EMAIL ARCHITECTURE:
A ROUNDUP OF MTAs AND IMAP ALTERNATIVES		  
 

By Kris Buytaert, senior consultant, Stone-IT

      
     
 

As e-mail grows in usage and complexity, so have mail applications, including POP and IMAP servers. One serious challenge for systems administration is simply that there are so many different mail solutions around. Consider this brief overview of advantages and disadvantages of various message transfer agents (MTAs), IMAP alternatives, and ways to move toward what we try to define as a zero administration setup.

In the old days people read their mail from a file in /var/spool/mail. The mail was delivered to that file by the MTAs and user applications read that file. As this was the only file where mail was stored, corruption of the file meant loss of mail. Concurrent read and write operations could generate problems, as using NFS could create locking issues. Therefore a new system for delivering mail was developed by qmail, called Maildir.

In this setup, mail is no longer delivered to one file but to a directory in which each mail represents a separate file. An MTA this way can read and delete messages while other mail is still being delivered. The biggest advantage of this format is "NO LOCKS." Maildir even works without trouble over NFS, which is a big advantage for distributed environments and environments where mail is being left on the server for backup.

Along with single-file mail stores, the old way of storing users in /etc/passwd is becoming obsolete. More and more people are using virtual users, domains, or aliases stored in LDAP or MySQL. Users are no longer being created locally on a machine, which gives one central point for administration and an easier integration with billing and human resources tools.

Depending on your needs you may want to separate out two functionalities: Some business environments need a mail relay that sits in the DMZ, scans mails for viruses, and relays the mails further on to the local network where the actual mail-server is located. Other business environments want their actual mail-server to be in the DMZ. If you want to go for a low-maintenance architecture, integration with either LDAP or MySQL is a must.

The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing online directory services. It runs directly over TCP, and can be used to access a standalone LDAP directory service or directory service back-ended by X.500. LDAP is becoming the central user management repository for the enterprise. More and more environments are relying on LDAP for user and resource management; MTAs and other applications get user information not from the old /etc/passwd but from a database, which in this case is an LDAP-based database.

MySQL Integration is easy to combine with billing infrastructures. You might even want to hand a part of the user administration to clients themselves by defining a web-based maintenance application.

Unfortunately, the documentation that typically comes with an MTA is often less than desirable. It may appear cryptic and you need to know what you are looking for before you can even begin searching for the correct syntax. Working with Sendmail? The general rule is that you need the bat book from O'Reilly. Looking for more about qmail? Then you need to read the FAQ and to try to find bits and parts on a chaotic website. If you are after exim, the better news is that exim has good basic installation documentation, but you’re on your own for the more complex stuff. As for postfix, you can learn the most from the README files that are delivered with the product.

Systems administrators know one thing to be very clear about MTAs: Security is a big hassle. MTAs are one of the most fragile services on the Internet. Remote exploits for MTAs have produced some of the biggest problems for system administrators. It was no surprise that people would eventually get tired of the security holes in Sendmail and try to offer something better. Security expert Wietse Venema developed his own MTA, released under the name of postfix, and Dan Bernstein came up with qmail. Venema and Bernstein have since discussed different security architectures in their MTA and both have made strong points about security design. Both postfix and qmail are comparatively secure products.

Knowing about the popularity of mail servers lends a clear sign of how much support will be available. Earlier this year, I did a search on the Google site on the four servers, postfix, qmail, exim, and sendmail, just to get an idea of which was being discussed the most.

Google Linux

  • postfix : 56,500
  • qmail : 84,300
  • exim  : 25,500
  • sendmail : 188,000

Google

  • postfix : 525,000
  • qmail: 581,000
  • exim : 390,000
  • sendmail : 1,230,000

This shows that sendmail, with all the talk about security holes, still is the most discussed MTA around. Nonetheless, the numbers also show that use of both postfix and qmail are widespread.

It’s always possible to configure an environment to test the actual performance of these mail-servers. For purposes of staying within the scope of this document, we can instead note a study that was performed by Matthias Andree which actually shows that postfix is the faster MTA available. See http://www-dt.e-technik.uni-dortmund.de/~ma/postfix/bench2.html

Here are some thumbnail summaries of the various MTA and IMAP solutions:

  
     
 

Sendmail

Current Version : 8.12.1

License : Open Source or Commercial License

 

The oldest and best known MTA around is sendmail, written by Eric Allman. Sendmail is available in an open and commercial license and is widely deployed. In its years of existence, some of the numerous security issues were fixed quickly, some later on. The fact that sendmail has so many features is also one of the reasons why there are security issues.

 

  
 

postfix

Current stable version is 20010228 Patch-level 08, experimental is 20011121

License: IBM PUBLIC LICENSE

 Postfix, formerly known as Vmailer, was developed by Wietse Venema, author of TCP Wrapper and Satan, both well-known security tools. Released by the end of 1998 as the IBM Secure Mailer, it has since lived on as postfix. As with qmail, postfix was written with security in mind. Postfix outperforms exim by a small margin.

  • Modular
  • Resembles sendmail in configuration concept, not syntax
  • Good LDAP, MySQL, and anti-SPAM integration
 
 

qmail

Current version is 1.03

License: Own License, free with restrictions

Developed by Dan Bernstein who was sick of the security holes in sendmail and other MTAs, qmail features security not just as a goal but as a requirement. The operating theory is that mail delivery is critical for users; it cannot be turned off, and it must be completely secure. Qmail also supports Maildir, a format where mail is not stored in one big file but in separate files in one directory.

Since qmail has its own way of distributing mail in a parallel way, it makes an ideal server for mailing lists that need fast outgoing email. According to the qmail site : "On a Pentium under BSD/OS, qmail can easily sustain 200,000 local messages per day. That’s separate messages injected and delivered to mailboxes in a real test! Although remote deliveries are inherently limited by the slowness of DNS and SMTP, qmail overlaps 20 simultaneous deliveries by default, so it zooms quickly through mailing lists.”

The qmail website, while chaotic, has lots of plug-ins available, some supported, some not. 

  
 

exim

Current Version : 3.32

License: GPL

As the lesser known child on the block, exim has good features but less support available. It started out as a university project seeking more elegant code. Exim is an MTA that was developed at the University of Cambridge for use on Unix systems connected to the Internet. It is freely available under the terms of the GNU General Public License. In style, it is similar to Smail 3, but its facilities are more extensive. In particular, it has some defenses against mail bombs and unsolicited junk mail in the form of options for refusing messages from particular hosts, networks, or senders. Its author is Philip Hazel.

  • Modular
  • Simple configuration
  • Filtering functionality (integrated Perl)
  • Regular expressions are available in a number of configuration parameters
  • Integration with LDAP
  
  Cyrus IMAP

Current Version : 2.1.0 BETA

License : free for non-commercial use

The Cyrus IMAP is generally intended to be run on sealed servers, where normal users are not permitted to log in. The mailbox database is stored in parts of the file-system that are private to the Cyrus IMAP system. All user access to mail is through the IMAP, POP3, or KPOP protocols. The private mailbox database design gives the server large advantages in efficiency and scalability. Multiple concurrent read/write connections to the same mailbox are permitted.

 
 

WU-IMAP

Current Version : 2001a

License : University of Washington's Free-Fork License

WU IMAP is probably the most used IMAP / POP3 toolkit, installed as a default in Linux Red Hat distributions, amongst others. It has basic POP3 and IMAP functionality. It`s a straightforward installation with few options available. If you have a 10-user system with no LDAP or MySQL integration, you probably won't need an alternative.

 
 

Courier IMAP

Current Version : 1.4.0

License : GPL

Courier is the most flexible Maildir -based IMAP server available. It supports abstract authentication modules. Authentication of login user-id and password is wrapped up into a completely stand-alone module. Several modules are provided to authenticate using the traditional password/shadow files, via the PAM library, from a table on a MySQL server, or from an LDAP server (requires MySQL or Open-LDAP). An experimental authentication module for PostgreSQL is also available. You can write your own custom user-id/password validation program. A "custom" authentication module is included, which authenticates absolutely nothing. Add your own code to it in order to implement a site-specific authentication mechanism. Courier-IMAP is a server that provides IMAP access to Maildirs. This IMAP server does NOT handle traditional mailbox files (/var/spool/mail, and derivatives), it was written for the specific purpose of providing IMAP access to Maildirs.

The overall design goal of Courier-IMAP is to provide IMAP services to maildirs with the least amount of resources. For this reason there are many parameters that can be tuned during initial configuration and at runtime. Unwanted components can be removed completely, and they will not take up any resources. Few sites need the ability to search messages in 20 different character sets, so there's no need to waste memory storing large character set mapping tables. Sites that need multilingual searching and sorting abilities can selectively choose which character set tables will be supported by the server, individually. If SSL support is needed, it is available. If not, the SSL wrapper does not have to be installed at all. If the server does not have the sufficient resources to sort large folders, the server-based IMAP sorting function can be turned off. Courier does POP3 (+SSL) as well as being part of an integrated suite.

  • Only Maildir support

  • Integrated Courier suite

  • Extremely small footprint
  • Support directories
  • Support virtual mailboxes
  • Good LDAP integration
  • Good MySQL integration