Coming soon: OpenSMTPD

By Jonathan Corbet
May 27, 2009

Back in November, the OpenBSD development community first heard about the OpenSMTPD project. OpenSMTPD is an all-new mail transfer agent implementation for OpenBSD; it is getting ready for release sometime soon. It is an interesting exercise in wheel reinvention which may well prove to be a useful project.

OpenSMTPD is developing most of the features that one would expect from an SMTP daemon. It can speak the SMTP protocol, including the SSL-based versions for added security. Virtual domains are supported, as are forward files and external delivery agents like procmail. There are plans to add a sendmail-like "milter" capability for mail-filtering extensions. In summary, it is growing to the point that it can do most of the basic things that the other MTA implementations do.

Given that those implementations represent a great deal of development and debugging time, and that a new mail daemon will surely bring new bugs and even security problems, one might well wonder why the OpenSMTPD developers are doing it. It appears to come down to a combination of licensing issues and a desire for a simpler and more OpenBSD-like tool.

The OpenBSD Journal article which brought OpenSMTPD to the community's attention includes this quote from Gilles Chehade, who started this project:

A few months ago, I had to dive into the configuration of sendmail to make a very small change. It turns out I spent almost an hour trying to make sense out of a maze of files that were plain unreadable. Even the slightest changes would cause me to stand a couple minutes thinking, just trying to make sure I really wanted to make that change.

It is a rare mail system administrator who has not had a moment like this; the lowest levels of sendmail configuration are a thing which must be seen to be believed. The higher-level "language" implemented with a set of M4 macros has helped to keep an entire generation of administrators sane, but it still presents its challenges. The end result is that, even though sendmail seems to be long past its period where new remote root exploits were a weekly experience, it is still a program with roots in the 1980's that many administrators prefer to avoid.

So what about Postfix? It turns out that Gilles likes Postfix reasonably well, but there is a fundamental problem with it: the IBM Public License under which Postfix is distributed includes copyleft-style source availability requirements. Copyleft is not particularly popular in OpenBSD circles, so that license ensures that Postfix will never be a part of the OpenBSD source tree. For Gilles, that meant that he needed to install Postfix separately after each OpenBSD installation; it also means that Postfix does not receive the same level of attention from OpenBSD's code auditors. So it seems that OpenSMTPD is being developed, at least partially, out of a desire to have an MTA under a permissive license which is less intimidating than sendmail.

Needless to say, the licensing issue is enough to exclude GPL-licensed solutions like exim as well.

Beyond licensing, though, it seems that the OpenSMTPD developers want to have an MTA which has more of an OpenBSD-like feel. The configuration file format will be simplified and have a format very similar to that of the "pf" packet filter. Techniques like privilege separation have been designed into the program almost since the beginning. And, of course, it will be a part of the unified OpenBSD source tree; it has been in the OpenBSD CVS repository since November.

Some people within the OpenBSD community have questioned the need for this kind of project, given the number of mail transfer agents already available. Certainly there are projects which are not worth the effort which goes into them, but, that said, it is usually a mistake to criticize the work of people who have decided to scratch a particular itch. Interesting things can come from such developments. From OpenSMTPD we may get an MTA which sheds a lot of legacy requirements (sendmail still has features that come from a time when one had to worry about routing a message via two DECnet hops, over the NSFnet, then into a CSNet node) and which, presumably, will offer a high degree of security.

Once it's stable, it would not be entirely surprising to see a Linux port of OpenSMTPD as well. Whether it will take off in the Linux world remains to be seen. Tools like OpenSSH are nearly universal on Linux systems; OpenCVS is ... less so. But options are usually good, and the OpenSMTPD developers are busily working toward the creation of another option for a crucial system component. It will be interesting to see how it turns out.

Coming soon: OpenSMTPD

Posted May 28, 2009 3:13 UTC (Thu) by flewellyn (subscriber, #5047) [Link] (3 responses)

If it turns out to be stable, fast, secure, and easy to configure and use, I for one welcome our new OpenSMTPD overlord.

Coming soon: OpenSMTPD

Posted May 28, 2009 9:03 UTC (Thu) by tzafrir (subscriber, #11501) [Link] (2 responses)

I just stick with postfix.

Coming soon: OpenSMTPD

Posted May 28, 2009 14:56 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

Ditto. One of the first things after getting a fresh Linux install done is purging the likes of sendmail and exim in favor of Postfix. I've been quite happy with it and it's the first SMTP thing that I've run across that I can actually configure well enough to make me confortable about using it on the internet.

Coming soon: OpenSMTPD

Posted Oct 16, 2009 9:55 UTC (Fri) by quotemstr (subscriber, #45331) [Link]

I actually prefer exim to postfix --- it has the power of sendmail without the arcane configuration. Postfix, on the other hand: well, I gave that up after the recommended solution to one problem I was having with it involved looping a message through the mail queue three times.

Qmail?

Posted May 28, 2009 7:18 UTC (Thu) by melo@simplicidade.org (subscriber, #4380) [Link] (6 responses)

I wonder why didn't they take Qmail code, now in public domain, and improve it...

It seems to match their requirements pretty well: privilege separation, simple configuration, virtual
hosts, etc.

Qmail?

Posted May 28, 2009 8:04 UTC (Thu) by elanthis (guest, #6227) [Link] (1 responses)

Have you looked at qmail's code, documentation, tools, configuration, or UI? It wouldn't be a matter of "improving" it -- it would be a matter of essentially writing OpenSMTPD with the additional onus of doing it while refactoring existing code.

The fact that qmail has some features that are desirable for OpenSMTPD does not at all mean that the specifics of that code are desirable.

Qmail?

Posted May 28, 2009 13:38 UTC (Thu) by melo@simplicidade.org (subscriber, #4380) [Link]

Actually, yes I have. Using qmail for more than 9 years now. Some of those years, I was running or
helping run sites with 300k accounts.

The core of qmail is very good. You need to replace the smtpd and write a tool to parse the
openSMTPD config file into qmail control/ files.

If you need LDAP, you could also start with qmail-ldap, which has already a much better smtpd
component.

Qmail?

Posted May 28, 2009 9:53 UTC (Thu) by copsewood (subscriber, #199) [Link] (2 responses)

Qmail had this great idea of improving the engineering of an MTA through it being more modular. Unfortunately that meant that the server module that accepted and spooled client relay requests didn't know which were the valid prefixes for the part of the address before the domain name - that was the job of a separate delivery module. Consequently unpatched Qmail installations accepted and then bounced invalid spam to innocent third parties being joe jobbed, based on message headers rather than rejecting it. Rejection is correct behaviour as this makes sending a DSN (undeliverable response to sender) the responsibility of the SMTP client, the operator of which is more likely to have a relationship with the message sender.

Until Qmail was recently placed into the public domain the license for it placed the onus of patching it onto the site administrator, rather than the software distributor, and many Qmail site administrators understood neither the need nor the process for patching this security fault.

Qmail?

Posted May 28, 2009 12:43 UTC (Thu) by charlieb (guest, #23340) [Link] (1 responses)

Nobody in their right mind continues to use unpatched qmail-smtpd on an Internet exposed mail server. qmail's modular design, however, makes it trivial to replace qmail-smtpd by something more complete, e.g. qpsmtpd or mailfront.

Qmail?

Posted May 28, 2009 13:35 UTC (Thu) by melo@simplicidade.org (subscriber, #4380) [Link]

Of course running an unpatched qmail-smtpd is idiotic, hence my question to use qmail as the
basis of OpenSMTP and *improve* it.

I think that with qmail security track record, OpenSMTPD-qmail-based would start as a very secure
MTA from day one.

Personally I use and recommend qpsmtpd as the qmail-smtpd replacement. Happy user.

Qmail?

Posted May 28, 2009 15:30 UTC (Thu) by iabervon (subscriber, #722) [Link]

Qmail is pretty firmly not like any daemon on OpenBSD (or any daemon anywhere other than djbdns). It seems to me like they could adopt a bunch of functions from it and a bunch of design features, but anything that's recognizably an improvement of qmail is not going to be suitable as a native-style daemon.

Coming soon: OpenSMTPD

Posted May 28, 2009 7:22 UTC (Thu) by tzafrir (subscriber, #11501) [Link] (1 responses)

What about SendmailX?

http://www.sendmail.org/sm-X/

sendmail-X?

Posted May 31, 2009 0:43 UTC (Sun) by vonbrand (subscriber, #4458) [Link]

This was superseeded by MeTA1. It is also a set of processes (like the other MTAs offered as alternatives), and comes with a license very similar to the one of sendmail 8, essentially BSD 3-clause.

This is definitely a case of Not Invented Here syndrome.

Coming soon: OpenSMTPD

Posted Oct 16, 2009 9:03 UTC (Fri) by rjamestaylor (guest, #339) [Link] (2 responses)

This reminds me of the Apache JAMES project -- why it was necessary to run POP, IMAP, SMTP,
NNTP in a single JVM is *beyond* me. But I did have the joy of supporting it in the early stages
(v. 1) for a J2EE project of which I was a part. Painful days of instability, reimplementation of old
vulnerabilities, etc., all because our project team was more comfortable with a Java based
platform than anything else. (Note: at that time the JAMES project was *not* rated for production
use; on a few occasions when I exchanged email with the developers they were astounded how
we were relying on the project at that state -- it's probably very robust now at v3).

Exim for Debian due to GPL, JAMES for Java, OpenSMTPD for BSD...is a RoR MTA far behind? Say,
Erlang is getting popular... *sigh*

Choice is good - I just wish the reasons for taking on a complete re-write were for reasons
other than license, runtime platform, language, framework or which ever reason was given for
these other projects. Guess this is why I prefer Postfix and qmail -- they were rewritten to
provide security, scalability, ease of configuration -- regardless which implementation on prefers
(I like Postfix, personally).

Coming soon: OpenSMTPD

Posted Oct 16, 2009 17:25 UTC (Fri) by bronson (subscriber, #4806) [Link]

The biggest reason for the rewrite is the license. If DJB didn't write such weird (but secure!) software, maybe they could have started with public domain qmail. Everything else out there just has unacceptable strings attached.

http://freshbsd.org/?branch=&project=&committer=&...

Huh, looks like development is ongoing. Wonder how mature it feels. I'll have to check it out the next time I need an smtpd.

Has anyone tried using it?

Coming soon: OpenSMTPD

Posted Oct 16, 2009 20:01 UTC (Fri) by nix (subscriber, #2304) [Link]

I'm reasonably certain that if you look hard enough you'll find MTAs
written in both gawk and GhostScript (in non -dSAFER mode). :)

Coming soon: OpenSMTPD

Posted Jul 19, 2011 5:08 UTC (Tue) by brad (guest, #77017) [Link]

My initial port of OpenBSD's smtpd.

https://aur.archlinux.org/packages.php?ID=50709