SMTP server for ISP

[ondra_knezour]

Hi all,

I have to prepare new SMTP server for an internet service provider and I am looking for recommendations and your experience.

There are two main modes of operation intended:
- take all messages from given networks, refuse viruses and spam and relay rest into the internet
- take messages from authenticated users (probably taken from LDAP or local passwd DB), refuse viruses and spam, apply DKIM and relay them to the internet

Some alerting on bursts of spammy messages, too many rejects etc. is welcome. Also some kind of web UI with queue overview and quarantine management would be nice.

I prefer Postfix on the FreeBSD at the moment, OpenSMTPd running on OpenBSD or FreeBSD is also considered as runner-up. I have several small Sendmail instances (FreeBSD base) running and I really hate the way Sendmail is configured so I would really like to avoid it.

Do you have any advice I can use? Nice or bad experience?

 

[trev]

I have to prepare new SMTP server for an internet service provider

The majority of local ISPs downunder do not run mail servers anymore for obvious reasons. Most of their customers these days use one of the paid/free web email services again for obvious reasons. Just saying.

I really hate the way Sendmail is configured so I would really like to avoid it.

You hate the .mc file? Why? (My mail servers have run sendmail since FreeBSD v2.1.)

 

[ondra_knezour]

Several thousands of customers here, many of them more than ten years with us, it would be major disruption told them we are removing something they are accustomed to. Being it two persons, I would personally visit them free of charge to set up something what is not my trouble any more for them

To be honest, I hate it because I do not fully understand it. Is it m4 syntax which I don't fully know either or something else? I want to be fully sure what I am doing, so I prefer either simple configuration in form of key=value or at least something using language which I understand. I never had to use and learn m4, but have to tweak sendmail config here and there on many occasions, enough to get me uneasy with it.

 

[usdmatt]

I really hate the way Sendmail is configured so I would really like to avoid it.

You hate the .mc file? Why? (My mail servers have run sendmail since FreeBSD v2.1.)

I used Sendmail for over 10 years and was generally happy with it, but only really because I didn't try anything else. I'm so glad I moved to Postfix. Configuring Sendmail reminds me of using FreeBSD back in the early days, when you really had to know what you were doing to actually make anything work...

I'm the same as @ondra_knezou though, I never really sat down and learnt it, just found out how to make the changes I needed. Not that I think mastering it would make much difference when compared to the plain text, practically self-explanatory Postfix config format.

 

[drhowarddrfine]

Configuring Sendmail reminds me of using FreeBSD back in the early days, when you really had to know what you were doing to actually make anything work.

Imagine that.

 

[ShelLuser]

I'm wondering what kind of advice you're looking for, also because the whole thing is quite a broad subject. Surely you already know about the basic aspects involved if you're currently working within this field?

Quite frankly I think you can't go wrong with either Sendmail or Postfix. Although I prefer the latter when it comes to specific extensions such as Postgrey I also think there's much to be said for using Sendmail. For example its 'integration' with FreeBSD itself: install FreeBSD, set up you configuration and you're good to go.

If you're only dealing with a very basic setup such as user authentication and network relaying I'd probably pick Sendmail over Postfix myself. Especially when we're talking about processing large amounts of e-mail.

But yeah, what advice? Careful with setting up open relays?

 

[sko]

I've configured OpenSMTPD (combined with spamd, pf and a lot of own scripts to do some fun stuff...) as a secondary MX a while ago just to try it and I instantly fell in love with the clean and simple configuration style of OpenSMTPD. If you've configured PF, you will feel right at home.

That being said: My primary mail server and the one at our company I'm also responsible for both run postfix + dovecot. I've been using Postfix for well over 10 years now and have become somewhat used to the caveats and tripwires its configuration may hold. It has evolved A LOT over this time, therefore some parts of the configuration or "postfix ecosystem" seem a little bit patchy and retrofitted (because they are). This is not a big deal as it works absolutely fine as long as you have the options and syntax right for your version - some old instructions/documentations may use deprecated (or now outright wrong) options or syntax. Refer to the recent/correct documentation on the project page and you should be fine. Apart from one time when I haven't read the changelogs thoroughly and the config broke after upgrading, postfix has never failed me even under heavy loads. Same can be said about Sendmail, which I really only used for local systems and/or relaying to the main MX (=postfix) but they sometimes also had quite some load spikes to manage (e.g. nagios alerts back when our old vpn routers were crashing every ~2 weeks... ).

IMHO it all boils down to what specific features you might need, what configuration style you like better or how much time effort is justifiable for the specific task. Try all of them, make benchmarks and pick the one that suits your needs and preferences.

 

[ondra_knezour]

Thanks for all the input so far. In fact, I know (exactly AFAIK) what have to be done, but there is so much tools in the wild, so I am looking for good/bad experiences in the first place.

Several years ago I was conviced that my next mail server would be running postfix (works fine, wide userbase, doesn't have to be an alien to understand configuration) + mailscanner (best antispam, period™) + baruwa (mailscanner web UI). Today postfix recommends to doesn't use mailscanner due its way of manipulating messages files directly, open source baruwa is discontinued etc. Some others tools I had in sight are likewise either abandoned or seems unfinished/lacking basic functionality even after years I am checking them.

May be, that ideal scenario I have in mind now would somewhat push somebody to share good or bad experinces with their tools?

So I am my new server, let's start
- I am listening for incoming connections and I understand plain text and STARTTLS (Let's Encrypt certificate here)
- If user authenticate, I would check if I have keys (DKIM) for envelope domain and if I do, I'll sign that message (this is meant only for ISP internal usage by his employees, not for wide public/customers)
- If user doesn't authenticate, I would accept message only from given IP ranges
- I would scan message for viruses (probably with ClamAV) and assert likelihood it is spam. Preferably during incoming SMTP session, so I can reject viruses/spam during this session and don't have to generate new error messages later. Some kind of quarantine with proceed/discard on each message and summarily based on source IP address may be handy
- I keep some kind of statistic about messages (sizes, source IP addresses, rates...) and about viruses found, spam rejected. Those statistics are easy to visualize and act upon, web UI prefered
- I can alert my human supervisors about traffic spikes, virus/spam rise etc. both globally and by source IP
- I can tag outgoing massages somewhat, so my cousin processing incoming messages for our personnel can search for such tag and refuse non-delivery notification for messages not belonging to our domains and not originated in our networks (backscatter mails)

 

[trev]

I started with mail/qmail and Mark Williams Company's Coherent, a clone of the UNIX V7 operating system for Intel 286s, nearly 30 years ago. I see mail/qmail is still around and claims to be the second most used MTA behind sendmail. Qmail is apparently used by the ubiquitous MessageLabs mail service.

I recall when changing from Coherent to FreeBSD 2.1 in 1995 that sendmail and its learning curve was substantial in comparison and necessitated my buying the O'Reilly Bat book at the time. I did consider going back to mail/qmail around 2001 but when sendmail milter functionality appeared that year in sendmail 8.12 I persevered with sendmail and wrote my own milter in C to accept/reject temporarily/reject permanently/discard email based on the relay (the config file which is automatically re-read when edited contains regex patterns for matching the relay). This milter alone eliminates 90% of spam to my mail servers. Along with other milters like mail/milter-regex and mail/milter-greylist and the spamhaus RBL less than 0.1% of spam makes it through (generally from compromised, but otherwise legitimate, mail servers).

So, yeah, I'd stick with sendmail.

 

[sko]

- If user doesn't authenticate, I would accept message only from given IP ranges

This is generally a bad idea unless in some *very special cases* and with RFC1918 networks (e.g. MX servers at remote branches connected via VPN to the mailserver).
Even then it is still highly desirable to *always* require authentication for outgoing mail.

- I keep some kind of statistic about messages (sizes, source IP addresses, rates...) and about viruses found, spam rejected. Those statistics are easy to visualize and act upon, web UI prefered

I use pflogsumm(1) and various awk-scripts for this. The results are sent to me by mail, but you could also feed the data to any monitoring tool.

- I can alert my human supervisors about traffic spikes, virus/spam rise etc. both globally and by source IP

If using spamd you can monitor the pf blacklist tables. From what I've seen on the secondary MX that is running spamd+PF, this is a pretty good indicator for upcoming/rolling spam waves. Even with the blacklist in the 5-digits range load never went significantly higher than usual; so I didn't bother alerting on such (regular) events.
I include them in the weekly reports generated with the data from pflogsumm, so I can look at the % blocked mail and % manually flagged spam (mails not filtered but moved manually to .Junk by users) to see if any substantial amount of spam came through and I need to take action.