Native SRS is a nice thing to have, especially if you are forwarding to Gmail.
A shame that DKIM wasn’t built in too, but there’s a filter/plug-in architecture and you can add a third party filter to do DKIM for you.
Sometimes a commitment to supporting a plug-in architecture can be a little overzealous. Yes, it’s a nice general purpose puzzle to solve if you are the engineer writing the code. When DKIM is such a critical part of email in 2022, I wouldn’t mind if it were treated as a special case and supported by default.
Interesting that the problem was introduced in a major architecture change to external MDAs, invoked with system(), and was specific to mbox format that requires elevated privilege.
They actually had a few really bad code execution bugs in a tight space of time a few years ago when someone was auditing it. It's a good idea to subscribe to announce@openbsd.org if you run this daemon to get notified of issues.
I was running it out of ports on FreeBSD at that time, and wound up patching from source because i didn't want to wait for the ports tree to update.
I still see attempts to exploit these bugs in my logs. Even though
they've been patched for years.
That said, it's good that these were exposed and fixed, as opposed to not found. It's a relatively new daemon compared to other mail servers and it was still ironing things out.
The problem I find with this line of reasoning is at the end of the evaluation I've disconnected from all networks and powered down the devices after uninstalling all of the operating systems.
As with most things, it depends on your use case. Except for some very high-volume or ancient features, it has pretty much everything.
However, unlike Postfix, you can actually configure OpenSMTPD yourself without breaking it. Postfix suffers heavily from a Byzantium configuration that everyone is copy-pasting because understanding how to create a configuration from scratch requires man-months of reading their docs.
The biggest downside to OpenSMTPD is the portable version is weakly supported, so it's only useful if you are running it on OpenBSD, which is a shame, really, because it's probably what most people would prefer if they could run it on their preferred OS.
We run Postfix at a large, high-volume scale and I can confirm OpenSMTPD does not have the feature/configuration set to work as a replacement. Postfix is great in this regard because it has near endless configurability, but it comes at the cost of complexity.
I remember when postfix was the "easier" MTA software meant to replace Sendmail and all of its m4 macros for rules. Getting Sendmail to do anything other than be a completely open relay was not easy.
I'm a very happy user of Maddy (https://maddy.email/). It's a single executable that contains everything you need for a send-and-receive email server, including all modern anti-spam features. In my experience, the configuration is simpler than Postfix, Exim and OpenSMTPD, and falls back to sane defaults.
Another nice feature is what I would call its architecture: it does not try to be a service manager (instead, you are supposed to spawn it from your own favorite service manager, be that systemd, docker, or anything else, and you can hence really lock it down), hence it does not require root to run and does not rely on using system accounts by default.
I've only used it for very basic setups, but for those I can highly recommend it.
I haven't done a detailed comparison, but going how the OpenBSD guys go with other re-implementations (e.g. LibreSSL vs OpenSSL), I'm going to guess that it will have a reduced feature-set and capabilities.
I've nothing against the OpenBSD guys, but sometimes its a case of "right tool for the job". OpenBSD is great for firewalls and routers. Of course OpenSSH is without competitor, its just awesome.
But (some of) the rest of the OpenBSD toolset I'm not too sure ... for example Chrony is lightyears ahead of OpenNTPD etc.
Postfix is an excellent MTA. Written from a security-first mentality. Its widely deployed, and hence battle tested. As a result of its wide deployment its pretty much a case of "everyone knows how it works", the Postfix mailing list is excellent in terms of getting support.
TL;DR personally I see no reason to replace Postfix with anything, be it OpenSMTPD or anything else.
I use OpenNTPD on my router. Apparently time on local network is "exact" (off by some 50 ms) which is good enough for me. I don't need my clocks to be light years ahead indeed.
A shame that DKIM wasn’t built in too, but there’s a filter/plug-in architecture and you can add a third party filter to do DKIM for you.
Sometimes a commitment to supporting a plug-in architecture can be a little overzealous. Yes, it’s a nice general purpose puzzle to solve if you are the engineer writing the code. When DKIM is such a critical part of email in 2022, I wouldn’t mind if it were treated as a special case and supported by default.