Most CMSs (Joomla for example) come with php mail() as default and have the option of changing it to SMTP if we want. I will be setting up both the webserver and mail server (Postfix) in the same VPS on Debian 7. What I am trying to understand is:
Delivery Reputation: Would using php mail() vs SMTP make any difference with the delivery rate? From what I understand, Postfix is going to be using the SMTP protocol when communicating with other servers on the internet when delivering emails, so therefore is it safe to assume that it doesn't matter if the email was sent to postfix via php mail or SMTP from localhost? Does either of these 2 methods affect the email reputation in any way, even in a small way?
Performance Load: Is there any performance difference between php mail and SMTP when sending emails? Say, if I am sending something like 10,000 emails, which method would take the most resources (or time)? My assumption is that both can take a bit of time, like php mail for compiling the emails with headers, etc., and SMTP for making connections each time. Which one consumes the most server resources?
Security Issue: When I searched for the difference between the two, many sites talk about the security issue with php mail, since a hacker can upload a php script to send out spam. But I can also see another security issue with SMTP as well, since the SMTP username and password are stored in a configuration file in plain text, which is not secure either. Since there are security issues for both methods, does one weigh better than the other in any aspect?
Preference: If I am able to set up both php mail and SMTP on my server, should I give preference to one over the other for any reason? I mean, if I can use SMTP on my server, should I then try to use SMTP instead of php mail due to the various reasons covered in the above points?
Background: My machine is going to be a simple web server that uses postfix just for sending out emails from Joomla, newsletters and root email from various services.
You're right that it won't matter for others, but it will certainly matter for you, because when submitting over SMTP Postfix may refuse to accept your message for reasons beyond your control. This means you'll have to use your own delivery queues and add other bloat code. In fact you will be doing Postfix's job.
Some may say that mail() may also fail, but it itself works as simply as writing your message to a file. In other words, there isn't much to break.
Bottom line: unless you're absolutely required to use SMTP, use your system's mailer.
In many cases, the spamming scripts are uploaded by an automated process after an automated scanner finds a vulnerability in your webapp. Those spam scripts almost always use the php mail() function and not SMTP. If someone were to hack into your server and grab the SMTP passwords from the config file, then you have lost the castle anyway. But in a lot of automated attacks on outdated CMSs etc., the spamming scripts just use mail(). So I'd suggest that you disable mail() in your postfix and use authenticated SMTP exclusively.
Not related at all. Postfix can receive email via both mail() and SMTP. After processing it, postfix will send via SMTP.
Benchmark it! I don't have any data on this.
Here is the process involved in mail() and SMTP:
With the mail() command, PHP invokes the sendmail command and that program puts your email in a file in the maildrop queue directory. The pickup daemon scans that directory and moves the email to the cleanup daemon.
With SMTP, PHP creates a connection to your postfix server via SMTPd. After finishing the SMTP ritual, SMTPd will check whether the email is allowed or not. If an email is allowed, it will pass it to the cleanup daemon.
Source: official documentation of postfix
As @Tutul said in another answer, you likely expect some spam script to use mail() to send out the spam. Yes, this is one consideration for blocking the mail command in php.
However, one principle holds: once someone has successfully placed the script in your web-and-mail server, he can use the ability of PHP to send email either via mail() or via SMTP.
In php itself, there is no protection to limit how many SMTP connections or mail() calls can be invoked by a spammer. One place to put the defense line is in the MTA (postfix). Unfortunately, you can't throttle incoming mail invoked from the mail() command. However, you can throttle how many sending requests can be made from an SMTP connection. Policyd or postfwd can help postfix throttle it.
Note: The above explanation is about the throttle process when receiving email. Of course you can also throttle it when sending email. For example, you limit 20 emails per minute to @gmail.com to avoid the GMAIL blacklist daemon blocking you. See the docs about Postfix Performance Tuning.
Final note
IMHO, I prefer to send email via SMTP. You can use the MTA as additional protection from a spam outbreak. You may have to handle another mail queue in PHP, as @Sanmain said in another answer, though :)
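As an added example (not taken from any of the answers above), the Postfix configuration below implements the three defences the answers describe on a Debian 7 box: restricting who may invoke the sendmail binary (which is what php mail() calls), rate-limiting submissions over SMTP, and pacing deliveries to one destination domain. The transport name `gmail`, the user list and all numeric limits are assumptions to adapt to your setup.

```ini
# /etc/postfix/main.cf  (added example; values are assumptions)

# 1. Block php mail() submission at the MTA. Only the listed local users
#    may run /usr/sbin/sendmail; the web server user (www-data) is
#    deliberately left out, so a spam script calling mail() is refused.
#    The Postfix default is "static:anyone".
authorized_submit_users = root, postfix

# 2. Throttle SMTP submission from the web application. The anvil daemon
#    counts connections and MAIL FROM commands per client IP and time unit.
anvil_rate_time_unit = 60s
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 100
# By default clients in $mynetworks (127.0.0.1 included) are exempt from
# these limits; clear the exemption so localhost submissions count too.
smtpd_client_event_limit_exceptions =

# 3. Pace outbound delivery to one provider (the "20 per minute to gmail"
#    case): route gmail.com through its own transport and wait 3 seconds
#    between deliveries to the same destination, i.e. at most 20 per minute.
transport_maps = hash:/etc/postfix/transport
gmail_destination_rate_delay = 3s
# Everything else keeps the default of no delay between deliveries.
default_destination_rate_delay = 0s

# /etc/postfix/transport  (run "postmap /etc/postfix/transport" after editing)
#   gmail.com        gmail:
#   googlemail.com   gmail:

# /etc/postfix/master.cf: define the "gmail" transport as a copy of smtp
#   gmail     unix  -       -       n       -       -       smtp
```

Apply with `postfix reload` and check the result with `postconf -n`; any local daemon that still has to submit mail through the sendmail binary under its own uid must be added to authorized_submit_users.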