Firewalling sendmail is straightforward; it runs on port 25, tcp:
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 25
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 25
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 25
or
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 25
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 25
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 25
QMAIL

Qmail (like postfix) was created as a direct response to perceived flaws in Sendmail. Qmail is
GPL with a no binary distribution clause, meaning you must install it from source code. Very
little code in Qmail runs as root, and it is very modular compared to sendmail (which is a
pretty monolithic piece of code). You can download it from: .
Postfix
Postfix was written by Wietse Venema, who is also responsible for TCP_WRAPPERS.
Postfix is somewhat more modern than Sendmail or Qmail in the way it attempts to deliver
email, and was written to be very secure. Like most IBM products it has a very funky license,
but appears to be mostly open source and free. Postfix is available at: .
Zmailer
Zmailer is a GPL mailer available at: . It has crypto hooks and
generally looks like it is well built.
DMail
DMail is a commercial mail server, and is not open source. You can download a trial version
from: .

POPD
WU IMAPD (stock popd)
POP and IMAP are fundamentally related but very different, so I have split them apart. POP
stands for “Post Office Protocol” and simply allows you to list messages, retrieve them, and
delete them. There are many POP servers for Linux available; the stock one that ships with
most distributions is perfect for the majority of users. The main problems with POP are
similar to many other protocols, in that usernames and passwords are transmitted in the clear,
making it a very good target for packet sniffing. POP can be SSL’ified; however, not all mail
clients support SSL secured POP. Most POP servers come configured to use
TCP_WRAPPERS, which is an excellent method for restricting access. Please see the earlier
section on TCP_WRAPPERS for more information. POP runs as root (since it must access
user mailboxes) and there have been a number of nasty root hacks in various POP servers in
the past. POP runs on ports 109 and 110 (109 is basically obsolete though), using the tcp
protocol. The Washington University IMAPD server also comes with a pop server and is
generally the ‘stock’ pop server that ships with most Linux distributions. You can get it from:
.
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 110
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 110
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 110
or
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 110
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 110
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 110
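The rule sets above depend on ordering: the chain is walked top to bottom and the first matching rule decides. The following Python is an added example, not part of the original guide, that evaluates the three ipchains POP rules as written and with the DENY moved first; the address 192.0.2.25 for some.trusted.host and the ACCEPT chain policy are assumptions.

```python
import ipaddress

# The three POP3 rules from the text, in the order they are appended.
RULES = """\
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 110
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 110
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 110
"""

# Constructed stand-in: the guide's placeholder hostname has no real address.
HOSTS = {"some.trusted.host": "192.0.2.25"}


def parse_rule(line):
    """Turn one 'ipchains -A input ...' line into (source_net, dport, target)."""
    tok = line.split()
    opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
    src = HOSTS.get(opts["-s"], opts["-s"])
    # The destination port is the last token, after the -d address.
    return ipaddress.ip_network(src), int(tok[-1]), opts["-j"]


def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def verdict(rules, src_ip, dport, default="ACCEPT"):
    """First matching rule decides; later rules are never consulted."""
    addr = ipaddress.ip_address(src_ip)
    for net, port, target in rules:
        if port == dport and addr in net:
            return target
    return default  # no rule matched: chain policy applies (assumed ACCEPT)


AS_WRITTEN = load(RULES)
# Same rules with the catch-all DENY moved to the front.
DENY_FIRST = [AS_WRITTEN[2]] + AS_WRITTEN[:2]

if __name__ == "__main__":
    # Internal host, trusted host, unrelated outside host (constructed addresses).
    for ip in ("10.1.2.3", "192.0.2.25", "203.0.113.7"):
        print(ip, verdict(AS_WRITTEN, ip, 110), verdict(DENY_FIRST, ip, 110))
    # Port 109 is not covered by the rules above, so the chain policy decides.
    print("203.0.113.7 port 109:", verdict(AS_WRITTEN, "203.0.113.7", 109))
```

With the DENY rule first every source is refused, including 10.0.0.0/8, and traffic to port 109 is governed only by the chain policy because the rules name port 110 alone.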
Cyrus
Cyrus is an imap (it also supports pop and kpop) server aimed at ‘closed’ environments. That

