USERS???????????