Qmail

From TheBestLinks.com

The title given to this article is incorrect due to technical limitations. The correct title is qmail.

qmail (sometimes incorrectly written "Qmail") is a mail transfer agent that runs on Unix. It was written by Daniel J. Bernstein as a more secure replacement for the popular sendmail program. Only two minor bugs have been found in qmail since version 1.0, and there is an as yet unclaimed $500 prize (http://cr.yp.to/qmail/guarantee.html) for the first person to publish a verifiable security hole in the latest version of the software.

qmail encourages the use of several innovations in mail (some originated by Daniel J. Bernstein, others not), including maildir format mailboxes for storing messages (mbox files are also supported, and encouragement to migrate is given along with a tool to convert mbox mailboxes to maildir mailboxes) and the QMTP and QMQP protocols.

qmail's major competitors are Exim and Postfix.

Table of contents

1 Copyright 2 Controversy 3 See also 4 External link

Copyright

qmail is copyrighted by its author, and distributed as freeware. Although Bernstein distributes the source code, qmail does not meet the OSI's Open Source Definition or the FSF's Free Software Definition because 3rd party modifications are not allowed to be redistributed. Users are allowed to modify the software themselves, and to distribute patches to the qmail source, so despite these restrictions there are still a number of qmail variants available. Bernstein has a page on his website about software users' rights (http://cr.yp.to/softwarelaw.html) which explains his stance on the issue. Many people have pointed out that qmail's licensing ambiguity has probably had a negative impact on it's popularity, as it is not included in several Linux distributions because it is considered "non-free", and modifications they would make to it are not allowed.

Controversy

There is some controversy among mail system operators over whether qmail is as standards-compliant as its author claims. Critics allege a number of variations from the SMTP standards, some of which they claim make qmail more vulnerable to certain kinds of abuse than other MTAs. [1] (http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html) Others counter many of these claims by pointing out that the standards are ambiguous, and in some cases are at variance with subsequent established best practice and thus unreasonable to be adopted by any mail software.

For example, critics comment on qmail's adoption of a different standard for bounce messages, QSBMF, to the one in RFC 1894. Others counter by pointing out that RFC 1894 has only been adopted by some mail systems, with other systems (just as qmail) employing different bounce message standards; and by asserting that the problem of widespread forgery of envelope senders and the trend in recent years towards single-hop transport have actually undermined the foundations of RFC 1894 and rendered many of its convolutions moot.

Another example of this controversy is that of the behaviour of the SMTP Relay server in qmail when it comes to mail addressed to non-existent mailboxes. Because of qmail's strong security partitioning between its SMTP Relay server and its local delivery agent (One consequence of this is that a spammer cannot enumerate user accounts by a dictionary attack, but this is not the sole reason for the strong security partitioning that runs the SMTP Relay server as a user without any special privileges and without the means to affect other user files and processes.), and because its local delivery agent allows users and administrators to employ "catch-all" wildcards and thus extend the range of valid mailbox name arbitrarily, qmail's SMTP Relay server has no direct knowledge of what local mailbox names are actually valid, and moreover not necessarily enough permissions to find out. As such, mail to non-existent mailboxes (whose domain parts are correct, of course) is accepted by qmail's SMTP Relay server, and qmail generates and sends bounce messages when the non-existent mailbox name is later detected, at the point of actual mailbox delivery.

Critics point out that qmail thus sends far more bounce messages than some other MTAs, which in contrast give their SMTP Relay servers direct access to and knowledge of local mailbox names and thus allow them to refuse mail addressed to non-existent mailboxes; and that spam or worm mail messages often employ the technique of sending messages to non-existent mailboxes on intermediary systems placing the actual target mailbox in envelope sender addresses, relying upon the ensuing bounce message from the intermediary to deliver the payload to the real target.

Others counter this criticism by pointing out

• that as long they support a user-specifiable "address extension" mechanism with wildcarding of some kind, even those other MTAs still have the same problem of mail that cannot be discovered to be undeliverable until after the SMTP Relay server has accepted it, and that thus this merely papers over the problem;
• that there is a fundamental conflict between preventing this sort of spam and a secure flexible design, that one has no choice but to trade the one for the other, and that the range of six different patches available (http://www.faqts.com/knowledge_base/view.phtml/aid/29482/fid/206) for modifying qmail's SMTP Relay server and their concomitant effects upon flexibility and security exemplify very well the different tradeoffs;

and

• that critics don't support the abandonment of other advances in the state of the art where the same problem occurs (Just as running the SMTP Relay server without privileges was an advance in the state of the art driven by security holes that allowed attackers to compromise local user accounts, the "Delivered-To:" is an advance in the state of the art driven by the problem of mail loops amongst mailing lists resulting in explosions of mail. Yet spammers and worms can employ "Delivered-To:" headers to cause mail to be bounced at the point of actual delivery, and thus to send their payloads to targets as bounce messages sent by intermediaries.).

See also

• DJBDNS

External link

• Official website (http://cr.yp.to/qmail.html)
• Not official website (http://www.qmail.org)
• A guide to qmail (http://www.lifewithqmail.org)
• A qmail guide with additional addons (http://www.qmailrocks.org/)
• Jonathan de Boyne Pollard's debunking of several myths relating to qmail (http://homepages.tesco.net./~J.deBoynePollard/FGA/qmail-myths-dispelled.html)
• Jonathan de Boyne Pollard's list of the several known problems in qmail (http://homepages.tesco.net./~J.deBoynePollard/FGA/qmail-problems.html)

fr:Qmail ja:Qmail

Related links

---

Top visited 0 of 0 links

[no links posted yet]

>> place link >>

Discussion

Last posted 0 of 0 messages

[no messages posted yet]

>> post message >>

Watch

You can add this article to your own "watchlist" and receive e-mail notification about all changes in this page.