
s/qmail

s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail, suited for high-speed and confidential email transport over IPv4 and IPv6 networks.

s/qmail preserves the Qmail ecosystem (my mirror) and ought to be a drop-in replacement for most sites.
s/qmail's mascot is the phoenix (SQRP).


Scope and History

While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.

The new start: s/qmail 3.x

After more than 20 years of Qmail's superior and uncompromised email delivery (since the Qmail 1.01 launch in April 1997), s/qmail possesses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).

The s/qmail 'universe' is depicted here:

Figure: The s/qmail 'Big Picture' (available as PDF)

A new foundation: s/qmail 4.x & fehQlibs

Now, s/qmail 4.x is available based on my fehQlibs providing a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, DNS BIND'ish remnants have been removed and replaced by the modern fehQlibs DNS stub resolver which was on DJB's todo list.

Communication and security features

Note: DKIM is still under investigation.

Protocol extension: QMTPS

The Quick Mail Transport Protocol QMTP is an invention of Dan Bernstein and is a simple but fast host-to-host transparent email transport protocol, with very little protocol overhead. It has been adopted by Postfix as well. Also a Net-QMTP Perl module is available.
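
QMTP's low overhead comes from its netstring framing. The following added example (not code from s/qmail or from the original page) builds a QMTP package and strictly parses the per-recipient replies, following D. J. Bernstein's published QMTP description. The function names, the 10 MiB length cap and the sample addresses used with it are assumptions made for illustration.

```python
# Added example: QMTP framing as defined in D. J. Bernstein's QMTP spec.
# Function names and the length cap are illustrative assumptions.
MAX_LEN = 10 * 1024 * 1024  # assumed local cap on one netstring payload
STATUS = {b"K": "accepted", b"Z": "temporary failure", b"D": "permanent failure"}


def netstring(data: bytes) -> bytes:
    """Encode bytes as a netstring: <decimal length>:<data>,"""
    return str(len(data)).encode() + b":" + data + b","


def parse_netstring(buf: bytes, pos: int = 0):
    """Strictly decode one netstring at pos; return (payload, next_pos)."""
    colon = buf.find(b":", pos, pos + 12)   # bound the length prefix
    if colon < 0:
        raise ValueError("missing or oversized length prefix")
    digits = buf[pos:colon]
    if not digits.isdigit() or (len(digits) > 1 and digits[:1] == b"0"):
        raise ValueError("length must be decimal without leading zeros")
    length = int(digits)
    end = colon + 1 + length
    if length > MAX_LEN or end >= len(buf):
        raise ValueError("declared length exceeds limit or available data")
    if buf[end:end + 1] != b",":
        raise ValueError("missing trailing comma")
    return buf[colon + 1:end], end + 1


def qmtp_package(message: bytes, sender: bytes, recipients) -> bytes:
    """Client side: message, envelope sender, recipient list (3 netstrings)."""
    body = b"\n" + message   # first byte LF: message lines end with bare LF
    rcpts = b"".join(netstring(r) for r in recipients)
    return netstring(body) + netstring(sender) + netstring(rcpts)


def parse_responses(buf: bytes, n_recipients: int):
    """Server reply: one netstring per recipient, status in the first byte."""
    out, pos = [], 0
    for _ in range(n_recipients):
        reply, pos = parse_netstring(buf, pos)
        if reply[:1] not in STATUS:
            raise ValueError("unknown QMTP status byte")
        out.append((STATUS[reply[:1]], reply[1:].decode("ascii", "replace")))
    return out


def framing_overhead(message: bytes, sender: bytes, recipients) -> int:
    """Bytes QMTP adds on top of the message and envelope data themselves."""
    payload = len(message) + len(sender) + sum(len(r) for r in recipients)
    return len(qmtp_package(message, sender, recipients)) - payload
```

The strict parser rejects leading zeros, oversized length prefixes and truncated input before any payload is sliced, which is the check a receiver needs when the length field comes from an untrusted peer.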

s/qmail additionally provides the TLS-secured protocol QMTPS to couple several s/qmail instances and distributed queues among different nodes.
IANA has now assigned port 6209 for QMTPS.

Together with sslserver, s/qmail's implementation of QMTPS supports X.509 client certificates, which enables qmail-qmtpd to relay email based on valid certificates used by qmail-remote.

Distributed Queueing

Using SMTP or, preferably, QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, as is typical for a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).

Figure: The s/qmail 'channels' and distributed queueing

Its light-weight design allows s/qmail nodes to be deployed rapidly in a Cloud-based service domain.

Included packages

The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):

Supported Qmail packages

s/qmail provides full support for the following vanilla Qmail add-ons unaltered:

Note 1: For those packages, TLS encryption and IPv6 capabilities for any data-in-flight are possible with s/qmail.
Note 2: The s/qmail Recipients extension is capable of understanding ezmlm's VERP addresses.
Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.
Note 4: Dovecot can be used as an Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.

My s/qmail extensions will work natively with Qmail:

Dependencies and installation of s/qmail

The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:

 


Dependencies

For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux).

In particular, the following packages are recommended:

Quick installation of s/qmail

s/qmail uses D.J.B's slashpackage convention for installing while trying to keep the standard Qmail installation essentially unaltered:

Note: The package/install step respects your current Qmail settings.

Upgrade to s/qmail from qmail (+ perhaps Spamcontrol)

s/qmail will preserve your current qmail installation entirely under the following circumstances:

Configuration

The basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):

*) These files are coupled and need to be adjusted as one entity!

 


Step-by-step installation

For an individual step-by-step installation the following commands can be executed:

  1. package/dir -- sets up the directories
  2. package/ids -- sets up the s/qmail users
  3. package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl
  4. package/compile -- compiles the sources
  5. package/upgrade -- potentially does the upgrade
  6. package/legacy -- installs the binaries in the qmail directory
  7. package/man -- installs the man pages
  8. package/control -- populates the minimal required control files for running
  9. package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)
  10. package/service -- sets up the run script for daemontools' /service and additionally the logging
  11. package/scripts -- sets up optional, undocumented and unmaintained scripts
  12. package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module

Documentation

 


Concise documentation for s/qmail is close to final:

s/qmail current release and download

Once you've checked the s/qmail requirements and complied with them, you are ready to go for download and installation.

Download

The current release(s) of s/qmail can be downloaded here:

Version & Download: sqmail-4.1.12
Description: The fifth 4.1 release providing Greylisting capabilities by means of qmail-postgrey. qmail-remote is enhanced to support TLSA/DANE lookups and automatic X.509 cert validation and (finally) supports RFC 1870 SIZE announcements for the remote MTA while correctly providing the parameters in the MAIL FROM command. qmail-remote is now enhanced to comply with RFC 8314 for 'implicit TLS' MTAs. Added module qmail-qmaint to check the queue sanity and to remove mails from it.
fehQlibs: fehQlibs-18+
Verification: MD5: 8aa9cc5b3aa42091a3033e8a34217742, Build: 20211021213937

Version & Download: sqmail-4.0.10
Description: The eighth 4.0 release, now requiring fehQlibs while natively supporting SPF, now together with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15, even some outstanding old CVEs are now fixed completely. This release *is* the last one in the 4.0 cycle.
fehQlibs: fehQlibs-15
Verification: MD5: d020c26eaae7f6a65db7135a4bbf8b32, Build: 20200920203533

Version & Download: sqmail-3.3.25
Description: The fourteenth 3.3 (and backported from 3.4) release including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support while featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM; providing better compatibility with current versions of OpenSSL 1.1 and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd.
fehQlibs: None.
Verification: MD5: 1182e3860f49a09595e61117ab3a8250, Build: 20200729153744

Version & Download: sqmail-3.2.19
Description: The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99).
fehQlibs: None.
Verification: MD5: 8a4fd942c1a1271619b0696d934c401a, Build: 220170408184513

Version & Download: sqmail-3.1.9
Description: This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers.
fehQlibs: None.
Verification: MD5: cb4da2ca52a05fda6668850c1d41359f, Build: 20160724111506

Version & Download: sqmail-3.0.2
Description: The third fully integrated release; don't use it/just for reference.
fehQlibs: None.
Verification: MD5: 4045d0a85fe4857fcf9c118fcfa13d1f

The code of the current release can be viewed in a doxygen archive.

Addendum

Additional packages

I also recommend to use

Release Management & Defects

Naming conventions:

Open defects:

Reference: [20170630#1]
Type: Rfc
Description: Add flexible uid configuration.
State: Confirmed, pending

Reference: [20200509#1]
Type: Rfc
Description: Add qmail-ldapam for authentication.
State: Confirmed; included in s/qmail-4.2 (work in progress)

Reference: [20200715#1]
Type: Rfc
Description: VERP address should be automatically accepted by qmail-smtpd's recipient extension
State: Rejected; better to include those with an additional entry here.
 


Mitre CVEs:

  1. [CVE-2020-15955] StartTLS command injection (closed in 4.0.08)
  2. [CVE-2005-1513] Integer overflow on 64 bit platforms (closed in 4.0.08)

Closed defects:

Note: The release number following the defect number tells in which version of s/qmail the change was applied.

Release plan

s/qmail will be maintained and my release plan includes the following topics:

Tickets, Change Requests, communication

An EZMLM mailing list working together with s/qmail keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file

To subscribe, use: s/qmail mailing list

I can't guarantee a certain response level, but reasonable issues will be answered.