Disable sendmail dependency check

Posted: Thu Jul 31, 2008 8:52 am
by Beaujolais
Is there a way to disable sendmail dependency check?

I'm running Scalix with postfix and every time I need to upgrade Scalix I have to
- install sendmail
- upgrade scalix
- de-install sendmail and put postfix back

thx

Posted: Fri Sep 12, 2008 4:49 am
by PrisonMind
Has anyone found a solution for the dependency check?
I have the same problem with the upgrade.

Posted: Fri Sep 12, 2008 12:43 pm
by florian
We will not remove the dependency check at this time, as currently sendmail is the only supported MTA for Scalix.

Florian.

Posted: Fri Sep 12, 2008 1:58 pm
by PrisonMind
I didn't want Scalix to remove the dependency check, I only want to know if it's possible to disable the dependency as an option.

That's my risk :)

By the way, Florian,
why should somebody use sendmail when it is possible to use postfix????
Can you give me the advantage of sendmail, or what's the reason why Scalix supports only sendmail???
Postfix is intended to be a sendmail replacement. For this reason it tries to be compatible with existing infrastructure. Postfix is considered much easier to use. You can edit the config file by hand as there is no need to use m4 to generate a macro file for the config; this is a leading advantage of postfix. It is also significantly easier to integrate complex authentication setups into postfix.

Posted: Fri Sep 12, 2008 2:30 pm
by florian
The dependency at this point is implemented as an RPM dependency on the scalix-server package, so there is technically no way to make this optional or conditional on a switch. You can use some --force option on the rpm command to install this. If you want to do this in the context of scalix-installer, you can also mod that as it is open source and python-based.

Now, the bigger question is - why would you want to do that?

I will not go into any discussion about sendmail vs. postfix, this is really very much a matter of personal preference. Even the distros disagree, and while SuSE and debian-based distros usually have postfix setup as a default, everything that's Red Hat-based (RHEL, Fedora, CentOS) comes with sendmail enabled as a standard.

The other arguments don't seem to be too relevant. I consider sendmail.mc my config file, everything else is a parsed/generated config that I don't care about, so it's a single place where I do my changes. Actually in Postfix these days you are not supposed to edit config files directly but use the command line tool to do the validation. The remaining arguments don't seem to fly either - for me the only config I need to do on the sendmail side in 99% of all cases is the SmartHost, which is a single-line config and very straightforward. Authentication is not necessary as Scalix uses sendmail only as its MTA for OUTGOING email - inbound stuff and message submission is handled by the Scalix SMTP Relay, which is preconfigured for authentication and else. Since 11.4, even AntiSpam/AntiVirus setups don't require sendmail mods anymore as we have implemented the MILTER interface right on the SMTP relay.

For this reason, I fail to see any specific advantages for Postfix in a Scalix environment. On the downside, we could not simply drop support for sendmail if we chose to support Postfix - too many installations out there that know how to monitor, operate and configure it. And supporting both is simply a matter of resources on our side - not only would we need to implement the integration, but we'd also have to maintain it, and, and that's the biggest obstacle, run all our server-side testcases on every platform on both MTAs. That would actually double our testing matrix, which is already horrendously large and it would make us spend more money on something that's not highly useful instead of working on relevant new features. Or it would make new Scalix releases and patches take longer to get out of the building, again a huge disadvantage in my book.

So ... I'm yet to be convinced on this one! :-)

Florian.

Possible solution

Posted: Mon Sep 15, 2008 9:59 am
by jhinrichs
I had the same problem and solved it successfully in an "unclean" way:
- install sendmail
- install postfix and ignore the dependency check here (don't remove sendmail!)
- disable sendmail (on SuSE: insserv -r sendmail; on CentOS/RHEL: chkconfig sendmail off)
- enable postfix (insserv postfix; chkconfig postfix on)

So sendmail is still in the rpm database, but won't work, but postfix does.

Of course, you have to make some changes in the postfix config files.

This installation has "survived" all scalix-upgrades on SuSE 10.1, 10.3 and now CentOS 5.1 and 5.2 from Scalix 10 to Scalix 11.4.1 until now without any problems
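
A check for the state this workaround depends on, namely that postfix is the only MTA started at boot while the sendmail package stays installed. This is an added example, not part of the original post; it assumes the CentOS/RHEL `chkconfig --list` output format and checks runlevels 3 and 5, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: confirm that only postfix is enabled at boot.
# Input is `chkconfig --list` output (format assumed from CentOS/RHEL).

# Constructed sample of `chkconfig --list` output (not from a real host).
SAMPLE='postfix         0:off 1:off 2:on  3:on  4:on  5:on  6:off
sendmail        0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# enabled_mtas: print the names of the sendmail/postfix services that are
# "on" in runlevel 3 or 5, one per line, sorted.
enabled_mtas() {
    awk '$1 == "sendmail" || $1 == "postfix" {
             for (i = 2; i <= NF; i++)
                 if ($i == "3:on" || $i == "5:on") { print $1; break }
         }' | sort
}

# check_mta_state: return 0 only when postfix is the single enabled MTA.
check_mta_state() {
    enabled=$(enabled_mtas | tr '\n' ' ')
    case "$enabled" in
        "postfix ")  echo "OK: only postfix starts at boot"; return 0 ;;
        "")          echo "WARN: no MTA enabled at boot"; return 1 ;;
        *sendmail*)  echo "WARN: sendmail is enabled: $enabled"; return 1 ;;
        *)           echo "WARN: unexpected state: $enabled"; return 1 ;;
    esac
}

# On a live host: chkconfig --list | check_mta_state
printf '%s\n' "$SAMPLE" | check_mta_state
```

Running it after each package upgrade shows whether sendmail has been switched back on alongside postfix.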

Posted: Mon Sep 15, 2008 10:36 am
by florian
jhinrichs,

why would you do this to create an unsupported configuration and what are you doing with postfix that sendmail wouldn't do for you?

Tx,
Florian.

Posted: Mon Sep 15, 2008 2:41 pm
by PrisonMind
Postfix is definitely faster than Sendmail and Postfix uses a modular design whereas Sendmail uses a monolithic design. The problem with security and a monolithic design is that it tends to be all or nothing. In a monolithic design, a security breach in one aspect of the system leads to a security breach of the whole system. Much of the security problems of Sendmail in the past has been that it must run as a privileged user to perform most of its tasks. Postfix is able to run as the least privileged user and has the ability to turn off modules not used by the system, thus limiting the security issues. The Postfix mail server isolates processes from each other so that they do not depend on as much communication between processes.
Maybe sendmail is better now, but my experience in the past was that postfix is the better MTA!!
But we have changed the MTA only because we have much more know-how with postfix in our company.

Posted: Mon Sep 15, 2008 11:14 pm
by kanderson
But sendmail isn't a security risk, because it isn't accessible.

It's blocked to the outside world, as people connect to Scalix's SMTP server.

Inside, this is the same, except that UAL connections will make a UAL connection rather than an SMTP one. Even there though, the message will be handled through Scalix, rather than Sendmail.

Messages are passed to sendmail only if the user has been given the ability to relay through your server, and if you've given that to someone attacking your server, then the game is over regardless of the MTA.

I guess, if the attacker attacks your server over port 127.0.0.1/8, then you're at risk too, but again, I don't really see this as an MTA problem.

If code is submitted through Scalix, and is processed as an attack against sendmail, I'd still see it as a Scalix problem, personally.

If speed is your issue, I wouldn't advise resolving it by making your server unsupported.

This all goes for Exim too, BTW.

But you're running software that allows you to make that choice. I guess it's up to you. At least you HAVE a choice.

Kev.

Posted: Tue Sep 16, 2008 2:42 am
by jhinrichs
There are several reasons I used this unsupported configuration:
At first, I came from a cyrus-based mailserver with a well configured postfix-amavis configuration which I could leave nearly unchanged. As we have users working with Windows clients (Outlook) and users using the Linux command line sending mail with the "mail" command, it was important to have their localuser@hostname.localdomain.local address mapped to the external user@domain.tld address, which I didn't get configured with sendmail but in an easy way with postfix (sender_canonical). So the last reason is that I do not really need much support with postfix (so it doesn't matter it's unsupported) but I would need a lot of support with sendmail... :wink: