qmail is a mail transfer agent that runs on Unix. It was written by Daniel J. Bernstein as a more secure replacement for the popular Sendmail program. “Software development” redirects here. ... Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a professor at the University of Illinois at Chicago, a mathematician, a cryptologist, and a programmer. ... Code complete redirects here. ... is the 166th day of the year (167th in leap years) in the Gregorian calendar. ... Year 1998 (MCMXCVIII) was a common year starting on Thursday (link will display full 1998 Gregorian calendar). ... Code complete redirects here. ... is the 21st day of the year in the Gregorian calendar. ... Year 2004 (MMIV) was a leap year starting on Thursday of the Gregorian calendar. ... An operating system (OS) is the software that manages the sharing of the resources of a computer and provides programmers with an interface used to access those resources. ... Diagram of the relationships between several Unix-like systems A Unix-like operating system is one that behaves in a manner similar to a Unix system, while not necessarily conforming to or being certified to any version of the Single UNIX Specification. ... Computer software can be organized into categories based on common function, type, or field of use. ... A mail transfer agent or MTA (also called a mail transport agent, mail server, or a mail exchanger in the context of the Domain Name System) is a computer program or software agent that transfers electronic mail messages from one computer to another. ... A software license is a legal agreement which may take the form of a proprietary or gratuitous license as well as a memorandum of contract between a producer and a user of computer software. ... The public domain comprises the body of all creative works and other knowledge—writing, artwork, music, science, inventions, and others—in which no person or organization has any proprietary interest. ... A website (alternatively, Web site or web site) is a collection of Web pages, images, videos or other digital assets that is hosted on one or several Web server(s), usually accessible via the Internet, cell phone or a LAN. A Web page is a document, typically written in HTML... A mail transfer agent or MTA (also called a mail transport agent, mail server, or a mail exchanger in the context of the Domain Name System) is a computer program or software agent that transfers electronic mail messages from one computer to another. ... Filiation of Unix and Unix-like systems Unix (officially trademarked as UNIX®, sometimes also written as or ® with small caps) is a computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs including Ken Thompson, Dennis Ritchie and Douglas McIlroy. ... Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a professor at the University of Illinois at Chicago, a mathematician, a cryptologist, and a programmer. ... This article describes how security can be achieved through design and engineering. ... Sendmail is a mail transfer agent (MTA) that is a well known project of the open source, free software and Unix communities, which is distributed both as free software and proprietary software. ...

The author offered a US$500 reward for the first person to publish a verifiable security hole in the latest version of the software.^[2] As of 2006, these rewards still stand, though Georgi Guninski claims a bug is remotely exploitable.^{[3] [4]} Bernstein himself denies that Guninski's claim meets his qualifications.^[2] In computer software a security vulnerability is a software bug that can be used deliberately to violate security. ... 2006 is a common year starting on Sunday of the Gregorian calendar. ... An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). ...

qmail encourages the use of several innovations in mail (some originated by Bernstein, others not), including maildir format mailboxes for storing messages (mbox files are also supported, and encouragement to migrate is given along with a tool to convert mbox mailboxes to maildir mailboxes) and the QMTP and QMQP protocols. Maildir is a format for an e-mail spool that does not require file locking to maintain message integrity because the messages are kept in separate files with unique names. ... Mbox is the name for several different things, including an electronic mail file format. ... QMTP is the Quick Mail Trasport Protocol that works faster than SMTP. It was designed and implemented by DJB. QMTP has fewer round trips than SMTP and is suitable for low bandwidth networks such as serial links. ... QMQP is the Quick Mail Queing Protocol designed and implemented by DJB. ...

Unlike its competitors (the major ones being Postfix and Exim), qmail has not been updated by the author for several years and users have instead come to rely on third party patches to support new functionality. Postfix is a free software / open source mail transfer agent (MTA), a computer program for the routing and delivery of email. ... Exim is a mail transfer agent (MTA) used in Unix-like operating systems. ...

qmail is nearly a completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the Qmail system with a different module as long as the new module retains the same interface as the original.

Copyright status

qmail is license-free software, although permission is granted for distribution in source form or in pre-compiled form (a "var-qmail package") if certain restrictions are met. These restrictions mean that qmail does not qualify as either Open-source software or Free Software. As a consequence, some free or open source operating systems have chosen to not install, and possibly not include, qmail.^[5][6][7][8] Since other MTAs are commonly included in distributions, with their installation enforced by those distributions' package management systems, this may have negatively affected qmail's popularity. Nonetheless, qmail users point out that it is "free enough" for anyone to use; the source code is publicly available and open for inspection and modification by users; and the licensing issues haven't stopped a large number of feature-enhancing augmentations or several modified versions of qmail (namely netqmail, dqd, qmail-ldap and Debian's qmail-src package) from being published. Licence-free software is software that is copyrighted but which is not accompanied by a software licence. ... Open source software is computer software which source code is available under a license (or arrangement such as the public domain) that meets the Open_source_definition. ... Clockwise from top: The logo of the GNU Project, the Linux kernel mascot Tux, and the BSD Daemon Free software is software that can be used, studied, and modified without restriction, and which can be copied and redistributed in modified or unmodified form either without restriction, or with restrictions only... Debian is a free operating system. ...

Controversy

The quality of this article or section may be compromised by weasel words. You can help Wikipedia by removing weasel words.

There is some controversy among mail system operators over whether qmail is as standards-compliant as its author claims^[9]. Critics allege a number of variations from the SMTP standards, some of which they claim make qmail more vulnerable to certain kinds of abuse than other MTAs^{[citation needed]}. Others counter many of these claims by pointing out that the standards are ambiguous, and in some cases are at variance with subsequent established best practice and thus unreasonable to be adopted by any mail software^[10]. Image File history File links Emblem-important. ... Simple Mail Transfer Protocol (SMTP) is the de facto standard for email transmission across the Internet. ...

For example, critics comment^[11] on qmail's adoption of a different standard for bounce messages, QSBMF, from the one in RFC 1894^[12]. Others counter by pointing out that RFC 1894 has only been adopted by some mail systems, with other systems (just as qmail) employing different bounce message standards; and by asserting that the problem of widespread forgery of envelope senders and the trend in recent years towards single-hop transport have actually undermined the foundations of RFC 1894 and rendered many of its convolutions moot^{[citation needed]}.

Another example of this controversy is that of the behaviour of the SMTP Relay server in qmail when it comes to mail addressed to non-existent mailboxes. qmail features strong security partitioning between its SMTP Relay server and its local delivery agent^{[citation needed]}; the SMTP Relay server runs as a user without any special privileges and without the means to affect other users and processes. (One consequence of this is that a spammer cannot enumerate user accounts by a dictionary attack, but this is not the sole reason for the feature.) Because of this, and because qmail's local delivery agent allows users and administrators to employ "catch-all" wildcards and thus extend the range of valid mailbox name arbitrarily, qmail's SMTP Relay server has no direct knowledge of what local mailbox names are actually valid, and moreover not necessarily enough permissions to find out. As such, mail to non-existent mailboxes (whose domain parts are correct, of course) is accepted by qmail's SMTP Relay server, and qmail generates and sends bounce messages when the non-existent mailbox name is later detected, at the point of actual mailbox delivery. In the age of virtual mailboxes, where mailboxes don't usually correspond to shell accounts, the enumeration of mailbox names has become a lesser problem^{[citation needed]}. Consequently, some of the patches provide hooks or straightforward options to limit incoming mails to valid addresses. Two of these are the qmail-ldap patch which has a switch for this, and the QMAILQUEUE patch (included in the former) which can be used to implement arbitrary mail checks while the SMTP receiver is still talking to the client (thus enabling at least 550 after data). E-mail spam, also known as bulk e-mail or junk e-mail is a subset of spam that involves sending nearly identical messages to numerous recipients by e-mail. ... In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching a large number of possibilities. ... A bounce message, or Delivery Status Notification (DSN) message or, simply, a bounce is an automated electronic mail message from a mail system informing the sender of another message about a delivery problem. ...

Critics point out that qmail thus sends far more bounce messages than some other MTAs, which in contrast give their SMTP Relay servers direct access to and knowledge of local mailbox names and thus allow them to refuse mail addressed to non-existent mailboxes; and that spam or worm mail messages often employ the technique of sending messages to non-existent mailboxes on intermediary systems placing the actual target mailbox in envelope sender addresses, relying upon the ensuing bounce message from the intermediary to deliver the payload to the real target^{[citation needed]}. Another point worth noting is that a large number of undeliverable messages and bounces tends to cause a qmail server to "overload" and for the mail queue to fill to the point that message delivery can be delayed for hours, effectively allowing Denial of Service attacks^{[citation needed]}. The popular qmail-scanner-queue.pl (found at http://qmail-scanner.sourceforge.net/) program, to be used in conjunction with the aforementioned QMAILQUEUE patch, provides options to filter emails and suppress backscatter from mails which are "obviously" sent by eg. a worm. A typical spam advertisement Spam by e-mail is one type of spamming that involves sending identical or nearly identical messages to thousands (or millions) of recipients. ... A computer worm is a self-replicating computer program. ...

Others counter this criticism by pointing out

• that as long as they support a user-specifiable "address extension" mechanism with wildcarding of some kind, even those other MTAs still have the same problem of mail that cannot be discovered to be undeliverable until after the SMTP Relay server has accepted it, and that thus this merely papers over the problem^{[citation needed]};
• that there is a fundamental conflict between preventing this sort of spam and a secure flexible design, that one has no choice but to trade the one for the other, and that the range of six different patches available for modifying qmail's SMTP Relay server and their concomitant effects upon flexibility and security exemplify very well the different tradeoffs^{[citation needed]};

and

• that critics don't support the abandonment of other advances in the state of the art where the same problem occurs. (Just as running the SMTP Relay server without privileges was an advance in the state of the art driven by security holes that allowed attackers to compromise local user accounts, the "Delivered-To:" is an advance in the state of the art driven by the problem of mail loops amongst mailing lists resulting in explosions of mail^{[citation needed]}. Yet spammers and worms can employ "Delivered-To:" headers to cause mail to be bounced at the point of actual delivery, and thus to send their payloads to targets as bounce messages sent by intermediaries.)

It is worth noting that as qmail is a modular system, adding a different SMTP daemon that supports valid user checks is quite easy to accomplish. One popular one is magic-smtpd from LinuxMagic^[13] that is available as either an open source or commercial package. Another popular one is qpsmtpd from http://qpsmtpd.develooper.com. Open source refers to projects that are open to the public and which draw on other projects that are freely available to the general public. ... This article does not cite any references or sources. ...

References

1. ^ http://cr.yp.to/talks/2007.11.02/slides.pdf
2. ^ ^{a b} The qmail security guarantee. Retrieved on 2007-10-05.
3. ^ Georgi Guninski. Georgi Guninski security advisory #74, 2005. Retrieved on 2007-10-05.
4. ^ James Craig Burley. My Take on Georgi Guninski's qmail Security Advisories.
5. ^ Debian qmail-src. Debian packages. Retrieved on January 17, 2007.
6. ^ Debian qmail-run. Debian packages. Retrieved on January 14, 2006.
7. ^ Debian var-qmail. Debian packages. Retrieved on January 14, 2006.
8. ^ Why were DJB's packages removed?. openbsd-ports mailing list. Retrieved on April 3, 2007.
9. ^ Internet Engineering Task Force Meeting log
10. ^ Problems in the Klensin smtpupd drafts D.J. Bernstein
11. ^ Asinine anti-spam mechanisms (June 1999). Retrieved on 2007-08-26. “mail thread on the Internet Engineering Task Force mailing list”
12. ^ Minutes of the IESG Teleconferences. Internet Engineering Steering Group (1996-06-06).
13. ^ MagicSMTPD. Retrieved on 2007-09-04.

Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... For other uses, see 5th October (Serbia). ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... For other uses, see 5th October (Serbia). ... Daniel Bernstein Daniel Julius Bernstein (sometimes known simply as djb; born October 29, 1971) is a professor at the University of Illinois at Chicago, a mathematician, a cryptologist, and a programmer. ... 1999 is a common year starting on Friday Anno Domini (or the Current Era), and was designated the International Year of Older Persons by the United Nations. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 238th day of the year (239th in leap years) in the Gregorian calendar. ... The Internet Engineering Task Force (IETF) develops and promotes Internet standards, cooperating closely with the W3C and ISO/IEC standard bodies; and dealing in particular with standards of the TCP/IP and Internet protocol suite. ... The Internet Engineering Steering Group is a body composed of the Internet Engineering Task Force Chair and Area Directors: Internet Area (int) Operations & Management Area (ops) Routing Area (rtg) Security Area (sec) Transport Area (tsv) Temporary Sub-IP Area (sub) and so on. ... Year 1996 (MCMXCVI) was a leap year starting on Monday (link will display full 1996 Gregorian calendar). ... is the 157th day of the year (158th in leap years) in the Gregorian calendar. ... Year 2007 (MMVII) is the current year, a common year starting on Monday of the Gregorian calendar and the AD/CE era in the 21st century. ... is the 247th day of the year (248th in leap years) in the Gregorian calendar. ...

See also

• qpsmtpd
• djbdns
• List of mail servers
• Comparison of mail servers

qpsmtpd is an SMTP daemon written in Perl. ... djbdns is a simple and secure DNS implementation created by Daniel J. Bernstein because he was fed up with repeated BIND security holes. ... This is a list of mail servers: mail transfer agents, mail delivery agents, and other computer software which provide e-mail services. ... It has been suggested that this article or section be merged with List of mail servers. ...

External links

• Official qmail website, maintained by the author
• Unofficial qmail website, maintained by Russ Nelson
• Life with qmail (aka LWQ) - a popular qmail manual
• Qmail-LDAP-UI - Qmail-LDAP-UI is a Web based User Administration tool
• netqmail - netqmail is qmail-1.03 plus minimal patches, and recommended by LWQ book. netqmail 1.05 released on February 2005.
• Mail Toaster - a complete qmail based email server
• QmailToaster - a popular rpm based qmail distribution
• qmail rocks, a qmail guide with additional addons
• Godshell qMail Toaster Wiki - a complete qmail based email server with plugin support
• pkgsrc qmail and qmail-run, a pair of easy-to-install cross-platform qmail source packages included in pkgsrc
• The qmail section of FAQTS, an extensive knowledgebase built by qmail users
• QmailWiki is a relatively new wiki about qmail, hosted by Inter7
• qmail-ldap patch build a high volume mailserver with qmail based on ldap-directories - and addresses several of the "problems" stated above ...
• Unofficial Qmail Bug and Wishlist
• Jonathan de Boyne Pollard. Some of what is said about qmail is wrong.. Frequently Given Answers. — Jonathan de Boyne Pollard's debunking of several myths relating to qmail
• Jonathan de Boyne Pollard. The known problems with Dan Bernstein's qmail. Frequently Given Answers. — Jonathan de Boyne Pollard's list of the several known problems in qmail
• vpopmail is a GPL software package that adds virtual domains and more to qmail. vpopmail 5.4.18 released on December 30, 2006.