layout: true
name: titleslide
class: center, middle

.footnote[
### @schmonz
#### #nycbug
[schmonz.com/talk/2019-nyc-march](https://schmonz.com/talk/2019-nyc-march/)
]
---
layout: true
name: footnotelinks

.left-column[
]
.footnote[
### @schmonz
#### #nycbug
[schmonz.com/talk/2019-nyc-march](https://schmonz.com/talk/2019-nyc-march/)
]
---
template: titleslide
# Maintaining qmail in 2019
## Amitai Schleier
---
layout: false
template: footnotelinks
.right-column[
# Goals For This Session
## 1. Wanna try it?
## 2. Why do I do this?
## 3. What's new since 1998?
## 4. But seriously Okay, what's next?
]
---
.right-column[
# 0. Code of Conduct
## Is there one for this meetup?
## Remind ourselves how we want to behave
## Like infra-as-code or TDD, declaring our intentions helps us live up to them
]
---
.right-column[
# 1. Wanna try it?

```txt
$ git clone https://github.com/NetBSD/pkgsrc.git
$ cd pkgsrc/bootstrap
$ sudo ./bootstrap --prefix=/opt/pkg
$ PATH=/opt/pkg/sbin:/opt/pkg/bin:$PATH
$ cd ../mail/qmail-run
$ make install
```

#### Tested recently
- CentOS, Debian, Devuan, FreeBSD, NetBSD, OpenBSD, OS X, Tribblix
]
---
.right-column[
# 2. Why do I do this?
### - My first job _vs._ my job today
### - Ease and elegance _vs._ annoying sharp edges
### - Lack of upstream _vs._ evolving needs (_vs._ laziness)
### - Further investment _vs._ [Postfix](http://www.postfix.org)
### - [Legacy code](https://www.legacycode.rocks) (and avoiding it) is now a [professional specialty](https://latentagility.com)
]
---
.right-column[
# 3. What's new since 1998?
### - Authentication
### - Encryption
### - Spam
#### What's not?
### - `qmail-1.03.tar.gz`
]
---
.right-column[
# My Fate Is Sealed: July 2004
### - [Big, careful commit to pkgsrc/mail/qmail](http://mail-index.netbsd.org/pkgsrc-changes/2004/07/21/0034.html)
### - `/var/qmail` works like qmail old-timers expect
### - `${PREFIX}` works like pkgsrc users expect
### - Pretty nice rc.d scripts
### - "Life with qmail" and packages: harmonious??!
]
---
.right-column[
# pkgsrc ca. 2007
### - Patches for AUTH and [TLS](http://inoa.net/qmail-tls/) freshly updated
### - Patches for SMTP recipient-checking, but mutually exclusive ([badrcptto](http://patch.be/qmail/), [realrcptto](http://code.dogmap.org/qmail/#realrcptto), [qregex](http://www.arda.homeunix.net/downloads-qmail/))
### - Binary package useful only on build host
### - Constraints: `djb-nonlicense` and [DJB's rules for distributors](http://cr.yp.to/qmail/dist.html)
### - 1.03nb13
]
---
.right-column[
# Bombshell: December 2007
### - `public-domain`!!!1
### - Covered: [daemontools](https://cr.yp.to/daemontools.html), [ucspi-tcp](https://cr.yp.to/ucspi-tcp.html), [qmail](http://cr.yp.to/qmail.html)
### - Not covered yet: [checkpassword](http://cr.yp.to/checkpwd.html)
### - Constraints: my academic courseload and job
]
---
.right-column[
# Interregnum: 2008-2014
### - December 2008: Mac mini's drive crashed during final exams, no money or attention to spare
### - `@schmonz.com` forwarding to Gmail
### - October 2014: Up and running, this time on a VPS
]
---
.right-column[
# Oops: June 2011
### - Commit what I claim to be "DESTDIR support"
]
---
.right-column[
# Oops: April 2016
### - `USE_DESTDIR` rapture: all packages are binary
### - Cool, no problem, I totally already took care of that
]
---
.right-column[
# Cool: March 2017
### - Port forward a pre-1998 `getpwnam()` patch
### - Commit under `mail/qmail/patches/`
### - Not trying to be a patch publisher
]
---
.right-column[
# Not Cool: also March 2017
### - `DESTDIR` binary packages had never init'd the queue
### - Hadn't noticed (my VPS had once built source packages)
### - Quick: add dependency on `mail/queue-fix`
]
---
.right-column[
# Better: also also March 2017
### - `user-destdir`: defer users/groups till `pkg_add`
### - No hardcoded or pre-allocated numeric IDs
### - Working binary packages!
### - (Enable more options by default)
### - (Add option for [Sender Rewriting Scheme](http://www.mco2.com.br/opensource/qmail/srs/))
]
---
.right-column[
# Pretty Sweet: April 2017
### - Configurable user/group _names_ in `mk.conf`
### - Binary packages in 2017Q1 pkgsrc release!
### - (checkpassword still `djb-nonlicense`)
### - 1.03nb24
]
---
.right-column[
# Inevitable: May 2017
### - Publish my first patch: QMAILREMOTE
### - (And a package option for it)
]
---
.right-column[
# Slippery Slope: July 2017
### - Publish destdir (removing lots of packaging cruft)
### - Publish rejectutils (multiple recipient checks)
### - (Always-on a bunch of options)
### - (Enable new options, including `SMTPUTF8`)
### - (Annotate packages with applied `QMAILPATCHES`)
]
---
.right-column[
# Futile Attempt: August 2017
### - Some remotes wouldn't accept our `SMTPUTF8` mail
### - Analyze, fix in pkgsrc with `sed` at patch time (?!?!)
### - Publish qbiff-utmpx (fixing FreeBSD build)
### - (Enable more new options)
]
---
.right-column[
# Captain Obvious: May 2018
### - Extract `mail/qmail-rejectutils`
### - 1.03nb33
]
---
.right-column[
# DJB Responds: July 2018
### - Add dependency on public-domain checkpassword
### - Add `inet6` and `pam` options
### - 1.03nb36
]
---
.right-column[
# TLS Nope: September 2018
### - Couldn't yet update to latest TLS patch
### - Could at least bump key sizes to match
### - This did not fix busted Gmail interop
]
---
.right-column[
# acceptutils! October 2018
### - My redesigned SMTP AUTH implementation
### - Avoid patch conflicts
### - Extend qmail's existing design to post-1998 use cases
### - Add new user-controlled features
]
---
.right-column[
# acceptutils! October 2018
### - `reup` runs a program repeatedly until it succeeds
### - `authup` offers SMTP AUTH
### - `checknotroot` refuses to run as UID 0
### - `fixsmtpio` filters I/O and exit status
]
---
.right-column[
# acceptutils! October 2018
### - `AUTH` without patching existing code
### - `checkpassword` without `chmod +s`
### - Arguably better security properties
### - New features in old programs
### - Let's look at the pictures
]
---
.right-column[
# TLS: October 2018
### - Update trivially to latest TLS patch
### - Interop with Gmail!
### - Opportunistic encryption on my mail server
### - Add `STARTTLS` to `authup` (message submission)
### - No more `stunnel`, only `sslserver`
]
---
.right-column[
# TLS: November 2018
### - Add `STARTTLS` to `fixsmtpio` (incoming SMTP)
### - (RFC says session state must be cleared)
### - (Easy: stop `qmail-smtpd` kid, start fresh one)
### - Publish TLS-onlyremote
### - Add `qmail-qfilter-addtlsheader`
]
---
.right-column[
# Handling Transitions: November 2018
### - Migrate RCPTCHECK to qmail-spp plugin system
### - Add SPP plugin for greylisting, commented out
### - Deinstall completely cleanly
]
---
.right-column[
# Portability: December 2018
### - Updated destdir (fixing OpenBSD build)
### - Add SPP plugin for SPF policy checking
### - Fix rc.d scripts on FreeBSD
### - Enable IPv6 for incoming connections
### - rc.d-boot: integrate `rc.conf` into various OS boot sequences
]
---
.right-column[
# pkgsrc 2018Q4: January 2019

I've shipped quite a few improvements for qmail users in our 2018Q4 release. In three sentences:

1. qmail-run gains TLS, SPF, IPv6, SMTP recipient checks, and many other sensible defaults.
2. Most qmail-related packages -- including the new ones used by qmail-run -- are available on most pkgsrc platforms.
3. [rc.d-boot](http://pkgsrc.se/pkgtools/rc.d-boot) starts `rc.conf`-enabled pkgsrc services at boot time on many platforms.

In one:

> It's probably easy for you to run qmail now.
]
---
.right-column[
# qmail, pkgsrc, Today
### - Many sensible defaults,
### - Including starting at boot time,
### - On most pkgsrc platforms
### Probably easy for you to run qmail now!
]
---
.right-column[
# How We Got Here
### - Notice what's annoying
### - If it's easy to fix, automate it
### - Else figure out how to make it easy
#### And
### - Invest in simplicity
### - Spend dividends on new features
]
---
.right-column[
# Coming in 2019Q1
### - Add `meta-pkgs/qmail-server`
### - Handle leap seconds for TAI system clocks
### - Configure TLS cipher list in `rc.conf`
]
---
.right-column[
# 4. Okay, what's next?
### - blacklistd(8) support ([Christos' NYCBUG talk](https://www.nycbug.org/index?action=view&id=10358))
### - Refactor qmail-remote: `remoteip` and `remoteio`
### - IPv6 and OpenSSL-1.1 compatible TLS for outbound
### - qmail-rfilter for filtering outbound
### - rfilters for SRS and DKIM
### - DMARC
]
---
.right-column[
# 4. Okay, what's next?
### - SMF support (Solaris-derived service management)
### - More rc.d-boot platforms
### - Automate switching from system MTA to pkgsrc qmail
### - Migrate `realrcptto` to `qmail-verify`
### - Add ext-todo, big-todo, big-concurrency patches
### - Test with vmailmgr, vpopmail
]
---
.right-column[
# More Info
- DevOpsDays NYC: Run Your @wn Email Server!
- 2018Q4 qmail updates in pkgsrc
- Packaging Complex Software (2005) (schmonz.com)
- Packaging djbware (2007) (schmonz.com)
- Automation for mail hosting (schmonz.com)
- QMAILREMOTE (schmonz.com)
- destdir (schmonz.com)
- rejectutils (schmonz.com)
- qbiff-utmpx (schmonz.com)
- acceptutils (schmonz.com)
- qmail-rfilter (schmonz.com)
- qmail (schmonz.com)
- [s/qmail](https://www.fehcom.de/sqmail/) (fehcom.de)
]
---
.right-column[
# Agile in 3 Minutes
## agilein3minut.es

> "Before Agile in 3 Minutes, I couldn't get my team to have a conversation about important topics. Now I have to timebox it."

- 5: Wrong
- 29: Refactor
]
---
.right-column[
# Agile in 3 Minutes: The Book
## [leanpub.com/agilein3minutes/c/nycbug19](https://leanpub.com/agilein3minutes/c/nycbug19)

The simplest _essays_ that could possibly work.

Lowest allowable price on Leanpub, today!
]
---
template: titleslide
# Maintaining qmail in 2019
## [Amitai Schleier](https://latentagility.com)