Les Mikesell wrote:
> Christopher Chan wrote:
>>> By not-monolithic, I mean that now submission queuing, forwarding, and local
>>> delivery are all different processes, each running with limited credentials most
>>> of the time. And milters also can run under different uids.
>>
>> All that means naught if there is a remote root exploit. sendmail 8.12.x
>> already worked like that.
>
> How do you have a remote root exploit if you aren't running as root?

Ask the sendmail advisories for 8.12.x.

>>>> Unless the supporting stuff in the milters are as efficient as
>>>> what you can get in postfix, sendmail + milters might be hard pressed to
>>>> handle some environments that postfix can.
>>>
>>> MimeDefang gets this right - it runs as a multiplexor that connects multiple
>>> processes as needed so you don't have a 1:1 ratio of mailers to backend milters
>>> and you don't have fast steps waiting on slow steps to complete. See page 31 of
>>> http://www.mimedefang.org/static/mimedefang-lisa04.pdf. Most other approaches
>>> use simple pipelines that make everything wait while spamassassin runs and have to
>>> reparse the mime headers to break out attachments for each scanning step. Some
>>> very large sites are running it.
>>
>> I fail to see how that becomes an advantage for sendmail.
>
> It lets you control load very precisely. You can limit sendmail to some number
> of instances that can be much larger than the number of big/slow scanning
> backend processes that you permit and the sendmails don't wait for the milters
> until/unless they need one of their functions and you don't have to start a new
> process for each message.

Sorry, I meant to say, an advantage for sendmail over postfix.

>> I can very
>> well pair postfix and mimedefang for just spamassassin and the rest of
>> the stuff handled by native postfix features.
>
> Where does your virus scan go? Since spamassassin is perl, MimeDefang can run
> it internally.

You know the answer to that one. If I am going to use MimeDefang for spamassassin and postfix obviously does not have anti-virus features (unless you call using body_checks to check for known patterns anti-virus support) where do you think I would plug in anti-virus support? Again, in a sendmail + mimedefang versus postfix + mimedefang, sendmail is the loser.

>> That at the very least
>> cuts out another layer to go through for postfix. In the end, sendmail
>> is at a disadvantage having to depend on a third party for extra features.
>
> On the contrary, having the ability to extend through external software gives
> you unlimited options. Note that postfix eventually got around to copying this
> feature. Also with mimedefang you can do most of your special configuration in
> perl instead of having to learn yet another syntax.

Simply because it made sense to use available existing tools that support spamassassin and virus scanners than make yet another interface. No more smtp proxying. Good riddance amavisd. postfix was after all a replacement for sendmail and it would be incomplete without milter support.