s/qmail
s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail, suited for high-speed and confidential email transport over IPv4 and IPv6 networks.
s/qmail preserves the Qmail ecosystem (my mirror) and ought to be a drop-in replacement for most sites.
s/qmail's mascot is the phoenix (SQRP).
Scope and History
While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.
The new start: s/qmail 3.x
After more than 20 years of Qmail's superior and uncompromised email delivery (since the launch of Qmail 1.01 in April 1997), s/qmail possesses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).
- s/qmail is available in Dan Bernstein's /package format, usually invoked by Daemontools.
- s/qmail provides TLS support based on the ucspi-ssl package.
- SMTP Authentication, Anti-Spam, and Anti-Virus features are supported out-of-the-box.
- Recipient and MAV capabilities, together with powerful filters for SMTP envelope addresses.
- Scalable and reliable mail delivery is guaranteed by means of QMQ.
- Native IPv6 support for all communication modules.
The s/qmail 'universe' is illustrated here:
A new foundation: s/qmail 4.x & fehQlibs
Now, s/qmail 4.x is available based on my fehQlibs providing a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, DNS BIND'ish remnants have been removed and replaced by the modern fehQlibs DNS stub resolver which was on DJB's todo list.
Communication and security features
- s/qmail uses D. J. Bernstein's 'C' coding principles entirely.
- Full IPv6 compliance: Allow specific IPv6 bindings to any IPv6 address (even LLU) for all servers and clients (qmail-smtpd, qmail-qmqtpd; qmail-remote, qmail-smtpam, qmail-qmqpc).
- Unlike the original version, qmail-remote works multi-tenant, thus supporting different domains and senders with particular sending attributes (e.g. IP addresses, authentication, certificates) as well as providing particular bounce delivery, together with QMTP and QMTPS client capabilities.
- Distributed queueing: n:1, 1:n n:m with qualified authentication and authorization (enhanced 'QMQ').
- TLS enabling of most servers and particular clients for SMTP and QMTP as well as POP3.
- Together with ucspi-ssl (0.12.x), s/qmail is TLS 1.3 [RFC 8446] capable, provided OpenSSL/LibreSSL is installed and the respective ucspissl.a lib is built on top of it.
- LibreSSL (up to 3.7) and OpenSSL (1.1/3.0) are already considered within ucspi-ssl.
- s/qmail allows 'opportunistic' as well as mandatory TLS encryption together with easy X.509 certificate pinning.
- qmail-remote is TLSA/DANE and finally RFC 1870 enabled.
- Compliance with John Levine's RFC 7505.
- SPF capabilities have been added for qmail-smtpd using Jana Saout's development (used by permission); of course with full IPv6 support.
- Conversely, SRS is natively supported with the modules srsforward and srsreverse used in a dot-qmail file.
- SMTPUTF8 [RFC 6532] together with International Domain Names (aka E-mail Address Internationalisation, EAI) is now supported by s/qmail, provided libidn2 is available.
- Conformance with the recent RFC 8314 ('Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access') even if former RFCs violated those principles.
- RFC 8314 'Implicit TLS' configurable for qmail-remote and qmail-smtpam.
- qmail-smtpd is now immune to ESMTP pipelining command injection and finally to Guninski's large alloc bug (report).
- Greylisting can be achieved using qmail-postgrey.
- DKIM signing with qmail-dksign and verification with qmail-dkverify for RSA or Ed25519 signatures, thus supporting RFC 6376 and RFC 8463.
- Hybrid DKIM signing and verification with both RSA SHA-256 and Ed25519 private and public keys is working now.
Protocol extension: QMTPS
The Quick Mail Transport Protocol (QMTP), an invention of Dan Bernstein, is a simple but fast host-to-host transparent email transport protocol with very little protocol overhead. It has been adopted by Postfix as well. A Net-QMTP Perl module is also available.
s/qmail additionally provides the TLS-secured protocol QMTPS to couple several s/qmail instances and distributed queues among different nodes. IANA has now assigned port 6209 for QMTPS.
Together with sslserver, s/qmail's implementation of QMTPS supports X.509 client certificates, enabling qmail-qmtpd to relay email based on valid certificates presented by qmail-remote.
Distributed Queueing
Based on SMTP, but preferably on QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, as is typically given in the case of a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).
Its light-weight design allows s/qmail nodes to be deployed rapidly in a Cloud based service domain.
Included packages
The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):
- A versatile, CRAM-enabled, checkpassword-compatible authentication PAM called qmail-authuser.
- The fastforward package is part of s/qmail.
- The qmailanalog package, adapted for s/qmail, together with tai64nfrac.
- An additional qmail-mrtg frontend evaluating TAI64N timestamps in s/qmail's logs (replacing my previous version of qmail-mrtg) for Tobias Oetiker's MRTG.
A working sample can be found for this site. If you miss something like qmail-queuefix or qmHandle, here it is: qmail-qmaint.
Supported Qmail packages
s/qmail provides full support for the following vanilla Qmail add-ons unaltered:
- Inter7's vpopmail
- Bruce Guenter's VMailMgr
- Dan Bernstein's ezmlm
- Fred Lindberg's and Bruce Guenter's ezmlm-idx
- procmail
- Andreas Aardal Hanssen's IMAP server BINC now available in version 2.0 here!
- Timo Sirainen's Dovecot (LDA)
Note 1: For those packages, TLS encryption and IPv6 capabilities for any data in flight are possible with s/qmail.
Note 2: s/qmail's Recipients extension is capable of understanding ezmlm's VERP addresses.
Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.
Note 4: Dovecot can be used as an Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.
My s/qmail extensions will work natively with Qmail:
- Newanalyse 2.x is tailored for s/qmail
- QMVC -- works, but the latest release (in particular recognizing IPv6 addresses) is under way.
Dependencies and installation of s/qmail
The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:
- Easy installation and maintenance by means of slashpackage.
- Compliance with 64-bit architecture and current 'C' standards.
- Drop-in replacement for Qmail (same interface, same API, same user accounts, same module names).
- Ready-to-use integration into daemontools.
- systemd support is provided as well.
Dependencies
For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux), starting with version 1.1.1, or a compatible LibreSSL implementation.
In particular, the following packages are recommended:
- Mandatory: fehQlibs: The common foundation.
- Mandatory: ucspi-ssl: Additional TLS libraries.
- Optional: ucspi-tcp6: cdb generation, module rblsmtpd.
- Optional: daemontools: providing supervise and TAI64N timestamps by multilog.
- Attention: In order to include EAI/UTF8 support, you need to install libidn2 together with its header file <idn2.h>.
Quick installation of s/qmail
s/qmail uses D.J.B's slashpackage convention for installing while trying to keep the standard Qmail installation essentially unaltered:
- Daemontools is installed and /service is working.
- ucspi-ssl is installed in default location.
- ucspi-tcp6 is installed.
- Untar the s/qmail tar file under /package.
- Move to /package/mail/sqmail/sqmail-V.R.F and do an initial package/install.
Note: The package/install step respects your current Qmail settings.
Upgrade to s/qmail from qmail (+ perhaps Spamcontrol)
s/qmail will preserve your current qmail installation entirely under the following circumstances:
- Install ucspi-ssl-XX and ucspi-tcp6-XX under /package.
- Untar s/qmail under /package and change to the install directory.
- Check and adjust the following conf-XX files (see below) to your existing qmail installation: conf-break, conf-cc, conf-ld, conf-home, and conf-split (the rest may stay unaltered).
- Execute:
- package/ucspissl
- package/compile
- package/legacy
- package/man
- Verify your settings:
- ./compile/qmail-showctl
- ./compile/ipmeprint (shows the additional IPv6 addresses)
- You need to take care of the new IPv6 addresses and your SSL environment and settings: change your run scripts and adjust the control files.
Configuration
s/qmail allows the main program (and its configuration files) and the queue to be placed at different locations in the file system. Thus you now have:
- conf-home -- home dir of s/qmail [/var/qmail]
- conf-queue -- high level location of the queue - may be different from conf-home [/var/qmail (/queue will be appended automatically)]
The (other) basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):
- conf-break -- the character for VERP addresses [-]
- conf-cc -- compiler (no change required)
- conf-delivery -- qmail-start default-delivery
- conf-groups*) -- s/qmail groups
- conf-idn2 -- customization path for IDN2 libraries
- conf-ids*) -- Unix ids for s/qmail
- conf-instances -- QMQ instances to be raised
- conf-ld -- loader options to be adjusted (for i386; AMD64 default, OmniOS needs particular setting)
- conf-log -- target dir of s/qmail logs [/var/log]
- conf-man -- target dir of man pages, usually automatically recognized
- conf-patrn -- s/qmail paternalism [002]
- conf-qmq -- QMQ environment settings
- conf-spawn -- silent concurrency limit [120]
- conf-split -- depth of s/qmail dirs [23]
- conf-svcdir -- supervise's directory [/service]
- conf-ucspissl -- path to UCSPI-SSL dirs
- conf-users*) -- user names
*) These files are coupled and need to be adjusted as one entity!
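When upgrading an existing qmail installation (the upgrade steps above), conf-split must match the split depth of the queue already on disk, otherwise the newly compiled binaries and the old queue/mess layout disagree. The following check is an added example, not part of s/qmail; it assumes conf-split holds one integer and that the queue directory contains the usual numbered mess/NN split directories.

```shell
#!/bin/sh
# Added example (not s/qmail code): sanity-check conf-split against an
# existing qmail queue before running package/compile on an upgrade.
# Assumes: conf-split holds a single integer; the queue directory has
# mess/0 .. mess/<split-1> as in a stock Qmail/s/qmail installation.
set -u

# Print the leading integer of a conf-XX file (first line only).
read_conf() {
    # $1 = path to conf-XX file
    sed -n '1s/^[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Count the numbered split directories under $1/mess.
count_split_dirs() {
    # $1 = queue directory containing mess/
    n=0
    for d in "$1"/mess/*; do
        [ -d "$d" ] || continue
        case "${d##*/}" in
            ''|*[!0-9]*) continue ;;   # ignore non-numeric entries
        esac
        n=$((n + 1))
    done
    echo "$n"
}

# Return 0 when conf-split matches the queue layout, 1 otherwise.
check_conf_split() {
    # $1 = conf-split file, $2 = queue directory
    want=$(read_conf "$1")
    have=$(count_split_dirs "$2")
    if [ -z "$want" ]; then
        echo "conf-split: no integer found in $1" >&2
        return 1
    fi
    if [ "$want" -ne "$have" ]; then
        echo "conf-split says $want but $2/mess has $have split dirs" >&2
        return 1
    fi
    echo "conf-split=$want matches queue at $2"
    return 0
}

# Stand-alone usage against a real installation (s/qmail default paths;
# V.R.F is the release you untarred):
#   check_conf_split /package/mail/sqmail/sqmail-V.R.F/conf-split /var/qmail/queue
```

Run it from the untarred package directory before package/compile; a mismatch means either conf-split or the queue location (conf-queue) needs correcting first.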
Step-by-step installation
For an individual step-by-step installation the following commands can be executed:
- package/dir -- sets up the directories
- package/ids -- sets up the s/qmail users
- package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl
- package/compile -- compiles the sources
- package/upgrade -- potentially does the upgrade
- package/legacy -- installs the binaries in the qmail directory
- package/man -- installs the man pages
- package/control -- populates the minimal required control files for running
- package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)
- package/service -- sets up the run script for daemontools' /service and additionally the logging
- package/scripts -- sets up optional, undocumented and unmaintained scripts
- package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module
Documentation
A concise documentation for s/qmail is close to final:
- A 's/qmail Big Picture' is available providing the default settings (run scripts) for most services.
- You may want to check the README and brief INSTALL documentation first.
- The 'official' s/qmail documentation is (however) still in progress.
- The set of man pages coming along with s/qmail has been converted into HTML and is accessible here.
- The standard LWQ documentation for Qmail is mostly still valid; except for the installation procedure of s/qmail (and its extensions of course).
s/qmail current release and download
Once you've checked the s/qmail requirements and complied with them, you are ready to go for download and installation.
Download
The current release(s) of s/qmail can be downloaded here:
Version & Download | Description | fehQlibs | Verification |
---|---|---|---|
sqmail-4.3.20 | The sixth 4.3 release is aiming for stability, compatibility, convenience and compliance. Stability: Significant reduction of Syscalls for qmail-remote, qmail-dksign and qmail-dkverify. Compatibility: Improved qmail-authuser (BincIMAP) and qmail-vmailuser. Convenience: The queue can be detached from the binary and configuration files. It also complies with modern 'C' compilers (GCC 14.2 and Clang 18.1; now with correct function signatures for 'token822'). Compliance: Arch, Debian, FreeBSD, OmniOS, OpenBSD, and OpenSuSE supporting their FSH layout. This version provides a fix for the very rare situation for DKIM signing messages with invalid 'From:' header. Improved compatibility with GCC 14.2 and POSIX-strict 'echo' implementations. Caveat: The qmail-ldapam is still not yet there (in usable form). Includes now experimental support for John Levine's RFC 7505 and small fixes for qmail-qstat and qmail-dkverify and now also for srsforward. | fehQlibs-25/26 | MD5: 6035c3b5be31742761a71d29a17d1338 Build: 20250116173953 |
sqmail-4.2.29a | The tenth 4.2 release allows now the usage of DKIM RSA and Ed25519 keys in parallel for signing and verification. While it uses refactored ALT-NT's libdkim C++ modules, it is deeply incorporated into s/qmail and provides multi-tenant signing. Ed25519 signatures are supported given the recent OpenSSL as well as LibreSSL versions. Its RECIPIENTS mechanism is enhanced to semi-automatically consider qmail-newu's cdb, which is now available as assign.cdb. Backported fixes for [20230922#1/4.3.01], [20230920#1/4.3.01], and [20230823#1/4.3.00] included. Includes fix for the potential qmail-smtpd AUTH misbehavior and updates the mkdkimkey.sh script. Includes small fix for misspelled prototype in smtpdlog.h. Additional fix included for control/domainips which erroneously adds a '\0' to the helohost greeting. Backported improved TLSA (TA) evaluation for qmail-remote from s/qmail 4.3. Improved robustness of DKIM signing considering erroneous keys and an unclean DKIM stage area. Included backported fixes for EHLO X-* announcements, assign.cdb evaluation by the Recipients extension, and a correct treatment of file ids in case of wrong DKIM keys. | fehQlibs-22/23 (a must for SPF!) | MD5: dcef0e6d9b1faadb3e913f0ed75b7188 Build: 20240226150615 |
sqmail-4.1.18e | The eleventh 4.1 release providing Greylisting capabilities by means of qmail-postgrey. This version is a backport from s/qmail-4.2. Additional trimming for qmail-remote's cafile and ciphers handling. qmail-remote is enhanced to support TLSA lookups and (PKIX-EE) automatic X.509 cert validation and (now with an additional CNAME lookup and finally) supporting RFC 1870 SIZE announcements for the remote MTA while correctly providing the parameters in the MAIL FROM command. qmail-remote is now enhanced to comply with RFC 8314 for 'implicit TLS' MTAs. Added module qmail-qmaint to check the queue sanity and to remove mails from here. TLSA evaluation is now complete and working seamlessly after further adjustments coping with various DNS server settings. Malfunctioning OpenSSL X509_pubkey_digest() calculation replaced. Backported fixes for [20230922#1/4.3.01], [20230920#1/4.3.01], and [20230823#1/4.3.00] included. | fehQlibs-20/fehQlibs-21 | MD5: c6a802a93d7854e2e8b305912e0f8063 Build: 20230924113858 |
sqmail-4.0.10a | The eighth 4.0 release now demanding fehQlibs while supporting natively SPF together now with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15 even some outstanding old CVEs are now fixed completely. This release *is* the last one in the 4.0 cycle. | fehQlibs-15 | MD5: a266b85355b48b58a2656273cf4af67d Build: 20230311180733 |
sqmail-3.3.25 | The fourteenth 3.3 (and backported from 3.4) release including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support while featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM; providing better compatibility with current versions of OpenSSL 1.1 and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd. | None. | MD5: 1182e3860f49a09595e61117ab3a8250 Build: 20200729153744 |
sqmail-3.2.19 | The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99). | None. | MD5: 8a4fd942c1a1271619b0696d934c401a Build: 220170408184513 |
sqmail-3.1.9 | This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers. | None. | MD5: cb4da2ca52a05fda6668850c1d41359f Build: 20160724111506 |
sqmail-3.0.2 | The third fully integrated release; don't use it/just for reference. | None. | MD5: 4045d0a85fe4857fcf9c118fcfa13d1f |
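The Verification column gives an MD5 per archive. As an added example (not part of s/qmail) the following POSIX shell function compares a downloaded archive against such a digest before it is untarred under /package; it assumes md5sum or openssl is installed, and the archive path in the usage comment is a placeholder. MD5 only catches a corrupted or truncated download: it is not collision-resistant, so it does not substitute for fetching the archive and the digest over a trusted channel.

```shell
#!/bin/sh
# Added example (not s/qmail code): verify a downloaded s/qmail archive
# against the MD5 listed in the Verification column before untarring it.
# Assumes either md5sum (coreutils) or the openssl CLI is available.
set -u

# Print the lowercase hex MD5 of file $1 and nothing else.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Compare file $1 with the expected digest $2 (case-insensitive).
# Returns 0 on match, 1 on mismatch; the mismatch message goes to stderr.
verify_archive() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    have=$(md5_of "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $1 matches $want"
        return 0
    fi
    echo "MISMATCH: $1 has $have, expected $want" >&2
    return 1
}

# Stand-alone usage for the current release; the digest is the one from the
# table above, the archive path is a placeholder for your download location:
#   verify_archive /path/to/sqmail-4.3.20-archive 6035c3b5be31742761a71d29a17d1338
```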
The code of the current release can be viewed in a doxygen archive.
Addendum
Two patches are currently available for s/qmail 4.1 and 4.2 which are incorporated into the last builds, but also can be applied to previous builds:
- mkdkimkey.sh version 0.48 script. You need to redefine the HOME variable.
- Fix for EXIST clause evaluating SPF records: spfdnsip.c.patch - prevents wrong SPF results for this case (only).
- Fix for BADMIMETYPE evaluation: qmail-smtpd.c.patch - for convenience only; otherwise simply use BADMIMETYPE=" " instead.
Additional packages
I also recommend using
- Newanalyse 2.x which allows long-haul logging and easy finding of delivered mails from the logs.
- Tobias Oetiker's MRTG to visualize s/qmail's logs together with qmail-mrtg.
Release Management & Defects
Naming conventions:
- Error: Implementation does not conform to reqs, e.g. something is missing.
- Bug: Coding mistake in source file(s).
- Flaw: Wrong/missing description in man-file or any attached documentation.
- RfC: Request for Change: Feature request.
Open defects:
Reference | Type | Description | State |
---|---|---|---|
[20170630#1] | RfC | Add flexible uid configuration. | Confirmed, pending |
[20200509#1] | RfC | Add qmail-ldapam for authentication. | Confirmed; an external package is required swallowing the code from s/qmail-4.3 (work in progress) |
[20200715#1] | RfC | VERP address should be automatically accepted by qmail-smtpd's recipient extension | Rejected; better to include those with an additional entry here. |
[20220324#1] | RfC | The RECIPIENTS mechanism does not support qmail-users's cdb | Done; starting with version 4.2 the cdb generated by qmail-newu will be consulted for valid recipients semi-automatically; however, the resulting cdb is renamed assign.cdb. |