s/qmail

s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail suited for high-speed and confidential email transport over IPv4 and IPv6 networks.

s/qmail preserves the Qmail ecosystem (my mirror) and ought to be a drop-in replacement for most sites.

s/qmail's mascot is the phoenix (SQRP).

While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.

The new start: s/qmail 3.x

After 20 years now of Qmail's superior and uncompromised email delivery (since the Qmail 1.01 launch in April 1997), s/qmail possesses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).

s/qmail is available in Dan Bernstein's /package format, usually invoked by Daemontools.

s/qmail provides TLS support based on the ucspi-ssl package.

SMTP Authentication, Anti-Spam, and Anti-Virus features are supported out-of-the-box.

Recipient and MAV capabilities in addition with powerful filters for SMTP envelope addresses.

Scalable and reliable mail delivery is guaranteed by means of QMQ.

Native IPv6 support for all communication modules.

The s/qmail 'universe' is depicted here:

Figure: The s/qmail 'Big Picture' (available as PDF)

A new foundation: s/qmail 4.x & fehQlibs

Now, s/qmail 4.x is available based on my fehQlibs providing a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, DNS BIND'ish remnants have been removed and replaced by the modern fehQlibs DNS stub resolver which was on DJB's todo list.

Note: DKIM is still under investigation.

The Quick Mail Transport Protocol QMTP is an invention of Dan Bernstein and is a simple but fast host-to-host transparent email transport protocol, with very little protocol overhead. It has been adopted by Postfix as well. Also a Net-QMTP Perl module is available.
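
The QMTP exchange described above, as an added example that is not part of the original page or of s/qmail's code: it builds the client package and decodes the per-recipient responses using the netstring framing from Dan Bernstein's QMTP specification. The function names, addresses and message text are constructed for illustration.

```python
from __future__ import annotations

# Added example: QMTP framing per D. J. Bernstein's QMTP specification.
# Function names and all sample addresses/messages are constructed.

MAX_LEN_DIGITS = 9  # refuse absurd length prefixes before parsing them

STATUS = {b"K": "accepted", b"Z": "temporary failure", b"D": "permanent failure"}


def netstring(data: bytes) -> bytes:
    """Encode bytes as a netstring: <decimal length>:<data>,"""
    return str(len(data)).encode("ascii") + b":" + data + b","


def read_netstring(buf: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Decode one netstring at pos; return (payload, position after it)."""
    colon = buf.find(b":", pos, pos + MAX_LEN_DIGITS + 1)
    if colon == -1:
        raise ValueError("missing or oversized length prefix")
    digits = buf[pos:colon]
    # Empty, non-decimal and zero-padded lengths (b"05") are all malformed.
    if not digits.isdigit() or (len(digits) > 1 and digits.startswith(b"0")):
        raise ValueError("malformed length prefix")
    end = colon + 1 + int(digits)
    # A truncated payload or a missing trailing comma fails this check.
    if buf[end:end + 1] != b",":
        raise ValueError("truncated netstring or missing ','")
    return buf[colon + 1:end], end + 1


def qmtp_package(message: bytes, sender: bytes, recipients: list[bytes]) -> bytes:
    """Build the package a QMTP client sends for one message."""
    # A leading byte 10 (LF) announces LF-terminated lines in the message.
    body = b"\n" + message
    rcpts = b"".join(netstring(r) for r in recipients)
    return netstring(body) + netstring(sender) + netstring(rcpts)


def parse_responses(data: bytes, n_recipients: int) -> list[tuple[str, str]]:
    """Decode the server's answer: one netstring per recipient, in order."""
    results, pos = [], 0
    for _ in range(n_recipients):
        payload, pos = read_netstring(data, pos)
        code = payload[:1]
        if code not in STATUS:
            raise ValueError("unknown QMTP status byte")
        results.append((STATUS[code], payload[1:].decode("utf-8", "replace")))
    return results


if __name__ == "__main__":
    pkg = qmtp_package(b"Subject: hi\n\nbody\n", b"alice@example.org",
                       [b"bob@example.net", b"carol@example.net"])
    print(pkg)
    print(parse_responses(b"9:Kqueued 1,13:Zmailbox busy,", 2))
```

The whole envelope and message cost three length prefixes and one status byte per recipient, which is the "very little protocol overhead" in practice.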

s/qmail provides additionally the TLS-secured protocol QMTPS to couple several s/qmail instances and distributed queues among different nodes.

IANA has now assigned port 6209 for QMTPS.

s/qmail's implementation of QMTPS, together with sslserver, supports X.509 client certificates; this enables qmail-qmtpd to relay email based on valid certificates used by qmail-remote.

Based on SMTP but rather preferably QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, typically given in case of a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).

Figure: The s/qmail 'channels' and distributed queueing

Its light-weight design allows s/qmail nodes to be deployed rapidly in a Cloud-based service domain.

The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):

A versatile, CRAM enabled checkpassword compatible authentication PAM called qmail-authuser.

The fastforward package is part of s/qmail.

Including the qmailanalog package suited for s/qmail together with tai64nfrac.

Additional qmail-mrtg frontend evaluating TAI64N timestamps in s/qmail's logs (and replacing my previous version of qmail-mrtg) for Tobias Oetiker's MRTG.

A working sample can be found for this site.

s/qmail provides full support for the following vanilla Qmail add-ons unaltered:

Inter7's vpopmail

Bruce Guenter's VMailMgr

Dan Bernstein's ezmlm

Fred Lindberg's and Bruce Guenter's ezmlm-idx

procmail

Andreas Aardal Hanssen's IMAP server BINC (Note: An up-to-date version is under development)

Timo Sirainen's Dovecot (LDA)

Note 1: For those packages, TLS encryption and IPv6 capability for any data in flight are possible with s/qmail.

Note 2: The s/qmail Recipients extension is capable of understanding ezmlm's VERP addresses.

Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.

Note 4: Dovecot can be used as an Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.

My s/qmail extensions will work natively with Qmail:

Newanalyse 2.x is tailored for s/qmail

QMVC -- is working, but the latest release (in particular recognizing IPv6 addresses) is under way.

The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:

Easy installation and maintenance by means of slashpackage.

Compliance with 64-bit architecture and current 'C' standards.

Drop-in replacement for Qmail (same interface; same API), same user accounts; same module names.

Ready-to-use integration into daemontools.

systemd support is provided as well.

For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux).

In particular, the following packages are recommended:

Mandatory: fehQlibs: The common foundation.

Mandatory: ucspi-ssl: Additional TLS libraries.

Optional: ucspi-tcp6: cdb generation, module rblsmtpd.

Optional: daemontools: providing supervise and TAI64N timestamps by multilog.

Attention: In order to include EAI/UTF8 support, you need to install libidn2 together with the header file <idn2.h>.

s/qmail uses D.J.B's slashpackage convention for installing while trying to keep the standard Qmail installation essentially unaltered:

Daemontools is installed and /service is working.

ucspi-ssl is installed in default location.

ucspi-tcp6 is installed.

Untar the s/qmail tar file under '/package'

Move to /package/mail/sqmail/sqmail-V.R.F and

do an initial: package/install.

Note: The package/install step respects your current Qmail settings.

s/qmail will preserve your current qmail installation entirely under the following circumstances:

Install ucspi-ssl-XX and ucspi-tcp6-XX under /package.

Untar s/qmail under /package and change to the install directory.

Check and adjust the following conf-XX files (see below) to your existing qmail installation: conf-break, conf-cc, conf-ld, conf-home, and conf-split (the rest may stay unaltered).

Execute:

package/ucspissl
package/compile
package/legacy
packag/sqmail/man

Verify your setting:

./compile/qmail-showctl

./compile/ipmeprint (you see the additional IPv6 addresses)

You need to take care of the new IPv6 addresses and your SSL environment and settings, change your run scripts, and adjust the control files.

The basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):

conf-break -- the character for VERP addresses [-]

conf-cc -- compiler (no change required)

conf-delivery -- qmail-start default-delivery

conf-groups *) -- s/qmail groups

conf-home -- home dir of s/qmail [/var/qmail]

conf-idn2 -- customization path for IDN2 libraries

conf-ids *) -- Unix ids for s/qmail

conf-instances -- QMQ instances to be raised

conf-ld -- loader options to be adjusted (for i386; AMD64 default)

conf-log -- target dir of s/qmail logs [/var/log]

conf-man -- target dir of man pages, usually automatically recognized

conf-patrn -- s/qmail paternalism [002]

conf-qmq -- QMQ environment settings

conf-spawn -- silent concurrency limit [120]

conf-split -- depth of s/qmail dirs [23]

conf-svcdir -- supervise's directory [/service]

conf-ucspissl -- path to UCSPI-SSL dirs

conf-users *) -- user names

*) These files are coupled and need to be adjusted as one entity!


For an individual step-by-step installation the following commands can be executed:

package/dir -- sets up the directories

package/ids -- sets up the s/qmail users

package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl

package/compile -- compiles the sources

package/upgrade -- potentially does the upgrade

package/legacy -- installs the binaries in the qmail directory

packag/sqmail/man -- installs the man pages

package/control -- populates the minimal required control files for running

package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)

package/service -- sets up the run script for daemontools' /service and additionally the logging

package/scripts -- sets up optional, undocumented and unmaintained scripts

package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module

A concise documentation for s/qmail is close to being final:

A 's/qmail Big Picture' is available providing the default settings (run scripts) for most services.

You may want to check the README and brief INSTALL documentation first.

The 'official' s/qmail documentation is (however) still in progress.

The set of man-pages coming along with s/qmail has been converted into HTML and is accessible here.

The standard LWQ documentation for Qmail is mostly still valid, except for the installation procedure of s/qmail (and its extensions of course).

Once you've checked the s/qmail requirements and complied with those, you are ready to go for download and installation.

The current release(s) of s/qmail can be downloaded here:

Version & Download: sqmail-4.0.09
Description: The seventh 4.0 release based on fehQlibs supporting natively SPF together now with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15 even some outstanding old CVEs are now fixed completely. This release is expected to be the last one in the 4.0 cycle.
Verification: MD5: b3f60388022cd048f8f823b85b0e5379; Build: 20200827115233

Version & Download: sqmail-3.3.25
Description: The fourteenth 3.3 (and backported from 3.4) release including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support while featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM; providing better compatibility with current versions of OpenSSL 1.1 and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd.
Verification: MD5: 1182e3860f49a09595e61117ab3a8250; Build: 20200729153744

Version & Download: sqmail-3.2.19
Description: The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99).
Verification: MD5: 8a4fd942c1a1271619b0696d934c401a; Build: 220170408184513

Version & Download: sqmail-3.1.9
Description: This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers.
Verification: MD5: cb4da2ca52a05fda6668850c1d41359f; Build: 20160724111506

Version & Download: sqmail-3.0.2
Description: The third fully integrated release; don't use it/just for reference.
Verification: MD5: 4045d0a85fe4857fcf9c118fcfa13d1f

The code of the current release can be viewed in a doxygen archive.

A bug in version 4.7.2 of the gcc C-compiler is apparent and making qmail-smtpd abend. To circumvent this issue, modify conf-cc and replace -O2 with -O0. Reinstall s/qmail by going to compile and calling ./install. Otherwise, remove the compile dir and call package/install.

Hotfix: Please apply the fix [20170626#1/3.3.6] to versions prior to 3.3.

I also recommend to use

Naming conventions:

Error: Implementation does not conform to reqs, e.g. something is missing.

Bug: Coding mistake in source file(s).

Flaw: Wrong/missing description in man-file or any attached documentation.

RfC: Request for Change: Feature request.

Open defects:

Reference | Type | Description | State

[20170630#1] | Rfc | Add flexible uid configuration. | Confirmed, pending

[20200509#1] | Rfc | Add qmail-ldapam for authentication. | Confirmed, pending

[20200715#1] | Rfc | VERP address should be automatically accepted by qmail-smtpd's recipient extension | Rejected; better to include those with an additional entry here.

Closed defects:

[20200724#1/4.0.08] Fixes for qmail-smtpd to cope with CVE-2011-0411 (ESMTP pipelining command injection).

[20200713#1/4.0.08] Fixes for qmail-vmailuser not respecting vpopmail's home directory.

[20200509#1/4.0.08] Fixes for qmail-smtpd to cope with CVE-2005-1513 (Guninski alloc bug report) and solved via fehQlibs-15.

[20200514#1/4.0.07] Fixes for qmail-smtpd considering other DNS TXT as non-existing SPF records (and potentially rejecting connections).

[20200423#1/4.0.06] qmail-smtpd may segfault while evaluating SPF records from Google.

[20200410#1/4.0.05] qmail-remote and qmail-smtpam are not SMTP-UTF8 enabled by default (and now without compiler flag).

[20200408#1/4.0.05] qmail-remote has wrong mangling of RCPT TO: addresses in case of a CNAME.

[20200303#1/4.0.04] qmail-smtpd may segfault for mails with more than one RCPT TO:.

[20200227#1/4.0.02] Added SRS capabilities with the modules srsforward and srsreverse.

[20190116#1/4.0.00] qmail-remote failing to authenticate to some servers fixed.

[20191216#1/3.3.25] qmail-smtpd segfaults in case SPF is set and no HELO/EHLO greeting is received. Workaround for previous version: Set HELOCHECK="!".

[20190801#1/3.3.24] Cipher setting for qmail-remote reworked.

[20180617#1/3.3.23] Integration bug in SPF evaluation for qmail-smtpd fixed.

[20180928#1/3.3.22] Error in qmail-smtpd not requiring strict TLS during SMTP Auth, even if requested.

[20180829#1/3.3.22] Crash of qmail-remote if domain in control/domaincerts is included as '*' (tx. Oleg).

[20180618#1/3.3.21] Error in qmail-smtpam not reading control/tlsdestinations (tx. U.H.).

[20180618#1/3.3.20] Bug in qmail-remote not handling '...|domain' correctly, if given in control/tlsdestinations (tx. J.W.).

[20180305#1/3.3.19] Fix for qmail-remote in case control/domaincerts is not correctly populated (tx. J.C.B.).

[20171103#1/3.3.17] WONTFIX -- broken gcc 4.7.2 compiler needs to have '-O0' in conf-cc.

[20171029#1/3.3.15] Fix for wrong evaluation of qmail-remote 'tlsdestinations'.

[20171027#1/3.3.14] Fix for Arch Linux OpenSSL 1.1.0f.

[20170817#1/3.3.13] Two small bugs (fixed) related to SMTPUTF8 in qmail-remote and a tiny one in qmail-smtpd, where the first may impact sending SMTPUTF8 mails.

[20170813#1/3.3.12] Bug: qmail-remote does not evaluate control/tlsdestinations correctly for a given FQDN.

[20170812#1/3.3.11] Error: qmail-smtpd rejects bounces, Out-of-office Replies, and Caller Verification with 'Mail From: <>' in case MFDNSCHECK is enabled (introduced in version s/qmail 3.2.19).

[20170714#1/3.3.10] Error: Wrong call of qmail-authuser for Dovecot Auth.

[20170630#1/3.3.6] Bug: Wrong parsing and display of (some) compactified IPv6 addresses.

[20170626#1/3.3.6] Bug: qmail-remote TLS bug and potential abend if tlsdestinations or domaincerts includes a line like -: or *:. Fix: Download and install tls_remote.c as replacement for all versions s/qmail < 3.3.

[20170405#1/3.3.6] Rfc: Using Dovecot-auth as backend for qmail-smtpd authentication.

[20170625#1/3.3.5] Bug: Wrong IP address display in qmail-remote log if lowest MX is IPv6 and connection is IPv4.

[20170307#1/3.2.19] Bug: Wrong behavior of qmail-smtpd's badmailfrom due to wrong nesting.

[20170224#1/3.2.18] (Error) Badmailfrom check in qmail-smtpd fails for 'extended' addresses.

[20170109#1/any] OpenSSL 1.1 compatibility added with ucspi-ssl-0.99.

[20161004#1/3.2.16] Recipient PAMs for vpopmail and vmailmgr included.

[20161001#1/3.2.15] (OpenBSD) qmail-remote TLS abend resolved.

[20161001#1/3.2.13] (OpenBSD) Segfault in fastforward solved.

[20160712#1/3.1.9] Bug in qmail-send not releasing FDs for bounces, in case bouncemaxbytes is undefined/0.

[20160615#1/3.1.8] Bug in qmail-smtpd not to return exceeding 'databyte' limits. Client (eg. qmail-remote) might hang; thus never ending SMTP transaction.

[20160527#1/3.1.7] RfC to cope with OpenBSD's missing 'pw' within package/ids.

[20160514#2/3.1.7] Bug in qmail-smtpd's badmailfrom '?' evaluation (wrong RC).

[20160514#1/3.1.7] Bug in qmail-smtpd's address parser; abending if 'Mail From: ' (in particular double bounces).

[20160414#1/3.1.6] RfC hook for File Descriptor > 1024.

[20160428#1/3.0.4] Strict Auth error in qmail-smtpd.

[20160131#1/3.0.1] Error in qmail-smtpd's RSET behaviour (RFC 5321).

[20160110#1/3.0.0] Bug in some package/XX scripts due to missing 'eval' statement (i.e. sslenv).

[20160108#1/3.0.0] Error in qmail-remote not recognizing 'fast' 5xy rejection issued upon SMTP greeting.

[20160106#1/3.0.0] Bug in skeleton script run_qmqpd. Wrong binary referenced.

[Since last public beta/2.6.06] Bug in qmail-tcpto displaying wrong information.

Bug in qmail-mrtg -2 shows only one output value (while MRTG expects two).

Note: The release number following the defect number tells in which version of s/qmail this change was applied.

s/qmail will be maintained and my release plan includes the following topics:

Version 3.0 is the first complete release (done).

Version 3.1 will be used for additional enhancements (done).

Version 3.2 includes SPF capabilities; LibreSSL as well as OpenSSL 1.1 hooks have been added within ucspi-ssl 0.99 (done).

Version 3.3 is scheduled for performance enhancements (EXTTODO; done).

Version 3.4 is foreseen for integrating DJBDNSCurve6 fehQlibs and adding SRS capabilities (done as 4.0).

Version 3.5 ... let's see: DANE support? ... and probably DKIM as well.

Version 4.0 uses fehQlibs and thus its DNS stub resolver routines (done).

Version 4.1 shall provide a DKIM API and perhaps DANE support.

Version 4.2 could try to use SMTP pipelining in qmail-remote (desperately missing).

Version 5.0 UUID identifier for files in the queue?

An EZMLM mailing list working together with s/qmail keeps you updated with current developments, bug fixes, and features discussed. This list can also be used to file

Defects (bug reports) and

Change Requests (enhancements).

To subscribe, use: s/qmail mailing list

I can't guarantee a certain response level; but reasonable issues will be answered.