qmail

from Wikipedia, the free encyclopedia
Basic data

Developer: Dan Bernstein
Current version: 1.0.3 (June 15, 1998)
Operating system: various Unix derivatives
Programming language: C
Category: Mail Transfer Agent
License: public domain
German-language version: no
Website: cr.yp.to/qmail.html

qmail is a mail server for Unix systems. It was developed by Dan Bernstein.

Security

The main reason for developing qmail was the author's dissatisfaction with the existing solutions. In particular, the well-known mail server Sendmail repeatedly attracted attention because of security vulnerabilities. qmail was therefore designed to be as immune as possible to security-critical vulnerabilities. In March 1997, Bernstein offered a reward of $500 for finding a vulnerability, and after the 10th anniversary of qmail's existence this reward was doubled (see p. 2 in the PDF). The reward has not yet been paid out, although Wietse Venema claims to have found a vulnerability, which Daniel Bernstein has categorically denied so far. In 2005, Georgi Guninski found an exploitable integer overflow, but Bernstein refused to pay out, arguing that the vulnerability was only theoretical and could not be exploited in practice. Bernstein rejected the patch that would have solved the problem, and no new version was published. In 2020, Qualys published a working exploit that was able, among other things, to actively exploit the same integer overflow in the standard configuration. Bernstein continues to refuse to acknowledge this vulnerability.

qmail has a modular structure: each task of a mail server is performed by a separate program. This is in contrast to most other MTAs, which are mostly monolithic. The modular approach produces smaller programs that are easier to maintain and less prone to bugs in the code.

In addition to a mail transfer agent, the modules also provide a server for the Post Office Protocol. The ezmlm program, also written by qmail author Bernstein, can be used to manage mailing lists.

Innovations

  • Maildir is an e-mail storage concept that was introduced with qmail.
  • XVERP is an extension for ESMTP that reveals the sources of bounce messages and goes back to qmail.
  • Delivered-To is an additional e-mail header line that prevents unnecessary deliveries and goes back to qmail.
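
How a Delivered-To line stops a forwarding loop, shown as an added example (not qmail's own code and not part of the original article). It assumes a delivery agent that stamps each message with the recipient's address and refuses a message that already carries that stamp; the addresses, the forwarding table and the `deliver`/`route` functions are constructed for illustration.

```python
# Added illustration of Delivered-To loop detection; not qmail source code.
from email import message_from_string

# Constructed forwarding table: two mailboxes that forward to each other.
FORWARDS = {
    "alice@example.org": "bob@example.org",
    "bob@example.org": "alice@example.org",
}

# Constructed sample message.
SAMPLE = (
    "From: sender@example.net\n"
    "To: alice@example.org\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)


class MailLoop(Exception):
    """Raised when a message already carries this recipient's Delivered-To line."""


def deliver(raw: str, recipient: str) -> str:
    """Stamp the message for `recipient`, refusing it if already stamped."""
    msg = message_from_string(raw)
    # Simplification (assumption): addresses are compared case-insensitively.
    seen = [v.strip().lower() for v in msg.get_all("Delivered-To", [])]
    if recipient.lower() in seen:
        raise MailLoop(f"message already delivered to {recipient}")
    # Prepend the trace line so later hops can see where the mail has been.
    return f"Delivered-To: {recipient}\n{raw}"


def route(raw: str, recipient: str, max_hops: int = 20):
    """Follow forwards until final delivery or a detected loop.

    Returns (outcome, hops); hops lists each address that stamped the mail.
    """
    hops = []
    for _ in range(max_hops):
        try:
            raw = deliver(raw, recipient)
        except MailLoop:
            return "bounced: loop", hops
        hops.append(recipient)
        if recipient not in FORWARDS:
            return "delivered", hops
        recipient = FORWARDS[recipient]
    return "bounced: too many hops", hops
```

Without the header check, the two mutually forwarding mailboxes would pass the message back and forth until the hop limit; with it, the loop ends on the second visit to the first mailbox.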

Criticisms

The software is a recurring subject of debate. Its advocates cite the simple structure and robust design. Its opponents criticize, among other things, the lack of the anti-spam and anti-virus features found in modern mail servers. The last official version of qmail is from 1998, when spam was not yet widespread.

Bernstein's unusual approach to placing qmail files in the file system, together with the restrictions he imposed on the redistribution of preconfigured qmail packages (for example in Linux distributions), also drew objections from many. The source code of qmail was available for download from Dan Bernstein's web server, but, unlike other comparable software, it was not explicitly placed under a free software license, so copyright law prevented it from being modified and passed on to third parties. Distributing modifications and extensions as source code patches was tolerated, which allowed numerous features implemented by third parties, such as spam or virus protection, SMTP-After-POP or SMTP-Auth, to be retrofitted. However, maintaining such a qmail installation was more complex than, for example, using ready-made binary packages within a Linux distribution, as is possible for most other freely available mail servers. Bernstein's restrictive practice of allowing the distribution of qmail binary packages only if they corresponded exactly to his original source code, along with the fact that his standard file layout for qmail contradicts the Filesystem Hierarchy Standard for Linux, meant that most Linux distributions did not offer qmail binary packages.

Since the end of 2007, however, qmail has been in the public domain, which in principle resolves this problem. A number of qmail users have released netqmail, a package that contains a number of important bug fixes but otherwise integrates only a few changes relative to Bernstein's last version. As before, important additional features such as SMTP-Auth, TLS and virus protection must be added by third parties using additional source code patches, which puts qmail at a disadvantage compared to other modern mail servers such as Postfix. Debian introduced qmail binary packages with the move from Squeeze to Wheezy.

References

  1. Some thoughts on security after ten years of qmail 1.0 (PDF; 161 kB).
  2. Wietse Venema's slander.
  3. "[oss-security] Remote Code Execution in qmail (CVE-2005-1513)" - MARC. In: marc.info. Retrieved May 21, 2020.
  4. D. J. Bernstein: Building a POP toaster.
  5. Postfix VERP Howto. Wietse Venema. Retrieved July 27, 2011.
  6. Postfix manual - local(8). Wietse Venema. Retrieved July 27, 2011.
  7. Qmail is public domain. In: Heise online. December 3, 2007.
  8. See http://qmail.org/netqmail/
  9. Software packages in "squeeze", Subsection mail. Software in the Public Interest, Inc.
  10. Software packages in "wheezy", Subsection mail. Software in the Public Interest, Inc.