Qmail

From Wikipedia, the free encyclopedia

The correct title of this article is qmail. The initial letter is shown capitalized due to technical restrictions.
qmail
Developer: Daniel J. Bernstein
Latest release: 1.03 /
OS: Unix-like
Use: Mail transfer agent
License: Licence-free software
Website: http://cr.yp.to/qmail.html

qmail is a mail transfer agent that runs on Unix. It was written by Daniel J. Bernstein as a more secure replacement for the popular Sendmail program. The author offered a $500 prize for the first person to publish a verifiable security hole in the latest version of the software. As of 2006, these rewards still stand, though Georgi Guninski claims a number of bugs are remotely exploitable.[1][2] Bernstein himself denies that Guninski's claim meets his qualifications.[3]

Qmail encourages the use of several innovations in mail (some originated by Bernstein, others not), including maildir format mailboxes for storing messages (mbox files are also supported, and encouragement to migrate is given along with a tool to convert mbox mailboxes to maildir mailboxes) and the QMTP and QMQP protocols.

Qmail's major competitors are Exim and Postfix. Unlike qmail's competitors, qmail has not been updated by the author for several years and users have instead come to rely on third party patches to support new functionality.

Qmail is nearly a completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the Qmail system with a different module as long as the new module retains the same interface as the original.

Contents

[edit] Copyright status

Qmail is license-free software, although permission is granted for distribution in source form or in pre-compiled form (a "var-qmail package") if certain restrictions are met. As a consequence, some Linux distributions will not install, and possibly not even include, qmail because by their rules they classify such software as "non-free".[4][5] Since other MTAs are commonly included in distributions, with their installation enforced by those distributions' package management systems, this may have negatively affected qmail's popularity. Nonetheless, qmail users point out that it is "free enough" for anyone to use; the source code is publicly available and open for inspection and modification by users; and the licensing issues haven't stopped a large number of feature-enhancing augmentations or several modified versions of qmail (namely netqmail, dqd, qmail-ldap and Debian's qmail-src package) from being published.

[edit] Controversy

There is some controversy among mail system operators over whether qmail is as standards-compliant as its author claims. Critics allege a number of variations from the SMTP standards, some of which they claim make qmail more vulnerable to certain kinds of abuse than other MTAs. Others counter many of these claims by pointing out that the standards are ambiguous, and in some cases are at variance with subsequent established best practice and thus unreasonable to be adopted by any mail software.

For example, critics comment on qmail's adoption of a different standard for bounce messages, QSBMF, to the one in RFC 1894. Others counter by pointing out that RFC 1894 has only been adopted by some mail systems, with other systems (just as qmail) employing different bounce message standards; and by asserting that the problem of widespread forgery of envelope senders and the trend in recent years towards single-hop transport have actually undermined the foundations of RFC 1894 and rendered many of its convolutions moot.

Another example of this controversy is that of the behaviour of the SMTP Relay server in qmail when it comes to mail addressed to non-existent mailboxes. Because of qmail's strong security partitioning between its SMTP Relay server and its local delivery agent (One consequence of this is that a spammer cannot enumerate user accounts by a dictionary attack, but this is not the sole reason for the strong security partitioning that runs the SMTP Relay server as a user without any special privileges and without the means to affect other user files and processes.), and because its local delivery agent allows users and administrators to employ "catch-all" wildcards and thus extend the range of valid mailbox name arbitrarily, qmail's SMTP Relay server has no direct knowledge of what local mailbox names are actually valid, and moreover not necessarily enough permissions to find out. As such, mail to non-existent mailboxes (whose domain parts are correct, of course) is accepted by qmail's SMTP Relay server, and qmail generates and sends bounce messages when the non-existent mailbox name is later detected, at the point of actual mailbox delivery.

Critics point out that qmail thus sends far more bounce messages than some other MTAs, which in contrast give their SMTP Relay servers direct access to and knowledge of local mailbox names and thus allow them to refuse mail addressed to non-existent mailboxes; and that spam or worm mail messages often employ the technique of sending messages to non-existent mailboxes on intermediary systems placing the actual target mailbox in envelope sender addresses, relying upon the ensuing bounce message from the intermediary to deliver the payload to the real target. Another point worth noting is that a large number of undeliverable messages and bounces tends to cause a qmail server to "overload" and for the mail queue to fill to the point that message delivery can be delayed for hours, effectively creating a Denial of Service attack vector.

Others counter this criticism by pointing out

  • that as long they support a user-specifiable "address extension" mechanism with wildcarding of some kind, even those other MTAs still have the same problem of mail that cannot be discovered to be undeliverable until after the SMTP Relay server has accepted it, and that thus this merely papers over the problem;
  • that there is a fundamental conflict between preventing this sort of spam and a secure flexible design, that one has no choice but to trade the one for the other, and that the range of six different patches available for modifying qmail's SMTP Relay server and their concomitant effects upon flexibility and security exemplify very well the different tradeoffs;

and

  • that critics don't support the abandonment of other advances in the state of the art where the same problem occurs (Just as running the SMTP Relay server without privileges was an advance in the state of the art driven by security holes that allowed attackers to compromise local user accounts, the "Delivered-To:" is an advance in the state of the art driven by the problem of mail loops amongst mailing lists resulting in explosions of mail. Yet spammers and worms can employ "Delivered-To:" headers to cause mail to be bounced at the point of actual delivery, and thus to send their payloads to targets as bounce messages sent by intermediaries.).

It is worth noting that since qmail is a modular system, adding a different SMTP daemon that supports valid user checks is quite easy to accomplish. One popular one is magic-smtpd from LinuxMagic that is available as either an open source or commercial package.

[edit] References

  1. ^ Georgi Guninski (2005-05-31). Georgi Guninski security advisory #74, 2005. Retrieved on September 23, 2005.
  2. ^ James Craig Burley (2005-05-31). My Take on Georgi Guninski's qmail Security Advisories.
  3. ^ Bernstein, D. J. "The qmail security guarantee." Accessed July 2006.
  4. ^ Debian qmail-run. Debian packages. Retrieved on January 14, 2006.
  5. ^ Debian var-qmail. Debian packages. Retrieved on January 14, 2006.

[edit] See also

[edit] External links