As a reluctant server administrator, I make it a goal to do as little custom configuration work as possible. No building from source, no third-party package repositories, and restricting myself to a core, stable subset of system features when building software. Performing a package or OS upgrade only to find that some bleeding edge feature you were using has changed is frustrating at best, a lurking security hole at worst.
As a result, my preference for Qmail as an MTA may seem odd, given that Qmail is perceived as challenging to configure. However, when it comes to secure, set-and-forget software (another penchant of the reluctant server administrator), Qmail is just about as good as it gets. It’s the Fort Knox of MTAs: highly efficient and designed to be secure. While it may appear a bit difficult to get started, once you understand the way Qmail approaches mail delivery, you’ll never go back to any of the other buggy MTAs.
But for those of us that use Ubuntu, there’s a problem. The Ubuntu package for Qmail, though stable, is somewhat outdated. It lacks several important patches, making the reluctant server administrator’s life that much more difficult. For example, the CNAME patch simply makes DNS lookups more efficient. Why is this important? Because if you don’t apply this patch, sites with large DNS records will trigger temporary failures (“CNAME lookup failed temporarily”) until Qmail finally gives up and bounces the outgoing message. There are workarounds (editing the smtproutes configuration, in this case), but they’re tedious and require ongoing oversight.
The list of useful Qmail patches is fortunately rather short, but would require a custom build of Qmail, which in my case is unworkable. I use Puppet to configure all of my servers, so handling custom package builds becomes a more serious challenge, not to mention requiring the entire suite of build tools on the server.
With a just-in-time custom build ruled out, the best remaining option in the Ubuntu ecosystem is to create a Personal Package Archive on Launchpad, Canonical Ltd’s third-party package repository. With a PPA, I can upload my patched Qmail source package, at which point Launchpad will build and host packages that are easily imported into the Ubuntu package manager.
In the interest of simplicity, instead of modifying the original Qmail source, I followed the package manager’s convention and applied the changes as a series of patches. Some applied cleanly, without any additional modification. Others (particularly the Qmail Authentication patch) required extensive rework to accommodate changes from the other patches.
In the end, I added 6 additional patches to Qmail:
- 0004 – Remove the CNAME lookup (per DJB himself: “It’s safe to simply skip the CNAME lookup: i.e., have dns_cname simply return 0”)
- 0005 – Handle large DNS responses (would also have solved the above problem – I applied both since the CNAME lookup is no longer useful and is extra work)
- 0006 – Return “Unrecognized” instead of “Unimplemented” for non-existent SMTP commands
- 0007 – Screen for and reject email addresses with relay characters
- 0008 – A host of inbound and outbound SMTP AUTH authentication patches
- 0009 – Support for external recipient validation via the RCPTCHECK environment variable
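
The screening that patch 0007 describes can be illustrated with a short check on the envelope recipient. This is an added example, not code from the patch or from Qmail; the function name `has_relay_chars` and the character set (`!`, `%`, or an extra `@` in the local part) are assumptions, since the page does not list which characters are rejected.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the local part of an envelope recipient contains a
 * source-routing character, 0 otherwise.
 * Assumption: the screened set is '!', '%' and '@'; the page does not
 * say which characters patch 0007 rejects. */
int has_relay_chars(const char *addr)
{
    /* The last '@' separates the local part from the domain. With no
     * '@' at all, the whole string is treated as the local part. */
    const char *at = strrchr(addr, '@');
    size_t local_len = at ? (size_t)(at - addr) : strlen(addr);
    size_t i;

    for (i = 0; i < local_len; i++) {
        switch (addr[i]) {
        case '!':   /* UUCP bang path:  host!user@relay       */
        case '%':   /* percent hack:    user%host@relay       */
        case '@':   /* extra at-sign:   user@host@relay       */
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample recipients, not taken from the page. */
    static const char *samples[] = {
        "alice@example.org",
        "bob%internal.example@example.org",
        "otherhost!carol@example.org",
        "dave@internal.example@example.org",
        "postmaster",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i],
               has_relay_chars(samples[i]) ? "reject" : "accept");
    return 0;
}
```

Only the local part is scanned, so the single `@` that introduces the domain never triggers a rejection.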
The source is on GitHub and the packages are built and available via Launchpad; instructions for incorporating them into your Ubuntu install are there as well. I’ve been running the new build in production on a handful of servers and haven’t experienced any problems yet. If you find one though, send a pull request on GitHub and send me an email. I’ll incorporate it, rebuild, and republish the package.
I really can’t endorse Qmail enough… configuration is straightforward (despite the learning curve), mail handling is predictable, and most of all, this updated Qmail installation requires exactly 0 maintenance. Perfect for reluctant server administrators like me!