You've come to this page as a result of a question similar to the following:
What are the known problems with Dan Bernstein's qmail?
This is the Frequently Given Answer to that question.
As of version 1.03, there are various problems with qmail:
None of these problems are security problems. You won't be able to claim a reward by reporting them. qmail may be doing the wrong things, but it isn't exposing a security vulnerability as a result.
Stock qmail fails to build (with an error at the link stage
complaining about an undefined reference to the symbol errno)
when using modern versions of GNU's C library. This is because it
contains a programming error that was
pointed out and described in detail back in July 2001. It assumes
something that has never been true for Standard C, even at its inception
in 1989. Heretofore, qmail has only built successfully
because Unix and Linux C implementations accidentally happen to work the
way that it needs them to. But now, they do not.
This programming error is prevalent throughout all of Dan Bernstein's softwares. The same bug occurs in djbdns and in daemontools, for example.
Mate Weirdl has published patches that correct this error for many of Dan Bernstein's softwares, including qmail, on his FTP site.
shantanu has completed the job, and published a set of patches for correcting this error in all of Dan Bernstein's softwares, on his web site.
Some of these patches are incorporated into netqmail 1.04.
The sendmail shim that comes as part of qmail does not correctly implement the -f option.
According to the manual page for the sendmail command that is part of the Sendmail package itself, the -f option to that command sets both the envelope sender mailbox and the default content for the From: header (for if none is explicitly supplied).
However, with the sendmail shim that comes as part of qmail, the -f option only sets the envelope sender mailbox. It does not affect the default for the From: header. Using -f causes the shim to invoke qmail-inject with its own (semantically different) -f option, but does not cause the MAILHOST and MAILUSER environment variables to be set as well.
The result is that if one's MUA
David Phillips' patch fixes this problem.
This patch is incorporated into netqmail 1.04.
If a .qmail file contains just the right pattern of whitespace, specifically having its first line be composed entirely of TAB characters, the qmail-local process that is parsing it will end up corrupting its own memory, with arbitrary consequences. This is because of a coding error in a while loop that fails to detect an array bounds violation.
Erik Sjölund's patch fixes this problem.
This patch is incorporated into netqmail 1.04.
qmail-remote and qmail-smtpd do not recognize 0.0.0.0 as a local IP address.
In the case of qmail-smtpd, this means that envelope sender and recipient mailboxes of the form local@[0.0.0.0] are not transformed using control/localiphost.
In the case of qmail-remote, this means that if the following criteria are satisfied:
some (possibly malicious) third party is publishing (in the DNS database) 0.0.0.0 as the IP address of one or more SMTP Relay servers for its domain;
the preferences, and service availability, are such that qmail-remote tries to connect to one of those SMTP Relay servers;
qmail's SMTP Relay service is listening on the machine's first network interface; and
the operating system is not OpenBSD
Scott Gifford's patch fixes this problem, by forcing 0.0.0.0 to always be recognized as local.
This patch is incorporated into netqmail 1.04.
Alternatively, you can use his other patch instead, which forces 0.0.0.0 to always be be recognized as local and also adds extra machinery to support explicitly specifying with files in control/ what IP addresses are local to the machine.