Qmail

Quality 0.50 · 1 view · Updated 2 months ago

Mail transfer agent for Unix

title: "Qmail" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["message-transfer-agents", "free-email-server-software", "free-software-programmed-in-c", "public-domain-software-with-source-code", "email-server-software-for-linux"] description: "Mail transfer agent for Unix" topic_path: "technology/operating-systems" source: "https://en.wikipedia.org/wiki/Qmail" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0

::summary Mail transfer agent for Unix ::

::data[format=table title="Infobox software"]

Field	Value
name	qmail
author	Daniel J. Bernstein
latest release version	1.03
latest release date
operating system	Unix-like
programming language	C
genre	Mail transfer agent
license	public domain
url	http://cr.yp.to/qmail/qmailsec-20071101.pdf
title	Some thoughts on security after ten years of qmail 1.0
access-date	2007-12-01
website
repo
discontinued	yes
::

qmail is a mail transfer agent (MTA) that runs on Unix. It was written, starting December 1995, by Daniel J. Bernstein as a more secure alternative to the popular Sendmail program. Originally license-free software, qmail's source code was later dedicated to the public domain by the author.{{cite web |url=http://cr.yp.to/qmail/dist.html |title=Information for distributors |quote=I hereby place the qmail package (in particular, qmail-1.03.tar.gz, with MD5 checksum 622f65f982e380dbe86e6574f3abcb7c) into the public domain. You are free to modify the package, distribute modified versions, etc.

Features

Security

When first published, qmail was the first security-aware mail transport agent; since then, other security-aware MTAs have been published. The most popular predecessor to qmail, Sendmail, was not designed with security as a goal and, as a result, has been a perennial target for attackers. In contrast to sendmail, qmail has a modular architecture composed of mutually untrusting components; for instance, the SMTP listener component of qmail runs with different credentials from the queue manager or the SMTP sender. qmail was also implemented with a security-aware replacement to the C standard library and, as a result, has not been vulnerable to stack and heap overflows, format string attacks or temporary file race conditions.

Performance

When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was originally designed as a way to manage large mailing lists.

Simplicity

At the time of qmail's introduction, Sendmail configuration was notoriously complex, while qmail was simple to configure and deploy.

Innovations

qmail encourages the use of several innovations in mail (some originated by Bernstein, others not):

; Maildir : Bernstein invented the Maildir format for qmail, which splits individual email messages into separate files. Unlike the de facto standard mbox format, which stored all messages in a single file, Maildir avoids many locking and concurrency problems, and can safely be provisioned over NFS. qmail also delivers to mbox mailboxes.

; Wildcard mailboxes : qmail introduced the concept of user-controlled wildcards. Out of the box, mail addressed to "user-wildcard" on qmail hosts is delivered to separate mailboxes, allowing users to publish multiple mail addresses for mailing lists and spam management.

qmail also introduces the Quick Mail Transport Protocol (QMTP), an e-mail transmission protocol that is designed to have better performance than Simple Mail Transfer Protocol (SMTP), the de facto standard; and Quick Mail Queuing Protocol (QMQP), a network protocol designed to share e-mail queues between several hosts.

Modularity

qmail is nearly a completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the qmail system with a different module as long as the new module retains the same interface as the original.

Controversy

Security reward and Georgi Guninski's vulnerability

In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable security hole in the latest software version. |url=http://cr.yp.to/qmail/guarantee.html |title=The qmail security guarantee |access-date=2007-10-05

In 2005, security researcher Georgi Guninski found an integer overflow in qmail. On 64-bit platforms, in default configurations with sufficient virtual memory, the delivery of huge amounts of data to certain qmail components may allow remote code execution. Bernstein disputes that this is a practical attack, arguing that no real-world deployment of qmail would be susceptible. Configuration of resource limits for qmail components mitigates the vulnerability. |author = Georgi Guninski |title = Georgi Guninski security advisory #74, 2005 |url = http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html |access-date= 2007-10-05

On November 1, 2007, Bernstein raised the reward to US$1000. At a slide presentation the following day, Bernstein stated that there were 4 "known bugs" in the ten-year-old qmail-1.03, none of which were "security holes". He characterized the bug found by Guninski as a "potential overflow of an unchecked counter". "Fortunately, counter growth was limited by memory and thus by configuration, but this was pure luck." |url=http://cr.yp.to/talks/2007.11.02/slides.pdf |title=Some thoughts on security after ten years of qmail 1.0 [Slide presentation] |access-date=2008-01-17

On May 19, 2020, a working exploit for Guninski's vulnerability was published by Qualys but exploit authors' state they were denied the reward because it contains additional environmental restrictions.

Frequency of updates

The core qmail package has not been updated for many years. | url = http://www.lifewithqmail.org/lwq.html#history | title = Life with qmail; History | access-date = 2007-12-01

Standards compliance

qmail was not designed as a drop-in replacement for Sendmail, and does not behave exactly as Sendmail did in all situations. In some cases, these differences in behavior have become grounds for criticism. For instance, qmail's approach to bounce messages (a format called QSBMF) differs from the standard format of delivery status notifications specified by the IETF in RFC 1894, meanwhile advanced to draft standard as RFC 3464, and recommended in the SMTP specification.

Some qmail features have been criticized for introducing mail forwarding complications; for instance, qmail's "wildcard" delivery mechanism and security design prevents it from rejecting messages from forged or nonexistent senders during SMTP transactions. In the past, these differences may have made qmail behave differently when abused as a spam relay, though modern spam delivery techniques are less influenced by bounce behavior.

Copyright status

qmail was released to the public domain in November 2007. | url = http://video.google.com/videoplay?docid=-3147768955127254412&q=%22Bernstein+releases+code+to+public+domain%22&total=1&start=0&num=10&so=0&type=search&plindex=0 | title = Bernstein releases code into the public domain | access-date = 2007-11-30

qmail is the only broadly deployed public domain software message transfer agent (MTA).

References

[https://schmonz.com/2019/08/20/announcing-notqmail/ Announcing notqmail ]
Bernstein, Daniel J.. "Some thoughts on security after ten years of qmail 1.0".
(February 1, 1997). "Quick Mail Transfer Protocol (QMTP)".
"QMQP: Quick Mail Queueing Protocol".
"'[oss-security] Remote Code Execution in qmail (CVE-2005-1513)' - MARC".
"netqmail".
(1996). "An Extensible Message Format for Delivery Status Notifications".
(2003). "An Extensible Message Format for Delivery Status Notifications".
Moen, Rick. (October 2006). "On Qmail, Forged Mail, and SPF Records". [[Linux Gazette]].

::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::