qmail is a

mail transfer agent The mail or post is a system for physically transporting postcards, letters, and parcels. A postal service can be private or public, though many governments place restrictions on private systems. Since the mid-19th century, national postal syst ...

(MTA) that runs on

Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...

. It was written, starting December 1995, by Daniel J. Bernstein as a more

secure Secure may refer to: * Security, being protected against danger or loss(es) **Physical security, security measures that are designed to deny unauthorized access to facilities, equipment, and resources **Information security, defending information ...

replacement for the popular

Sendmail Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet. A descendant of the ...

program. Originally

license-free software License-free software is computer software that is not explicitly in the public domain, but the authors appear to intend free use, modification, distribution and distribution of the modified software, similar to the freedoms defined for free softwa ...

, qmail's

source code In computing, source code, or simply code, is any collection of code, with or without comments, written using a human-readable programming language, usually as plain text. The source code of a program is specially designed to facilitate the wo ...

was later dedicated in the

public domain The public domain (PD) consists of all the creative work A creative work is a manifestation of creative effort including fine artwork (sculpture, paintings, drawing, sketching, performance art), dance, writing (literature), filmmaking, ...

by the author.

Features

Security

When first published, qmail was the first security-aware mail transport agent; since then, other security-aware MTAs have been published. The most popular predecessor to qmail,

, was not designed with security as a goal, and as a result has been a perennial target for attackers. In contrast to sendmail, qmail has a modular architecture composed of mutually untrusting components; for instance, the

SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typical ...

listener component of qmail runs with different credentials from the queue manager or the SMTP sender. qmail was also implemented with a security-aware replacement to the C standard library, and as a result has not been vulnerable to stack and heap overflows,

format string attack Uncontrolled format string is a type of software vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem ...

s, or temporary file

race condition A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of t ...

Performance

When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was originally designed as a way for managing large mailing lists.

Simplicity

At the time of qmail's introduction, Sendmail configuration was notoriously complex, while qmail was simple to configure and deploy.

Innovations

qmail encourages the use of several innovations in mail (some originated by Bernstein, others not): ; Maildir : Bernstein invented the

Maildir The Maildir e-mail format is a common way of storing email messages in which each message is stored in a separate file with a unique name, and each mail folder is a file system directory. The local file system handles file locking as messages are ...

format for qmail, which splits individual email messages into separate files. Unlike the ''de facto'' standard

mbox Mbox is a generic term for a family of related file formats used for holding collections of email messages. It was first implemented in Research Unix, Fifth Edition Unix. All messages in an mbox mailbox are concatenated and stored as plain text ...

format, which stored all messages in a single file, Maildir avoids many locking and concurrency problems, and can safely be provisioned over NFS. qmail also delivers to mbox mailboxes. ; Wildcard mailboxes : qmail introduced the concept of user-controlled wildcards. Out of the box, mail addressed to "user-''wildcard''" on qmail hosts is delivered to separate mailboxes, allowing users to publish multiple mail addresses for mailing lists and spam management. qmail also introduces the

Quick Mail Transport Protocol The Quick Mail Transfer Protocol (QMTP) is an e-mail transmission Communications protocol, protocol that is designed to have better performance than Simple Mail Transfer Protocol (SMTP), the ''de facto'' standard. It was designed and implemented b ...

(QMTP) and

Quick Mail Queuing Protocol Quick Mail Queuing Protocol (QMQP) is a network protocol designed to share e-mail queues between several hosts. It was designed and implemented by Daniel J. Bernstein in qmail qmail is a mail transfer agent (MTA) that runs on Unix. It wa ...

(QMQP) protocols.

Modularity

qmail is nearly a completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the qmail system with a different module as long as the new module retains the same interface as the original.

Controversy

Security reward and Georgi Guninski's vulnerability

In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable

security hole Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...

in the latest version of the software. In 2005, security researcher

Georgi Guninski Georgi may refer to: * Georgi (given name) * Georgi (surname) See also *Georgy (disambiguation) *Georgii (disambiguation) Georgii may refer to: ;Given name * Georgii Zantaraia (born 1987), Ukrainian judoka of Georgian origin * Georgii Karpechenko ...

found an

integer overflow In computer programming, an integer overflow occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of digits – either higher than the maximum or lower ...

in qmail. On 64-bit platforms, in default configurations with sufficient virtual memory, the delivery of huge amounts of data to certain qmail components may allow remote code execution. Bernstein disputes that this is a practical attack, arguing that no real-world deployment of qmail would be susceptible. Configuration of resource limits for qmail components mitigates the vulnerability. On November 1, 2007, Bernstein raised the reward to US$1000. At a slide presentation the following day, Bernstein stated that there were 4 "known bugs" in the ten-year-old qmail-1.03, none of which were "security holes". He characterized the bug found by Guninski as a "potential overflow of an unchecked counter". "Fortunately, counter growth was limited by memory and thus by configuration, but this was pure luck." On May 19, 2020, a working exploit for Guninski's vulnerability was published by

Qualys Qualys, Inc. provides cloud security, compliance and related services and is based in Foster City, California. Qualys provides vulnerability management solutions using a "software as a service" (SaaS) model. It has added cloud-based compliance a ...

but exploit authors' state they were denied the reward because it contains additional environmental restrictions.

Frequency of updates

The core qmail package has not been updated for many years. New features were initially provided by third party patches, from which the most important at the time were brought together in a single meta-patch called ''netqmail''.

Standards compliance

qmail was not designed to replace

, and does not behave exactly as

did in all situations. In some cases, these differences in behavior have become grounds for criticism. For instance, qmail's approach to bounce messages (a format called QSBMF) differs from the standard format of delivery status notifications specified by the

IETF The Internet Engineering Task Force (IETF) is a standards organization for the Internet and is responsible for the technical standards that make up the Internet protocol suite (TCP/IP). It has no formal membership roster or requirements and a ...

in RFC 1894, meanwhile advanced to draft standard as RFC 3464, and recommended in the

specification. Furthermore, some qmail features have been criticized for introducing mail forwarding complications; for instance, qmail's "wildcard" delivery mechanism and security design prevents it from rejecting messages from forged or nonexistent senders during SMTP transactions. In the past, these differences may have made qmail behave differently when abused as a spam relay, though modern spam delivery techniques are less influenced by bounce behavior.

Copyright status

qmail was released to the

in November 2007. Until November 2007, qmail was

, with permission granted for distribution in source form or in pre-compiled form (a "var-qmail package") only if certain restrictions (primarily involving compatibility) were met. This unusual licensing arrangement made qmail non-free according to some guidelines (such as the

DFSG The Debian Free Software Guidelines (DFSG) is a set of guidelines that the Debian Project uses to determine whether a software license is a free software license, which in turn is used to determine whether a piece of software can be included in De ...

), and was a cause of controversy. qmail is the only broadly deployed

public domain software Public-domain software is software that has been placed in the public domain, in other words, software for which there is absolutely no ownership such as copyright, trademark, or patent. Software in the public domain can be modified, distributed, ...

message transfer agent ( MTA).

References

External links

* , maintained by the author. *
qmail-LDAP-UI
– qmail-LDAP-UI is a Web-based User Administration tool
Qmailtoaster
– Distributes RPM files for appropriate distros to install qmail quickly and easily. Has a wiki and mailing list. * pkgsr
qmail
an
qmail-run
a pair of easy-to-install cross-platform qmail source packages included i
pkgsrc

The qmail section of FAQTS
an extensive knowledgebase built by qmail users
qmailWiki
is a relatively new

wiki A wiki ( ) is an online hypertext publication collaboratively edited and managed by its own audience, using a web browser. A typical wiki contains multiple pages for the subjects or scope of the project, and could be either open to the pu ...

about qmail, hosted by Inter7
J.M.Simpson qmail site
Useful Information about qmail, including explanations and patches, by John M. Simpson (Updated regularly)

qmail-distributions
– qmail patches combined into easy to use distributions

– An English/Italian howto on qmail and related software. A big patch is included. Updated regularly. {{Authority control Message transfer agents Free email server software Free software programmed in C Public-domain software with source code Email server software for Linux