qmail

Dan Bernstein is qmail's author.

The qmail server is the best MTA available.

It's modular and secure; it uses its own system library replacements to avoid buffer overflow exploits.

Think of qmail, and the extensions available for it, as a toolbox of components to assemble into an efficient mail server that will fit any need.

If you're not that creative, you probably should use Postfix instead.

Links:

Online man pages:

Searchable mailing list archives, ordered by descending degree of completeness:

Recipient checking

box@host

A qmail server will normally accept email addressed to any box part at a host that exists in control/rcpthosts.

One can go a step further and validate the box part by patching or replacing qmail-smtpd.

Attempts to queue bogus messages during the initial SMTP conversation are therefore rejected.

Messages to nonexistent recipients are not accepted.

Also, joe job bounces to forged recipients aren't accepted, stopping them from becoming double bounces.

This will prevent using yet more CPU, I/O and bandwidth processing bounce messages later.
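The difference between the two behaviours, as an added example that is not qmail source code and not taken from any particular patch. The hosts, the mailbox list and the 550 reply for an unknown box are constructed assumptions, and addresses are assumed to be in box@host form.

```python
# Model of the RCPT TO decision described above (illustration only).
# All hosts and mailboxes below are constructed sample data.
RCPTHOSTS = ["example.org", ".lists.example.org"]   # lines of control/rcpthosts
VALID_BOXES = {"alice@example.org", "postmaster@example.org"}  # hypothetical

def host_in_rcpthosts(host, rcpthosts=RCPTHOSTS):
    """Exact match, or suffix match for entries that begin with a dot."""
    host = host.lower()
    for entry in rcpthosts:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            # ".lists.example.org" covers subdomains, not the bare domain
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def rcpt_decision(addr, validate):
    """Return the SMTP reply code for one RCPT TO address.

    validate=False: only the host part is checked against rcpthosts.
    validate=True:  the full box@host must also be a known mailbox.
    """
    addr = addr.lower()
    _box, _at, host = addr.rpartition("@")
    if not host_in_rcpthosts(host):
        return 553          # host not in rcpthosts: relaying refused
    if validate and addr not in VALID_BOXES:
        return 550          # assumed reply of a validating qmail-smtpd
    return 250

def backscatter(rcpts, validate):
    """Addresses accepted at SMTP time that have no mailbox.

    Each one is queued and must be bounced later; with a forged sender
    that bounce fails too and becomes a double bounce.
    """
    return [r for r in rcpts
            if rcpt_decision(r, validate) == 250 and r.lower() not in VALID_BOXES]

# Constructed RCPT TO addresses, as a bulk run against the server might send.
SAMPLE = ["alice@example.org", "nobody@example.org",
          "x@news.lists.example.org", "bob@elsewhere.test"]

if __name__ == "__main__":
    for mode in (False, True):
        print("validate =", mode, "->", backscatter(SAMPLE, mode))
```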

Here are several options, ordered by how far a message penetrates a qmail server before the attempt is rejected or the message discarded.

Implementing secure qmail-pop3d

Here are instructions to install openssl and sslserver for pop3s.

Notes:

The POP server that comes with qmail is capable, but not secure.

All usernames, passwords and messages are sent in snoopable plain text.

I prefer using sslserver, a tcpserver replacement, to encrypt communications.

It assumes that you will be using gcc; here is a simple patch that converts it to cc syntax.

Your POP clients should now SSL connect to port 995.

If you use an editor, remove each ? and the EOF, and remove the \ before each $.

Mac OS X and qmail

Here are instructions to install qmail, daemontools and ucspi-tcp.

It's a modified Life with qmail install.

Notes:

A simple patch is needed for the install on a single CPU Mac OS X Panther 10.3 or Tiger 10.4 machine.

Please read this note if you are using Mac OS X Tiger 10.4.

Xcode Tools must be installed; see Apple Developer Connection.

A dual CPU machine will crash under high load.

CHUD is a custom install option with Xcode Tools; it gives you a Hardware.prefPane to disable the second CPU.

Run nireport to see the assigned gids and uids, then choose unique ones for qmail.

Changing mailq to qmailctl queue in /etc/periodic/daily/500.daily changes from Postfix to qmail.

Installing daemontools creates /etc/rc.local; it's not consulted during startup and can be removed.

Using SetFile makes ~/Maildir/ invisible to the Finder; this is optional.

Verify your install with inst_check; v2003-11-10 will show alias errors due to the passwd format.

Fix that by changing the 6 to a 9 in line 241.

The /usr/sbin/sendmail binary exists; /usr/lib/sendmail doesn't.

If you use an editor, remove each ? and the EOF, and remove the \ before each ` and $.

Other

The rblsmtpd-nodefaultrbl patch allows setting an RBLSMTPD action and response, without using external DNSBLs.

If your dynamic IP qmail server is being rejected, the qmail-remote[-fallback] patches route otherwise undeliverable messages through your ISP.

The netqmail-tls-remote-fallback.patch is a modified qmail-remote-fallback.patch that applies cleanly into netqmail-1.06 after Frederik Vermeulen's netqmail-1.05-tls-20070408.patch or Bill Shupp's netqmail-1.05-tls-smtpauth-20070417.patch has been applied.

Eben Pratt