Software MTA
  • Sendmail MTA (Eric Allman) - the original MTA, and still the most popular. It has a lot of features and a very powerful address re-writing language (which can be quite cryptic to the neophyte). It's monolithic (single process, no security barriers) design shows it's age, and, over time, has gained a bad reputation for security, although current versions of code contain no known vulnerabilities.
  • Postfix MTA (formerly vmailer) (Wietse Venema) - a new mail transport agent, designed with security and performance as primary goals. Wherever possible, the author has maintained compatiblity with sendmail, which makes migration quite a bit easier. This is the only MTA I would recommend at this time.
  • Exim MTA - a high performance MTA with plenty of anti-spam configuration options, but lacks sendmail's extensive support for address re-writing. Appears to be a monolithic design like sendmail, although I don't know of any vulnerabilities.
  • ZMailer MTA - don't know much about this one.
  • Qmail MTA - (Dan Bernstein) another new MTA written with security as it's primary goal. The author has very strong ideas about how things should be done, however, which means it can be a complete pig to migrate from any other MTA to Qmail.
  • The Porcupine Project - a research project to build a fault-tolerant clustered mail server that automatically discovers new nodes and distributes resources.
  • Client
  • popa3d - a tiny POP3 daemon, designed with security as the primary goal.
  • Solid POP - a POP3 daemon that supports APOP, virtual hosting, maildir or mailbox, bulletins and expiration of messages. Security design is similar to popa3d (above), and some code auditing has been performed.
  • CUCIPOP - a popular POP daemon - flexible and fast, and probably secure, although it hasn't been audited to my knowledge.
  • Courier IMAP - an IMAPD that supports maildir and abstracted authentication out of the box.
  • Project Cyrus - Carnegie Mellon Enterprise Electronic Mail Project
  • ACAP - Application Configuration Access Protocol (CMU)
  • Qpopper - Qualcomm's free POP server
  • IMP - PHP scripts that implement an IMAP based webmail system.
  • TWIG - The Web Information Gateway - a PHP based webmail system, more fully featured than IMP - as well as mail, it does scheduling, newsgroups, bookmarks, etc.
  • DRAC - Dynamic Relay Access Control - an implementation of pop-before-smtp.
  • Perdition - POP3 and IMAP4 redirection proxy. Supports regular expression, LDAP, NIS, GDBM, MySQL and PostgreSQL lookups.
  • LDA
  • procmail - the classic filtering local delivery agent. It has extensive support for filing into separate user mail folders. Unfortunately the code structure does not make a security audit easy, and anything that runs neophyte user code with input from the big bad internet has a fair bit of potential for harm (this is probably true of all filtering local delivery agents that allow user code to be executed).
  • maildrop LDA - mail delivery agent with filtering abilities
  • Virus
  • AMaViS - A Mail Virus Scanner: a perl script that can work with many common unix MTA's to extract mime attachments and run them through a third party virus file scanner (not supplied).
  • List
  • Majordomo - the original mailing list manager
  • Jason L Tibbitts III's Majordomo Page - includes information about his re-write of the majordomo list manager called Majordomo II.
  • Mailman - Neat GNU mailing list manager, written in Python. Includes comprehensive web interface.
  • Listar - "Modular Mailing List Management" - plugable modules, written in C.
  • EZMLM - a mailing list manager for qmail
  • Minordomo - minimalistic majordomo replacement, written in perl
  • Minimalist - minimalistic majordomo replacement, written in perl
  • E-mail List Management Software - Vivian Neou
  • MUA
  • MUTT - "All mail clients suck. This one just sucks less."
  • "Solutions"
  • Software.com - Carrier-scale Internet Messaging
  • Sendmail, INC
  • Critical Path - supplier of e-mail service to ISP's etc.
  • Messaging Direct - digital signed documents/statements/bills with round trip transaction processing. They also have an IMAP/POP solution that is apparently based on Cyrus.
  • ISOCOR - Internet Messaging and Directory Products
  • Bluetail
  • Mirapoint
  • Lyris - commercial mailing list manager software and hosting
  • Tuning
  • How to Get There From Here - Scaling the Enterprise-Wide Mail Infrastructure (Duke University)
  • Highly Scalable Electronic Mail Service Using Open Systems - Nick Christenson, Tim Bosserman, David Beckemeyer (EarthLink Networks)
  • High Capacity E-Mail - a paper by Simon Horman of VA Linux Systems.
  • Manageability, availability and performance in Porcupine: a highly scalable, cluster-based mail service - by Yasushi Saito, Brian N. Bershad, and Henry M. Levy
  • Papers by Brad Knowles - includes Sendmail Performance Tuning for Large Systems, and Design and Implementation of Highly Scalable E-mail Systems.
  • WING - a web based IMAP/NNTP gateway. Includes a link to a paper on the Oxford University mail cluster - a scalable mail server using open source software on comodity hardware.
  • What a Public Operator May Need from Servers - John Klensin (MCI Communications) (slides from a presentation)
  • Claus Assman's Patches, Additions and Known Problems for Sendmail
  • IMAP - general discussion of IMAP performance and some tweaks to the UW imapd.
  • Dynamic Relay Authorization Control (DRAC) - or POP before SMTP auth.
  • "Whoson" protocol - a proposed protocol to allow internet application determine if a particular dynamic IP has authenticated.
  • Organisations
  • The Internet Engineering Task Force
  • Internet Mail Consortium
  • RFCs Mesg
  • rfc822 Message format
  • rfc2076 Common Internet Message Headers
  • rfc2822 Message Format - replaces rfc822
  • SMTP
  • rfc821 SMTP
  • rfc1123 Requirements for Internet Hosts
  • rfc1845 SMTP Service Extension for Checkpoint/Restart - not commonly implemented.
  • rfc1869 SMTP Service Extensions - defines ESMTP (EHLO)
  • rfc1891 SMTP Service Extension for Delivery Status Notifications
  • rfc1870 SMTP Service Extension for Message Size Declaration - defines SIZE
  • rfc1985 SMTP Service Extension for Remote Message Queue Starting - defines ETRN
  • rfc2034 SMTP Service Extension for Returning Enhanced Error Codes
  • rfc2197 SMTP Service Extension for Command Pipelining
  • rfc2442 Batch SMTP
  • rfc2554 SMTP Service Extension for Authentication - defines AUTH
  • rfc2821 SMTP - replacement for rfc821
  • LMTP
  • rfc2033 Local Mail Transport Protocol
  • POP
  • rfc1725 POP3
  • rfc1734 POP3 AUTH
  • rfc1957 Some Observations on Implementations of POP3
  • rfc2195 IMAP/POP AUTHorize Extension for Simple Challenge/Response
  • rfc2449 POP3 Extension Mechanism
  • IMAP
  • rfc1176 IMAP2
  • rfc1730 IMAP4
  • rfc1731 IMAP4 AUTH
  • rfc1732 IMAP4 compatibility with IMAP2 and IMAP2bis
  • rfc2060 IMAP4rev1
  • rfc2342 IMAP4 namespace
  • SPAM
  • rfc2505 Anti-Spam Recommendations for SMTP MTAs
  • rfc2635 SPAM
  • MISC
  • rfc1918 Address Allocation for Private Internets
  • Other
  • "Reply-To" Considered Harmful - adding "Reply-To" headers to mailing list traffic is a Bad Thing. Read this to find why.
  • "Reply-To" Considered Useful - a rebuttal to the previous paper - I don't find their reasoning particularly convincing.
  • Mail-Followup-To and Mail-Reply-To - DJB's take on Reply-to:
  • Re: Mail-Followup-To: - and a counter view from Keith Moore
  • Content-Length is brain-damaged
  • Links
  • Electronic Mail Resources - Duke University, Office of Information Technology
  • Internet Mailing List Providers - Brian Edmonds
  • HTTP Mail User Agent inventory - CRU
  • [BACK]
    Andrew McNamara (andrewm@connect.com.au)