Why you shouldn’t really be using qmail anymore (or how I found a license I hate more than the GPL)

I’ve long been a fan of djb’s method of writing software. Over the years, three of his tools have served me very well: djbdns, daemontools, and qmail.

But djb has a dark side. He has some strange views on filesystem layout (I’m no booster of the linux standard layout, but his views on layout are just plain strange) that I can get over if not work around. More importantly, though, are his views on licensing. The GPL makes me cringe (another blog post for another time), but djb goes a whole other direction: You can’t modify his code and redistribute it. You can distribute patches, you can distribute his pristine copy, but you can not and must not distribute an altered version wholesale, in source or in binary.

Which would be fine, if it ever got updated. But it’s been years now, and the world of internet mail (and spam) has changed drastically since then. Namely, backscatter. To a lot of people familiar with email tech, this is nothing at all new. But to qmail, it’s like it’s still 1999.

For the uninitiated, backscatter is when spam sends to known-bad addresses with a reply-to that goes to their real target, a known-good (or plausibly-good) address. The known-bad bounces back to the known-good, giving someone spam from a sender who didn’t actually mean to do anything bad. This results in a very bad reputation for the previously innocent mail server.

Think of it like sending a letter with no stamp and the address of the person you’re sending it to to get around paying for postage (note: I have no idea how this works and am not endorsing any form of mail fraud).

The right thing to do, nowadays, is for a mail server to immediately reject an undeliverable email with an error (like a 404 code from a web server). Because of a quirk in how qmail is designed, it can’t do that, though. It will accept all mail for all domains it knows about and then reject it later if it can’t deliver through a bounce. Which makes it a prime target for backscatter.

The process for solving this with qmail involves a fairly tedious and possibly risky set of steps. You have to patch your copy of qmail to add scriptable hooking to the e-mail accept phase. You then have to add a script to this system, written in probably bash or perl script, that will go through and do all the processing qmail intends to do later on to figure out if it’s deliverable. If it’s not, it’ll return an error code. If it is, it’ll let it go through the normal qmail process.

This completely breaks the rather beautiful design of qmail. At this point, you may as well be using postfix, which is less beautiful but actually designed for plugins and has more modern notions about what to do about backscatter anyways.

So from being a djb booster, there’s now only one product of his I recommend: djbdns. Still the simplest, cleanest little dns server you can run. Daemontools has fallen out of favour to runit, which has similar modernizations and a less restrictive license.

So postfix seems to be where it’s at for email servers these days. I always felt I had a better understanding of how qmail worked, though. Maybe someday someone will ground-up rewrite it like they did with daemontools/runit.

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks

This entry was posted on Tuesday, June 30th, 2009 at 2:48 am and is filed under Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Why you shouldn’t really be using qmail anymore (or how I found a license I hate more than the GPL)”

  1. Mihai Secasiu Says:
    June 30th, 2009 at 6:01 am

    Qmail is in public domain since 2007, so you can modify it and do whatever you want with it without asking for permission from djb.
    The problem with accepting all messages can be solved by using a patch or ( my favorite ) qmail-spp

  2. Nancy Says:
    June 30th, 2009 at 10:38 am

    They should either update it or let other people update it, especially when your server could potentially be targeted as a spam-sending fall guy.

    Wait, this doesn’t mean you’re going to start a ground-up rewrite yourself, does it? ;P

  3. Graham Batty Says:
    June 30th, 2009 at 11:29 am

    Mihai: Thanks, you are indeed correct that qmail has been released in the public domain. I fear it’s too little too late, though, because I’m not aware of a proper distribution and continuation of effort in the form of a real and authoritative fork. That’s what qmail needs.

    Qmail-spp is indeed the plugin architecture I was referring to. The backscatter scripts out there in the public are pretty poor, though, unfortunately, and I had to write my own (though oddly, there’s a perl package that does most of the work, so mine is like 5 lines while most of the public ones are a couple hundred). It is so utterly irresponsible to run a mail server that backscatters in 2009 that it’s pretty much unacceptable that you have to go to extra effort to prevent it in qmail.

    Nancy: Heh, no, this one’s not a project for me. ;P

Leave a Reply