qmail is vulnerable… switch to postfix [HOWTO]

It just got to my ears that qmail contains a known vulnerability that might lead to massive abuse of the mail system and your server. Mail transfer agents (MTAs) usually require a complete e-mail address when sending an e-mail, something like “george@wirelessisfun.com”, but qmail may accept mails addressed to simple usernames like “administrator” or “george”. When it then tries to deliver those e-mails it will of course realize that the address is incorrect, and it will send a non-delivery report back to the originating user.

Now do the math and count the non-delivery reports sent back for a spam run of a few thousand mails from a malicious user. That will put quite a strain on your server, and possibly on other servers.

I only had qmail on a Parallels Plesk powered server, so below you can read how to switch from qmail to postfix, the other Plesk supported MTA.

Use an ssh client to connect to your server, make sure you have root privileges, and run the following command:

/usr/local/psa/admin/bin/mailmng --features | grep -i smtp_server

if the output of that command is:

$features['SMTP_Server'] = "Postfix";
$features['SMTP_Server_package'] = "postfix";

you are safe, and good to go, but if the output of the above command is:

$features['SMTP_Server'] = "QMail";
$features['SMTP_Server_package'] = "psa-qmail";

you should change to postfix. It’s quite simple, you just need to run the following command:

/usr/local/psa/admin/sbin/autoinstaller --select-release-current --install-component postfix

That should be it. The Parallels Plesk knowledge base has an MTA change article as well, here: http://kb.parallels.com/5801
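As an added example (not part of the original post or of Plesk's own tooling), a small POSIX shell script that wraps the two commands above: it parses the mailmng output, decides whether the MTA is qmail, and only then runs the autoinstaller. The sample outputs are constructed from the text above, and it assumes mailmng prints straight quotes as shown.

```shell
#!/bin/sh
# Paths from the HOWTO above.
MAILMNG=/usr/local/psa/admin/bin/mailmng
AUTOINSTALLER=/usr/local/psa/admin/sbin/autoinstaller

# Constructed sample outputs of "mailmng --features | grep -i smtp_server",
# used only for testing the parser offline.
SAMPLE_QMAIL=$(cat <<'EOF'
$features['SMTP_Server'] = "QMail";
$features['SMTP_Server_package'] = "psa-qmail";
EOF
)
SAMPLE_POSTFIX=$(cat <<'EOF'
$features['SMTP_Server'] = "Postfix";
$features['SMTP_Server_package'] = "postfix";
EOF
)

# Print the MTA name from the $features['SMTP_Server'] line ("QMail" or
# "Postfix"); prints nothing if no such line is present. The pattern
# deliberately skips the SMTP_Server_package line.
mta_from_features() {
    printf '%s\n' "$1" \
        | sed -n 's/^[$]features\[.SMTP_Server.] *= *"\([^"]*\)";.*/\1/p' \
        | head -n 1
}

# Exit status 0 when the features output names qmail, 1 otherwise.
needs_switch() {
    case "$(mta_from_features "$1")" in
        [Qq][Mm]ail) return 0 ;;
        *)           return 1 ;;
    esac
}

# Query the live server and switch to postfix only when qmail is active.
main() {
    features=$("$MAILMNG" --features | grep -i smtp_server) \
        || { echo "mailmng query failed" >&2; return 2; }
    if needs_switch "$features"; then
        echo "qmail detected; switching to postfix"
        "$AUTOINSTALLER" --select-release-current --install-component postfix
    else
        echo "MTA is '$(mta_from_features "$features")'; nothing to do"
    fi
}

# Touch the host only when explicitly requested (RUN_MTA_SWITCH=1), so the
# parser functions can be sourced and tested without root or Plesk present.
if [ "${RUN_MTA_SWITCH:-0}" = 1 ]; then
    main
fi
```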

3 thoughts on “qmail is vulnerable… switch to postfix [HOWTO]”

  1. You could have thousands of good reasons to recommend postfix. Among them there is not the one you mention here. Concerning qmail, what happens to incoming messages, if they have to be bounced or not etc, is up to the postmaster. You can decide to erase those spam messages if you like. This article proves that you are not familiar with qmail at all. Please write about things you have tested and know very very well, and tell the same thing to who “spoke to your ears”.

    • The main point of the article was to show how to switch within Plesk from qmail to postfix (and vice versa) because in my experience, more and more people nowadays go from shared hosting, where everything is provided by the hoster, to VPSs or dedis and don’t get full management with them due to extra costs.

  2. There’s also a patch for qmail that would make it reject messages to non-existent users right at SMTP time. I like to use the SMTP plugins because I can easily integrate that with whatever backend system I use for qmail users.
