I should throw up a fanboy alert right here. You have been warned. =)
I was reading a heated discussion about security (no link, MARC is read only right now) on the PHP internals list this past week. In the middle of it, Zeev Suraski writes: “No remotely accessible software has a perfect track record, perhaps other than qmail.” For those who don’t know, qmail is the second most used MTA (Mail Transfer Agent) on the internet. It was written by Dan J. Bernstein (DJB). DJB, as I like to refer to him around the office, is a professor at the University of Illinois at Chicago. You can read all about him at his web site.
The basis for Zeev’s comments is DJB’s qmail security guarantee. As Dan writes, he was fed up with security holes in sendmail. So, he decided to do something about them. He just avoided the whole app and wrote his own. Besides being rock solid, the application takes a very intuitive (to me) approach to internet mail. DJB believes in separating jobs into separate daemons that run with separate users and permissions. One daemon accepts incoming mail and puts it in a queue. Another reads that queue and then decides if it is an internal or external delivery. It then hands that to a local or remote daemon responsible for those jobs. Everything has its job. Nice and neat.
DJB did not stop there. He also wrote (IMO) the best darn DNS server ever in djbdns. Like qmail, it has a security guarantee. It uses the same logical design as qmail. Honestly, DNS propagation is a bit of a mystery to me. BIND zone files confused the hell out of me. But, djbdns is easy as pie to use.
I have been lucky enough to use qmail for my entire career. The first host I ever signed up with used qmail and it was all I ever wanted to use. When our current systems administrator, a lifelong sendmail and BIND user, came to work for us, I showed him qmail and djbdns. It took a little while, but now he will never go back. Even with the occasional annoyance, it’s better than the alternative, in his view.
You do have to adjust to the DJB style. His applications don’t have the normal configure, make, make install setup. He is a FreeBSD user. At times there are errors on non-FreeBSD systems that are, in his opinion, flaws of those systems and not of qmail. He is usually right. At the least, you can’t say he is wrong. djbdns, for example, does not propagate data between hosts “automatically” like BIND does. You have to rsync the data somehow yourself. That is a turn-off at first for some. Then they realize how much more control that will give them.
He is very diligent when it comes to sticking strictly to whatever RFCs exist for each daemon he writes. One guy I know complains that qmail is the only MTA that requires the \r\n at the end of lines in emails. qmail will reject messages with bare newlines straight away. As you soon discover, there is a huge community of “patches” to make qmail do all sorts of things. There is a patch for that “feature” as well.
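The bare-newline rejection above is the kind of thing you want to catch on the sending side before qmail does. This is an added example, not code from the post or from qmail: it counts bare LF and bare CR characters in a raw message and normalizes every line ending to CRLF, leaving already-correct CRLF pairs untouched so the function is safe to run more than once. The sample message is constructed.

```python
import re

# A bare LF is a "\n" not preceded by "\r"; a bare CR is a "\r" not
# followed by "\n". Strict MTAs such as qmail reject messages containing
# either, because SMTP line endings must be CRLF.
_BARE_LF = re.compile(rb"(?<!\r)\n")
_BARE_CR = re.compile(rb"\r(?!\n)")


def count_bare_newlines(data: bytes) -> tuple[int, int]:
    """Return (bare_lf_count, bare_cr_count) for a raw message."""
    return len(_BARE_LF.findall(data)), len(_BARE_CR.findall(data))


def normalize_crlf(data: bytes) -> bytes:
    """Rewrite every line ending in ``data`` to CRLF.

    Existing CRLF pairs are collapsed first so they are not doubled,
    which makes the function idempotent.
    """
    data = data.replace(b"\r\n", b"\n")   # CRLF -> LF
    data = data.replace(b"\r", b"\n")     # lone CR -> LF
    return data.replace(b"\n", b"\r\n")   # every LF -> CRLF


# Constructed sample: headers use bare LF, the body mixes CRLF and LF.
SAMPLE = b"From: a@example.com\nTo: b@example.com\n\nHello\r\nworld\n"
EXPECTED = b"From: a@example.com\r\nTo: b@example.com\r\n\r\nHello\r\nworld\r\n"

if __name__ == "__main__":
    print("bare (LF, CR) before:", count_bare_newlines(SAMPLE))
    print("bare (LF, CR) after: ", count_bare_newlines(normalize_crlf(SAMPLE)))
```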
For more on djbdns, see DJB’s page about it.