Sendmail (http://www.sendmail.org/), likely the Internets most used mail transport agent (MTA), is often the standard MTA of UNIX distributions. Sendmail has proven itself as an MTA in the largest of sites including acting as large central hubs of Internet service providers. Sendmail, however, has two often heard weaknesses: complicated configuration, and security issues. Both the complicated configuration and the security issues stem from the size and power of Sendmail. There is no other MTA that supports so many email-related RFCs, delivery methods, and customization. Sendmail can route and readdress email for other transport agents or local delivery.
Most organizations require very little readdressing for various mail systems due mostly to the popularity and maturity of SMTP and the almost universal choice of SMTP as the preferred email protocol. Most readressing comprises simple aliases for various spellings of users names and multiple domain addresses where users have email addresses in several domains, such as email@example.com and firstname.lastname@example.org. While many organizations still have a centralized hub design for delivery of email that Sendmail lends itself to, the simple readressing, relaying, local delivery, and mailing lists do not require customized treatment and Sendmail can seem to be overkill.
While most distributions of Sendmail contain a canned configuration that will serve most organizations needs, many administrators wish to have a good understanding of their MTA, but do not have the time to learn Sendmail. This months column covers an alternative to Sendmail: qmail.
In addition to meeting most organizations needs, qmail is also a small streamlined MTA. The qmail distribution weighs in at a little over one megabyte. In addition to being small, qmail is also known for being secure. At one time a $1000 reward was offered to anyone finding a security bug in the software the reward went unclaimed. (If anyone has seen a security advisory on qmail, please drop me an email with advisory or the URL.) qmail, like many of the new or recent Internet applications, does not have the time-proven record of older software; but unlike older software, it also does not have bloated or old code retained for legacy reasons leaving fewer lines of code that could be security weaknesses. qmails age should not be considered a major drawback. It has proven itself as a reliable MTA under the heaviest of loads including Microsofts own free email service, HotMail (http://www.hotmail.com/). HotMail has had some security issues; however, they were unrelated to qmail.
qmail, currently in version 1.03 can be downloaded from:
qmail will run on most versions of UNIX. For a complete list of verified, systems see:
The installation instructions covered here are for RedHat 6.1, but are generally the same for every flavor of UNIX. If you are going to be replacing another MTA on a production system, you should practice the install process on a non-production environment to ensure you have an understanding of the procedure. Domain name system mail exchange records (MX) are beyond the scope of this article, but a backup MX record should be configured to ensure mail is queued during the transition to qmail. (Backup MX records should always be in place for short-term outages.)
If Sendmail is just going to be temporarily disabled to test qmail, use the following command to shut it down:
killall -9 sendmail
As user root, place the qmail distribution in the directory where you keep your source files. I typically use /usr/local/src/, and these steps assume this directory.
Start the installation by uncompressing and untaring the archive:
tar xvf qmail-1.03.tar
Review the README file in the /usr/local/src/qmail-1.03/ directory to check for any last minute changes to the source package. Also review the INSTALL file. Next, you can create the qmail home directory. In this example, I will use the standard, although somewhat non-conformant, directory /var/qmail. This directory will be the home directory of the seven qmail processes that qmail uses to delivery and process email: alias, qmaild, qmaill, qmailp, qmailq, qmailr, and qmails. These users are documented in the INSTALL.ids file. (Check the INSTALL.ids file for tips on other versions of UNIX.)
to create the directory. Next, create the nofiles and qmail groups that these standard qmail processes belong to:
And then add the users to the system:
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails
make setup check
The make setup check command will also install the qmail system in /var/qmail/.
qmail can now be configured. If the DNS resolver (client) is running properly on the server, where qmail is running and IP addresses to fully qualified domain names (reverse lookup) exist for all IP addresses on the server, then a simple:
will run the configuration script. Should DNS not be completely functioning, then use:
where hostname.domainname.tld is the fully qualified domain name made up of the host name, the domain name, and the top-level domain, such as .com or .net. If DNS is not functioning correctly and the ./config-fast is not used, then qmail will not be able to accept mail properly to do its built-in anti-relaying (spam control).
qmail requires three aliases to be defined in order to notify the proper administrators of delivery or other problems: qmail-mailer-daemon, qmail-postmaster, and qmail-root. qmail uses individual files to define aliases and stores them in the alias subdirectory (/var/qmail/alias/ is our case). These aliases cannot point to root. For this example, I will assume one administrator receives all the email. Create the alias files:
echo mccartyr >/var/qmail/ \
echo mccartyr >/var/qmail/ \
echo mccartyr >/var/qmail/ \
Its always a good idea to also use the postmaster alias since users and automated processes send email to the address:
echo mccarty >/var/qmail/ \
We need to copy the standard rc startup script into qmails home diretory:
cp /var/qmail/boot/home \
To receive email via SMTP over TCP, we also need to let inetd know about the service running on TCP port 25. Make the following entry in /etc/inetd.conf:
smtp stream tcp nowait \
qmaild /var/qmail/bin/tcp-env \
and restart the inetd daemon:
killall -HUP inetd
Finally, we can start all the qmail processes:
Make sure the qmail-send, splogger qmail, qmail-lspawn, qmail-rspawn, and qmail-clean processes are running with:
ps aux | grep qmail
You will not see the qmail-smtpd running, because inetd will only start it when a client connects to port 25. To ensure it is listening on port 25, use:
telnet localhost 25
The system should respond with:
220 hostname.domain.tld ESMTP
to exit from the SMTP port. (To change what is printed in the 220 message, create /var/qmail/control/smtpgreeting with the text that should be printed in the 220 message.)
From a remote machine, send an email message to an account on the qmail server. (Remember, MX records and DNS in general must be functioning and set up correctly or the remote host will not be able to deliver email remotely.)
To test email delivery, use the qmail-inject program. (Using local mailers on a system that has Sendmail installed will work properly, because they will call Sendmail for delivery, but this does not ensure that qmail is making delivery. The INSTALL file contains instructions on linking Sendmail to qmails Sendmail program, which is actually the qmail-inject program.) To test qmail-delivery, use:
echo to: email@example.com | \
If email is not delivered properly, check network connectivity and name server resolution from the host where qmail is installed. To see whether email is being delivered, use the /var/qmail/bin/qmail-stat command to view qmails queue. This program will show how many messages are queued and how many are waiting to be queued.
After completion of the above steps, qmail will be up and running and ready for testing. Although qmail has its own peculiarities for implementation, as shown here, it is much easier than a complete Sendmail install. Additionally, its easier configuration, tight security, and full administrative control may make it the right MTA for you. To fully utilize its advanced features, check the qmail Web site for tips on using Sendmails .forward capability, Sendmail aliases (fastforward), as well as user-owned distribution (mailing) lists.
About the Author
Ronald McCarty received his bachelors degree in Computer and Information Systems at the University of Marylands international campus at Schwaebisch Gmuend, Germany. After completing his degree, Ronald McCarty started his network career as network administrator at the Schwaebisch Gmuend campus. Ronald McCarty works for Lucent Technologies as a senior systems engineer on a customer team responsible for a major telecommunications carrier. He spends his free time with his two best friends in the world: his daughter, Janice, and his wife, Claudia. Ron can be reached at: firstname.lastname@example.org.