To be fair I've been running my infrastructure for years and it's usually fine.
The problem I have is that it's a pain in the ass to set up correctly and when things do go wrong it's really hard to figure out what's going on.
> Can you explain what you mean by attacks and exploits from spammers?
I haven't encountered a remote exploit (yet) but yes: accidentally running an open relay, backscattering, etc. You also have to worry about the system security of the box you're running it all on but let's treat that as a separate concern.
I'd been running my setup for years and as recently as August of last year I was dealing with an outage of my email server. I must've missed something somewhere because someone had figured it out and started using my server as a relay. It took me a few days to figure it out and I'm still not sure what the problem was or how I fixed it. Though my server stopped bouncing emails and started forwarding things again so... win?
As I was fixing this issue, not the first time, it occurred to me that it was just criminally easy to not know if your system is being exploited as a relay or not. There are a bunch of different configuration files in all different formats and guides that require working through dozens of steps. It's way too easy to get something wrong.
For someone like me who works at deploying software running on hundreds of nodes it seems manageable but I don't think it's ready for my cousin who's good with computers.
That's where the idea for a secure-by-default MTA that couldn't possibly be configured to be an open relay came from. Minimize the configuration so it was hard to get wrong even at the expense of flexibility.
I dunno, maybe it's not a great idea. But it's fun to hack on in the evenings when I've got nothing better to do and hopefully I'll have fewer text files to manage in the future.
> That's where the idea for a secure-by-default MTA that couldn't possibly be configured to be an open relay came from.
You're close to describing the motivation behind Postfix. Between the design and the documentation, Postfix is hard to screw up, from a security perspective. And it is really easy to configure, at least in contrast to What Came Before - believe me, if you think this is complex, buy a crusty sysadmin a beer sometime and mention 'sendmail.cf'.
The problem here is that almost all mail servers need to selectively relay, and I don't see how the server is going to guess appropriate policy. For instance, trusted IP ranges (mynetworks, in Postfix). I suppose you could demand authentication unconditionally but that tends to break down when not all of your senders are made of meat[1]. Maybe that's acceptable to you, but it won't be for many.
In my other comment in this thread, I recommended gaining a clear understanding of the architecture if you're going to do this. That includes things like knowing what (for Postfix) mynetworks does - you can get mad at software for not intuiting local policy preferences, but I've never found that to get me very far.
[1] Getting better, but I still depend on a fair bit of software and hardware that doesn't speak SMTP auth.
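One way to check the policy the reply describes, as an added example that is not code from the thread or from Postfix: a small audit of a Postfix main.cf fragment that flags a `mynetworks` trusting every address and a relay restriction list that permits before it rejects unauthorized destinations. The config fragments are constructed; the check reads `smtpd_relay_restrictions` (Postfix 2.10 and later) and `smtpd_recipient_restrictions` (where older setups put the same rules) and does not resolve hostnames or lookup tables.

```python
import ipaddress
# Constructed main.cf fragments, not from the thread. The first relays for anyone;
# the second is the reply's policy: trusted networks and authenticated users only.
OPEN_MAIN_CF = """\
mynetworks = 127.0.0.0/8, [::1]/128,
    0.0.0.0/0
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    permit, reject_unauth_destination
"""
SAFE_MAIN_CF = """\
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""
GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

def parse_main_cf(text):
    """Parse 'name = value' lines, joining indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:  # continuation of the previous value
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_relay_policy(params):
    """Return findings; an empty list means no obvious open-relay setting."""
    findings = []
    for net in params.get("mynetworks", "").replace(",", " ").split():
        try:
            network = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue  # hostnames and table lookups are out of scope here
        if network.prefixlen == 0:
            findings.append(f"mynetworks trusts every address: {net}")
    # Postfix applies a restriction list in order; a bare 'permit' ahead of the guard disables it.
    for param in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        items = params.get(param, "").replace(",", " ").split()
        guard = next((i for i, r in enumerate(items) if r in GUARDS), None)
        if param in params and guard is None:
            findings.append(f"{param} never rejects unauthorized destinations")
        elif guard is not None and "permit" in items[:guard]:
            findings.append(f"{param}: 'permit' comes before {items[guard]}")
    return findings
```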