When first published, qmail was the first security-aware mail transport agent; since then, other security-aware MTAs have been published. The most popular predecessor to qmail, Sendmail, was not designed with security as a goal, and as a result has been a perennial target for attackers. In contrast to sendmail, qmail has a modular architecture composed of mutually untrusting components; for instance, the SMTP listener component of qmail runs with different credentials from the queue manager or the SMTP sender. qmail was also implemented with a security-aware replacement to the C standard library, and as a result has not been vulnerable to stack and heap overflows, format string attacks, or temporary filerace conditions.
Performance
When it was released, qmail was significantly faster than Sendmail, particularly for bulk mail tasks such as mailing list servers. qmail was originally designed as a way for managing large mailing lists.
Simplicity
At the time of qmail's introduction, Sendmail configuration was notoriously complex, while qmail was simple to configure and deploy.
qmail is nearly a completely modular system in which each major function is separated from the other major functions. It is easy to replace any part of the qmail system with a different module as long as the new module retains the same interface as the original.
Controversy
Security reward and Georgi Guninski's vulnerability
Bernstein offered in 1997 a US$500 reward for the first person to publish a verifiable security hole in the latest version of the software. In 2005, security researcher Georgi Guninski found an integer overflow in qmail. On 64-bit platforms, in default configurations with sufficient virtual memory, the delivery of huge amounts of data to certain qmail components may allow remote code execution. Bernstein disputes that this is a practical attack, arguing that no real-world deployment of qmail would be susceptible. Configuration of resource limits for qmail components mitigates the vulnerability. On November 1, 2007, Bernstein raised the reward to US$1000. At a slide presentation the following day, Bernstein stated that there were 4 "known bugs" in the ten-year-old qmail-1.03, none of which were "security holes." He characterized the bug found by Guninski as a "potential overflow of an unchecked counter." "Fortunately, counter growth was limited by memory and thus by configuration, but this was pure luck." On May 19 2020, a working exploit for Guninski's vulnerability was published by Qualys but exploit authors' state they were denied the reward because it contains additional environmental restrictions.
Frequency of updates
The core qmail package has not been updated for many years. New features were initially provided by third party patches, from which the most important at the time were brought together in a single meta-patch called netqmail.
Standards compliance
qmail was not designed to replace Sendmail, and does not behave exactly as Sendmail did in all situations. In some cases, these differences in behavior have become grounds for criticism. For instance, qmail's approach to bounce messages differs from the standard format of delivery status notifications specified by the IETF in RFC 1894, meanwhile advanced to draft standard as RFC 3464, and recommended in the SMTP specification. Furthermore, some qmail features have been criticized for introducing mail forwarding complications; for instance, qmail's "wildcard" delivery mechanism and security design prevents it from rejecting messages from forged or nonexistent senders during SMTP transactions. In the past, these differences may have made qmail behave differently when abused as a spam relay, though modern spam delivery techniques are less influenced by bounce behavior.
Copyright status
qmail was released to the public domain in November 2007. Until November 2007, qmail was license-free software, with permission granted for distribution in source form or in pre-compiled form only if certain restrictions were met. This unusual licensing arrangement made qmail non-free according to some guidelines, and was a cause of controversy. qmail is the only broadly deployed public domain softwaremessage transfer agent.
