Consulting djbware Publications

s/qmail

s/qmail (pronounced skew-mail) is a Mail Transfer Agent (MTA) based on Qmail suited for high-speed and confidential email transport over IPv4 and IPv6 networks.

s/qmail preserves the Qmail ecosystem (my mirror) and ought to be a drop-in replacement for most sites.
s/qmail's mascot is the phoenix (SQRP).

Phoenix

Scope and History

While Qmail provides the framework for a distributed MTA, my own developments for Qmail (e.g. SMTP Authentication, Spamcontrol) are considered necessary protocol extensions. s/qmail is a complete refactoring of the source code according to current demands for 64-bit systems and including IPv6 capabilities.

The new start: s/qmail 3.x

After now more then 20 years of Qmail's superior and uncompromised email delivery (since Qmail 1.01 launch in April 1997), s/qmail posses most of the 'future' Qmail features Dan Bernstein was heading for (see also: Qmail TODO).

The s/qmail 'universe' is illustrated here:

Figure: The s/qmail 'Big Picture' (available as PDF)

A new foundation: s/qmail 4.x & fehQlibs

Now, s/qmail 4.x is available based on my fehQlibs providing a common foundation for all my djbware. Apart from a complete refactoring of the s/qmail modules, DNS BIND'ish remnants have been removed and replaced by the modern fehQlibs DNS stub resolver which was on DJB's todo list.

Communication and security features

Protocol extension: QMTPS

The Quick Mail Transport Protocol QMTP is an invention of Dan Bernstein and is a simple but fast host-to-host transparent email transport protocol, with very little protocol overhead. It has been adopted by Postfix as well. Also a Net-QMTP Perl module is available.

s/qmail provides additionally the TLS-secured protocol QMTPS to couple several s/qmail instances and distributed queues among different nodes.
IANA has now assigned port 6209 for QMTPS.

s/qmail's implementation of QMTPS supports together with sslserver X.509 client certificates enables qmail-qmtpd to relay email based on valid certificates used by qmail-remote.

Distributed Queueing

Based on SMTP but rather preferably QMTP(S) or QMQP, s/qmail can be instructed to work in a distributed queue environment, typically given in case of a Cloud service. Authentication among the nodes and encryption on the links can be guaranteed using QMTPS. This feature is called enhanced 'Qmail Multiple Queues' (QMQ).

Figure: The s/qmail 'channels' and distributed queueing

Its light-weight design allows to deploy s/qmail nodes rapidly in a Cloud based service domain.

Included packages

The basic s/qmail installation includes the following packages (adapted mostly from Dan Bernstein):

Supported Qmail packages

s/qmail provides full support for the following vanilla Qmail add-ons unaltered:

Note 1: For those packages TLS encryption and IPv6 capabilities for any data-in-flight is possible with s/qmail.
Note 2: s/qmail Recipients extension is capable to understand ezmlm's VERP addresses.
Note 3: Authentication and recipient verification for virtual users is provided out-of-the-box for vpopmail and VMailMgr as well.
Note 4: Dovecot can be used as Identity Provider proxy even for qmail-smtpd by means of the enhanced qmail-authuser calling doveadm to test a specific socket connection.

My s/qmail extensions will work natively with Qmail:

Dependencies and installation of s/qmail

The installation of s/qmail tries to conform to existing Qmail systems as well as to provide a pre-configured and working MTA together with an easy update scheme:

 

https://xkcd.com/1654/

Dependencies

For installation, s/qmail requires a development environment and additionally the OpenSSL development libraries (in particular on Linux) starting with version 1.1.1 or a compatile LibreSSL implementation.

In particular, the following packages are recommended:

Quick installation of s/qmail

s/qmail uses D.J.B's slashpackage convention for installing while trying to keep the standard Qmail installation essentially unaltered:

Note: The package/install step respects your current Qmail settings.

Upgrade to s/qmail from qmail (+ perhaps Spamcontrol)

s/qmail will preserve your current qmail installation entirely under the following circumstances:

Configuration

The basic s/qmail configuration is done by means of conf-XX files (in alphabetic order):

*) These files are coupled and need to be adjusted as one entity!

 

https://xkcd.com/1770/

The basic s/qmail configuration is done by means of conf-XX

Step-by-step installation

For an individual step-by-step installation the following commands can be executed:

  1. package/dir -- sets up the directories
  2. package/ids -- sets up the s/qmail users
  3. package/ucspissl -- hooks up the required sources and libs with package ucspi-ssl
  4. package/compile -- compiles the sources
  5. package/upgrade -- potentially does the upgrade
  6. package/legacy -- installs the binaries in the qmail directory
  7. package/man -- installes the man pages
  8. package/control -- populates the mininmal required control files for running
  9. package/sslenv -- sets up the SSL/TLS environments together with X.509 certs and key files (from ucspi-ssl)
  10. package/service -- sets up the run script for daemontools' /service and additionally the logging
  11. package/scripts setup optional, undocumented and unmaintained scripts
  12. package/run -- touches qmail/alias/ files, sets default-delivery, and enables s/qmail's sendmail module

Documentation

 

https://xkcd.com/1513/

A concise documentation for s/qmail is close to be final:

s/qmail current release and download

Once you've checked the s/qmail requirements and complied to those, you are ready to go for download and installation.

Download

The current release(s) of s/qmail can be downloaded here:

Version & Download Description fehQlibs Verification
sqmail-4.2.29a The tenth 4.2 release allows now the usage of DKIM RSA and Ed25519 keys in parallel for signing and verification. While it uses refactored ALT-NT's libdkim C++ modules, it is deeply incorporated into s/qmail and provides multi-tenant signing. Ed25519 signatures are supported given the recent OpenSSL as well LibreSSL versions.
Its RECIPIENTS mechanism is enhanced to semi-automatically consider qmail-newu's cdb, which is now available as assign.cdb.
Backported fixes for [20230922#1/4.3.01], [20230920#1/4.3.01], and [20230823#1/4.3.00] included.
Includes fix for the potential qmail-smtpd AUTH misbehavior and upddates the mkdkimkey.sh script. Includes small fix for misspelled prototype in smtpdlog.h. Additional fix included for control/domainips which erroneously adds a '\0' to the helohost greeting.
Backported improved TLSA (TA) evaluation for qmail-remote from s/qmail 4.3. Improved robustness of DKIM signing considering erroneous keys and an unclean DKIM stage area.
Included backported fixes for EHLO X-* announcements, assign.cdb evaluation by the Recipients extension, and a correct treatment of file ids in case of wrong DKIM keys.
fehQlibs-22/23 (a must for SPF!) MD5: dcef0e6d9b1faadb3e913f0ed75b7188
Build: 20240226150615
sqmail-4.1.18e The eleventh 4.1 release providing Greylisting capabilities by means of qmail-postgrey. This version is a backport from s/qmail-4.2. Additional trimming for qmail-remote's cafile and ciphers handling.
qmail-remote is enhanced to support TLSA lookups and (PKIX-EE) automatic X.509 cert validation and (now with an additional CNAME lookup and finally) supporting RFC 1870 SIZE announcements for the remote MTA while correctly provide the parameters in the MAIL FROM command. qmail-remote is now enhanced to comply with RFC 8314 for 'implicit TLS' MTAs.
Added module qmail-qmaint to check the queue sanity and to remove mails from here.
TLSA evaluation is now complete and working seamlessly after further adjustments coping with various DNS server settings. Malfunctioning OpenSSL X509_pubkey_digest() calculation replaced.
Backported fixes for [20230922#1/4.3.01], [20230920#1/4.3.01], and [20230823#1/4.3.00] included.
fehQlibs-20/ fehQlibs-21 MD5 c6a802a93d7854e2e8b305912e0f8063
Build: 20230924113858
sqmail-4.0.10a The eighth 4.0 release now demanding fehQlibs while supporting natively SPF together now with SRS (srsforward and srsreverse). SMTPUTF8 can now be enabled for qmail-smtpd by means of the environment variable 'UTF8'. Based on fehQlibs-15 even some outstanding old CVE's are now fixed completely. This release *is* the last one in the 4.0 cycle. fehQlibs-15 MD5: a266b85355b48b58a2656273cf4af67d
Build: 20230311180733
sqmail-3.3.25 The fourteenth 3.3 (and backported from 3.4) release including A. Oppermann's EXTTODO extension together with (optional) SMTPUTF8/EAI/IDN2 support while featuring the new qmail-vmailuser and the enhanced qmail-authuser PAM; providing better compatibility with current versions of OpenSSL 1.1 and finally fixing problems with qmail-remote and some eventual SPF-related problems in qmail-smtpd. None. MD5: 1182e3860f49a09595e61117ab3a8250
Build: 20200729153744
sqmail-3.2.19 The sixth (official) 'SPF' release; covering OpenBSD (6.0) and Debian 9 (Stretch) while providing additional Recipient PAMs for VMailMgr and vpopmail (together with ucspi-ssl-0.99). None. MD5: 8a4fd942c1a1271619b0696d934c401a
Build: 220170408184513
sqmail-3.1.9 This is the fourth update. This 'π5+' release enhances the qmail-authuser capabilities for virtual domain handlers. None. MD5: cb4da2ca52a05fda6668850c1d41359f
Build: 20160724111506
sqmail-3.0.2 The third fully integrated release; don't use it/just for reference. None. MD5: 4045d0a85fe4857fcf9c118fcfa13d1f

The code of the current release can be viewed in a doxygen archive.

Addendum

Two patches are currently available for s/qmail 4.1 and 4.2 which are incorporated into the last builds, but also can be applied to previous builds:

  1. mkdkimkey.sh version 0.46 script. You need to redfine the HOME variable.
  2. Fix for EXIST clause evaluating SPF records: spfdnsip.c.patch - prevents wrong SPF results for this case (only).
  3. Fix for BADMIMETYPE evaluation: qmail-smtpd.c.patch - for convenience ony; otherwise simply use BADMIMETYPE=" " instead.

Additional packages

I also recommend to use

Release Management & Defects

Naming conventions:

Open defects:

ReferenceType DescriptionState
[20170630#1] Rfc Add flexible uid configuration. Confirmed, pending
[20200509#1] Rfc Add qmail-ldapam for authentication. Confirmed; an external package is required swallowing the code from s/qmail-4.3 (work in progress)
[20200715#1] Rfc VERP address should be automatically accepted by qmail-smtpd's recipient extension Rejected; better to include those with an additional entry here.
[20220324#1] Rfc The RECIPIENTS mechanism does not support qmail-users's cdb Done; starting with version 4.2 the cdb generated by qmail-newu will be consulted for valid recipients semi-automatically; however, the resulting cdb is renamed assign.cdb.
[20240118#1] Error qmail-remote may falsely recognize a MTA's ESMTP EHELO message with X-* extension. Fix has beed posted to the list; complete solution will be given in s/qmail 4.3. Very rare condition.
 

https://xkcd.com/1700/

Mitre CVEs:

  1. [CVE-2020-15955] StartTLS command injection (closed in 4.0.08)
  2. [CVE-2005-1513] Integer overflow on 64 bit platforms (closed in 4.0.08)

Closed defects (version 4 only):

Note: The given release number following the defect number tells, in which version of s/qmail this change was applied. The given date, when the defect was reported.

Release plan

s/qmail will be maintained and my release plan includes the following topics:

Tickets, Change Requests, communication

An EZMLM mailing list working together with s/qmail keeps you updated with current developments, bug fixes, and features discussed. This list also can be used to file

To inscribe use: s/qmail mailing list

I can't guarantee a certain response level; but reasonable issues will be answered.