1995: Exim: The Most Popular Mail Server You've Never Heard Of

By The EmailCloud Team | 1995 Technology

If you ask most people in technology to name an email server, they might say Gmail, Outlook, or maybe sendmail if they have some Unix background. Almost nobody outside of systems administration circles would name Exim. Yet in most server-count surveys, Exim is either the most widely deployed mail transfer agent on the internet or a close second to Postfix. It is the invisible engine behind millions of websites, the default MTA on the world’s most popular hosting control panel, and a program that a great deal of small business email has passed through at some point in its journey.

Exim is, quite possibly, the most important piece of software that most people have never heard of.

Cambridge Origins

Philip Hazel created Exim in 1995 at the University of Cambridge, where he worked in the university’s computing service. The name stood for “EXperimental Internet Mailer” — the kind of modest, self-deprecating label that British academics tend to give projects they fully intend to make permanent.

Hazel’s motivation was practical. Cambridge needed a mail server that could handle the university’s complex mail routing requirements while remaining flexible enough to accommodate the diverse needs of academic departments, colleges, and research groups. Sendmail could theoretically handle these requirements, but its configuration system made changes painful. Hazel wanted something with similar power but a configuration language that humans could actually work with.

What grew out of this is the configuration language Exim is known for today. Its centerpiece, introduced with Exim 4 in 2002, is the Access Control List (ACL) system: a policy language that runs at each stage of the SMTP conversation. ACLs let administrators state, in a relatively readable syntax, which connections to accept, which senders to allow, which recipients to accept, and what content checks to apply; routers and transports, described below, then decide where an accepted message goes and how it gets there. The language was more complex than Postfix’s parameter-based configuration but dramatically more readable than sendmail.cf, and far more powerful than either in terms of what could be expressed.

The Configuration Philosophy

Where Postfix optimized for simplicity and qmail optimized for security, Exim optimized for flexibility. Its configuration system was designed to let administrators express arbitrary policies without resorting to external scripts or custom code.

Consider a scenario where you want to accept email for local users, reject email from known spammers, rate-limit connections from suspicious networks, and forward email for certain domains to an external server. In Postfix, this might require combining main.cf parameters with external lookup tables and possibly a policy daemon. In Exim, it could all be expressed in a single, readable configuration file using ACLs, routers, and transports.

Exim’s configuration was organized around three core concepts. Routers determined where a message should go. Transports determined how it got there. ACLs determined what was allowed at each stage of the SMTP conversation. This three-layer model gave administrators extraordinary control over mail flow.
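The scenario above (accept mail for local users, reject known spammers, rate-limit suspicious networks, forward certain domains to an external relay), written out as an added example in Exim 4 configuration syntax. This is not configuration from the page or from the Exim project’s own distributed examples; every domain, host range and address is a constructed placeholder drawn from the documentation ranges, and the option names follow the Exim 4 specification.

```exim
# Added example, not the page's or the Exim project's own configuration.
# Exim 4 syntax. All names, networks and addresses are constructed
# placeholders (RFC 2606 / RFC 5737 documentation ranges).

# ---- main section ----
primary_hostname = mail.example.org

domainlist local_domains    = @ : example.org
domainlist relay_to_domains = partner.example.net
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : 192.0.2.0/24
hostlist   suspicious_nets  = 198.51.100.0/24 : 203.0.113.0/24

acl_smtp_connect = acl_check_connect
acl_smtp_rcpt    = acl_check_rcpt
never_users      = root

# ---- ACLs: what is allowed at each stage of the SMTP session ----
begin acl

acl_check_connect:
  # At most 5 new connections per minute per client IP from networks we
  # distrust; "strict" keeps counting while the client is over the limit.
  defer  message   = Connection rate limit exceeded, try again later
         hosts     = +suspicious_nets
         ratelimit = 5 / 1m / per_conn / strict
  accept

acl_check_rcpt:
  # Locally submitted mail (no sender host) is always accepted.
  accept  hosts = :

  # Local parts that could reach a shell or the file system if they
  # ever ended up in a pipe command or file name are refused.
  deny    message     = restricted characters in address
          domains     = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  # Known spam senders (an lsearch file is the usual choice; an inline
  # list keeps this example self-contained).
  deny    message = sender rejected by local policy
          senders = *@spam.example : bulkmailer@example.com

  # Our own domains: accept only recipients that really exist.
  # endpass turns a failed verify into a rejection rather than a skip.
  accept  domains = +local_domains
          endpass
          verify  = recipient

  # Partner domains we forward: same existence check.
  accept  domains = +relay_to_domains
          endpass
          verify  = recipient

  # Trusted hosts may relay anywhere; anyone else is an open-relay
  # attempt and is refused.
  accept  hosts = +relay_from_hosts
  deny    message = relay not permitted

# ---- routers: where a message goes (first match wins, top to bottom) ----
begin routers

partner_forward:
  # Partner domains go to their external relay instead of an MX lookup.
  driver     = manualroute
  domains    = +relay_to_domains
  transport  = remote_smtp
  route_list = * relay.partner.example.net
  no_more

dnslookup:
  # Everything that is not ours goes out via MX.
  driver     = dnslookup
  domains    = ! +local_domains
  transport  = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

localuser:
  # check_local_user verifies the login exists and (Exim 4.94+) sets
  # $local_part_data to the untainted user name.
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

# ---- transports: how a message gets there ----
begin transports

remote_smtp:
  driver = smtp

local_delivery:
  driver = appendfile
  # $local_part_data, not $local_part: since 4.94 Exim refuses tainted
  # (attacker-supplied) data in file names.
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
```

Syntax-check the file with `exim -bV -C /path/to/this.conf` before installing it, and walk a fake SMTP session through the ACLs with `exim -bh 198.51.100.7` to watch each deny and accept fire without touching the network. The ordering in acl_check_rcpt is the security-relevant part: the relay decision is made last, after the local-domain and partner-domain accepts, so a host that is not in relay_from_hosts can never get a foreign recipient past the final deny.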

The trade-off was that Exim’s configuration file, while more readable than sendmail.cf, was still substantial. A production Exim configuration could easily run to several hundred lines. But unlike sendmail’s cryptic macros, each line was reasonably self-explanatory, and the Exim documentation — written by Hazel himself — was exceptionally thorough and well-organized.

The Debian Default

Exim’s first major break came when Debian Linux chose it as the default MTA. Mark Baker, a Debian developer, championed Exim’s inclusion, and starting with Debian 2.0 in 1998, Exim replaced smail as the distribution’s standard mail server. This was a consequential decision because Debian’s default packages propagate to numerous derivative distributions, and because Debian was the foundation of choice for many server deployments.

Being the Debian default meant that every Debian server installation included Exim unless the administrator explicitly chose something else. Given that many administrators never change defaults — especially for components they don’t directly interact with — this guaranteed Exim an enormous installed base. Every Debian-based web server, database server, and application server that needed to send system emails (cron job notifications, error alerts, log summaries) used Exim by default.

Ubuntu, Debian’s most popular derivative, chose Postfix as its default instead, which created an interesting split in the Linux world. Debian-oriented environments ran Exim; Ubuntu-oriented environments ran Postfix. Both camps defended their choice with the passion that open-source communities reserve for matters of deep technical consequence and mild personal preference.

The cPanel Effect

If Debian made Exim significant, cPanel made it dominant.

cPanel is the most widely used web hosting control panel in the world. It provides the graphical interface through which millions of shared hosting customers manage their websites, databases, and — crucially — their email. And cPanel uses Exim as its mail transfer agent.

This bundling decision, made in the early 2000s when cPanel was standardizing its technology stack, had enormous consequences. The shared hosting industry is vast. Companies like GoDaddy, HostGator, Bluehost, and thousands of smaller providers run cPanel on millions of servers, each serving dozens or hundreds of hosting accounts. Every one of those servers runs Exim.

The numbers are striking. Across MTA surveys over the years, Exim consistently shows up as either the first or second most deployed MTA on the internet, trading positions with Postfix depending on the survey methodology. A large portion of that installed base comes from cPanel deployments: servers where the hosting company chose cPanel and Exim came along for the ride, and the end users (small business owners, bloggers, freelancers) have no idea that Exim even exists.

This is the paradox of Exim’s popularity: it has the largest or second-largest market share of any MTA, yet most of its users don’t know they’re using it. The small business owner who sends email from info@theirbusiness.com through their web hosting probably doesn’t know (or care) that Exim is processing those messages. They interact with webmail or an email client, and Exim works silently behind the scenes.

The Security Challenges

Exim’s flexibility and large codebase have made it a recurring target for security researchers and attackers. Unlike qmail’s minimalist attack surface or Postfix’s carefully segmented architecture, Exim’s comprehensive feature set means there’s more code to audit and more potential for vulnerabilities.

The most serious incident came in June 2019 with CVE-2019-10149, dubbed “Return of the WIZard” by the Qualys researchers who discovered it. This was a critical remote code execution vulnerability in Exim versions 4.87 through 4.91. A recipient address whose local part contained an Exim string expansion, such as ${run{...}}, was expanded during delivery, so an attacker could run arbitrary commands as root simply by sending a message. A local attacker could exploit it instantly. Remote exploitation of a default configuration required keeping an SMTP connection open for days, but several common non-default configurations were exploitable remotely at once, and millions of servers were affected.

The name “Return of the WIZard” was a reference to the ancient sendmail WIZ command that had enabled remote command execution in the 1980s. The parallel was intentional — and painful. Decades of progress in mail server security, and here was a vulnerability that allowed essentially the same attack.

The response was swift. Exim 4.92, already released in February 2019 before the CVE was public, happened not to be vulnerable, and distributions backported the fix rapidly. Exploitation in the wild nonetheless began within days of disclosure, and in May 2020 the NSA warned that the GRU’s Sandworm team had been exploiting the bug since at least August 2019. The incident highlighted the risks of running complex software on internet-facing servers, particularly on shared hosting platforms where patching might be delayed by hosting company bureaucracy.

Other significant vulnerabilities followed. In May 2021, Qualys disclosed a set of 21 vulnerabilities collectively dubbed “21Nails”, 10 of them remotely exploitable and 11 local, including several that allowed remote code execution or privilege escalation to root; they were fixed in Exim 4.94.2. These findings reinforced concerns about Exim’s security posture and led to renewed calls for security auditing of the codebase.

The Invisible Infrastructure

Despite the security concerns, Exim’s position in the email ecosystem remains strong. Its integration with cPanel creates a self-reinforcing cycle: cPanel is the standard for shared hosting, Exim is the standard for cPanel, and changing either would require an industry-wide migration that nobody has sufficient incentive to initiate.

This is a pattern we see throughout internet infrastructure. The technologies that become truly dominant aren’t always the ones that win on technical merit alone. They’re the ones that get bundled, defaulted, and integrated into larger systems that make them effectively mandatory. Exim didn’t conquer the email world by being the most secure or the easiest to configure. It conquered by being the MTA that came with the control panel that came with the hosting that came with the website. Each layer of bundling added millions of installations.

The email infrastructure community built extensive tooling around Exim’s capabilities — from SpamAssassin integration recipes to sophisticated content scanning configurations. Services that provided cloud-based email filtering often worked most seamlessly with Exim-based hosting environments, since that’s where the majority of their customers ran.

Hazel’s Retirement and the Future

Philip Hazel retired from the University of Cambridge in 2007 but continued maintaining Exim for years afterward, eventually stepping back from active development. The project transitioned to community maintenance, with a group of developers continuing to maintain and update the codebase.

This transition highlighted a tension common in open-source infrastructure projects: the software was critical to millions of servers, but its long-term maintenance depended on volunteer effort. Unlike Postfix, which benefits from Wietse Venema’s sustained involvement, or sendmail, which had a commercial company behind it, Exim’s development relied on a relatively small group of community maintainers stewarding a large and complex codebase.

The Exim community has continued to deliver updates, security patches, and new features. Modern Exim versions support TLS, DKIM signing and verification, SPF and DMARC checking, and other contemporary email security requirements. But the pace of development is modest compared to Postfix, and some in the email community have questioned whether Exim’s complexity is sustainable in the long term without significant investment in security auditing.

The Unsung Workhorse

Exim’s story is not one of glamorous innovation or dramatic rivalry (though it has certainly been part of both). It’s the story of a well-engineered piece of software that found its way into a dominant position through institutional adoption and bundling, then stayed there through inertia and adequate performance.

That may not sound exciting, but it’s how most of the internet actually works. The infrastructure that keeps global communication running isn’t usually the newest or the most elegant technology. It’s the technology that got deployed, kept working, and became too entangled with everything else to replace. Exim is that technology for a huge portion of the internet’s email, and it will likely remain so for years to come.

Whether its security architecture is adequate for that role is a question the industry continues to grapple with. For our comparison of how Exim stacks up against its competitors on security, features, and usability, see our overview of The Great MTA Wars.


Frequently Asked Questions

What is Exim?

Exim (EXperimental Internet Mailer) is an open-source mail transfer agent created by Philip Hazel at the University of Cambridge in 1995. It is the default MTA on Debian and is bundled with cPanel, making it one of the two most widely deployed MTAs on the internet by server count.

Why is Exim so popular?

Exim's dominance comes primarily from being the default MTA in cPanel, the most widely used web hosting control panel. Since cPanel powers millions of shared hosting accounts worldwide, Exim is installed on an enormous number of servers — often without the server owner even knowing it.

Is Exim secure?

Exim has had several significant security vulnerabilities over the years, including the critical CVE-2019-10149 ('Return of the WIZard') that allowed remote code execution. Its large codebase and complex ACL system create a broader attack surface than more minimalist MTAs like qmail. Regular updates and proper configuration are essential.
