Opinion: Qmail is dying.

Today is a sad day, and it is sadder still that I feel I should write this article.

Many years ago, when we were all much younger, the skys were cleaner and bluer, kids went outside to play in the street instead of staring at a flickering 14" tv and playstation, you could leave your door unlatched and we all used Sendmail as our MTAs. Life was good.

Then Bad Stuff[tm] started happening, we started getting spams, and sendmail was found wanting in the security dept many times.  There were alternatives popping up, but when you are hooked into also providing UUCP feeds, your options are extremely limited.

Then in 1997 I discovered Qmail, with the promise of security, modularisation and simpler administration. So I launched headlong into replacing our sendmail install with Qmail.  I ended up with a functional hybrid of installing Sendmail for UUCP and overlaying Qmail to do the SMTP/POP3. All in all this worked well for many years while we weaned everyone off UUCP.

So, why am I saying Qmail is dying, and who am I to make such an assertion?  Perhaps a few credentials are in order.  I was a reasonably early adopter of Qmail back in 1997 and when I started there were no documents or howtos on setting it up in an ISP type environment. All you had was DJB’s INSTALL file, which was a pretty basic set-up for system account users.  The man pages were pretty poor and involved a spot of trial and error to work out many things.   To this end, I wrote the first  published document on setting up Qmail, called the Qmail Single UID Howto which has been used by thousands (if emails are anything to go by) of sysadmins around the world.

Up until a couple of weeks ago, I continued in my die-hard attitude of Qmail can do anything, but increasingly of late, I have found it harder and harder to do what I need it to do.  Yes, we can all hook in spamassassin and antivirus scanners, but other more fringe issues just aren’t there yet.  Specifically a test install of greylisting using greylisting-spp and qmail-spp (which incidentally looks like a great system that needs greater buy in from the Qmail community) refused to let qmail processes exit and sucked cpu – solidly killing my colo server.  I had to drop the qmail-spp and greylisting idea.

Next up is SpamCop.  Now I’m no great fan of SpamCop’s arbitrary "we say it is bad so you must obey" style, but Qmail’s architecture falls fowl of one of SpamCop’s rules that says you should not accept email for a user that doesn’t exist.  With the deluge of spam (with forged smtp envelope sender addresses) the net result is Qmail will say ‘Sure send me the email’ but reject it at the local delivery stage causing a bounce to be sent back to the envelope sender address.  SpamCop deems this as "spamming" the poor unfortunate schmuck who’s email address was Joe-Jobbed to send you the spam.  Worse, Spamcop has several "traps" set up that will cause your mail server to be automatically placed onto their blacklist if a trap receives any such bounces.  Qmail simply doesn’t do recipient verification in qmail-smtpd (which is why qmail never supported VRFY, ever).

Added to this, again in my opinion, Qmail’s author Daniel J Bernstein has effectively signed Qmail’s own death warrant by (1) Not supporting qmail in the past several years, and (2) Refusing to donate the code out to the community under say a GPL or Apache style license.   I am not disputing his right to do so. Dan is perfectly within his rights to retain his code.  I am simply stating that the current position means anyone with plans on using Qmail will find themselves less and less supported to the point that maintaining Qmail systems (evolving with the times, e.g. adding IMAP, or the next big thing) becomes an untenable proposition.  That said, I have a lot of respect for Dan and his achievements and the quality of his work.

I also do not want to use this article to promote any alternatives to Qmail.  Not out of fear of being called a fan-boy (I believe, if anything I have proven I was big proponent of Qmail), I am simply mourning the passing of, what was, a great MTA. Suffice to say, there are now much better supported systems out there.

Qmail, R.I.P.  I shall miss you.

Edit:  If you came here from the qmail at eight criticism of this article, please read my response.

Bypassing “registration required” news sites.

Ever been passed a url link to a news media site only to find it requires you to register or login to read it?   Usually I just switch off and deign it to not be worth the hassle and move on with life. 

Now I know there are sites such as BugMeNot.com and they create generic logins to share for the community and on the whole works very well.  I’ve used it in the past, and I’m not intending to promote this idea as a replacement or better than it.

However, tonight it occurred to me – if I pretend to be google, perhaps it’ll not ask. Now some 6 or so months ago, I switched to using the Firefox web browser from Internet Explorer (tired of popup and security hell) and I was undergoing some training that required the use of IE to login to the training site, and separately to interact with the product I was training on. Using IE for both at the same time was awkward, so I downloaded the User Agent Switcher Extension and used it to fool the training site into believing Firefox was really IE. It worked flawlessly.

Now back to the present day, so I add an entry in User Agent Switcher by clicking:
Tools -> User Agent Switcher -> Options -> Options, click User Agents and click Add.
Then for Description enter "GoogleBot" and under User Agent enter "Googlebot/2.1 (+http://www.google.com/bot.html)" all without the double-quotes.

Clicking back to the link I was given: http://www.kansascity.com/mld/kansascity/news/nation/11084410.htm and yeehaw! no login.

Also interestingly, Google doesnt serve up any AdWords if you tell it you are Googlebot.

Stupid memes ?

Tonight I found out what a "meme" was.   I was prompted to look it up by reading Mark’s post over on his site.

Now with all the stuff in the news about Identity theft and how easy it is to assume someone else’s identity, is it really wise to be giving out information about the contents of your wallet?