email server/webmail recommendations

Mon Apr 12 23:57:32 CDT 2004

On Monday, April 12, 2004 11:32 am, Rob Becker wrote:

> I'm looking to build out an email server to serve webmail and pop or
> imap.  What combinations have you used and liked?  What's a good server
> for security and stability?  What webmail packages do you like?  How
> about virus scanning and spam filtering?  Any thoughts, opinions, links
> appreciated.

I've built a couple of RedHat 7.x servers using the default RH packages for 
Sendmail and ipopd.  They have been very stable, and security has been good.  
The only problem is that they are getting a bit out-dated now, since RH 
doesn't supply patches, and trying to install new software can be a problem 
because the packages the software depends need to be more recent versions.

 You need to look carefully to make sure that everything you want to do will 
integrate with the packages you choose.  Some mailing list managers will only 
work with certain mailers.  Sendmail is the most common MTA, and you will 
find more packages that work with it than with the "alternative" MTA's.  Most 
of them will emulate sendmail for compatability.

Rumors of sendmail's insecurity are several years out of date, and are due to 
the fact that sendmail dates back to when the entire internet was pretty much 
without security.  Some older systems weren't updated soon enough, and gee, 
they were running sendmail.

Sendmail can do a LOT of different things, and therefore the configuration for 
it can be very difficult to understand.  Using a binary package from a good 
distro will help here.  Sticking with sendmail on a known distribution will 
also be easier because most documentation assumes that you are configuring 
sendmail, probably on RedHat.  

RH derivatives such as Mandrake and SuSE are very attractive if you're not 
into re-coding and re-compiling everything yourself, if you want a system 
that will pretty much run "out of the box" without a lot of time searching 
for active chat rooms and useful mailing list archives.

Squirrelmail is ok if all you want to do is web mail.  I've used the Horde 
system, which has good abilities for other options such as account 
management, calendars, address books, etc.  It can also be configured to use 
a different server from the web server as the mail server, or to allow users 
to connect to any mail server where they have a POP or IMAP account.

Unfortunately, Horde is in the midst of a complete re-write just now.  They 
are bringing out the release candidates for the new structure, which I 
haven't worked with, and it's not entirely clear that everything you need to 
actually get the older version Horde working is available from their servers.  
Still, it's worth looking into, especially if you're interested of something 
that can be more of a portal than just a webmail server.

I use John Hardin's Procmail Sanitizer 
(http://www.impsec.org/email-tools/procmail-security.html) which catches 
dangerous executables and attachments, and can also strip risky HTML out of 
messages, and spamassassin, which is currently catching just under 80% of 
traffic as spam with no false-positives. 

Horde: www.horde.org
Spamassassin: www.spamassassin.org
Sanitizer: http://www.impsec.org/email-tools/procmail-security.html
Securing your system in general, along with good tutorials about Firewalls, 
sendmail, etc.: http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html

I've been very happy with RH7, sendmail, and Horde.  If I were building a new 
server it would be SuSE 9x, sendmail, and possibly the new Horde.