Qmail: Difference between revisions

From Wikipedia, the free encyclopedia
Citation bot (talk | contribs)
Alter: template type. Add: doi, year, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Whoop whoop pull up | #UCB_webform 735/1429
Qreligious (talk | contribs)
m Added citations.
 
(15 intermediate revisions by 10 users not shown)
Line 35: Line 35:
{{Infobox software
{{Infobox software
| name = s/qmail
| name = s/qmail
| latest release version = 4.1.15
| latest release version = 4.2.29a
| latest release date = {{Start date and age|2022|03|06}}
| latest release date = {{Start date and age|2024|02|26}}
| website = {{URL|fehcom.de/sqmail/sqmail.html}}
| website = {{URL|fehcom.de/sqmail/sqmail.html}}
}}
}}
Line 42: Line 42:
{{Infobox software
{{Infobox software
| name = notqmail<ref>[https://schmonz.com/2019/08/20/announcing-notqmail/ Announcing notqmail ]</ref>
| name = notqmail<ref>[https://schmonz.com/2019/08/20/announcing-notqmail/ Announcing notqmail ]</ref>
| latest release version = 1.08
| latest release version = 1.09
| latest release date = {{Start date and age|2020|05|20}}
| latest release date = {{Start date and age|2024|05|06}}
| website = {{URL|notqmail.org/}}
| website = {{URL|notqmail.org/}}
| repo = {{URL|github.com/notqmail/notqmail}}
| repo = {{URL|github.com/notqmail/notqmail}}
}}
}}


'''qmail''' is a [[mail transfer agent]] (MTA) that runs on [[Unix]]. It was written, starting December 1995, by [[Daniel J. Bernstein]] as a more [[computer security|secure]] replacement for the popular [[Sendmail]] program. Originally [[license-free software]], qmail's [[source code]] was later dedicated in the [[public domain]] by the author.<ref name="source-pd">{{cite web
'''qmail''' is a [[mail transfer agent]] (MTA) that runs on [[Unix]]. It was written, starting December 1995,<ref>{{Cite web |last=Bernstein |first=Daniel J. |title=Some thoughts on security after ten years of qmail 1.0 |url=https://cr.yp.to/qmail/qmailsec-20071101.pdf}}</ref><ref>{{Cite web |title=Qmail Explained |url=https://everything.explained.today/Qmail/}}</ref> by [[Daniel J. Bernstein]] as a more [[computer security|secure]] alternative to the popular [[Sendmail]] program. Originally [[license-free software]], qmail's [[source code]] was later dedicated to the [[public domain]] by the author.<ref name="source-pd">{{cite web
|url=http://cr.yp.to/qmail/dist.html
|url=http://cr.yp.to/qmail/dist.html
|title=Information for distributors
|title=Information for distributors
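Review bot: the "Qmail Explained" reference added after "starting December 1995" in the lead sentence gives only a title and a URL (everything.explained.today), with no author, publisher, date or access-date, so it cannot be assessed as a source for the start date. Suggest citing only the Bernstein paper placed beside it, and adding an access-date to that entry to match the other cite web templates in the article.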
Line 58: Line 58:


===Security===
===Security===
When first published, qmail was the first security-aware mail transport agent; since then, other security-aware [[Mail transfer agent|MTA]]s have been published. The most popular predecessor to qmail, [[Sendmail]], was not designed with security as a goal, and as a result has been a perennial target for attackers. In contrast to sendmail, qmail has a modular architecture composed of mutually untrusting components; for instance, the [[SMTP]] listener component of qmail runs with different [[User identifier (Unix)|credentials]] from the queue manager or the SMTP sender. qmail was also implemented with a security-aware replacement to the [[C standard library]], and as a result has not been vulnerable to [[Stack buffer overflow|stack]] and [[Heap overflow|heap]] overflows, [[format string attack]]s, or temporary file [[race condition]]s.
When first published, qmail was the first security-aware mail transport agent; since then, other security-aware [[Mail transfer agent|MTA]]s have been published. The most popular predecessor to qmail, [[Sendmail]], was not designed with security as a goal and, as a result, has been a perennial target for attackers. In contrast to sendmail, qmail has a modular architecture composed of mutually untrusting components; for instance, the [[SMTP]] listener component of qmail runs with different [[User identifier (Unix)|credentials]] from the queue manager or the SMTP sender. qmail was also implemented with a security-aware replacement to the [[C standard library]] and, as a result, has not been vulnerable to [[Stack buffer overflow|stack]] and [[Heap overflow|heap]] overflows, [[format string attack]]s or temporary file [[race condition]]s.


===Performance===
===Performance===
When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was originally designed as a way for managing large mailing lists.
When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was originally designed as a way to manage large mailing lists.


===Simplicity===
===Simplicity===
Line 75: Line 75:
: qmail introduced the concept of user-controlled wildcards. Out of the box, mail addressed to "user-''wildcard''" on qmail hosts is delivered to separate mailboxes, allowing users to publish multiple mail addresses for mailing lists and spam management.
: qmail introduced the concept of user-controlled wildcards. Out of the box, mail addressed to "user-''wildcard''" on qmail hosts is delivered to separate mailboxes, allowing users to publish multiple mail addresses for mailing lists and spam management.


qmail also introduces the Quick Mail Transport Protocol (QMTP), an e-mail transmission protocol that is designed to have better performance than Simple Mail Transfer Protocol (SMTP), the de facto standard;<ref>{{cite web |title=Quick Mail Transfer Protocol (QMTP) |url=http://cr.yp.to/proto/qmtp.txt |date=February 1, 1997 |access-date=6 May 2023}}</ref> and Quick Mail Queuing Protocol (QMQP), a network protocol designed to share e-mail queues between several hosts.<ref>{{cite web |title=QMQP: Quick Mail Queueing Protocol |url=http://cr.yp.to/proto/qmqp.html |access-date=6 May 2023}}</ref>
qmail also introduces the [[Quick Mail Transport Protocol]] (QMTP) and [[Quick Mail Queuing Protocol]] (QMQP) protocols.


===Modularity===
===Modularity===
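Review bot: in the QMTP/QMQP sentence, the prose and wikilinks spell the protocols "Quick Mail Transport Protocol" and "Quick Mail Queuing Protocol", while the cited specification titles in the same hunk read "Quick Mail Transfer Protocol (QMTP)" and "QMQP: Quick Mail Queueing Protocol". Align the names with the cited titles, and keep the two cr.yp.to references on whichever wording is retained, since the wikilink-only version leaves the sentence unsourced.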
Line 83: Line 83:


===Security reward and Georgi Guninski's vulnerability===
===Security reward and Georgi Guninski's vulnerability===
In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable [[security hole]] in the latest version of the software.<ref name=guarantee>
In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable [[security hole]] in the latest software version.<ref name=guarantee>
{{cite web
{{cite web
|url=http://cr.yp.to/qmail/guarantee.html
|url=http://cr.yp.to/qmail/guarantee.html
Line 113: Line 113:
| title = Life with qmail; History
| title = Life with qmail; History
| access-date = 2007-12-01
| access-date = 2007-12-01
}}</ref> New features were initially provided by third party patches, from which the most important at the time were brought together in a single meta-patch called ''netqmail''.<ref>{{Cite web|title=netqmail|url=http://netqmail.org/|url-status=live|access-date=2021-03-03|website=netqmail.org}}</ref>
}}</ref> New features were initially provided by third-party patches, from which the most important at the time were brought together in a single meta-patch called ''netqmail''.<ref>{{Cite web|title=netqmail|url=http://netqmail.org/|access-date=2021-03-03|website=netqmail.org}}</ref>


===Standards compliance===
===Standards compliance===
qmail was not designed to replace [[Sendmail]], and does not behave exactly as [[Sendmail]] did in all situations. In some cases, these differences in behavior have become grounds for criticism. For instance, qmail's approach to bounce messages (a format called QSBMF) differs from the standard format of [[bounce message|delivery status notifications]] specified by the [[IETF]] in <nowiki>RFC 1894</nowiki>,<ref>{{Cite journal|last1=Vaudreuil|first1=Gregory M.|last2=Moore|first2=Keith|title=An Extensible Message Format for Delivery Status Notifications|url=https://tools.ietf.org/html/rfc1894.html|access-date=2021-03-03|website=tools.ietf.org|year=1996 |doi=10.17487/RFC1894 |language=en}}</ref> meanwhile advanced to [[Internet standard#Draft Standard|draft standard]] as <nowiki>RFC 3464</nowiki>,<ref>{{Cite journal|last1=Vaudreuil|first1=Gregory M.|last2=Moore|first2=Keith|title=An Extensible Message Format for Delivery Status Notifications|url=https://tools.ietf.org/html/rfc3464.html|access-date=2021-03-03|website=tools.ietf.org|year=2003 |doi=10.17487/RFC3464 |language=en}}</ref> and recommended in the [[Simple Mail Transfer Protocol|SMTP]] specification.
qmail was not designed as a drop-in replacement for [[Sendmail]], and does not behave exactly as [[Sendmail]] did in all situations. In some cases, these differences in behavior have become grounds for criticism. For instance, qmail's approach to bounce messages (a format called QSBMF) differs from the standard format of [[bounce message|delivery status notifications]] specified by the [[IETF]] in <nowiki>RFC 1894</nowiki>,<ref>{{Cite journal|last1=Vaudreuil|first1=Gregory M.|last2=Moore|first2=Keith|title=An Extensible Message Format for Delivery Status Notifications|url=https://tools.ietf.org/html/rfc1894.html|access-date=2021-03-03|website=tools.ietf.org|year=1996 |doi=10.17487/RFC1894 |language=en}}</ref> meanwhile advanced to [[Internet standard#Draft Standard|draft standard]] as <nowiki>RFC 3464</nowiki>,<ref>{{Cite journal|last1=Vaudreuil|first1=Gregory M.|last2=Moore|first2=Keith|title=An Extensible Message Format for Delivery Status Notifications|url=https://tools.ietf.org/html/rfc3464.html|access-date=2021-03-03|website=tools.ietf.org|year=2003 |doi=10.17487/RFC3464 |language=en}}</ref> and recommended in the [[Simple Mail Transfer Protocol|SMTP]] specification.


Furthermore, some qmail features have been criticized for introducing mail forwarding complications; for instance, qmail's "wildcard" delivery mechanism and security design prevents it from rejecting messages from forged or nonexistent senders during SMTP transactions.<ref>{{cite journal|url=https://linuxgazette.net/131/moen.html |title=On Qmail, Forged Mail, and SPF Records |first=Rick |last=Moen |journal=[[Linux Gazette]] |issue=131 |date=October 2006}}</ref> In the past, these differences may have made qmail behave differently when abused as a spam relay, though modern spam delivery techniques are less influenced by bounce behavior.
Some qmail features have been criticized for introducing mail forwarding complications; for instance, qmail's "wildcard" delivery mechanism and security design prevents it from rejecting messages from forged or nonexistent senders during SMTP transactions.<ref>{{cite journal|url=https://linuxgazette.net/131/moen.html |title=On Qmail, Forged Mail, and SPF Records |first=Rick |last=Moen |journal=[[Linux Gazette]] |issue=131 |date=October 2006}}</ref> In the past, these differences may have made qmail behave differently when abused as a spam relay, though modern spam delivery techniques are less influenced by bounce behavior.


===Copyright status===
===Copyright status===
Line 126: Line 126:
| title = Bernstein releases code into the public domain
| title = Bernstein releases code into the public domain
| access-date = 2007-11-30
| access-date = 2007-11-30
}}</ref> Until November 2007, qmail was [[license-free software]], with permission granted for distribution in source form or in pre-compiled form (a "var-qmail package") only if certain restrictions (primarily involving compatibility) were met. This unusual licensing arrangement made qmail non-free according to some guidelines (such as the [[DFSG]]), and was a cause of controversy.
}}</ref> Until November 2007, qmail was [[license-free software]], with permission granted for distribution in source form or in pre-compiled form (a "var-qmail package") only if certain restrictions (primarily involving compatibility) were met. This unusual licensing arrangement made qmail non-free according to some guidelines (such as the [[DFSG]]) and was a cause of controversy.


qmail is the only broadly deployed [[public domain software]] message transfer agent ([[Message transfer agent|MTA]]).
qmail is the only broadly deployed [[public domain software]] message transfer agent ([[Message transfer agent|MTA]]).
Line 142: Line 142:
==External links==
==External links==
* {{Official website}}, maintained by the author.
* {{Official website}}, maintained by the author.
* {{webarchive |url=https://web.archive.org/web/20190615185717/http://www.qmail.org/ |date=June 15, 2019 |title=qmail.org, maintained by [[Russ Nelson]]}}
* [http://qmail.org qmail.org], maintained by Russ Nelson
* [http://sourceforge.net/projects/qmail-ldap-ui/ qmail-LDAP-UI] – qmail-LDAP-UI is a Web-based User Administration tool
* [http://sourceforge.net/projects/qmail-ldap-ui/ qmail-LDAP-UI] – qmail-LDAP-UI is a Web-based User Administration tool
* [http://www.qmailtoaster.com/ Qmailtoaster] – Distributes RPM files for appropriate distros to install qmail quickly and easily. Has a wiki and mailing list.
* [http://www.qmailtoaster.com/ Qmailtoaster] – Distributes RPM files for appropriate distros to install qmail quickly and easily. Has a wiki and mailing list.
* pkgsrc [http://pkgsrc.se/mail/qmail qmail] and [http://pkgsrc.se/mail/qmail-run qmail-run], a pair of easy-to-install cross-platform qmail source packages included in [http://www.pkgsrc.org/ pkgsrc]
* pkgsrc [http://pkgsrc.se/mail/qmail qmail] and [http://pkgsrc.se/mail/qmail-run qmail-run], a pair of easy-to-install cross-platform qmail source packages included in [http://www.pkgsrc.org/ pkgsrc]
* [https://web.archive.org/web/20080723183108/http://qmail.faqts.com/ The qmail section of FAQTS], an extensive knowledgebase built by qmail users
* [https://web.archive.org/web/20080723183108/http://qmail.faqts.com/ The qmail section of FAQTS], an extensive knowledgebase built by qmail users
* [http://www.qmailwiki.org/ qmailWiki] is a relatively new [[wiki]] about qmail, hosted by Inter7
* [https://web.archive.org/web/20180824123533/http://www.qmailwiki.org/Main_Page qmail wiki] formerly hosted by Inter7
* [http://qmail.jms1.net/ J.M.Simpson qmail site] Useful Information about qmail, including explanations and patches, by John M. Simpson (Updated regularly)
* [http://qmail.jms1.net/ J.M.Simpson qmail site] Useful Information about qmail, including explanations and patches, by John M. Simpson (Updated regularly)
* [https://archive.today/20120630212728/http://home.pages.de/~mandree/qmail-bugs.html Unofficial qmail Bug and Wishlist]
* [https://archive.today/20120630212728/http://home.pages.de/~mandree/qmail-bugs.html Unofficial qmail Bug and Wishlist]
* [https://web.archive.org/web/20080923121814/http://xzdev.com/qmail_queue.html qmail queue messages deliver (PHP)]
* [https://web.archive.org/web/20080923121814/http://xzdev.com/qmail_queue.html qmail queue messages deliver (PHP)]
* [http://code.google.com/p/qmail-distributions qmail-distributions] – qmail patches combined into easy to use distributions
* [http://code.google.com/p/qmail-distributions qmail-distributions] – qmail patches combined into easy-to-use distributions
* [https://notes.sagredo.eu/en/qmail-notes-185/qmail-vpopmail-dovecot-roberto-s-qmail-notes-8.html Roberto's qmail notes] – An English/Italian howto on qmail and related software. A big patch is included. Updated regularly.
* [https://notes.sagredo.eu/en/qmail-notes-185/qmail-vpopmail-dovecot-roberto-s-qmail-notes-8.html Roberto's qmail notes] – An English/Italian howto on qmail and related software. A big patch is included and is updated regularly.


{{Email servers}}
{{Email servers}}
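Review bot: in the Roberto's qmail notes entry, joining the last two sentences into "A big patch is included and is updated regularly." changes the subject of "updated regularly" from the howto to the patch. Keep "Updated regularly." as its own sentence unless the patch is what is meant.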

Latest revision as of 09:03, 11 November 2024

qmail
Original author(s): Daniel J. Bernstein
Final release: 1.03 / June 15, 1998; 26 years ago (1998-06-15)
Repository: cr.yp.to/software/qmail-1.03.tar.gz
Written in: C
Operating system: Unix-like
Type: Mail transfer agent
License: public domain[1]
Website: cr.yp.to/qmail.html

netqmail
Final release: 1.06 / November 30, 2007; 17 years ago (2007-11-30)
Repository: netqmail.org/netqmail-1.06.tar.gz
Website: netqmail.org

s/qmail
Stable release: 4.2.29a / February 26, 2024; 9 months ago (2024-02-26)
Website: fehcom.de/sqmail/sqmail.html

notqmail[2]
Stable release: 1.09 / May 6, 2024; 7 months ago (2024-05-06)
Repository: github.com/notqmail/notqmail
Website: notqmail.org

qmail is a mail transfer agent (MTA) that runs on Unix. It was written, starting December 1995,[3][4] by Daniel J. Bernstein as a more secure alternative to the popular Sendmail program. Originally license-free software, qmail's source code was later dedicated to the public domain by the author.[5]

Features

Security

When first published, qmail was the first security-aware mail transport agent; since then, other security-aware MTAs have been published. The most popular predecessor to qmail, Sendmail, was not designed with security as a goal and, as a result, has been a perennial target for attackers. In contrast to Sendmail, qmail has a modular architecture composed of mutually untrusting components; for instance, the SMTP listener component of qmail runs with different credentials from the queue manager or the SMTP sender. qmail was also implemented with a security-aware replacement for the C standard library and, as a result, has not been vulnerable to stack and heap overflows, format string attacks or temporary file race conditions.

Performance

When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was originally designed as a way to manage large mailing lists.

Simplicity

At the time of qmail's introduction, Sendmail configuration was notoriously complex, while qmail was simple to configure and deploy.

Innovations

qmail encourages the use of several innovations in mail (some originated by Bernstein, others not):

Maildir
Bernstein invented the Maildir format for qmail, which splits individual email messages into separate files. Unlike the de facto standard mbox format, which stored all messages in a single file, Maildir avoids many locking and concurrency problems, and can safely be provisioned over NFS. qmail also delivers to mbox mailboxes.
Wildcard mailboxes
qmail introduced the concept of user-controlled wildcards. Out of the box, mail addressed to "user-wildcard" on qmail hosts is delivered to separate mailboxes, allowing users to publish multiple mail addresses for mailing lists and spam management.

qmail also introduces the Quick Mail Transport Protocol (QMTP), an e-mail transmission protocol that is designed to have better performance than Simple Mail Transfer Protocol (SMTP), the de facto standard;[6] and Quick Mail Queuing Protocol (QMQP), a network protocol designed to share e-mail queues between several hosts.[7]

Modularity

qmail is an almost completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the qmail system with a different module as long as the new module retains the same interface as the original.

Controversy

Security reward and Georgi Guninski's vulnerability

In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable security hole in the latest software version.[8]

In 2005, security researcher Georgi Guninski found an integer overflow in qmail. On 64-bit platforms, in default configurations with sufficient virtual memory, the delivery of huge amounts of data to certain qmail components may allow remote code execution. Bernstein disputes that this is a practical attack, arguing that no real-world deployment of qmail would be susceptible. Configuration of resource limits for qmail components mitigates the vulnerability.[9]

On November 1, 2007, Bernstein raised the reward to US$1000.[1] At a slide presentation the following day, Bernstein stated that there were 4 "known bugs" in the ten-year-old qmail-1.03, none of which were "security holes". He characterized the bug found by Guninski as a "potential overflow of an unchecked counter". "Fortunately, counter growth was limited by memory and thus by configuration, but this was pure luck."[10]

On May 19, 2020, a working exploit for Guninski's vulnerability was published by Qualys,[11] but the exploit's authors state they were denied the reward because it contains additional environmental restrictions.
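The class of bug described in this section, shown as an added C example (it is not qmail's code and does not come from the cited advisories): a 32-bit length counter that wraps once more than 4 GiB has been accumulated, next to a checked version that refuses to grow past a configured ceiling. The `gbuf` structure, the function names, the counter width and the sample chunk sizes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer. The names and the 32-bit counter width are
   assumptions for illustration; this is not qmail's code. */
struct gbuf {
    char    *data;
    uint32_t len;   /* bytes in use */
    uint32_t cap;   /* bytes allocated */
};

/* Unchecked size arithmetic: silently wraps modulo 2^32. */
uint32_t unchecked_need(uint32_t len, uint32_t add)
{
    return len + add;
}

/* Checked size arithmetic: returns 0 (and leaves *out untouched) if the sum
   would wrap or would exceed the configured ceiling `limit`. */
int checked_need(uint32_t len, uint32_t add, uint32_t limit, uint32_t *out)
{
    if (add > UINT32_MAX - len) return 0;   /* would wrap */
    if (len + add > limit) return 0;        /* above the ceiling */
    *out = len + add;
    return 1;
}

/* Append n bytes, refusing rather than wrapping. Returns 1 on success. */
int gbuf_append(struct gbuf *b, const char *src, uint32_t n, uint32_t limit)
{
    uint32_t need;
    if (!checked_need(b->len, n, limit, &need)) return 0;
    if (need > b->cap) {
        uint32_t extra = need / 8;          /* headroom, kept under limit */
        uint32_t newcap = (extra <= limit - need) ? need + extra : need;
        char *p = realloc(b->data, newcap);
        if (!p) return 0;                   /* e.g. a resource limit was hit */
        b->data = p;
        b->cap = newcap;
    }
    if (n) memcpy(b->data + b->len, src, n);
    b->len = need;
    return 1;
}

/* Feed chunk sizes through the unchecked counter and return the index of the
   first chunk that makes it go backwards, or -1 if it never wraps. */
long first_wrap(const uint32_t *chunks, size_t n)
{
    uint32_t len = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t next = unchecked_need(len, chunks[i]);
        if (next < len) return (long)i;
        len = next;
    }
    return -1;
}

/* Constructed input: chunk sizes whose running total passes 2^32. */
static const uint32_t SAMPLE_CHUNKS[] = { 0x80000000u, 0x7FFFFFF0u, 0x20u };

int main(void)
{
    struct gbuf b = { NULL, 0, 0 };
    printf("unchecked 0xFFFFFFF0 + 0x20 -> 0x%X\n",
           (unsigned)unchecked_need(0xFFFFFFF0u, 0x20u));
    printf("counter wraps at chunk %ld\n", first_wrap(SAMPLE_CHUNKS, 3));
    printf("append within limit: %d\n", gbuf_append(&b, "hello", 5, 8));
    printf("append past limit:   %d\n", gbuf_append(&b, "world", 5, 8));
    free(b.data);
    return 0;
}
```

The `limit` argument plays the role the section attributes to configuration: it bounds how far the counter can grow, so the wrap can never be reached.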

Frequency of updates

The core qmail package has not been updated for many years.[12] New features were initially provided by third-party patches, from which the most important at the time were brought together in a single meta-patch called netqmail.[13]

Standards compliance

qmail was not designed as a drop-in replacement for Sendmail, and does not behave exactly as Sendmail did in all situations. In some cases, these differences in behavior have become grounds for criticism. For instance, qmail's approach to bounce messages (a format called QSBMF) differs from the standard format of delivery status notifications specified by the IETF in RFC 1894,[14] meanwhile advanced to draft standard as RFC 3464,[15] and recommended in the SMTP specification.

Some qmail features have been criticized for introducing mail forwarding complications; for instance, qmail's "wildcard" delivery mechanism and security design prevent it from rejecting messages from forged or nonexistent senders during SMTP transactions.[16] In the past, these differences may have made qmail behave differently when abused as a spam relay, though modern spam delivery techniques are less influenced by bounce behavior.

Copyright status

qmail was released to the public domain in November 2007.[17] Until November 2007, qmail was license-free software, with permission granted for distribution in source form or in pre-compiled form (a "var-qmail package") only if certain restrictions (primarily involving compatibility) were met. This unusual licensing arrangement made qmail non-free according to some guidelines (such as the DFSG) and was a cause of controversy.

qmail is the only broadly deployed public domain software message transfer agent (MTA).

See also

References

  1. "Some thoughts on security after ten years of qmail 1.0" (PDF). Retrieved 2007-12-01.
  2. "Announcing notqmail".
  3. Bernstein, Daniel J. "Some thoughts on security after ten years of qmail 1.0" (PDF).
  4. "Qmail Explained".
  5. "Information for distributors". I hereby place the qmail package (in particular, qmail-1.03.tar.gz, with MD5 checksum 622f65f982e380dbe86e6574f3abcb7c) into the public domain. You are free to modify the package, distribute modified versions, etc.
  6. "Quick Mail Transfer Protocol (QMTP)". February 1, 1997. Retrieved 6 May 2023.
  7. "QMQP: Quick Mail Queueing Protocol". Retrieved 6 May 2023.
  8. "The qmail security guarantee". Retrieved 2007-10-05.
  9. Georgi Guninski. "Georgi Guninski security advisory #74, 2005". Retrieved 2007-10-05.
  10. "Some thoughts on security after ten years of qmail 1.0 [Slide presentation]" (PDF). Retrieved 2008-01-17.
  11. "'[oss-security] Remote Code Execution in qmail (CVE-2005-1513)' - MARC". marc.info. Retrieved 2021-03-03.
  12. "Life with qmail; History". Retrieved 2007-12-01.
  13. "netqmail". netqmail.org. Retrieved 2021-03-03.
  14. Vaudreuil, Gregory M.; Moore, Keith (1996). "An Extensible Message Format for Delivery Status Notifications". tools.ietf.org. doi:10.17487/RFC1894. Retrieved 2021-03-03.
  15. Vaudreuil, Gregory M.; Moore, Keith (2003). "An Extensible Message Format for Delivery Status Notifications". tools.ietf.org. doi:10.17487/RFC3464. Retrieved 2021-03-03.
  16. Moen, Rick (October 2006). "On Qmail, Forged Mail, and SPF Records". Linux Gazette (131).
  17. "Bernstein releases code into the public domain". Retrieved 2007-11-30.