s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail suited for high-speed and confidential email transport over IPv4 and IPv6 networks.
s/qmail preserves the Qmail ecosystem (my mirror)
and ought to be a drop-in replacement for most sites.
s/qmail's mascot is the phoenix (SQRP).
Scope and History
While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.
The new start: s/qmail 3.x
After now more then 20 years of Qmail's superior and uncompromised email delivery (since Qmail 1.01 launch in April 1997), s/qmail posses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).
- s/qmail is available in Dan Bernstein's /package format, usually invoked by Daemontools.
- s/qmail provides TLS support based on the ucspi-ssl package.
- SMTP Authentication, Anti-Spam, and Anti-Virus features are supported out-of-the-box.
- Recipient and MAV capabilities in addition with powerful filters for SMTP envelope addresses.
- Scalable and reliable mail delivery is guaranteed by means of QMQ.
- Native IPv6 support for all communication modules.
The s/qmail 'universe' can be depict from here:
A new foundation: s/qmail 4.x & fehQlibs
Now, s/qmail 4.x is available based on my fehQlibs providing a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, DNS BIND'ish remnants have been removed and replaced by the modern fehQlibs DNS stub resolver which was on DJB's todo list.
Communication and security features
- s/qmail uses D. J. Bernstein's 'C' coding principles entirely.
- Full IPv6 compliance: Allow specific IPv6 bindings to any IPv6 address (even LLU) for all servers and clients (qmail-smtpd, qmail-qmqtpd; qmail-remote, qmail-smtpam, qmail-qmqpc).
- Unlike the original version, qmail-remote works multi-tenant, thus supporting different domains and senders with particular sending attributes (e.g. IP addresses, authentication, certificates) as well as providing particular bounce delivery, together with QMTP and QMTPS client capabilities.
- Distributed queueing: n:1, 1:n n:m with qualified authentication and authorization (enhanced 'QMQ').
- TLS enabling of most servers and particular clients for SMTP and QMTP as well as POP3.
- Together with ucspi-ssl (0.12.x) s/qmail is TLS 1.3 [RFC 8446] capable, provided OpenSSL/LibreSSL is installed and the respective ucspissl.a lib is build on top of it.
- LibreSSL(3.1) and OpenSSL (1.1/3.0) are already considered within ucspi-ssl.
- s/qmail allows 'opportunistic' as well as mandatory TLS encryption together with easy X.509 certificate pinning.
- qmail-remote is TLSA/DANE and finally RFC 1850 enabled.
- Compliance with John Levin's RFC 7505.
- SPF capabilities have been added for qmail-smtpd using Jana Saout's development (used by permission); of course with full IPv6 support.
- Reversely, SRS is natively supported with the modules srsforward and srsreverse used in a dot-qmail file.
- SMPTUTF8 [RFC 6532] together with International Domain Names (aka E-mail Address Internationalisation - EAI ) is now supported by s/qmail provided the libidn2 is available.
- Conformance with the recent RFC 8314 ('Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access') even if former RFCs violated those principles.
- RFC 8314 'Implicit TLS' configurable for qmail-remote and qmail-smtpam.
- qmail-smtpd is now immune against ESMTP pipelining command injection and finally against Guninski's large alloc bug (report).
- Greylisting can be achieved using qmail-postgrey.
Note: DKIM is still under investigation.
Protocol extension: QMTPS
The Quick Mail Transport Protocol QMTP is an invention of Dan Bernstein and is a simple but fast host-to-host transparent email transport protocol, with very little protocol overhead. It has been adopted by Postfix as well. Also a Net-QMTP Perl module is available.
s/qmail provides additionally the TLS-secured protocol QMTPS
to couple several s/qmail instances and distributed queues among different nodes.
IANA has now assigned port 6209 for QMTPS.
Based on SMTP but rather preferably QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, typically given in case of a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).
Its light-weight design allows to deploy s/qmail nodes rapidly in a Cloud based service domain.
The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):
- A versatile, CRAM enabled checkpassword compatible authentication PAM called qmail-authuser.
- The fastforward package is part of s/qmail.
- Including the qmailanalog package suited for s/qmail together with tai64nfrac.
- Additional qmail-mrtg frontend evaluating TAI64N timestamps in s/qmail's logs
(and replacing my previous version of qmail-mrtg)
for Tobias Oetiker's MRTG.
A working sample can be found for this site.
- If you miss something like qmail-queuefix or qmHandle here it is: qmail-qmaint.
Supported Qmail packages
s/qmail provides full support for the following vanilla Qmail add-ons unaltered:
- Inter7's vpopmail
- Bruce Guenter's VMailMgr
- Dan Bernstein's ezmlm
- Fred Lindbergs' and Bruce Guenter's's ezmlm-idx
- Andreas Aardal Hanssen's IMAP server BINC (Note: An up-to-date version is under development)
- Timo Sirainen's Dovecot (LDA)
Note 1: For those packages TLS encryption and
IPv6 capabilities for any data-in-flight is possible with s/qmail.
Note 2: s/qmail Recipients extension is capable to understand ezmlm's VERP addresses.
Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.
Note 4: Dovecot can be used as Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.
My s/qmail extensions will work natively with Qmail:
- Newanalyse 2.x is tailored for s/qmail
- QMVC -- is working but the latetest release (in particular recognizing IPv6 addresses) is under way.
Dependencies and installation of s/qmail
The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:
- Easy installation and maintenance by means of slashpackage.
- Compliance with 64-bit architecture and current 'C' standards.
- Drop-in replacement for Qmail (same interface; same API), same user accounts; same module names.
- Ready-to-use integration into daemontools.
- systemd support is provided as well.
For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux).
In particular, the following packages are recommended:
- Mandatory: fehQlibs: The common foundation.
- Mandatory: ucspi-ssl: Additional TLS libraries.
- Optional: ucspi-tcp6: cdb generation, module rblsmtpd.
- Optional: daemontools: providing supervise and TAI64N timestamps by multilog.
- Attention: In order to include EIA/UTF8 support, you need to install the libidn2 together with the header file <idn2.h>.
Quick installation of s/qmail
s/qmail uses D.J.B's slashpackage convention for installing while trying to keep the standard Qmail installation essentially unaltered:
- Daemontools is installed and /service is working.
- ucspi-ssl is installed in default location.
- ucspi-tcp6 is installed.
- Untar the s/qmail tar file under '/package'
- Move to /package/mail/sqmail/sqmail-V.R.F and
- do an initial: package/install.
Note: The package/install step respects your current Qmail settings.
Upgrade to s/qmail from qmail (+ perhaps Spamcontrol)
s/qmail will preserve your current qmail installation entirely under the following circumstances:
- Install ucspi-ssl-XX and ucspi-tcp6-XX under /package.
- Untar s/qmail under /package and change to the install directory.
- Check and adjust the following conf-XX files (see below) to your
existing qmail installation:
conf-break, conf-cc, conf-ld, conf-home, and conf-split (the rest may stay unaltered).
- ./compile/ipmeprint (you see the additional IPv6 addresses)
The basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):
- conf-break -- the character for VERP addresses [-]
- conf-cc -- compiler (no change required)
- conf-delivery -- qmail-start default-delivery
- conf-groups*) -- s/qmail groups
- conf-home -- home dir of s/qmail [/var/qmail]
- conf-idn2 -- customization path for IDN2 libraries
- conf-ids*) -- Unix ids for s/qmail
- conf-instances -- QMQ instances to be raised
- conf-ld -- loader options to be adjusted (for i386; AMD64 default)
- conf-log -- target dir of s/qmail logs [/var/log]
- conf-man -- target dir of man pages, usually automatically recognized
- conf-patrn -- s/qmail paternalism 
- conf-qmq -- QMQ environment settings
- conf-spawn -- silent concurrency limit 
- conf-split -- depth of s/qmail dirs 
- conf-svcdir -- supervise's directory [/service]
- conf-ucspissl -- path to UCSPI-SSL dirs
- conf-users*) -- user names
*) These files are coupled and need to be adjusted as one entity!
The basic s/qmail configuration is done by means of conf-XX
For an individual step-by-step installation the following commands can be executed:
- package/dir -- sets up the directories
- package/ids -- sets up the s/qmail users
- package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl
- package/compile -- compiles the sources
- package/upgrade -- potentially does the upgrade
- package/legacy -- installs the binaries in the qmail directory
- package/man -- installes the man pages
- package/control -- populates the mininmal required control files for running
- package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)
- package/service -- sets up the run script for daemontools' /service and additionally the logging
- package/scripts setup optional, undocumented and unmaintained scripts
- package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module
A concise documentation for s/qmail is close to be final:
- A 's/qmail Big Picture' is available providing the default settings (run scripts) for most services.
- You may want to check the README and brief INSTALL documentation first.
- The 'official' s/qmail documentation is (however) still in progress.
- The set of man-pages coming along with s/qmail have been converted into HTML and are accessible here.
- The standard LWQ documentation for Qmail is mostly still valid; except for the installation procedure of s/qmail (and its extensions of course).
s/qmail current release and download
Once you've checked the s/qmail requirements and complied to those, you are ready to go for download and installation.
The current release(s) of s/qmail can be downloaded here:
|Version & Download||Description||fehQlibs||Verification|
|sqmail-4.1.17|| The tenth 4.1 release providing
Greylisting capabilities by means of qmail-postgrey.
qmail-remote is enhanced to support TLSA lookups and (PKIX-EE) automatic X.509 cert validation and (now with an additional CNAME lookup and finally) supporting RFC 1870 SIZE announcements for the remote MTA while correctly provide the parameters in the MAIL FROM command. qmail-remote is now enhanced to comply with RFC 8314 for 'implicit TLS' MTAs.
Added module qmail-qmaint to check the queue sanity and to remove mails from here.
TLSA evaluation now complete and working seamlessly after further adjustments coping with various DNS server settings. Malfunctioning OpenSSL X509_pubkey_digest() calculation replaced.
|sqmail-4.0.10||The eighth 4.0 release now requriering fehQlibs while supporting natively SPF together now with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15 even some outstanding old CVE's are now fixed completely. This release *is* the last one in the 4.0 cycle.||fehQlibs-15|| MD5: d020c26eaae7f6a65db7135a4bbf8b32
|sqmail-3.3.25||The fourteenth 3.3 (and backported from 3.4) release including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support while featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM; providing better compatibility with current versions of OpenSSL 1.1 and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd.||None.|| MD5: 1182e3860f49a09595e61117ab3a8250
|sqmail-3.2.19||The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99).||None.||MD5: 8a4fd942c1a1271619b0696d934c401a
|sqmail-3.1.9||This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers.||None.|| MD5: cb4da2ca52a05fda6668850c1d41359f
|sqmail-3.0.2||The third fully integrated release; don't use it/just for reference.||None.||MD5: 4045d0a85fe4857fcf9c118fcfa13d1f|
The code of the current release can be viewed in a doxygen archive.
- A bug in version 4.7.2 of the gcc C-compiler is apparent and making qmail-smtpd abend. To circumvent this issue, modify conf-cc and replace -O2 with -O0. Reinstall s/qmail going to compile and call ./install. Otherwise, remove the compile dir and call package/install.
- Hotfix: Please apply the fix [20170626#1/3.3.6] to versions prior of 3.3.
I also recommend to use
- Newanalyse 2.x which allows long-haul logging and easy finding of delivered mails from the logs.
- Tobias Oetiker's MRTG to visualize s/qmail's logs together with qmail-mrtg.
Release Management & Defects
- Error: Implementation does not conform to reqs, e.g. something is missing.
- Bug: Coding mistake in source file(s).
- Flaw: Wrong/missing description in man-file or any attached documentation.
- RfC: Request for Change: Feature request.
|[20170630#1]||Rfc||Add flexible uid configuration.||Confirmed, pending|
|[20200509#1]||Rfc||Add qmail-ldapam for authentication.||Confirmed; included in s/qmail-4.2 (work in progress)|
|[20200715#1]||Rfc||VERP address should be automatically accepted by qmail-smtpd's recipient extension||Rejected; better to include those with an additional entry here.|
|[20220324#1]||Rfc||The RECIPIENTS mechanism does not support qmail-users's cdb||Accepted; starting with version 4.2 the cdb generated by qmail-newu will be consulted for valid recipients semi-automatically.|
- [CVE-2020-15955] StartTLS command injection (closed in 4.0.08)
- [CVE-2005-1513] Integer overflow on 64 bit platforms (closed in 4.0.08)
- [20220315#1/4.1.16] qmail-remote fails to bind IPv4 address in case it is given in localip.
- [20220329#1/4.1.16] qmail-remote erratic logging of 'greylisting'.
- [20220225#1/4.1.14] qmail-remote shows up wrong 'Greylisting' infomation in log.
- [20211218#1/4.1.13] qmail-remote conforms to RFC 6698 PKIX-EE certificate verification for TLSA. [20211021#1/4.1.12] qmail-remote TLSA checking working again correctly.
- [20210824#1/4.1.11] Fixed qmail-smtpam segfaults on call.
- [20210818#1/4.1.11] qmail-vmailuser is unable to validate vpopmail's Mailboxes.
- [20210801#1/4.1.10] Fixed wrong SIZE evaluation for QMTP sending within qmail-remote.
- [20210622#1/4.1.09] Fixed wrong SIZE and UTF8 announcement for qmail-remote together with an incomplete TLSA record checking.
- [Flaw:20210212#1/4.1.08] Removed hardcoded domain name 'spf.pobox.com' in SPF default expansion.
- [20120312#1/4.1.08] Using both qmail-smtpd's badmailfrom and badrcptto may interfere and reject mails erroneously.
- [Flaw:20201112#1/4.1.08] qmail-remote's smtproutes allows now binding to specific local IP address.
- [Flaw:20210213#1/4.1.08] qmail-remote's smtproutes are not authenticating.
- [20201123#1/4.1.08] Binding problem to IPv4 addresses for qmail-remote resolved.
- [20200724#1/4.0.10] Compatibility with GCC 10 is finally provided now.
- [20200724#1/4.0.08] Fixes for qmail-smtpd to cope with CVE-2011-0411 (ESMTP pipelining command injection).
- [20200713#1/4.0.08] Fixes for qmail-vmailuser not respecting vpopmail's home directory.
- [20200509#1/4.0.08] Fixes for qmail-smtpd to cope with CVE 2005-1513 (Guninski alloc bug report) and solved via fehQlibs-15.
- [20200514#1/4.0.07] Fixes for qmail-smtpd considering other DNS TXT as none-existing SPF records (and potentially rejecting connections).
- [20200423#1/4.0.06] qmail-smtpd may segfault while evalutating SPF records from Google.
- [20200410#1/4.0.05] qmail-remote and qmail-smtpam is not SMTP-UTF8 enabled by default (and now without compiler flag).
- [20200408#1/4.0.05] qmail-remote has wrong mangling of RCPT TO: addresses in case of a CNAME.
- [20200303#1/4.0.04] qmail-smtpd may segfault for mails with more than one RCPT TO:.
- [20200227#1/4.0.02] Added SRS capabilities with the modules srsforward and srsreverse.
- [20190116#1/4.0.00] qmail-remote fails to authenticate to some servers fixed.
- [20191216#1/3.3.25] qmail-smtpd segfaults in case SPF is set and no HELO/EHLO greeting is received. Workaround for previous version: Set HELOCHECK="!".
- [20190801#1/3.3.24] Cipher setting for qmail-remote reworked.
- [20180617#1/3.3.23] Integration bug in SPF evaluation for qmail-smtpd fixed.
- [20180928#1/3.3.22] Error in qmail-smtpd not requiring strict TLS during SMTP Auth, even if requested.
- [20180829#1/3.3.22] Crash of qmail-remote if domain in control/domaincerts is included as '*' (tx. Oleg).
- [20180618#1/3.3.21] Error in qmail-smtpam not reading control/tlsdestinations (tx. U.H.).
- [20180618#1/3.3.20] Bug in qmail-remote not handling '...|domain' correctly, if given in control/tlsdestinations (tx. J.W.).
- [20180305#1/3.3.19] Fix for qmail-remote in case control/domaincerts is not correctly populated (tx. J.C.B.).
- [20171103#1/3.3.17] WONTFIX -- broken gcc 4.7.2 compiler needs to have '-O0' in conf-cc.
- [20171029#1/3.3.15] Fix for wrong evaluation of qmail-remote 'tlsdestinations'.
- [20171027#1/3.3.14] Fix for Arch Linux OpenSSL 1.1.0f.
- [20170817#1/3.3.13] Two small bugs (fixed) related to SMTPTUF8 in qmail-remote and a tiny one in qmail-smtpd, where the first may impact sending SMTPUTF8 mails.
- [20170813#1/3.3.12] Bug: qmail-remote does not evaluate control/tlsdestinations correctly for a given FQDN.
- [20170812#1/3.3.11] Error: qmail-smtpd rejects bounces, Out-of-office Replies, and Caller Verification with 'Mail From:
- ' in case MFDNSCHECK is enabled (introduced in version s/qmail 3.2.19).
- [20170714#1/3.3.10] Error: Wrong call of qmail-authuser for Dovecot Auth.
- [20170630#1/3.3.6] Bug: Wrong parsing and display of (some) compactified IPv6 addresses.
- [20170626#1/3.3.6] Bug: qmail-remote TLS bug
and potential abend if tlsdestinations or domaincerts
includes a line like -: or *:.
Fix: Download and install tls_remote.c as replacement for all versions s/qmai < 3.3.
- [20170405#1/3.3.6] Rfc: Using Dovecot-auth as backend for qmail-smtpd authentication.
- [20170625#1/3.3.5] Bug: Wrong IP addresss display in qmail-remote log if lowest MX is IPv6 and connection is IPv4.
- [20170307#1/3.2.19] Bug: Wrong behavior of qmail-smtpd's badmailfrom due to wrong nesting.
- [20170224#1/3.2.18] (Error) Badmailfrom check in qmail-smtpd fails for 'extended' addresses.
- [20170109#1/any] OpenSSL 1.1 compatibility added with ucspi-ssl-0.99.
- [20161004#1/3.2.16] Recipient PAMs for vpopmail and vmailmgr included.
- [20161001#1/3.2.15] (OpenBSD) qmail-remote TLS abend resolved.
- [20161001#1/3.2.13] (OpenBSD) Segfault in fastforward solved.
- [20160712#1/3.1.9] Bug in qmail-send not releasing FDs for bounces, in case bouncemaxbytes is undefined/0.
- [20160615#1/3.1.8] Bug in qmail-smtpd not to return exceeding 'databyte' limits.
Client (eg. qmail-remote) might hang; thus never ending SMTP transaction.
- [20160527#1/3.1.7] RfC to cope with OpenBSD's missing 'pw' within package/ids.
- [20160514#2/3.1.7] Bug in qmail-smtpd's badmailfrom '?' evaluation (wrong RC).
- [20160514#1/3.1.7] Bug in qmail-smtpd's address parser; abending if 'Mail From: <.. @[...]>' (in particular double bounces).
- [20160414#1/3.1.6] RfC hook for File Descriptor > 1024.
- [20160428#1/3.0.4] Strict Auth error in qmail-smtpd.
- [20160131#1/3.0.1] Error in qmail-smtpd's RSET behaviour (RFC 5321).
- [20160110#1/3.0.0] Bug in some package/XX scripts due to missing 'eval' statement (i.e. sslenv).
- [20160108#1/3.0.0] Error in qmail-remote not recognizing 'fast' 5xy rejection issued upon SMTP greeting.
- [20160106#1/3.0.0] Bug in skeleton script run_qmqpd. Wrong binary referenced.
- [Since last public beta/2.6.06] Bug in qmail-tcpto displaying wrong information.
Bug in qmail-mrtg -2 shows only one output value (while MRTG expects two).
Note: The given release number following the defect number tells, in which version of s/qmail this change was applied.
s/qmail will be maintained and my release plan includes the following topics:
Version 3.0 is the first complete release(done).
- Version 3.1 will be used for additional enhancements (done).
- Version 3.2 includes SPF capabilities and LibreSSL as well OpenSSL 1.1 hooks have been added within ucspi-ssl 0.99 (done).
- Version 3.3 is scheduled for performance enhancements (EXTTODO; done).
- Version 3.4 is forseen for integrating
DJBDNSCurve6fehQlibs and adding SRS capabilities (done as 4.0).
Version 3.5 ... let's see: DANE support? ... and probably DKIM as well.
- Version 4.0 uses fehQlibs and thus its DNS stub resolver routines (done).
- Version 4.1 shall provide
a DKIM API(posponed to furthcoming version) and perhaps DANE support (done).
- Version 4.2 is forseen to support DKIM (both sending and receiving) together with qmail-ldapam.
- Version 4.3 could try to use SMTP pipeling in qmail-remote (desperately missing).
- Version 5.0 UUID identifier for files in the queue?
Tickets, Change Requests, communication
An EZMLM mailing list working together with s/qmail keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file
- Defects (bug reports) and
- Change Requests (enhancements).
To inscribe use: s/qmail mailing list
I can't guarantee a certain response level; but reasonable issues will be answered.