6 May 2024

What's notqmail?

It's software for running an email server. For more information, see About, Install, and Help.


What's not new?

As usual, this release is intended as a safe, easy update path from a previous notqmail, netqmail, or qmail. Your local patches should mostly continue to apply.

To the best of our knowledge, qmail, netqmail, and therefore notqmail have never been vulnerable to "SMTP Smuggling" (#251). Your instance of notqmail may nonetheless be vulnerable if you've applied any patches or chained any programs (such as fixcrio) that cause line endings to be changed in transit. Other forks of qmail may be vulnerable if they have modified its handling of line endings in qmail-smtpd and/or qmail-remote.
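One way to check whether a patch or chained program changes line endings in transit, as an added example (not notqmail code): tally CRLF, bare LF, and bare CR in a message before and after it passes through, and flag any difference. The function names and both sample messages are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Tally of the line-ending forms found in a byte buffer. */
struct eol_count {
  size_t crlf;    /* CR immediately followed by LF */
  size_t bare_lf; /* LF not preceded by CR */
  size_t bare_cr; /* CR not followed by LF */
};

static struct eol_count count_eols(const char *buf, size_t len)
{
  struct eol_count c = {0, 0, 0};
  size_t i;
  for (i = 0; i < len; i++) {
    if (buf[i] == '\r') {
      if (i + 1 < len && buf[i + 1] == '\n') { c.crlf++; i++; }
      else c.bare_cr++;
    } else if (buf[i] == '\n') {
      c.bare_lf++;
    }
  }
  return c;
}

/* 1 if the output has the same mix of line endings as the input, else 0. */
static int eols_preserved(const char *in, size_t inlen,
                          const char *out, size_t outlen)
{
  struct eol_count a = count_eols(in, inlen);
  struct eol_count b = count_eols(out, outlen);
  return a.crlf == b.crlf && a.bare_lf == b.bare_lf && a.bare_cr == b.bare_cr;
}

/* Constructed samples: a message with one bare LF, and the same message
   as a line-ending-rewriting filter might emit it. */
static const char SAMPLE_IN[] = "Subject: test\r\n\r\nline one\nline two\r\n";
static const char SAMPLE_OUT[] = "Subject: test\r\n\r\nline one\r\nline two\r\n";

int main(void)
{
  struct eol_count c = count_eols(SAMPLE_IN, sizeof SAMPLE_IN - 1);
  printf("input: %lu CRLF, %lu bare LF, %lu bare CR\n",
         (unsigned long)c.crlf, (unsigned long)c.bare_lf, (unsigned long)c.bare_cr);
  printf("line endings preserved: %s\n",
         eols_preserved(SAMPLE_IN, sizeof SAMPLE_IN - 1,
                        SAMPLE_OUT, sizeof SAMPLE_OUT - 1) ? "yes" : "no");
  return 0;
}
```

Equal tallies show only that no line-ending form was added or removed; a byte-for-byte comparison is the stricter check when the filter is not supposed to modify the message at all.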

What's new?

Regressions fixed

  • qmail-inject: fix header parse regression introduced in 1.08. (#229, closing #147)

Patch adjustments

See also patches.

  • big-todo: conflict in qmail-qstat.sh, skip that section; conflict in hier.c, add the two lines inside hier_queue()
  • dns-oversize: merged, no longer needed (#201)
  • qmail-queue-custom-error: merged, no longer needed (#195)
  • smtp-auth: conflicts in Makefile and TARGETS, remove references to now.o and alloc.a
  • smtp-tls: does not apply, please wait for a new upstream patch
  • smtpd-spp: conflict in Makefile, remove references to now.o and alloc.a

All other changes, organized by project goal:

Preserve qmail's hard-earned security properties

  • qmail-local: close race window when creating file in tmp/. (#119)

Add interfaces to make extensions possible

  • qmail-queue: extend interface so a custom rejection message can be communicated to the caller. Based on Flavio Curti's qmail-queue-custom-error-v2.netqmail-1.05.patch. (#195)

Provide sensible defaults

  • qmail-remote: stop rewriting RCPT TO: domains when they are a CNAME (RFC 5321 5.1). (#121)
  • qmail-remote: handle DNS packets up to max EDNS response size. Based on Christopher K. Davis's qmail-103.patch. (#201)
  • qmail-remote: honor all group memberships of the qmailr user. This lets admins more precisely define read permissions on TLS or DKIM key material. (#153)
  • qmail-smtpd: allow [] to appear in Received: lines. (#170)
  • docs: append .md suffix. (#36)

Reduce marginal cost of development

  • Define CODEOWNERS with our default reviewers. (#192)
  • Remove maildirwatch. (#93)
  • Remove qsmhook. (#87)
  • Remove elq, pinq, and qail. (#99)
  • Ensure local headers are self-contained by including them before system headers. (#183)
  • Say NULL instead of casting 0 to a pointer type. (#152, #161)
  • auto-str: make most output human-readable. (#144)
  • Add ids.a, a library containing auto_user*.o and auto_group*.o. (#182)
  • Makefile: remove stale references to auto-uid. (#219)
  • TARGETS: remove unneeded auto_uid*.o and auto_gid*.o entries. (#154)
  • Makefile: call head (but not tail, for portability) in the POSIX style. (#105, #205)
  • Use ssize_t in substdio to match return types of read() and write(). (#84)
  • Replace error_* variables with #defines to their errno equivalents. (#171)
  • qmail-qstat: remove unneeded dependencies, simplify logic, add compatibility with big-todo queues. (#234)
  • qmail-qmtpd, qmail-qmqpd: validate that netstring length is a number. (#241)
  • qmail-remote: avoid sending CRCRLF if input contains CRLF. (#18)
  • Make now() an inline function. (#158, #169)
  • qmail-remote: fix warnings about get() being used with wrong pointer signedness. (#162)
  • clean up hier.h and spawn functions. (#155)
  • Improve platform checks for select(). (#163)
  • qmail-send: use utimes() instead of utime(). (#164)
  • predate: use better version of calling time(). (#150)
  • Add missing system headers for close(), chdir(), getpid(), other undeclared functions. (#237, #146)
  • Add prototypes for scan.h, fmt.h. (#129, #126)
  • Use default strdup() instead of open coding it. (#130)
  • Remove functions that only reimplement standard C functions. (#103)
  • Remove the custom allocator. (#124)
  • Fix several classes of compiler warning. (#184, #185, #186, #187, #188, #200, #271, #273)
  • Fix CodeQL cpp/integer-multiplication-cast-to-long. (#193)
  • Add tests for qmail-send:job_*() and prioq_*() functions. (#224, #179, #254)
  • Remove register storage class declaration. (#202)
  • Add noreturn attribute to a couple of functions. (#211)
  • Return int from all main() functions. (#145)
  • Add back accidentally removed typecast in gen_allocdefs.h. (#137)
  • Clean up substdio interface declarations. (#271)
  • TravisCI: remove. (#207, #216)
  • CirrusCI: remove. (#253)
  • GitHub: extend build matrix (gcc with and without utmpx(5)) with clang, with and without -DDEPRECATED_FUNCTIONS_REMOVED, with and without nroff/mandoc, with and without compiler warnings turned up. (#181)
  • GitHub: enable CodeQL analysis. (#176, #253)
  • FreeBSD: update. (#125, #216, #235, #253, #274)
  • macOS: add, update. (#181, #253)
  • OpenBSD: add, update. (#242, #253, #274)
  • Solaris: add, fix, update. (#206, #231, #242, #253)
  • Ubuntu: update. (#231, #240, #253)
  • NetBSD: add, update. (#253, #274)
  • Alpine: add, including many hardware architectures. (#253)
  • Fedora: add. (#269)

Make packaging easier

  • Add optional queue-only argument to instpackage, instchown, and instcheck. (#61, #248)
  • instchown: operate on file descriptors to run more efficiently (also resolving spurious CodeQL "TOCTOU" warnings). (#266, #263)
  • De-symlink .gitignore to mollify Git 2.32.0. (#217, #218)
  • Symlink autobuild configs into autobuilds/. (#148)
  • Add .gitattributes to keep unneeded files out of release tarballs. (#180)

What's going away?

Compiler warnings

Removing causes of compiler warnings advances the notqmail project goals of preserving qmail's hard-earned security properties and gradually reducing the marginal cost of developing notqmail. In this release, the list of changes addressing sources of warnings includes #162, #184, #185, #186, #187, #188, #193, #200, #271, and #273.

Meanwhile, compilers are gradually promoting more warnings to errors. We're doing our best to stay ahead of this, constrained by the project non-goal of breaking your patches more than necessary. You may occasionally find it necessary to add -Wno-error=something-or-other to conf-cc. If you do, please let us know.

Functions

We've marked the following functions deprecated, and intend to remove them in an upcoming release. To find out whether you're depending on any of these, add -DDEPRECATED_FUNCTIONS_REMOVED to conf-cc and see whether your build breaks. If it does, please let us know.

  • alloc_re(): call realloc() directly instead. (#151, #159)
  • log2(): call qslog2() instead. (#187)
  • substdio_bget(): call substdio_get() instead. (#140, #199)

Programs

We believe the following programs are no longer worth the maintenance cost, and intend to remove them in an upcoming release. If you're depending on any of these, please let us know.