Qmail Quickstarter: Install, Set Up and Run your own Email Server

Overview of this book

This book starts with setting up a qmail server and takes you through virtualization, filtering, and other advanced features like hosting multiple domains, mailing lists, and SSL Encryption. Finally, it discusses the log files and how to make qmail work faster. Qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts. Qmail is the second most common SMTP server on the Internet, and has by far the fastest growth of any SMTP server. Qmail's straight-paper-path philosophy guarantees that a message, once accepted into the system, will never be lost. Qmail also optionally supports maildir, a new, super-reliable user mailbox format.

The Overall Structure of Qmail


Before delving too deeply into further configuration and tailoring of qmail, it is important to understand the basic structure of qmail. Qmail is often referred to as merely a mail server software package. While this may be accurate in one sense, it is more accurate to think of qmail as a mail delivery architecture whose architect has thoughtfully provided a basic implementation of all the components of that architecture.

Qmail is very modular—it consists of a series of simple programs communicating via specific and limited interfaces. Each simple program has a specific and limited task to perform. This architecture allows each component program to be easily replaced or new programs to be inserted between the basic components.

Additionally, this architecture limits the security impact of any one of the components. Each program is further separated from the others, whenever possible, by giving each program a different UNIX user and specific permissions so that it can't affect anything it is not supposed to. Because the communication interfaces are limited, it is significantly more difficult to attack the software and achieve much—attacking a component that does not have enough privileges to do anything other than what it is supposed to do is much less useful for an attacker.

The simplest example is receiving email from the network. The trail of programs in basic qmail is as follows: tcpserver to qmail-smtpd to qmail-queue. The tcpserver program has two tasks: open up a port to listen to the network, and run qmail-smtpd as the appropriate user for every connection. Because listening to low ports (such as the SMTP port, 25) requires root permissions, tcpserver generally runs as root. However, because tcpserver doesn't attempt to understand the communication, it is very difficult to attack. The qmail-smtpd program has only two tasks as well: speaking the SMTP protocol sufficiently to receive email messages, and sending these email messages to qmail-queue. As such, qmail-smtpd need not do anything with the on-disk queue or the network. This allows qmail-smtpd to be run as a user with very limited permissions, and also allows qmail-smtpd to be a much simpler, and easier to verify and debug, program than it would be otherwise, even though it has to interact directly with user (or attacker) input. The qmail-queue program has only one task—to write messages to the on-disk queue prepended with a Received header. It need not talk to the network, or understand the contents of the messages it writes to disk, making the program simple and easy to verify and thus hard for an attacker to break.

Note that this architecture can be easily extended. The tcpserver program can execute any program, which can in turn execute qmail-smtpd as necessary. This might be useful, for example, to make decisions about whether to permit a connection to reach qmail-smtpd or to set and unset environment variables before qmail-smtpd is executed. It could even be used to sanitize data before it gets to qmail-smtpd. Similarly, while qmail-smtpd normally executes qmail-queue, it may invoke any program. This program can then execute qmail-queue as necessary, which might be useful, for example, to filter out email messages that contain viruses.
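As an added example (not code from the book or from qmail itself) of the second insertion point just described, here is a program that stands in for qmail-queue: it receives the message on descriptor 0 and the envelope on descriptor 1 exactly as qmail-smtpd would hand them to qmail-queue, applies a policy, and either refuses the message with a qmail-queue(8) exit code or runs the real qmail-queue over the same two descriptors. It assumes qmail's default install path /var/qmail/bin/qmail-queue; the recipient cap and the X-Example-Reject header are constructed for the demonstration.

```python
import os
import sys

REAL_QMAIL_QUEUE = "/var/qmail/bin/qmail-queue"  # assumed: qmail's default install path
MAX_RECIPIENTS = 100                             # policy value chosen for this example
REJECT_HEADER = b"x-example-reject:"             # constructed marker for the demo

def parse_envelope(envelope: bytes):
    """Envelope format: "F<sender>\\0", zero or more "T<recipient>\\0", then a
    final "\\0".  Returns (sender, [recipients]); raises ValueError if malformed."""
    if not envelope.startswith(b"F") or not envelope.endswith(b"\0\0"):
        raise ValueError("malformed envelope")
    records = envelope[:-2].split(b"\0")        # ["F...", "T...", "T...", ...]
    if any(not r.startswith(b"T") for r in records[1:]):
        raise ValueError("unexpected envelope record")
    return records[0][1:].decode(), [r[1:].decode() for r in records[1:]]

def decide(message: bytes, envelope: bytes) -> int:
    """Exit code for this wrapper: 0 hands the message to the real qmail-queue,
    31 refuses it permanently, 91 reports a bad envelope (qmail-queue(8) codes)."""
    try:
        _sender, recipients = parse_envelope(envelope)
    except (ValueError, UnicodeDecodeError):
        return 91
    if len(recipients) > MAX_RECIPIENTS:
        return 31
    header = message.split(b"\n\n", 1)[0]       # qmail uses bare LF line endings
    if any(ln.lower().startswith(REJECT_HEADER) for ln in header.split(b"\n")):
        return 31
    return 0

def hand_off(message: bytes, envelope: bytes) -> int:  # run the real qmail-queue, return its exit code
    (msg_r, msg_w), (env_r, env_w) = os.pipe(), os.pipe()
    pid = os.fork()
    if pid == 0:                                 # child: become qmail-queue
        os.dup2(msg_r, 0); os.dup2(env_r, 1)     # message on fd 0, envelope on fd 1
        for fd in (msg_r, msg_w, env_r, env_w): os.close(fd)
        os.execv(REAL_QMAIL_QUEUE, [REAL_QMAIL_QUEUE])
    os.close(msg_r); os.close(env_r)             # parent keeps only the write ends
    with os.fdopen(msg_w, "wb") as f:            # message first: qmail-queue drains fd 0 before fd 1
        f.write(message)
    with os.fdopen(env_w, "wb") as f:
        f.write(envelope)
    return os.waitstatus_to_exitcode(os.waitpid(pid, 0)[1])

if __name__ == "__main__":                       # invoked by qmail-smtpd in place of qmail-queue
    msg = sys.stdin.buffer.read()
    with open(1, "rb", closefd=False) as f:      # descriptor 1 carries the envelope here
        env = f.read()
    sys.exit(decide(msg, env) or hand_off(msg, env))
```

The wrapper never touches the queue directory or the network, so it can run with the same limited permissions as qmail-smtpd; only the exec'd qmail-queue needs its usual rights.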

As another example, the qmail-start program executes several programs: qmail-send, qmail-lspawn, qmail-rspawn, and qmail-clean. Each of these programs has a specific task. qmail-send must monitor the on-disk queue of mail and route mail appropriately by commanding either qmail-lspawn or qmail-rspawn to deliver the message depending on whether the message should be delivered to a local user or a remote user, respectively. Once messages have been delivered, it commands qmail-clean to remove the message from the queue. Both qmail-lspawn and qmail-rspawn receive delivery commands and spawn the necessary number of instances of qmail-local and qmail-remote to do the actual delivery. The qmail-remote program is a simple program that reads an email from standard input, and delivers it to the hosts and recipients specified to it by arguments. It does not have sufficient permissions to read out of the queue itself, and so must be handed the message to deliver. It can even be used alone as follows:

echo message | qmail-remote \
    smtp.example.com sender@example.com recipient@example.com

Here the arguments are the destination host, the envelope sender, and one or more envelope recipients.

The qmail-local program is also simple; its task is to read an email from standard input and deliver it to the specified local user, using the procedures detailed in that user's .qmail files. Like qmail-remote, it does not have sufficient permissions to read or modify the on-disk queue.

Each of these programs is independent of the others, and relies only on the interface provided to it. By restricting the permissions each component has, both attacking the system and achieving much with a single compromised component are made significantly more difficult. This is the fundamental concept behind the privilege-separation security technique employed by qmail.

The following diagram depicts this description graphically:

In this diagram, each on-disk element is a hexagon, each process is a rectangle, and each separate user-protected domain is a tinted rounded-rectangle (root domains are darker). The arrows indicate the direction email travels through the system. As you can see, the central feature of the qmail architecture is the on-disk queue. Despite its centrality, very few components of qmail need to read or modify the queue.