[HN Gopher] OpenSMTPD
___________________________________________________________________
OpenSMTPD
Author : rdpintqogeogsaa
Score : 82 points
Date : 2022-06-11 08:32 UTC (14 hours ago)
(HTM) web link (www.opensmtpd.org)
(TXT) w3m dump (www.opensmtpd.org)
| hardwaresofton wrote:
| This project looks cool but:
|
| https://maddy.email/
|
| https://blitiri.com.ar/p/chasquid/
| medo-bear wrote:
| but what?
| chasil wrote:
| This had a showstopper bug a few years ago that could completely
| compromise a host.
|
| I don't usually need this, so I disable it.
|
| https://blog.qualys.com/vulnerabilities-threat-research/2020...
| asveikau wrote:
| They actually had a few really bad code execution bugs in a
| tight space of time a few years ago when someone was auditing
| it. It's a good idea to subscribe to announce@openbsd.org if
| you run this daemon to get notified of issues.
|
| I was running it out of ports on FreeBSD at that time, and
| wound up patching from source because I didn't want to wait for
| the ports tree to update.
|
| I still see attempts to exploit these bugs in my logs. Even
| though they've been patched for years.
|
| That said, it's good that these were exposed and fixed, as
| opposed to not found. It's a relatively new daemon compared to
| other mail servers and it was still ironing things out.
| paulnpace wrote:
| The problem I find with this line of reasoning is at the end of
| the evaluation I've disconnected from all networks and powered
| down the devices after uninstalling all of the operating
| systems.
| ori_b wrote:
| The postmortem is worth reading:
|
| https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissec...
|
| It's worth reading through the systemic mitigations that would
| make a clone of this bug impossible in the future.
| chasil wrote:
| Interesting that the problem was introduced in a major
| architecture change to external MDAs, invoked with system(),
| and was specific to mbox format that requires elevated
| privilege.
|
| I think that I will keep this disabled.
| jacob019 wrote:
| How does it compare to postfix?
| traceroute66 wrote:
| > How does it compare to postfix?
|
| I haven't done a detailed comparison, but going by how the
| OpenBSD guys go with other re-implementations (e.g. LibreSSL vs
| OpenSSL), I'm going to guess that it will have a reduced
| feature-set and capabilities.
|
| I've nothing against the OpenBSD guys, but sometimes it's a case
| of "right tool for the job". OpenBSD is great for firewalls and
| routers. Of course OpenSSH is without competitor, it's just
| awesome.
|
| But (some of) the rest of the OpenBSD toolset I'm not too sure
| ... for example Chrony is lightyears ahead of OpenNTPD etc.
|
| Postfix is an excellent MTA, written from a security-first
| mentality. It's widely deployed, and hence battle tested. As a
| result of its wide deployment it's pretty much a case of
| "everyone knows how it works", and the Postfix mailing list is
| excellent in terms of getting support.
|
| TL;DR personally I see no reason to replace Postfix with
| anything, be it OpenSMTPD or anything else.
| swixmix wrote:
| OpenSMTPD is the right answer if you want a general purpose
| mail server [1] that is secure by default. [2]
|
| [1]: https://poolp.org/posts/2021-01-31/january-2021-opensmtpd-li...
|
| [2]: https://www.openbsd.org/security.html
| chasil wrote:
| I would guess that the IBM/Eclipse license was a major
| problem from a BSD perspective.
|
| "OpenSMTPD is a fairly complete SMTP implementation."
| traceroute66 wrote:
| Some might say "fairly complete" is in the eye of the
| beholder. ;-)
|
| Technically OpenNTPD is a "fairly complete implementation"
| too, but it's a waste of time compared to Chrony.
| Beltalowda wrote:
| It's simple, works, synchronizes my clock, and doesn't
| have a manpage thousands of lines long.
|
| It's also explicitly intended not to solve every NTP use
| case but rather just the common "I want my laptop's clock
| to be roughly accurate" use case.
| yjftsjthsd-h wrote:
| It refuses to deal with a clock running fast, resulting
| in my laptop not being accurate. (It usually hovers
| around 10 minutes in the future)
| Beltalowda wrote:
| Oh okay, I never had any problems with it, and I've been
| using it for many years.
| atmosx wrote:
| Much easier to configure and operate. I don't know performance-
| wise since I only run my personal smtpd on both more than 10
| years ago.
| daneel_w wrote:
| Leaps and bounds simpler and faster to configure. A basic setup
| for receiving and sending mail is about 10-12 lines of human-
| readable config.
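For a sense of what such a setup looks like, here is an added example of a minimal /etc/mail/smtpd.conf in the current (post-6.4) grammar for a host that accepts mail for one domain and relays outbound mail from authenticated users. It is not from the page or from the OpenSMTPD project; the domain, hostname, certificate paths and alias table path are assumptions. It delivers to maildir rather than the default mbox, the delivery path the thread's discussion of the 2020 advisory singles out.

```conf
# /etc/mail/smtpd.conf -- minimal send-and-receive setup.
# Added example, not the project's own; example.com, the pki name,
# certificate paths and the alias table are assumptions.

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

table aliases file:/etc/mail/aliases

# Port 25: accept from anyone, offer STARTTLS.
listen on all tls pki mail.example.com

# Port 587: require TLS and authentication before accepting for relay.
listen on all port submission tls-require pki mail.example.com auth

# Deliver to ~/Maildir instead of the default mbox, expanding aliases.
action "local_mail" maildir alias <aliases>
action "outbound" relay

# Rules are evaluated in order; the first matching rule applies.
# Anything not matched here is rejected, so there is no open relay.
match from any for domain "example.com" action "local_mail"
match for local action "local_mail"
match from any auth for any action "outbound"
match for any action "outbound"
```

Validate the file with `smtpd -n` before restarting the daemon; it reports the line of the first parse error instead of starting.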
| ape4 wrote:
| That's what people used to say about Postfix vs Sendmail
| lstodd wrote:
| And then about Exim4 vs Postfix
| jodersky wrote:
| I'm a very happy user of Maddy (https://maddy.email/).
| It's a single executable that contains everything you
| need for a send-and-receive email server, including all
| modern anti-spam features. In my experience, the
| configuration is simpler than Postfix, Exim and
| OpenSMTPD, and falls back to sane defaults.
|
| Another nice feature is what I would call its
| architecture: it does not try to be a service manager
| (instead, you are supposed to spawn it from your own
| favorite service manager, be that systemd, docker, or
| anything else, and you can hence really lock it down),
| hence it does not require root to run and does not rely
| on using system accounts by default.
|
| I've only used it for very basic setups, but for those I
| can highly recommend it.
| paulnpace wrote:
| As with most things, it depends on your use case. Except for
| some very high-volume or ancient features, it has pretty much
| everything.
|
| However, unlike Postfix, you can actually configure OpenSMTPD
| yourself without breaking it. Postfix suffers heavily from a
| Byzantine configuration that everyone is copy-pasting because
| understanding how to create a configuration from scratch
| requires man-months of reading their docs.
|
| The biggest downside to OpenSMTPD is the portable version is
| weakly supported, so it's only useful if you are running it on
| OpenBSD, which is a shame, really, because it's probably what
| most people would prefer if they could run it on their
| preferred OS.
| phsau wrote:
| We run Postfix at a large, high-volume scale and I can
| confirm OpenSMTPD does not have the feature/configuration set
| to work as a replacement. Postfix is great in this regard
| because it has near endless configurability, but it comes at
| the cost of complexity.
| paulnpace wrote:
| > We run Postfix at a large, high-volume scale
|
| At the other end of the spectrum, Postfix is incredible -
| it's FOSS, and it does all that.
| ok123456 wrote:
| I remember when postfix was the "easier" MTA software meant
| to replace Sendmail and all of its m4 macros for rules.
| Getting Sendmail to do anything other than be a completely
| open relay was not easy.
| Beltalowda wrote:
| Compared to that sendmail.cf and the M4 macros that would
| generate it, almost anything is "easy".
| YPPH wrote:
| OpenSMTPD is far easier to configure and far harder to
| mistakenly misconfigure.
| sylware wrote:
| self-hosted: wrote my own at the right scale.
| SahAssar wrote:
| I was hoping for this to be openttd but for routing email.
| gorgoiler wrote:
| Native SRS is a nice thing to have, especially if you are
| forwarding to Gmail.
|
| A shame that DKIM wasn't built in too, but there's a filter/plug-
| in architecture and you can add a third party filter to do DKIM
| for you.
|
| Sometimes a commitment to supporting a plug-in architecture can
| be a little overzealous. Yes, it's a nice general purpose puzzle
| to solve if you are the engineer writing the code. When DKIM is
| such a critical part of email in 2022, I wouldn't mind if it were
| treated as a special case and supported by default.
| thrwawway wrote:
| Very outdated experimental stuff, but maybe during the first
| iteration of the filter API there was a native filter to do just
| DKIM signing: https://github.com/OpenSMTPD/OpenSMTPD-extras/blob/filter-dk...
|
| These days one could leverage rspamd filter which does DKIM
| along with other useful stuff.
| swixmix wrote:
| Or try https://openports.se/mail/opensmtpd-filters/dkimsign
|
| And it has support for ed25519.
| daneel_w wrote:
| I use DKIMproxy. It's "abandonware" so there won't ever be any
| ed25519 support, but it gets the job done nevertheless.
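To tie the SRS and DKIM sub-thread together, here is an added example of an smtpd.conf for a host that forwards mail for a domain (for instance to Gmail) with native SRS and signs authenticated submissions through the third-party opensmtpd-filter-dkimsign filter mentioned above. It is not from the page or from either project; the domain, selector, key paths, the SRS secret and the _dkimsign user and group are assumptions.

```conf
# /etc/mail/smtpd.conf -- forwarding host with SRS and a DKIM filter.
# Added example, not the project's own; example.com, selector "2022",
# key paths, the SRS secret and the _dkimsign account are assumptions.

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

# Secret used to sign and verify SRS-rewritten envelope senders.
# More than one key may be listed; the first signs, the rest only verify,
# which allows rotation without breaking bounces already in flight.
srs key "replace-with-a-long-random-secret"

# DKIM signing runs in a separate, unprivileged filter process.
# The public key for selector "2022" must be published at
# 2022._domainkey.example.com for receivers to verify the signature.
filter "dkimsign" proc-exec "filter-dkimsign -d example.com -s 2022 -k /etc/mail/dkim/private.key" user _dkimsign group _dkimsign

# Alias entries such as "alice: alice.example@gmail.com" turn local
# recipients into forwards to remote mailboxes.
table aliases file:/etc/mail/aliases

listen on all tls pki mail.example.com

# Only the authenticated submission port passes through the filter, so
# mail that users send from this host is signed; forwarded mail is not.
listen on all port submission tls-require pki mail.example.com auth filter "dkimsign"

action "local_mail" maildir alias <aliases>

# "srs" rewrites the envelope sender of mail resulting from a forward to
# an address at this host, so the destination's SPF check sees a domain
# that authorizes this server, and bounces come back here to be decoded.
action "outbound" relay srs

match from any for domain "example.com" action "local_mail"
match for local action "local_mail"
match from any auth for any action "outbound"
match for any action "outbound"
```

Two checks worth doing after `smtpd -n` passes: send a message to a forwarded alias and confirm on the receiving side that the envelope sender (Return-Path) is an SRS0 address at example.com rather than the original sender, and send one through port 587 and confirm a DKIM-Signature header with `d=example.com; s=2022` that verifies against the published key.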
___________________________________________________________________
(page generated 2022-06-11 23:00 UTC)