s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail suited for high-speed and confidential email transport over IPv4 and IPv6 networks.
s/qmail preserves the Qmail ecosystem (my mirror) and ought to be a drop-in replacement for most sites.
s/qmail's mascot is the phoenix (SQRP).
Scope and History
While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.
The new start: s/qmail 3.x
After more than 20 years of Qmail's superior and uncompromised email delivery (since the Qmail 1.01 launch in April 1997), s/qmail possesses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).
- s/qmail is available in Dan Bernstein's /package format, usually invoked by Daemontools.
- s/qmail provides TLS support based on the ucspi-ssl package.
- SMTP Authentication, Anti-Spam, and Anti-Virus features are supported out-of-the-box.
- Recipient and MAV capabilities in addition to powerful filters for SMTP envelope addresses.
- Scalable and reliable mail delivery is guaranteed by means of QMQ.
- Native IPv6 support for all communication modules.
The s/qmail 'universe' is depicted here:
A new foundation: s/qmail 4.x & fehQlibs
Now, s/qmail 4.x is available based on my fehQlibs providing a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, DNS BIND'ish remnants have been removed and replaced by the modern fehQlibs DNS stub resolver which was on DJB's todo list.
Communication and security features
- s/qmail uses D. J. Bernstein's 'C' coding principles entirely.
- Full IPv6 compliance: Allow specific IPv6 bindings to any IPv6 address (even LLU) for all servers and clients (qmail-smtpd, qmail-qmqtpd; qmail-remote, qmail-smtpam, qmail-qmqpc).
- Unlike the original version, qmail-remote works multi-tenant, thus supporting different domains and senders with particular sending attributes (e.g. IP addresses, authentication, certificates) as well as providing particular bounce delivery, together with QMTP and QMTPS client capabilities.
- Distributed queueing: n:1, 1:n n:m with qualified authentication and authorization (enhanced 'QMQ').
- TLS enabling of most servers and particular clients for SMTP and QMTP as well as POP3.
- Together with ucspi-ssl (0.12.x) s/qmail is TLS 1.3 [RFC 8446] capable, provided OpenSSL/LibreSSL is installed and the respective ucspissl.a lib is built on top of it.
- LibreSSL (3.1) and OpenSSL (1.1/3.0) are already considered within ucspi-ssl.
- s/qmail allows 'opportunistic' as well as mandatory TLS encryption together with easy X.509 certificate pinning.
- qmail-remote is TLSA/DANE and finally RFC 1850 enabled.
- Compliance with John Levine's RFC 7505.
- SPF capabilities have been added for qmail-smtpd using Jana Saout's development (used by permission); of course with full IPv6 support.
- Reversely, SRS is natively supported with the modules srsforward and srsreverse used in a dot-qmail file.
- SMTPUTF8 [RFC 6532] together with International Domain Names (aka E-mail Address Internationalisation - EAI) is now supported by s/qmail provided libidn2 is available.
- Conformance with the recent RFC 8314 ('Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access') even if former RFCs violated those principles.
- RFC 8314 'Implicit TLS' configurable for qmail-remote and qmail-smtpam.
- qmail-smtpd is now immune against ESMTP pipelining command injection and finally against Guninski's large alloc bug (report).
- Greylisting can be achieved using qmail-postgrey.
Note: DKIM is still under investigation.
Protocol extension: QMTPS
The Quick Mail Transport Protocol QMTP is an invention of Dan Bernstein and is a simple but fast host-to-host transparent email transport protocol, with very little protocol overhead. It has been adopted by Postfix as well. Also a Net-QMTP Perl module is available.
s/qmail additionally provides the TLS-secured protocol QMTPS to couple several s/qmail instances and distributed queues among different nodes.
IANA has now assigned port 6209 for QMTPS.
Based on SMTP but rather preferably QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, typically given in case of a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).
Its light-weight design allows s/qmail nodes to be deployed rapidly in a Cloud based service domain.
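The QMTP framing that QMTPS carries inside TLS, following D. J. Bernstein's published QMTP and netstring specifications, as an added example (not s/qmail source code). The helper names, the length cap and the sample addresses are assumptions constructed for illustration; the decoder rejects oversized or malformed length prefixes before touching the payload.

```python
# Added illustration of QMTP framing; helper names are hypothetical, not s/qmail code.
MAX_NETSTRING = 64 * 1024 * 1024  # assumed cap so a hostile length cannot force a huge alloc
STATUS = {b"K": "accepted", b"Z": "temporary failure", b"D": "permanent failure"}

def netstring(data: bytes) -> bytes:
    """Encode bytes as <decimal length>:<data>,"""
    return str(len(data)).encode("ascii") + b":" + data + b","

def read_netstring(buf: bytes, pos: int = 0, limit: int = MAX_NETSTRING):
    """Decode one netstring at pos; return (payload, next_pos) or raise ValueError."""
    colon = buf.find(b":", pos, pos + 12)  # refuse absurdly long length prefixes
    if colon == -1:
        raise ValueError("missing or overlong length prefix")
    digits = buf[pos:colon]
    if not digits.isdigit() or (len(digits) > 1 and digits.startswith(b"0")):
        raise ValueError("malformed length prefix")
    length = int(digits)
    if length > limit:
        raise ValueError("netstring exceeds configured limit")
    end = colon + 1 + length
    if buf[end:end + 1] != b",":
        raise ValueError("truncated netstring or missing terminator")
    return buf[colon + 1:end], end + 1

def build_package(message: bytes, sender: bytes, recipients: list) -> bytes:
    """Client side: message, envelope sender and recipient list as three netstrings."""
    if not recipients:
        raise ValueError("at least one recipient required")
    body = b"\n" + message  # leading byte 10 declares LF-terminated lines
    rcpts = b"".join(netstring(r) for r in recipients)
    return netstring(body) + netstring(sender) + netstring(rcpts)

def parse_package(buf: bytes):
    """Server side: recover (message, sender, recipients) from one package."""
    body, pos = read_netstring(buf)
    sender, pos = read_netstring(buf, pos)
    rcpt_blob, pos = read_netstring(buf, pos)
    if body[:1] not in (b"\n", b"\r"):
        raise ValueError("first body byte must be LF (10) or CR (13)")
    recipients, rpos = [], 0
    while rpos < len(rcpt_blob):  # the recipient list is netstrings inside a netstring
        rcpt, rpos = read_netstring(rcpt_blob, rpos)
        recipients.append(rcpt)
    if not recipients:
        raise ValueError("empty recipient list")
    return body[1:], sender, recipients

def parse_responses(buf: bytes, expected: int):
    """Client side: one status netstring per recipient, in recipient order."""
    out, pos = [], 0
    for _ in range(expected):
        resp, pos = read_netstring(buf, pos, limit=4096)
        if resp[:1] not in STATUS:
            raise ValueError("unknown QMTP status byte")
        out.append((STATUS[resp[:1]], resp[1:].decode("utf-8", "replace")))
    return out

# Constructed sample data (not captured traffic).
SAMPLE = build_package(b"Subject: hi\n\nhello\n", b"alice@example.org",
                       [b"bob@example.net", b"carol@example.net"])
REPLY = netstring(b"Kok 1634800000 qp 4242") + netstring(b"Dno such mailbox")
```

The whole envelope and body travel in one write and the server answers with one status per recipient, which is where the low protocol overhead comes from.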
The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):
- A versatile, CRAM enabled checkpassword compatible authentication PAM called qmail-authuser.
- The fastforward package is part of s/qmail.
- Including the qmailanalog package suited for s/qmail together with tai64nfrac.
- Additional qmail-mrtg frontend evaluating TAI64N timestamps in s/qmail's logs (and replacing my previous version of qmail-mrtg) for Tobias Oetiker's MRTG. A working sample can be found for this site.
- If you miss something like qmail-queuefix or qmHandle here it is: qmail-qmaint.
Supported Qmail packages
s/qmail provides full support for the following vanilla Qmail add-ons unaltered:
- Inter7's vpopmail
- Bruce Guenter's VMailMgr
- Dan Bernstein's ezmlm
- Fred Lindberg's and Bruce Guenter's ezmlm-idx
- Andreas Aardal Hanssen's IMAP server BINC (Note: An up-to-date version is under development)
- Timo Sirainen's Dovecot (LDA)
Note 1: For those packages TLS encryption and IPv6 capabilities for any data-in-flight is possible with s/qmail.
Note 2: s/qmail's Recipients extension is capable of understanding ezmlm's VERP addresses.
Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.
Note 4: Dovecot can be used as Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.
My s/qmail extensions will work natively with Qmail:
- Newanalyse 2.x is tailored for s/qmail
- QMVC -- is working but the latest release (in particular recognizing IPv6 addresses) is under way.
Dependencies and installation of s/qmail
The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:
- Easy installation and maintenance by means of slashpackage.
- Compliance with 64-bit architecture and current 'C' standards.
- Drop-in replacement for Qmail (same interface; same API), same user accounts; same module names.
- Ready-to-use integration into daemontools.
- systemd support is provided as well.
For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux).
In particular, the following packages are recommended:
- Mandatory: fehQlibs: The common foundation.
- Mandatory: ucspi-ssl: Additional TLS libraries.
- Optional: ucspi-tcp6: cdb generation, module rblsmtpd.
- Optional: daemontools: providing supervise and TAI64N timestamps by multilog.
- Attention: In order to include EAI/UTF8 support, you need to install libidn2 together with the header file <idn2.h>.
Quick installation of s/qmail
s/qmail uses D.J.B's slashpackage convention for installing while trying to keep the standard Qmail installation essentially unaltered:
- Daemontools is installed and /service is working.
- ucspi-ssl is installed in default location.
- ucspi-tcp6 is installed.
- Untar the s/qmail tar file under '/package'
- Move to /package/mail/sqmail/sqmail-V.R.F and
- do an initial: package/install.
Note: The package/install step respects your current Qmail settings.
Upgrade to s/qmail from qmail (+ perhaps Spamcontrol)
s/qmail will preserve your current qmail installation entirely under the following circumstances:
- Install ucspi-ssl-XX and ucspi-tcp6-XX under /package.
- Untar s/qmail under /package and change to the install directory.
- Check and adjust the following conf-XX files (see below) to your existing qmail installation: conf-break, conf-cc, conf-ld, conf-home, and conf-split (the rest may stay unaltered).
- ./compile/ipmeprint (you see the additional IPv6 addresses)
The basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):
- conf-break -- the character for VERP addresses [-]
- conf-cc -- compiler (no change required)
- conf-delivery -- qmail-start default-delivery
- conf-groups*) -- s/qmail groups
- conf-home -- home dir of s/qmail [/var/qmail]
- conf-idn2 -- customization path for IDN2 libraries
- conf-ids*) -- Unix ids for s/qmail
- conf-instances -- QMQ instances to be raised
- conf-ld -- loader options to be adjusted (for i386; AMD64 default)
- conf-log -- target dir of s/qmail logs [/var/log]
- conf-man -- target dir of man pages, usually automatically recognized
- conf-patrn -- s/qmail paternalism 
- conf-qmq -- QMQ environment settings
- conf-spawn -- silent concurrency limit 
- conf-split -- depth of s/qmail dirs 
- conf-svcdir -- supervise's directory [/service]
- conf-ucspissl -- path to UCSPI-SSL dirs
- conf-users*) -- user names
*) These files are coupled and need to be adjusted as one entity!
For an individual step-by-step installation the following commands can be executed:
- package/dir -- sets up the directories
- package/ids -- sets up the s/qmail users
- package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl
- package/compile -- compiles the sources
- package/upgrade -- potentially does the upgrade
- package/legacy -- installs the binaries in the qmail directory
- package/man -- installs the man pages
- package/control -- populates the minimal required control files for running
- package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)
- package/service -- sets up the run script for daemontools' /service and additionally the logging
- package/scripts -- sets up optional, undocumented and unmaintained scripts
- package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module
Concise documentation for s/qmail is close to final:
- A 's/qmail Big Picture' is available providing the default settings (run scripts) for most services.
- You may want to check the README and brief INSTALL documentation first.
- The 'official' s/qmail documentation is (however) still in progress.
- The set of man-pages coming along with s/qmail have been converted into HTML and are accessible here.
- The standard LWQ documentation for Qmail is mostly still valid; except for the installation procedure of s/qmail (and its extensions of course).
s/qmail current release and download
Once you've checked the s/qmail requirements and complied with them, you are ready to go for download and installation.
The current release(s) of s/qmail can be downloaded here:
|Version & Download||Description||fehQlibs||Verification|
|sqmail-4.1.12||The fifth 4.1 release providing Greylisting capabilities by means of qmail-postgrey. qmail-remote is enhanced to support TLSA/DANE lookups and automatic X.509 cert validation and (finally) supports RFC 1870 SIZE announcements for the remote MTA while correctly providing the parameters in the MAIL FROM command. qmail-remote is now enhanced to comply with RFC 8314 for 'implicit TLS' MTAs. Added module qmail-qmaint to check the queue sanity and to remove mails from here.|| || |
|sqmail-4.0.10||The eighth 4.0 release, now requiring fehQlibs while natively supporting SPF together now with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15 even some outstanding old CVEs are now fixed completely. This release *is* the last one in the 4.0 cycle.||fehQlibs-15||MD5: d020c26eaae7f6a65db7135a4bbf8b32|
|sqmail-3.3.25||The fourteenth 3.3 (and backported from 3.4) release including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support while featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM; providing better compatibility with current versions of OpenSSL 1.1 and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd.||None.||MD5: 1182e3860f49a09595e61117ab3a8250|
|sqmail-3.2.19||The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99).||None.||MD5: 8a4fd942c1a1271619b0696d934c401a|
|sqmail-3.1.9||This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers.||None.||MD5: cb4da2ca52a05fda6668850c1d41359f|
|sqmail-3.0.2||The third fully integrated release; don't use it/just for reference.||None.||MD5: 4045d0a85fe4857fcf9c118fcfa13d1f|
The code of the current release can be viewed in a doxygen archive.
- A bug in version 4.7.2 of the gcc C compiler makes qmail-smtpd abend. To circumvent this issue, modify conf-cc and replace -O2 with -O0. Reinstall s/qmail by going to the compile directory and calling ./install. Otherwise, remove the compile dir and call package/install.
- Hotfix: Please apply the fix [20170626#1/3.3.6] to versions prior to 3.3.
I also recommend using
- Newanalyse 2.x which allows long-haul logging and easy finding of delivered mails from the logs.
- Tobias Oetiker's MRTG to visualize s/qmail's logs together with qmail-mrtg.
Release Management & Defects
- Error: Implementation does not conform to reqs, e.g. something is missing.
- Bug: Coding mistake in source file(s).
- Flaw: Wrong/missing description in man-file or any attached documentation.
- RfC: Request for Change: Feature request.
|[20170630#1]||Rfc||Add flexible uid configuration.||Confirmed, pending|
|[20200509#1]||Rfc||Add qmail-ldapam for authentication.||Confirmed; included in s/qmail-4.2 (work in progress)|
|[20200715#1]||Rfc||VERP address should be automatically accepted by qmail-smtpd's recipient extension||Rejected; better to include those with an additional entry here.|
- [CVE-2020-15955] StartTLS command injection (closed in 4.0.08)
- [CVE-2005-1513] Integer overflow on 64 bit platforms (closed in 4.0.08)
- [20211021#1/4.1.12] qmail-remote TLSA checking working again correctly.
- [20210824#1/4.1.11] Fixed qmail-smtpam segfaults on call.
- [20210818#1/4.1.11] qmail-vmailuser is unable to validate vpopmail's Mailboxes.
- [20210801#1/4.1.10] Fixed wrong SIZE evaluation for QMTP sending within qmail-remote.
- [20210622#1/4.1.09] Fixed wrong SIZE and UTF8 announcement for qmail-remote together with an incomplete TLSA record checking.
- [Flaw:20210212#1/4.1.08] Removed hardcoded domain name 'spf.pobox.com' in SPF default expansion.
- [20120312#1/4.1.08] Using both qmail-smtpd's badmailfrom and badrcptto may interfere and reject mails erroneously.
- [Flaw:20201112#1/4.1.08] qmail-remote's smtproutes allows now binding to specific local IP address.
- [Flaw:20210213#1/4.1.08] qmail-remote's smtproutes are not authenticating.
- [20201123#1/4.1.08] Binding problem to IPv4 addresses for qmail-remote resolved.
- [20200724#1/4.0.10] Compatibility with GCC 10 is finally provided now.
- [20200724#1/4.0.08] Fixes for qmail-smtpd to cope with CVE-2011-0411 (ESMTP pipelining command injection).
- [20200713#1/4.0.08] Fixes for qmail-vmailuser not respecting vpopmail's home directory.
- [20200509#1/4.0.08] Fixes for qmail-smtpd to cope with CVE 2005-1513 (Guninski alloc bug report) and solved via fehQlibs-15.
- [20200514#1/4.0.07] Fixes for qmail-smtpd considering other DNS TXT as none-existing SPF records (and potentially rejecting connections).
- [20200423#1/4.0.06] qmail-smtpd may segfault while evaluating SPF records from Google.
- [20200410#1/4.0.05] qmail-remote and qmail-smtpam are not SMTP-UTF8 enabled by default (and now without compiler flag).
- [20200408#1/4.0.05] qmail-remote has wrong mangling of RCPT TO: addresses in case of a CNAME.
- [20200303#1/4.0.04] qmail-smtpd may segfault for mails with more than one RCPT TO:.
- [20200227#1/4.0.02] Added SRS capabilities with the modules srsforward and srsreverse.
- [20190116#1/4.0.00] qmail-remote fails to authenticate to some servers fixed.
- [20191216#1/3.3.25] qmail-smtpd segfaults in case SPF is set and no HELO/EHLO greeting is received. Workaround for previous version: Set HELOCHECK="!".
- [20190801#1/3.3.24] Cipher setting for qmail-remote reworked.
- [20180617#1/3.3.23] Integration bug in SPF evaluation for qmail-smtpd fixed.
- [20180928#1/3.3.22] Error in qmail-smtpd not requiring strict TLS during SMTP Auth, even if requested.
- [20180829#1/3.3.22] Crash of qmail-remote if domain in control/domaincerts is included as '*' (tx. Oleg).
- [20180618#1/3.3.21] Error in qmail-smtpam not reading control/tlsdestinations (tx. U.H.).
- [20180618#1/3.3.20] Bug in qmail-remote not handling '...|domain' correctly, if given in control/tlsdestinations (tx. J.W.).
- [20180305#1/3.3.19] Fix for qmail-remote in case control/domaincerts is not correctly populated (tx. J.C.B.).
- [20171103#1/3.3.17] WONTFIX -- broken gcc 4.7.2 compiler needs to have '-O0' in conf-cc.
- [20171029#1/3.3.15] Fix for wrong evaluation of qmail-remote 'tlsdestinations'.
- [20171027#1/3.3.14] Fix for Arch Linux OpenSSL 1.1.0f.
- [20170817#1/3.3.13] Two small bugs (fixed) related to SMTPUTF8 in qmail-remote and a tiny one in qmail-smtpd, where the first may impact sending SMTPUTF8 mails.
- [20170813#1/3.3.12] Bug: qmail-remote does not evaluate control/tlsdestinations correctly for a given FQDN.
- [20170812#1/3.3.11] Error: qmail-smtpd rejects bounces, Out-of-office Replies, and Caller Verification with 'Mail From: <>' in case MFDNSCHECK is enabled (introduced in version s/qmail 3.2.19).
- [20170714#1/3.3.10] Error: Wrong call of qmail-authuser for Dovecot Auth.
- [20170630#1/3.3.6] Bug: Wrong parsing and display of (some) compactified IPv6 addresses.
- [20170626#1/3.3.6] Bug: qmail-remote TLS bug and potential abend if tlsdestinations or domaincerts includes a line like -: or *:. Fix: Download and install tls_remote.c as replacement for all versions s/qmail < 3.3.
- [20170405#1/3.3.6] Rfc: Using Dovecot-auth as backend for qmail-smtpd authentication.
- [20170625#1/3.3.5] Bug: Wrong IP address display in qmail-remote log if lowest MX is IPv6 and connection is IPv4.
- [20170307#1/3.2.19] Bug: Wrong behavior of qmail-smtpd's badmailfrom due to wrong nesting.
- [20170224#1/3.2.18] (Error) Badmailfrom check in qmail-smtpd fails for 'extended' addresses.
- [20170109#1/any] OpenSSL 1.1 compatibility added with ucspi-ssl-0.99.
- [20161004#1/3.2.16] Recipient PAMs for vpopmail and vmailmgr included.
- [20161001#1/3.2.15] (OpenBSD) qmail-remote TLS abend resolved.
- [20161001#1/3.2.13] (OpenBSD) Segfault in fastforward solved.
- [20160712#1/3.1.9] Bug in qmail-send not releasing FDs for bounces, in case bouncemaxbytes is undefined/0.
- [20160615#1/3.1.8] Bug in qmail-smtpd not to return exceeding 'databyte' limits. Client (e.g. qmail-remote) might hang; thus never ending SMTP transaction.
- [20160527#1/3.1.7] RfC to cope with OpenBSD's missing 'pw' within package/ids.
- [20160514#2/3.1.7] Bug in qmail-smtpd's badmailfrom '?' evaluation (wrong RC).
- [20160514#1/3.1.7] Bug in qmail-smtpd's address parser; abending if 'Mail From: <.. @[...]>' (in particular double bounces).
- [20160414#1/3.1.6] RfC hook for File Descriptor > 1024.
- [20160428#1/3.0.4] Strict Auth error in qmail-smtpd.
- [20160131#1/3.0.1] Error in qmail-smtpd's RSET behaviour (RFC 5321).
- [20160110#1/3.0.0] Bug in some package/XX scripts due to missing 'eval' statement (i.e. sslenv).
- [20160108#1/3.0.0] Error in qmail-remote not recognizing 'fast' 5xy rejection issued upon SMTP greeting.
- [20160106#1/3.0.0] Bug in skeleton script run_qmqpd. Wrong binary referenced.
- [Since last public beta/2.6.06] Bug in qmail-tcpto displaying wrong information.
Bug in qmail-mrtg -2 shows only one output value (while MRTG expects two).
Note: The given release number following the defect number tells, in which version of s/qmail this change was applied.
s/qmail will be maintained and my release plan includes the following topics:
- Version 3.0 is the first complete release (done).
- Version 3.1 will be used for additional enhancements (done).
- Version 3.2 includes SPF capabilities and LibreSSL as well OpenSSL 1.1 hooks have been added within ucspi-ssl 0.99 (done).
- Version 3.3 is scheduled for performance enhancements (EXTTODO; done).
- Version 3.4 is foreseen for integrating DJBDNSCurve6fehQlibs and adding SRS capabilities (done as 4.0).
- Version 3.5 ... let's see: DANE support? ... and probably DKIM as well.
- Version 4.0 uses fehQlibs and thus its DNS stub resolver routines (done).
- Version 4.1 shall provide a DKIM API (postponed to a forthcoming version) and perhaps DANE support (done).
- Version 4.2 is foreseen to support DKIM (both sending and receiving) together with qmail-ldapam.
- Version 4.3 could try to use SMTP pipelining in qmail-remote (desperately missing).
- Version 5.0 UUID identifier for files in the queue?
Tickets, Change Requests, communication
An EZMLM mailing list working together with s/qmail keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file
- Defects (bug reports) and
- Change Requests (enhancements).
To subscribe, use: s/qmail mailing list
I can't guarantee a certain response level; but reasonable issues will be answered.