Recent Entries
Popular articles
Topics
Recommended links

RSS icon Subscribe

» View my profile
Technorati

del.icio.us My links on del.icio.us

Tags
analysis antivirus application security auditing botnets breaches compliance crime cryptography DNS encryption forensics humor interesting Linux Malware marketing network pdf pentest phishing php Privacy rant reference software ssl standards sysadmin tool tools trends ubuntu Virtualization virtualization security vmware vulnerabilities vulnerability+assessment web web application security webappsec web security windows Windows security xss

« Previous article — Next article »

Postfix now supports milter

August 17th, 2006 Posted by D Webber

This is not quite breaking news, but I thought it worth noting that the latest production version of the Postfix mailer now officially supports the Sendmail "milter" API. This opens the world’s best mailer to a world of added functionality that previously was restricted to the Sendmail MTA.

Personally I’m conflicted about this. On the positive side, many email security add-ons that only worked with Sendmail can now also be used by Postfix. On the negative, there’s now further incentive for developers to keep writing for the milter API, keeping the crawling horror that is Sendmail alive for even more years.

We replaced Sendmail with Postfix on our mail servers and started installing it for clients back in 2001, and what a joy the past five years have been. Finally… a mailer with a secure architecture that’s fast and easy to configure. No more of the intentionally obtuse "explosion in a punctuation factory" syntax that Sendmail forces admins to endure and with an outstanding architecture, far less chance of root compromise than with Sendmail’s monolithic "runs as root" design.

As a bonus, Postfix is sponsored by IBM, making it easier to sell to management types, and it’s written by security pioneer Weitse Venema, author of TCP wrappers and co-author of The Coroner’s Toolkit (forensics tool) and SATAN (one of the first vulnerability scanners).

One small problem with ditching Sendmail was giving up add-ons like MIMEDefang that use the Sendmail-only "milter" API. Alternatives existed, and of course it was always an option to run Sendmail behind the protection of Postfix as a sort of massively clunky inline filter, but when you’re building email firewalls no one wants software with the security history of Sendmail anywhere near it.

As you might expect, the milter feature of Postfix comes with a list of caveats and gotchas. Not every milter in the world will work (including, I suspect, MIMEDefang). Still, popular ones like domainkeys-milter which adds Yahoo’s DomainKeys anti-spam capabilities apparently work. Some developers like Snertsoft have even starting writing milters with Postfix compatibility in mind.

Perhaps rather than extend the life of Sendmail, this new feature will have the opposite effect and make it easier for admins to finally upgrade to Postfix. If all that’s stopping them are things like lack of DomainKeys support, maybe someday the need to absorb 1232-page books to figure out syntax like "R$* < @ $* .$m. > $*" just to get email working will become a thing of the past.

Related posts:

Posted in Email security |
Tags: , , ,

2 Responses to “Postfix now supports milter”:

  1. gabi Says:
    August 23rd, 2006 at 6:30 pm

    anybody find a doc on how to set up domain keys signing with postfix 2.3 without using the old dk-filter

  2. D Webber Says:
    August 23rd, 2006 at 6:49 pm

    Can’t help you with that, but there have been a few domainkeys comments in the postfix mailing list. Try searching http://groups.google.ca/group/list.postfix.users or ask in that group.


Article contents copyright © Advosys Consulting Inc. Comments are copyright of the author
Icons courtesy Wikimedia Commons and are copyright of their authors.