Postfix vs Sendmail vs OpenSMTPD on FreeBSD

FreeBSD has a long history with email. Sendmail shipped with BSD since the early days. Postfix became the de facto standard for production mail. OpenSMTPD brought BSD minimalism to the MTA world. All three run well on FreeBSD, but they serve different needs and different skill levels.

This guide provides an in-depth comparison of these three MTAs on FreeBSD, covering configuration, security, performance, feature set, and operational complexity. By the end, you will know which one to deploy.

For the broader email stack (IMAP, webmail, anti-spam), see our Best Email Server Software for FreeBSD guide.

TL;DR -- Quick Verdict

Postfix: The production standard. Choose it for high-volume mail, complex routing, virtual domains, milter integrations (DKIM, DMARC, anti-spam), and maximum documentation. If in doubt, use Postfix.

OpenSMTPD: The minimalist choice. Choose it for simple mail setups, personal servers, small organizations, and when you value readable configuration over feature count. Excellent security, limited ecosystem.

Sendmail: The legacy option. Already in the base system. Choose it only if you have existing Sendmail infrastructure and deep M4/cf knowledge. Not recommended for new deployments.

Comparison Table

|---|---|---|---|

| Language | C | C | C |

| Lines for basic config | ~30 | ~15 | ~50+ (plus M4 boilerplate) |

| CVE count (2015-2025) | ~3 | ~5 | ~10 |

| LMTP delivery | Yes | Yes | Yes |

| Performance (msgs/sec) | 1000+ | 200-500 | 200-500 |

| Active development | Yes | Yes | Minimal maintenance |

Installation on FreeBSD

Postfix

sh
# Install Postfix
pkg install postfix

# Disable Sendmail (required)
sysrc sendmail_enable="NONE"
sysrc sendmail_submit_enable="NO"
sysrc sendmail_outbound_enable="NO"
sysrc sendmail_msp_queue_enable="NO"

# Enable Postfix
sysrc postfix_enable="YES"

# Install Postfix mailer.conf entries
# This makes 'mail', 'sendmail', and 'mailq' commands use Postfix
cp /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

# Stop Sendmail and start Postfix
service sendmail onestop
service postfix start

OpenSMTPD

sh
# Install OpenSMTPD
pkg install opensmtpd

# Disable Sendmail
sysrc sendmail_enable="NONE"
sysrc sendmail_submit_enable="NO"
sysrc sendmail_outbound_enable="NO"
sysrc sendmail_msp_queue_enable="NO"

# Enable OpenSMTPD
sysrc smtpd_enable="YES"

# Stop Sendmail and start OpenSMTPD
service sendmail onestop
service smtpd start

Sendmail

Sendmail is already in the base system. No installation needed.

sh
# Sendmail is enabled by default
# Verify in /etc/rc.conf
sysrc sendmail_enable="YES"

# Regenerate configuration from .mc files
cd /etc/mail
make
make install restart

Configuration Comparison

The most striking difference between these three MTAs is configuration style. Here is the same basic setup -- accept mail for example.com, deliver locally, relay outbound with TLS -- in all three.

Postfix Configuration

File: /usr/local/etc/postfix/main.cf

sh
# Basic identity
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
inet_interfaces = all
inet_protocols = all

# Mailbox delivery
home_mailbox = Maildir/

# TLS for incoming connections
smtpd_tls_cert_file = /usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# TLS for outgoing connections
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

# Restrictions
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Size limits
message_size_limit = 52428800
mailbox_size_limit = 0

File: /usr/local/etc/postfix/master.cf (add submission port):

sh
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

OpenSMTPD Configuration

File: /usr/local/etc/mail/smtpd.conf

sh
# TLS certificates
pki mail.example.com cert "/usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem"
pki mail.example.com key "/usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem"

# Tables
table aliases file:/etc/mail/aliases
table credentials passwd:/usr/local/etc/mail/credentials

# Listeners
listen on all tls pki mail.example.com
listen on all port 587 tls-require pki mail.example.com auth <credentials>

# Actions
action "local_mail" maildir alias <aliases>
action "outbound" relay

# Rules
match from any for domain "example.com" action "local_mail"
match for local action "local_mail"
match from local for any action "outbound"
match auth from any for any action "outbound"

That is the entire configuration. Fifteen lines for a fully functional mail server with TLS, authentication, local delivery, and outbound relay.

Sendmail Configuration

File: /etc/mail/freebsd.mc (M4 macro source):

sh
divert(-1)
include(`/usr/share/sendmail/cf/m4/cf.m4')
VERSIONID(`FreeBSD custom config')
OSTYPE(freebsd6)

FEATURE(access_db, `hash -T<TMPF> /etc/mail/access')
FEATURE(`blacklist_recipients')
FEATURE(`local_lmtp')
FEATURE(`mailertable', `hash /etc/mail/mailertable')
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')

define(`SMART_HOST', `')
define(`confBIND_OPTS', `-DNSRCH -DEFNAMES')
define(`confDOMAIN_NAME', `mail.example.com')

define(`CERT_DIR', `/usr/local/etc/letsencrypt/live/mail.example.com')
define(`confSERVER_CERT', `CERT_DIR/fullchain.pem')
define(`confSERVER_KEY', `CERT_DIR/privkey.pem')
define(`confCLIENT_CERT', `CERT_DIR/fullchain.pem')
define(`confCLIENT_KEY', `CERT_DIR/privkey.pem')

define(`confAUTH_OPTIONS', `A p y')
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')

DAEMON_OPTIONS(`Port=smtp, Name=MTA')
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')

MAILER(local)
MAILER(smtp)

sh
# Generate sendmail.cf from .mc file
cd /etc/mail
make
make install restart

The M4 macro system is powerful but opaque. Debugging Sendmail configuration requires deep knowledge of both M4 and Sendmail internals.

Security Comparison

Postfix Security Architecture

Postfix uses privilege separation extensively. The master process spawns worker processes (smtpd, smtp, local, etc.) that run as unprivileged users in chroot environments. No single vulnerability compromises the entire system.

Processes: master (root), workers (postfix user, chrooted)
Network-facing code runs as unprivileged user
Queue files have restrictive permissions
Memory-safe coding practices
Minimal CVE history

OpenSMTPD Security Architecture

OpenSMTPD follows the OpenBSD security philosophy: privilege separation, pledge(), and unveil() (on OpenBSD; reduced on FreeBSD). The design prioritizes security over features.

Separate processes for different functions (smtp, mta, mda, control)
Each process runs with minimal privileges
Small codebase (~20K lines vs Postfix's ~100K)
Fewer features means fewer attack vectors

Sendmail Security History

Sendmail has a well-documented history of security vulnerabilities, particularly in its early versions. Modern Sendmail (8.17+) has addressed many historical issues, but its monolithic architecture provides less isolation than Postfix or OpenSMTPD.

Monolithic daemon (single process handles everything)
Historical buffer overflows, race conditions
Root-level execution for parts of the mail pipeline
Complexity of configuration creates misconfiguration risks

Performance

Performance depends on hardware, configuration, and workload, but general benchmarks on FreeBSD (4-core, 8 GB RAM):

|---|---|---|---|

| Messages/second (local delivery) | 800-1200 | 200-400 | 200-400 |

| Messages/second (relay) | 500-800 | 150-300 | 150-300 |

| Memory per 10K queue messages | ~200 MB | ~100 MB | ~300 MB |

Postfix is significantly faster than both OpenSMTPD and Sendmail for high-volume mail. The difference matters at scale (>10K messages/day). For small servers (<1K messages/day), all three perform adequately.

Virtual Domain Hosting

Supporting multiple domains is a common requirement. Here is how each MTA handles it.

Postfix Virtual Domains

sh
# main.cf
virtual_mailbox_domains = hash:/usr/local/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual_alias
virtual_transport = lmtp:unix:private/dovecot-lmtp

# /usr/local/etc/postfix/virtual_domains
example.com     OK
example.org     OK

# /usr/local/etc/postfix/virtual_mailbox
user@example.com    example.com/user/
admin@example.org   example.org/admin/

# /usr/local/etc/postfix/virtual_alias
info@example.com    user@example.com
postmaster@example.org  admin@example.org

sh
# Rebuild hash maps
postmap /usr/local/etc/postfix/virtual_domains
postmap /usr/local/etc/postfix/virtual_mailbox
postmap /usr/local/etc/postfix/virtual_alias
postfix reload

OpenSMTPD Virtual Domains

sh
# smtpd.conf
table vdomains file:/usr/local/etc/mail/vdomains
table vusers file:/usr/local/etc/mail/vusers
table valias file:/usr/local/etc/mail/valias

action "virtual_delivery" lmtp "/var/dovecot/lmtp" virtual <vusers>
action "outbound" relay

match from any for domain <vdomains> action "virtual_delivery"

Sendmail Virtual Domains

sh
# Add to .mc file
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')

# /etc/mail/virtusertable
user@example.com    localuser
admin@example.org   localadmin
@example.com        catchall

# Rebuild
cd /etc/mail && make maps

Postfix offers the most flexible virtual domain handling with support for hash tables, MySQL, PostgreSQL, LDAP, and other backends. OpenSMTPD is clean but limited to file and SQLite tables. Sendmail works but the configuration is error-prone.

DKIM, DMARC, and SPF

Modern email requires authentication. Here is how to integrate DKIM signing with each MTA.

Postfix + Rspamd (Recommended)

sh
# Install Rspamd
pkg install rspamd

# main.cf -- add milter configuration
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_default_action = accept

Rspamd handles DKIM signing, DMARC verification, SPF checking, and spam filtering -- all through a single milter connection.

OpenSMTPD + filter-rspamd

sh
# Install filter-rspamd
pkg install opensmtpd-filter-rspamd

# smtpd.conf
filter "rspamd" proc-exec "filter-rspamd"

listen on all tls pki mail.example.com filter "rspamd"

Sendmail + OpenDKIM

sh
# Install OpenDKIM
pkg install opendkim

# Add to .mc file
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

# Rebuild and restart
cd /etc/mail && make install restart

Queue Management

When things go wrong (remote server down, DNS issues), mail queues up. Managing the queue matters.

sh
# Postfix queue management
postqueue -p              # Show queue
postsuper -d ALL          # Delete all queued messages
postsuper -d MSGID        # Delete specific message
postsuper -r ALL          # Requeue all messages
postqueue -f              # Flush queue (retry now)

# OpenSMTPD queue management
smtpctl show queue        # Show queue
smtpctl remove MSGID      # Remove a message
smtpctl schedule all      # Retry all messages
smtpctl pause mta         # Pause outbound delivery
smtpctl resume mta        # Resume outbound delivery

# Sendmail queue management
mailq                     # Show queue
sendmail -bp              # Same as mailq
sendmail -q               # Process queue now
rm /var/spool/mqueue/qf*  # Nuclear option (don't do this)

Postfix and OpenSMTPD both provide clean queue management tools. Sendmail's queue management is primitive by comparison.

Migration Paths

From Sendmail to Postfix

Install Postfix alongside Sendmail.
Copy Sendmail aliases to Postfix format (usually compatible).
Migrate virtual domain tables.
Test with Postfix on a non-standard port.
Switch mailer.conf and disable Sendmail.

From Sendmail to OpenSMTPD

Install OpenSMTPD.
Translate Sendmail rules into OpenSMTPD match/action syntax.
Migrate aliases and virtual tables.
Test on a non-standard port.
Switch over.

From Postfix to OpenSMTPD

Only do this if you are simplifying. You will lose milter ecosystem breadth, lookup table diversity (no MySQL/LDAP), and some advanced features. The gain is configuration simplicity and a smaller codebase.

Which Should You Choose?

Choose Postfix if:

You handle more than a few hundred messages per day.
You need virtual domain hosting for many domains.
You want the broadest milter and integration ecosystem.
You need to integrate with LDAP, MySQL, or PostgreSQL for user lookups.
You are running an email service for customers.
You need maximum documentation and community support.

Choose OpenSMTPD if:

You run a personal or small-organization mail server.
You value readable, minimal configuration.
You prefer a small, auditable codebase.
Your needs are straightforward: send, receive, local delivery, relay.
You are on a FreeBSD or OpenBSD system and want to stay in the BSD ecosystem.

Choose Sendmail if:

You have an existing Sendmail setup that works and see no reason to migrate.
You have deep M4 and Sendmail expertise in your team.
You need something that works without installing packages (base system only).
You are maintaining legacy systems.

For new deployments in 2026, the choice is between Postfix and OpenSMTPD. Sendmail should not be chosen for new installations.

FAQ

Is Sendmail dead?

Not technically dead -- it still receives maintenance updates. But it is in maintenance mode with no significant new features. The community is shrinking, and finding Sendmail expertise is increasingly difficult. For new deployments, it is effectively dead.

Can OpenSMTPD handle high-volume email?

For most definitions of "high volume" (up to a few thousand messages per day), yes. For ISP-scale volumes (hundreds of thousands per day), Postfix is the better choice. OpenSMTPD's single-threaded architecture becomes a bottleneck at very high volumes.

Which MTA is most secure?

OpenSMTPD has the smallest attack surface due to its minimal codebase. Postfix has the strongest privilege separation architecture. Both are excellent choices from a security perspective. Sendmail has the weakest security posture due to its monolithic design and historical vulnerability track record.

How do I migrate from Sendmail to Postfix on FreeBSD?

Install Postfix via pkg, configure it to match your Sendmail setup, test on a non-standard port, then disable Sendmail (sysrc sendmail_enable="NONE") and enable Postfix (sysrc postfix_enable="YES"). Switch the mailer.conf to use Postfix's sendmail-compatible binary. The actual migration is usually a few hours of work.

Does FreeBSD still ship with Sendmail?

Yes, as of FreeBSD 14.x, Sendmail remains in the base system. There have been periodic discussions about removing it, but it persists for compatibility. The FreeBSD project may eventually remove or replace it with a simpler MTA like DragonFly Mail Agent (dma) for local delivery only.

Can I run Postfix and OpenSMTPD together?

Not on the same ports. You could theoretically run one for inbound and one for outbound on different ports, but there is no practical reason to do so. Pick one.