Re: exim/postfix comparisons

[Nate Duehr <nate@natetech.com>]

koffiejunkie wrote:

> > That's odd.  Someone who would go through the time/effort to set up 
> > qmail didn't secure their box?  Weird.
>
> Well, it's like this.  I work for a hosting company, a lot of our 
> clients use a certain hosting panel whose name I won't mention.  This 

Smells like Plesk.  (GRIN)

There, you didn't have to say it.  :-)

> I get at least one box that's compromised in one of the above ways per 
> day.  Clients call saying their mail isn't going out.  This is usually 
> because there are tens of thousands of mails in the queue and the box is 
> paralised.

Ick.  Do you monitor port 25 outbound at your border for spikes in 
traffic?  Seems like in some cases that would be the only way you'd ever 
see it when dealing with the low-end ultra-clueless hosted customers.

Ever had your entire netblock dumped into one of the major spam 
"fighting" sites... have seen that many years ago at a large 
datacenter... sure pissed off the other customers.

The "spam-fighters" were their usual unresponsive, uncaring selves and 
didn't care that they'd been overzealous in their "crusade" against 
spam.  Little discipline in many of those groups... but a lot of emotion.

I hate spam, but engaging in such a way as to cause mass collateral 
damage to real businesses and people trying to make a living to "make a 
point"?  Give me a break.  It's like someone coming to your 
brick-and-mortar store and pointing a gun at you and saying, "Get the 
guys next door to stop selling XYZ product!  And if you don't we stand 
here and you're out of business until you do!"  It's retarded.

(We had already found the problem in the original customer's server and 
stopped it from happening with them.  But getting an entire Class-C that 
was properly SWIP'ed and reverse-DNS tagged as NOT just being that one 
customer, off the spam lists, was a long and annoyingly difficult 
process, even when I could prove the other problem was gone, and that 
there WERE people overseeing that netblock who weren't criminal or 
insane spammers.)

The real answer has been, and always will be... a method to authenticate 
both servers and end-users of e-mail, end to end.  Until that day, spam 
reigns supreme, no matter how hard anyone tries.

> Take note, I'm talking about undeliverable mail.  qmail doesn't deal 
> well with this.  It is pretty fast if all the mail can be delivered 
> without problems.

Yep.  It sucks at that.  Ties up tons of resources.  The way the place I 
saw using it heavily dealt with that is that they had separate inbound 
and outbound servers... and more than one outbound... what a waste of 
time... but it worked for them.

> Postfix is quite a different beast.  The one and only time I saw it 
> straining under load, a client phoned and complained that his mail was 
> slow.  Turns out he set up a mysql backend, but couldn't get smtp 
> authentication working with it (forgot to install pam_mysql) and instead 
> decided to just allow relay for 0.0.0.0.  Let your imagination do the 
> rest.  His humble little server (I think it was a duron with 512MB ram 
> and a single IDE disc) had over a million mails in the queue, but was 
> still spitting out mail, just not as fast as he was used to.

LOL!

> What made this a pleasure to work with, was that after fixing the relay 
> issue, I could move all the mail in the active queue to the hold queue, 
> so mail was instantly flowing as normail, which gave me all the time in 
> the world to delete the spam and requeue the legitimate mail. qmail (to 
> the best of my knowledge) doesn't have a way to do this.

Yeah.  Managing mail via moving files is far more sane than dealing with 
specific mail queue commands, different on every system.  Moving files 
seems much more "Unix-like" to me.

> > Never seen a queue quite that high, but I would assume the box would 
> > get both CPU and I/O bound for most values of "box".  (GRIN)
> Yeah, it gets to them.  Another silly thing with qmail is that when you 
> restart it, it doesn't kill existing outgoing smtp sessions.  So if your 
> remoteconcurrency is set to 100, you'll now have 200 sessions, until the 
> first 100 all timed out.

Hahaha, I don't think I ever noticed that, but makes sense!

Well, maybe after reading along here, the original poster (if he's even 
still here or paying attention to the list...) is thoroughly scared off 
of qmail now.  Which probably isn't a Bad Thing(TM), since there's just 
better options available... and have been for quite a while...

Nate WY0X