John Summerfield wrote:
Hmm, I note that while Qmailrocks points to the source of qmail, the qmail pages recommends lifewithqmail but does not mention qmailrocks.
That would be correct, it doesn't for reasons discussed on the ever-controversial (but not on the subject of qmail knowledge) qmail list.
You may never have perceived a problem, but that's not the same as not having a problem.
In fact, mail problems are somewhat tricky to perceive. Starting with the fact that logging mail properly is non-trivial, and following the instructions that do exist precisely can be semi-arduous.
I've found mail problems on servers that have been running mail for over 8 years, and nobody ever noticed it. It's the whole one-to-many and many-to-one thing. It gets overwhelming to verify each and every one, and most people figure it if seems to work, f--- it.
I note that qmail is not free software as defined by the FSF. I cannot even ungzip the tarball and bzip2 it without Dan (the author's approval) so as to save space when I distribute it. See http://cr.yp.to/qmail/dist.html
True though that may be, it's an endearing quirk along with a few other endearing quirks DJB has that make qmail all the more interesting. :D And these days, with the price of storage and bandwidth availability, who really needs to change out that .tar.gz for a .tar.bz2, anyway?
If you don't want to build from source you should be using a different package.
Seriously, qmail is a mandatory, unpack, patch, and build from source. I happen to use an rpm, but pretty much just unpacks, patches, and builds from source in a nicely repeatable fashion for any Linux I care to drop it on. I decide I want other patches, I just edit the .spec file and put them where they need to be. Build it, take the new src.rpm, and put that where it needs to go so I can push it wherever I need to.
I have heard Bad Thing in the past about qmail, so googled for "the problem with qmail." Some hits, not a lot. This is rather old, and the author's fond of postfix (as am I) (but he was expert in qmail): It speaks of licence, the author's attitude, problemss working with other software such as smartlist. http://lists.debian.org/debian-devel/1999/06/msg02053.html
Hey, I've heard postfix is a decent MTA, I just wouldn't know from personal experience. I do have friends that run it though. :D
This is more recent:
The problem with qmail is that you need either a big patchset or a once patched setup and reuse that. Plus qmail really has some not-so-nice bugs.
http://www.mail-archive.com/swinog@lists.swinog.ch/msg01601.html
Not so nice bugs? Ahh, it's not so bad. 'patch -p0 blah blah blah'
Oh, shhh sugar! This was written for RHL 6.x. I says, "PROCESS
- download qmail 1.03 (or latest - but it hasn't changed in a *long*
time):" http://jason.mindsocket.com.au/articles/qmail/setup-README
He's right. 1.03 is the latest listed at http://cr.yp.to/qmail/dist.html and http://cr.yp.to/qmail.html Version 1.0, the first general release, was announced on February, 20, 1997. The current version, 1.03, was released on June, 15, 1998. http://www.lifewithqmail.com/lwq.html#history
Funny thing is that, there hasn't been a reason to change qmail's source code.
Also, if you really want a prepatched version that takes care of a lot of the major issues, netqmail-1.05 goes a long ways towards that. Adding a couple of mild feature enhancements by way of patching pretty much makes building qmail a 4-minute process. RTFM'ing the first time takes about 2 hours, if you read slow. The documentation is pretty terse and to the point.
It looks to me that qmail is high-maintenance; www.qmail.org is one site that attempts to make it usable, but if DJB ever releases a newer version then what to do with all those patches?
Honestly? For the trivial complexity of the initial setup, qmail is one of the most low maintenance applications I have ever run on any platform. Basically, if you don't screw anything up, it just works. People have not touched a qmail configuration for 8 years, and never had a reason to. Spending a few minutes to know what you're doing on the front side pays dividends for years, even if for some reason, you end up choosing to use another MTA. I learned about the protocols from reading qmail documentation or referenced documentation.
It's like mixing and matching kernel patches.
What is? Patching qmail is nothing like patching a kernel. It's not nearly as complicated, the scope is far narrower, and the net effect of a success/fail is far easier to react to. I'd recommend anybody play with patching/building qmail, whereas, I can't even get a vanilla CentOS 4.4 kernel to build when I run 'make menuconfig' and then 'make'. I'm sure when I'm ready to find out why, I will though. :P
I don't see any patches to fix security problems, but I am not prepared to believe there are no security problems. There are patches to fix standards non-compliance (eg RFC 1870 and RFC 2821) and nobody can distribute source with them preapplied. Instead, they must distribute patch alone or source-plus-patch.
Well, ya know it's kinda funny. The author has had a cash prize for anybody to find a security hole in qmail for the better part of a decade, and as much as a lot of people have gotten really intimate with the qmail source code (as evidenced by the sheer number of patches), nobody has EVER been able to find one and claim the prize. I think that's as close to being able to believe there aren't any issues as any software I've ever seen. Certainly Bill Gates would be substantially poorer had he ever made that claim, and backed it with cash over the same time period.
</rant> :D
Peter