qmail is vulnerable… switch to postfix [HOWTO]

It just got to my ears that qmail contains a known vulnerability that might lead to massive abuse of the mail system and your server. What happens now is that usually mail transfer agents (MTA’s) require that you write a complete e-mail address when sending an e-mail, something like “george@wirelessisfun.com” but qmail may accept mails addressed to simple usernames like “administrator” or “george“. When trying to send those e-mails, of course it will realize that the  address is incorect, and it will send a non delivery report back to the originating user.

Now, do the math, and count the reports sent back for a spam frenzy of a few thousand SPAM mails sent by a malicious user. That will put quite a strain on your server, and possibly on other servers.

I only had qmail on a Parallels Plesk powered server, so below you can read how to switch from qmail to postfix, the other Plesk supported MTA.

Use an ssh client to connect to your server, make sure you have root privileges, and run the following command:

/usr/local/psa/admin/bin/mailmng –features | grep -i smtp_server

if the output of that command is:

$features[‘SMTP_Server’] = “Postfix”;
$features[‘SMTP_Server_package’] = “postfix”;

you are safe, and good to go, but if the output of the above command is:

$features[‘SMTP_Server’] = “QMail”;
$features[‘SMTP_Server_package’] = “psa-qmail”;

you should change to postfix. It’s quite simple, you just need to run the following command:

/usr/local/psa/admin/sbin/autoinstaller –select-release-current –install-component postfix

That should be it. The Parallels Plesk knowledge base has an MTA change article aswell, here: http://kb.parallels.com/5801