Consulting djbware Publications

s/qmail

s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail suited for high-speed and confidential email transport over IPv4 and IPv6 networks.

s/qmail preserves the Qmail ecosystem (my mirror) and ought to be a drop-in replacement for most sites.
s/qmail's mascot is the phoenix (SQRP).

Phoenix

Scope and History

While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.

The new start: s/qmail 3.x

After now more than 20 years of Qmail's superior and uncompromised email delivery (since the launch of Qmail 1.01 in April 1997), s/qmail possesses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).

The s/qmail 'universe' can be depicted from here:

Figure: The s/qmail 'Big Picture' (available as PDF)

A new foundation: s/qmail 4.x & fehQlibs

s/qmail 4.x is now available, based on my fehQlibs, which provide a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, the BIND-ish DNS remnants have been removed and replaced by the modern fehQlibs DNS stub resolver, which was on DJB's todo list.

Communication and security features

Note: DKIM is still under investigation.

Protocol extension: QMTPS

The Quick Mail Transport Protocol QMTP is an invention of Dan Bernstein: a simple but fast, transparent host-to-host email transport protocol with very little protocol overhead. It has been adopted by Postfix as well. A Net-QMTP Perl module is also available.

s/qmail additionally provides the TLS-secured protocol QMTPS to couple several s/qmail instances and to distribute queues among different nodes.
IANA has now assigned port 6209 to QMTPS.

s/qmail's implementation of QMTPS, together with sslserver's support for X.509 client certificates, enables qmail-qmtpd to relay email based on valid certificates presented by qmail-remote.
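As an added illustration of why QMTP carries so little overhead (this is example code, not part of s/qmail or of Dan Bernstein's implementation), the following encodes and decodes QMTP packages and server responses following my reading of qmtp.txt: everything is framed as netstrings, one package carries one message for any number of recipients, and the server answers one netstring per recipient. The addresses and message are constructed sample data.

```python
# Added example, not part of s/qmail: encode and decode QMTP packages as laid
# out in D. J. Bernstein's qmtp.txt. All framing is netstrings (<len>:<data>,),
# so one message for many recipients costs only a few length prefixes.

def netstring(data: bytes) -> bytes:
    """Encode data as a netstring."""
    return b"%d:%s," % (len(data), data)

def parse_netstring(buf: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Return (payload, position after the trailing comma); reject malformed input."""
    colon = buf.index(b":", pos)
    digits = buf[pos:colon]
    if not digits.isdigit() or (len(digits) > 1 and digits.startswith(b"0")):
        raise ValueError("bad netstring length")
    start, end = colon + 1, colon + 1 + int(digits)
    if end >= len(buf) or buf[end:end + 1] != b",":
        raise ValueError("netstring not terminated")
    return buf[start:end], end + 1

def qmtp_package(message: bytes, sender: bytes, recipients: list[bytes]) -> bytes:
    """Build one QMTP package: message, envelope sender, list of recipients.
    The message's first byte announces its line terminator: LF for bare-LF
    lines (used here), CR for CRLF lines."""
    rcpts = b"".join(netstring(r) for r in recipients)
    return netstring(b"\n" + message) + netstring(sender) + netstring(rcpts)

def parse_qmtp_package(buf: bytes) -> tuple[bytes, bytes, list[bytes]]:
    """Inverse of qmtp_package; strips the line-terminator marker byte."""
    body, pos = parse_netstring(buf, 0)
    if body[:1] not in (b"\n", b"\r"):
        raise ValueError("message must start with LF or CR")
    sender, pos = parse_netstring(buf, pos)
    rcpt_blob, pos = parse_netstring(buf, pos)
    recipients, rpos = [], 0
    while rpos < len(rcpt_blob):
        r, rpos = parse_netstring(rcpt_blob, rpos)
        recipients.append(r)
    return body[1:], sender, recipients

def parse_qmtp_response(buf: bytes, nrecipients: int) -> list[tuple[str, bytes]]:
    """The server answers one netstring per recipient; its first byte is
    K (accepted), Z (temporary failure) or D (permanent failure)."""
    results, pos = [], 0
    for _ in range(nrecipients):
        reply, pos = parse_netstring(buf, pos)
        if not reply or chr(reply[0]) not in "KZD":
            raise ValueError("bad QMTP response code")
        results.append((chr(reply[0]), reply[1:]))
    return results
```

With QMTPS the same byte stream simply travels inside a TLS session; the framing does not change.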

Distributed Queueing

Based on SMTP, but preferably on QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, as is typical for a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).

Figure: The s/qmail 'channels' and distributed queueing

Its light-weight design allows s/qmail nodes to be deployed rapidly in a Cloud-based service domain.

Included packages

The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):

Supported Qmail packages

s/qmail provides full support for the following vanilla Qmail add-ons unaltered:

Note 1: For those packages, TLS encryption and IPv6 capabilities for any data-in-flight are possible with s/qmail.
Note 2: s/qmail's Recipients extension is capable of understanding ezmlm's VERP addresses.
Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.
Note 4: Dovecot can be used as Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.

My s/qmail extensions will work natively with Qmail:

Dependencies and installation of s/qmail

The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:

https://xkcd.com/1654/

Dependencies

For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux).

In particular, the following packages are recommended:

Quick installation of s/qmail

s/qmail uses D.J.B.'s slashpackage convention for installation while trying to keep the standard Qmail installation essentially unaltered:

Note: The package/install step respects your current Qmail settings.

Upgrade to s/qmail from qmail (+ perhaps Spamcontrol)

s/qmail will preserve your current qmail installation entirely under the following circumstances:

Configuration

The basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):

*) These files are coupled and need to be adjusted as one entity!

https://xkcd.com/1770/

Step-by-step installation

For an individual step-by-step installation the following commands can be executed:

  1. package/dir -- sets up the directories
  2. package/ids -- sets up the s/qmail users
  3. package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl
  4. package/compile -- compiles the sources
  5. package/upgrade -- potentially does the upgrade
  6. package/legacy -- installs the binaries in the qmail directory
  7. package/man -- installs the man pages
  8. package/control -- populates the minimal required control files for running
  9. package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)
  10. package/service -- sets up the run script for daemontools' /service and additionally the logging
  11. package/scripts -- sets up optional, undocumented and unmaintained scripts
  12. package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module

Documentation

https://xkcd.com/1513/

A concise documentation for s/qmail is close to final:

s/qmail current release and download

Once you've checked the s/qmail requirements and complied with them, you are ready to go for download and installation.

Download

The current release(s) of s/qmail can be downloaded here:

Columns: Version & Download | Description | fehQlibs | Verification

sqmail-4.1.17
  Description: The tenth 4.1 release, providing Greylisting capabilities by means of qmail-postgrey. qmail-remote is enhanced to support TLSA lookups and (PKIX-EE) automatic X.509 cert validation and (now with an additional CNAME lookup and finally) supports RFC 1870 SIZE announcements for the remote MTA while correctly providing the parameters in the MAIL FROM command. qmail-remote is now enhanced to comply with RFC 8314 for 'implicit TLS' MTAs. Added module qmail-qmaint to check the queue sanity and to remove mails from it. TLSA evaluation is now complete and works seamlessly after further adjustments coping with various DNS server settings. The malfunctioning OpenSSL X509_pubkey_digest() calculation has been replaced.
  fehQlibs: fehQlibs-18/fehQlibs-19
  Verification: MD5 b8ed44fa07dafdb98c3d60b03d15e9ad; Build: 20220422100343

sqmail-4.0.10
  Description: The eighth 4.0 release, now requiring fehQlibs while natively supporting SPF together with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15, even some outstanding old CVEs are now fixed completely. This release *is* the last one in the 4.0 cycle.
  fehQlibs: fehQlibs-15
  Verification: MD5 d020c26eaae7f6a65db7135a4bbf8b32; Build: 20200920203533

sqmail-3.3.25
  Description: The fourteenth 3.3 release (backported from 3.4), including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support, featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM, providing better compatibility with current versions of OpenSSL 1.1, and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd.
  fehQlibs: None
  Verification: MD5 1182e3860f49a09595e61117ab3a8250; Build: 20200729153744

sqmail-3.2.19
  Description: The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99).
  fehQlibs: None
  Verification: MD5 8a4fd942c1a1271619b0696d934c401a; Build: 220170408184513

sqmail-3.1.9
  Description: This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers.
  fehQlibs: None
  Verification: MD5 cb4da2ca52a05fda6668850c1d41359f; Build: 20160724111506

sqmail-3.0.2
  Description: The third fully integrated release; don't use it, it is kept for reference only.
  fehQlibs: None
  Verification: MD5 4045d0a85fe4857fcf9c118fcfa13d1f

The code of the current release can be viewed in a doxygen archive.

Addendum

Additional packages

I also recommend to use

Release Management & Defects

Naming conventions:

Open defects:

Reference | Type | Description | State
[20170630#1] | Rfc | Add flexible uid configuration. | Confirmed, pending
[20200509#1] | Rfc | Add qmail-ldapam for authentication. | Confirmed; included in s/qmail-4.2 (work in progress)
[20200715#1] | Rfc | VERP addresses should be automatically accepted by qmail-smtpd's recipient extension. | Rejected; better to include those with an additional entry here.
[20220324#1] | Rfc | The RECIPIENTS mechanism does not support qmail-users' cdb. | Accepted; starting with version 4.2 the cdb generated by qmail-newu will be consulted for valid recipients semi-automatically.
https://xkcd.com/1700/

Mitre CVEs:

  1. [CVE-2020-15955] StartTLS command injection (closed in 4.0.08)
  2. [CVE-2005-1513] Integer overflow on 64 bit platforms (closed in 4.0.08)

Closed defects:

Note: The release number given after the defect number tells in which version of s/qmail this change was applied.

Release plan

s/qmail will be maintained and my release plan includes the following topics:

Tickets, Change Requests, communication

An EZMLM mailing list working together with s/qmail keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file

To subscribe use: s/qmail mailing list

I can't guarantee a certain response level; but reasonable issues will be answered.