What is the best mail server on Linux?
When businesses choose an Internet service provider, mail transport agents are not on their radar. They ask questions about uptime, reliability and support but usually only think about what mail servers are available after they sign up and go through the installation process.
A mail transport agent (MTA) handles the behind-the-scenes work of safely and securely transferring mail among hosts. Of all the mail transport agents, message transfer agents and mail relays in use, Exim, Postfix and Sendmail together hold roughly 85 percent of the market for SMTP services.
Of the many MTAs available, Exim, Postfix, and Sendmail have the most users. This article describes five MTAs, with an emphasis on years in use, popularity, security, ease of configuring, documentation and overall reputation. Each review includes a link to the MTA’s website and notes the year introduced and the number of servers using it as of July 2013.
Exim – 1995 – 546,000 servers
Exim is the most widely used MTA. It resides on nearly 50 percent of the servers attached to the Internet.
Philip Hazel wrote Exim in 1995 for use in the University of Cambridge Computing Service’s email systems. The name initially stood for EXperimental Internet Mailer and was based on an older MTA, namely Smail-3. It has since diverged from Smail-3 with a new design philosophy and a new security strategy.
Exim uses the Sendmail design model where a single binary controls all the facilities of the MTA. This monolithic design is inherently less secure due to the lack of binary separation between the individual components of the system. Exim separates processes and has well-defined stages where it gains or loses privileges.
Postfix – 1997 – 298,000 servers
According to the Red Hat Reference Guide, Postfix was “originally developed at IBM by security expert and programmer Wietse Venema[.] Postfix is a Sendmail-compatible MTA that is designed to be secure, fast, and easy to configure.”
Postfix has a modular design to improve security over Qmail. A master daemon (a background process) launches other smaller processes with limited privileges that do specific tasks related to the various stages of mail delivery. The modular approach limits the effects of attacks.
Postfix is easily configurable to accept network connections from remote hosts. It also provides many configuration options and third-party add-ons, resulting in a versatile and full-featured MTA.
Unlike Sendmail, Postfix configuration files are human-readable and support more than 250 directives. Postfix does not require macro processing to launch changes. Over the years, users have documented the most commonly used options.
Sendmail – 1982 – 113,000 servers
Sendmail is the default MTA shipped with many Linux distribution sets and is the most well-known. It is easy to configure but has had the most security loopholes, partly because it was designed long before hackers started attacking email systems. Developers fix most security issues quickly, but because it has the most users, it is still the biggest target for hackers.
According to Red Hat, “Sendmail is highly configurable, allowing control over almost every aspect of how email is handled, including the protocol used. Many system administrators elect to use sendmail as their MTA due to its power and scalability.”
Sendmail blocks most junk mail spamming techniques by default. Version 8.9 disabled forwarding of SMTP messages. Sendmail’s access control feature prevents connections from unwanted hosts and blocks unauthorized access to the server.
Qmail – 1996
“When first published,” one Wiki article says, “Qmail was the first security-aware mail transport agent. In contrast to Sendmail, Qmail has a modular architecture composed of mutually untrusting components; for instance, the SMTP listener component of Qmail runs with different credentials than the queue manager, or the SMTP sender.” Qmail is less vulnerable to attacks than the other available MTAs.
Qmail has configuration documents readily available but is more difficult to configure than its counterparts. It is a redesign of the UNIX mail concept and is not a pure open-source solution.
Fetchmail – 2007
Fetchmail retrieves emails from remote servers and delivers them to the local MTA. Red Hat notes, “Many users appreciate the ability to separate the process of downloading their messages located on a remote server from the process of reading and organizing their emails in an MUA.”
Fetchmail is a well-documented remote-mail retrieval and forwarding utility for on-demand TCP/IP links. It supports every remote-mail protocol. It retrieves mail from remote mail servers and forwards it via SMTP so the normal mail user agents can then read it.
According to Fetchmail’s website, “Fetchmail offers better protection against password-sniffing than any other Unix remote-mail client.” Administrators can start it automatically as a system daemon at boot time.
Exim has the largest user community but has the same base security challenges as Sendmail. Exim resembles Smail 3 while being more user-friendly. With over 50 percent of the market share, it is now the de facto standard MTA.
Postfix is a Sendmail-compatible MTA designed as a secure, fast, and easy-to-configure relay. Postfix has a modular design to improve security over Qmail. While both are similar, Postfix has more of a pure UNIX interface for easier configuring. It is less versatile than Exim but more secure. It is easily configurable to accept network connections from remote hosts and provides many configuration options and third-party add-ons, resulting in a versatile and full-featured MTA.
As the granddaddy of MTAs, Sendmail is the default MTA shipped with most Linux distribution sets and hence is the most known. It is easy to configure but has more known security loopholes because it was designed before security was a major concern.
By number of servers with an MTA installed, Exim is the hands-down winner. Postfix is number two, and the original MTA, Sendmail, is fading over time. Postfix appears to be the most secure because of its modular design.