[CentOS] Kind of OT: internal imap server

Fri Aug 25 17:06:56 UTC 2006
Les Mikesell <lesmikesell at gmail.com>

On Fri, 2006-08-25 at 15:06 +0800, Feizhou wrote:
 
> > I think you've been misinformed. My MimeDefang checks the inbound
> > recipients via smtp to the final delivery server before DATA is
> > ever mentioned.  If there are no valid recipients (which the
> > outside relay wouldn't know directly) the message is rejected
> > before DATA. 
> 
> right, sorry, I have not actually used milter myself so I was not aware 
> that it was not limited to content filtering.

Why are you knocking something you don't understand? 

>  In any case, this shows 
> one shortcoming of sendmail.

No, it shows how the shortcoming has been fixed in the current version.

>  sendmail processes each of the helo, sender, 
> recipient and client ip/rdns in separate rulesets and you cannot create 
> (at least I have not managed it yet) any rulesets that can make 
> decisions based on two or more of these, and so you need to run a perl 
> program via milter to deal with these or, perhaps in your case, you need 
> it to look up a mysql table for the recipient. You call this efficient?

Yes it is efficient because you don't have to start a perl program
for every message.  You let a pre-initialized program do the processing
and respond in real time.  It's like the difference between a web
server running cgi scripts vs. mod_perl or fastcgi - that is, hundreds
of times faster.

> Right, so because qmail does not do recipient checking at the smtp level 
> you write it off although there are options in qmail that you can take 
> to get the same effect and which, in fact, is what you are also doing 
> with sendmail + mimedefang from what you posted. It appears to me you 
> are being unfair in your treatment then of qmail, never mind the rest.

No, I write off qmail because circumstances and experience show that it
isn't going to get fixed.

> > 
> > The milter interface is a more extreme solution, since it gives
> > you separation of permissions for the parts on the other end
> > of the socket but you get its response when you need it.
> 
> sendmail runs as root in its entirety (others like qmail and postfix 
> only have one or two running as root and the rest run with other uids) 
> so the separation of permissions is necessary for sendmail. I don't see 
> anything extreme about this....this is standard elsewhere.

Since this is the centos list, perhaps we could talk about sendmail
as included in the distribution...  Sendmail runs as root long enough
to open port 25.  And separate components write into the queue and
deliver from it. Things running as milters can use whatever
uid/permissions are appropriate.  Talking about anything else would be
much like elaborating on the 2 gig file size limit in Linux.

> I don't know what 
> checks you are doing with mimedefang but I think the chances are high 
> they can be done within the postfix provided framework without ever 
> hitting an external filter. postfix will handle far more traffic than 
> sendmail + mimedefang could hope to in regard to before-SMTP-DATA 
> checks unless of course you do something in mimedefang that cannot be 
> done with the postfix framework. What do you do in mimedefang anyway?

I have a pair of internet relays in a DMZ that forward for firewalled
local mail servers. MimeDefang runs virus scans on all mail and
spamassassin on inbound mail, first checking that the user(s) actually
exist on the destination host with the included
md_check_against_smtp_server function.  I don't think postfix offers
that option, but I'd be pleasantly surprised if it can.

> I will concede that sendmail does a good job for what it is designed to 
> do (read no virtual mailboxes and only supporting system account mbox 
> format mailboxes)

Sendmail has nothing to do with local delivery beyond starting the
selected delivery agent.  I've always provided additional services
like home directories, cvs, wikis etc. on the same machine as used
for mail delivery so the users are real rather than virtual, although
different domains have different servers (with a recent exception of
using a vmware virtual server for one as it is being phased out). But
others are using it that way.

> which is suitable for small sites but I highly doubt 
> that it has any unique advantages in combination with mimedefang versus 
> postfix or exim out of the box or against qmail + patches + external 
> (qpsmtpd don't cut it).

Its real unique advantage is decades-long consistency and improvement.
With the milter interface you get the ability to add any additional
processing you want in the language of your choice - and with MimeDefang
pretty much all of that is already done for you.  If you are interested
in why it is a good approach, there is a very detailed description
if you follow the 'slides' link at the top of http://www.mimedefang.com.

-- 
  Les Mikesell
   lesmikesell at gmail.com
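The recipient check described in this message (the relay probing the final delivery host with MAIL FROM / RCPT TO and refusing unknown users before DATA) as an added example, not code from the thread, from MimeDefang or from its md_check_against_smtp_server function. The backend SMTP server and its user list are constructed stand-ins, and the hostnames backend.example.org and relay.example.org are assumptions.

```python
"""Pre-DATA recipient verification, as a relay in front of a delivery host
can do it: open an SMTP session to the final server, send MAIL FROM and one
RCPT TO per envelope recipient, and reuse the backend's verdict to refuse
unknown users before the message body is ever transferred.

The backend below is a constructed mock: BACKEND_USERS stands in for the
real delivery host's account list, and the hostnames are assumed names.
"""
import smtplib
import socket
import threading

BACKEND_USERS = {"alice@example.org", "bob@example.org"}  # constructed sample


def _serve_one(conn):
    """Minimal SMTP backend: 250 for addresses in BACKEND_USERS, 550 otherwise."""
    conn.settimeout(5)
    conn.sendall(b"220 backend.example.org ESMTP mock\r\n")
    with conn.makefile("rb") as lines:
        for raw in lines:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 backend.example.org\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Ok\r\n")
            elif verb == "RCPT":
                parts = line.split(":", 1)
                addr = parts[1].strip().strip("<>").lower() if len(parts) == 2 else ""
                if addr in BACKEND_USERS:
                    conn.sendall(b"250 2.1.5 Ok\r\n")
                else:
                    conn.sendall(b"550 5.1.1 User unknown\r\n")
            elif verb == "RSET":
                conn.sendall(b"250 2.0.0 Ok\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")
    conn.close()


def start_mock_backend():
    """Listen on an ephemeral loopback port; return (port, stop_function)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop_flag = threading.Event()

    def loop():
        while not stop_flag.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop_flag.set


def check_envelope(host, port, recipients, sender="", relay_name="relay.example.org"):
    """Return {recipient: (accepted, code, reply)} from one probe session.

    The null sender "" goes on the wire as MAIL FROM:<>; the closing RSET
    abandons the probe transaction so nothing is ever queued on the backend.
    """
    verdicts = {}
    with smtplib.SMTP(host, port, local_hostname=relay_name, timeout=5) as s:
        s.helo()
        code, msg = s.mail(sender)
        if code != 250:
            raise smtplib.SMTPSenderRefused(code, msg, sender)
        for rcpt in recipients:
            code, msg = s.rcpt(rcpt)
            verdicts[rcpt] = (code == 250, code, msg.decode("ascii", "replace"))
        s.rset()
    return verdicts


def relay_decision(verdicts):
    """Relay policy before DATA: reject the message outright when no recipient
    is valid; otherwise accept only the recipients the backend accepted."""
    valid = [r for r, (ok, _, _) in verdicts.items() if ok]
    return {"reject_before_data": not valid, "deliver_to": valid}


def demo():
    """Probe a mixed and an all-bogus envelope against the mock; return the outcomes."""
    port, stop = start_mock_backend()
    try:
        mixed = check_envelope("127.0.0.1", port, ["alice@example.org", "nobody@example.org"])
        bogus = check_envelope("127.0.0.1", port, ["nobody@example.org", "ghost@example.org"])
    finally:
        stop()
    return {"mixed": mixed, "mixed_policy": relay_decision(mixed),
            "bogus": bogus, "bogus_policy": relay_decision(bogus)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The probe deliberately stops at RSET: the relay only borrows the backend's RCPT verdict, so an envelope with no valid recipient is refused on the relay's own RCPT stage and the message body never crosses the DMZ, which is what keeps the relay from generating bounces for users that do not exist.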