[linux-elitists] My Anti-Qmail Page

Rob McGee list+Elite@nodns4.us
Sat Nov 5 11:50:41 PST 2005

On Saturday 2005-November-05 08:41, Shlomi Fish wrote:
> I set up an anti-qmail page:
> http://www.shlomifish.org/open-source/anti/qmail/

I started one myself about a year ago, which was more a comparison of 
qmail and Postfix in anti-spam capabilities. But I quit working on it 
before it got to a point of being published.

My boss was (is?) a qmail zealot. I had learned a few tricks in Postfix 
for curbing spam. I found that those tricks would not be easily done in 
qmail, if at all. On that basis I recommended deploying Postfix. I was 
overruled on a religious basis: "Dan said it, I believe it, we're 
staying with qmail!"

I was given the job to find qmail patches to do the things I was doing 
in Postfix. I declined. He tried to do it himself. 3 days later I was 
asked to install Postfix.

> Comments, suggestions, corrections and flames are welcome.

I could nitpick a few things, but it's probably better to point out 
qmail's biggest crime: backscatter spam. By deliberate design it will 
accept all mail for its domains, doing no recipient validation in the 
SMTP dialogue. Then if a user does not exist, a bounce is generated, 
almost always spamming the mailbox of an innocent victim (forged 
envelope sender.)

The backscatter problem is addressed by a few patches and drop-in 
replacements for qmail-smtpd, but TTBOMK the most popular HOWTOs 
available do not apply these patches.

You might want to elaborate on the free vs. proprietary software issue. 
I think qmail is a vivid illustration of the superiority of free 
licenses. Without Bernstein's restrictive license, someone else might 
have picked up the abandoned project and added the missing features. It 
possibly could have become a complete MTA.

My own pet peeve about qmail and other DJBware is the radical departure 
from Unix norms. Putting everything in /var/qmail, ugh! A secure system 
might have /var mounted noexec. And the logging for qmail is a poor 
excuse; timestamps down to the nanosecond (yeah, right) and the 
information you need isn't there. Syslog isn't perfect, but it's the 
best we have.
    Rob - /dev/rob0

More information about the linux-elitists mailing list