[qmail] / INSTALL.mbox

The qmail package includes a local delivery agent, qmail-local, which
provides user-controlled mailing lists, cross-host alias loop detection,
and many other important qmail features.

There's one part of qmail-local that you need to know about right now:
qmail-local doesn't support an insecure central mail spool. It delivers
mail by default into ~user/Mailbox (in mbox format).

This file explains what you should do to deal with this change. It also
points out some reasons that you might want to make an even bigger
change, switching from mbox format to a new format, maildir.

If you desperately don't want to change anything, see INSTALL.qsmhook.


Contents:
1. Throw away /usr/spool/mail!
2. The trouble with mbox
3. Sun's Network F_\bail_\bu_\bre System


1. Throw away /usr/spool/mail!

/usr/spool/mail, often called /var/spool/mail or /var/mail, is a
security disaster. A user's mailbox belongs in his home directory, not a
shared directory. Even if you don't install qmail, you should destroy
/usr/spool/mail. This takes four steps:

   A. Convince your local mailer to deliver to ~user/Mailbox. If you're
   using something like procmail, this is easy---just change SYSTEM_MBOX
   in config.h. If you're installing qmail, you don't have to do
   anything. Otherwise, take a look at hlfsd from
   ftp.cs.columbia.edu/pub/amd.

   B. Move each /usr/spool/mail/user to ~user/Mailbox. For safety, do
   this in single-user mode---you don't want to risk corrupting
   mailboxes. (qmail makes it easy to turn off deliveries temporarily:
   just kill the qmail-send daemon. But you aren't running qmail yet.)
   When you're done, remove /usr/spool/mail.

   C. Put ``setenv MAIL $HOME/Mailbox'' in your system-wide .cshrc,
   ``MAIL=$HOME/Mailbox; export MAIL'' in your system-wide .profile,
   ``inbox-path=Mailbox'' in your system-wide pine.conf. If you're using
   qpopper 2.2, you'll have to recompile with -DHOMEDIRMAIL in CFLAGS
   and with /.mail changed to /Mailbox in pop_dropcopy.c. If you're
   using elm on a multiuser system, you'll have to recompile elm with
   "mailbox" changed to "Mailbox" around line 388 of newmbox.c.

   D. Announce the change.

Some vendors, in a misguided attempt to solve the security problems of
/usr/spool/mail, have made all MUAs (e.g., /usr/ucb/Mail) setgid mail.
After you get rid of /usr/spool/mail, you can also disable those
setgid-mail bits.


2. The trouble with mbox

The mbox format---the format of ~user/Mailbox, understood by BSD Mail
and lots of other MUAs---is inherently unreliable.

Think about it: what happens if the system crashes while a program is
appending a new message to ~user/Mailbox? The message will be truncated.
Even worse, if it was truncated in the middle of a line, it will end up
being merged with the next message! Sure, the mailer understands that it
wasn't successful, so it'll try delivering the message again later, but
it can't fix your corrupted mbox.

Other formats, such as mh folders, are just as unreliable.

qmail supports maildir, a crashproof format for incoming mail messages.
maildir is fast and easy for MUAs to use. Even better, maildir works
wonders over NFS---see below.

I don't want to cram maildir down people's throats, so it's not the
default. Nevertheless, I encourage you to start asking for maildir
versions of your favorite MUAs, and to switch over to maildir as soon as
you can.

WARNING: qmail uses flock() to lock ~user/Mailbox. This agrees with the
modern mail.local locking choice. If your MUA doesn't use flock(), your
best bet is to switch to maildir, and to set up synchronous maildir2mbox
execution, as described below.


3. Sun's Network F_\bail_\bu_\bre System

Anyone who tells you that mail can be safely delivered in mbox format
over NFS is pulling your leg---as explained above, mbox format is
inherently unreliable even on a single machine.

Anyway, NFS is the most unreliable computing environment ever invented,
and qmail doesn't even pretend to support mbox over NFS.

You should switch to maildir, which works fine over NFS without any
locking. You can safely read your mail over NFS if it's in maildir
format. Any number of machines can deliver mail to you at the same time.
(On the other hand, for efficiency, it's better to get NFS out of the
picture---your mail should be delivered on the server that contains your
home directory.)

Here's how to set up qmail to use maildir for your incoming mail:

   % maildirmake $HOME/Maildir
   % echo ./Maildir/ > ~/.qmail

Make sure you include the trailing slash on Maildir/.

Until your MUA supports maildir, you'll probably want to convert maildir
format to (gaaack) mbox format. I've supplied a maildir2mbox utility
that does the trick, along with some tiny qail and elq and pinq wrappers
that call maildir2mbox before calling Mail or elm or pine.
Commit	Line	Data
2117e02e MW	1	The qmail package includes a local delivery agent, qmail-local, which
	2	provides user-controlled mailing lists, cross-host alias loop detection,
	3	and many other important qmail features.
	4
	5	There's one part of qmail-local that you need to know about right now:
	6	qmail-local doesn't support an insecure central mail spool. It delivers
	7	mail by default into ~user/Mailbox (in mbox format).
	8
	9	This file explains what you should do to deal with this change. It also
	10	points out some reasons that you might want to make an even bigger
	11	change, switching from mbox format to a new format, maildir.
	12
	13	If you desperately don't want to change anything, see INSTALL.qsmhook.
	14
	15
	16	Contents:
	17	1. Throw away /usr/spool/mail!
	18	2. The trouble with mbox
	19	3. Sun's Network F_\bail_\bu_\bre System
	20
	21
	22	1. Throw away /usr/spool/mail!
	23
	24	/usr/spool/mail, often called /var/spool/mail or /var/mail, is a
	25	security disaster. A user's mailbox belongs in his home directory, not a
	26	shared directory. Even if you don't install qmail, you should destroy
	27	/usr/spool/mail. This takes four steps:
	28
	29	A. Convince your local mailer to deliver to ~user/Mailbox. If you're
	30	using something like procmail, this is easy---just change SYSTEM_MBOX
	31	in config.h. If you're installing qmail, you don't have to do
	32	anything. Otherwise, take a look at hlfsd from
	33	ftp.cs.columbia.edu/pub/amd.
	34
	35	B. Move each /usr/spool/mail/user to ~user/Mailbox. For safety, do
	36	this in single-user mode---you don't want to risk corrupting
	37	mailboxes. (qmail makes it easy to turn off deliveries temporarily:
	38	just kill the qmail-send daemon. But you aren't running qmail yet.)
	39	When you're done, remove /usr/spool/mail.
	40
	41	C. Put ``setenv MAIL $HOME/Mailbox'' in your system-wide .cshrc,
	42	``MAIL=$HOME/Mailbox; export MAIL'' in your system-wide .profile,
	43	``inbox-path=Mailbox'' in your system-wide pine.conf. If you're using
	44	qpopper 2.2, you'll have to recompile with -DHOMEDIRMAIL in CFLAGS
	45	and with /.mail changed to /Mailbox in pop_dropcopy.c. If you're
	46	using elm on a multiuser system, you'll have to recompile elm with
	47	"mailbox" changed to "Mailbox" around line 388 of newmbox.c.
	48
	49	D. Announce the change.
	50
	51	Some vendors, in a misguided attempt to solve the security problems of
	52	/usr/spool/mail, have made all MUAs (e.g., /usr/ucb/Mail) setgid mail.
	53	After you get rid of /usr/spool/mail, you can also disable those
	54	setgid-mail bits.
	55
	56
	57	2. The trouble with mbox
	58
	59	The mbox format---the format of ~user/Mailbox, understood by BSD Mail
	60	and lots of other MUAs---is inherently unreliable.
	61
	62	Think about it: what happens if the system crashes while a program is
	63	appending a new message to ~user/Mailbox? The message will be truncated.
	64	Even worse, if it was truncated in the middle of a line, it will end up
65	being merged with the next message! Sure, the mailer understands that it
66	wasn't successful, so it'll try delivering the message again later, but
67	it can't fix your corrupted mbox.
68
69	Other formats, such as mh folders, are just as unreliable.
70
71	qmail supports maildir, a crashproof format for incoming mail messages.
72	maildir is fast and easy for MUAs to use. Even better, maildir works
73	wonders over NFS---see below.
74
75	I don't want to cram maildir down people's throats, so it's not the
76	default. Nevertheless, I encourage you to start asking for maildir
77	versions of your favorite MUAs, and to switch over to maildir as soon as
78	you can.
79
80	WARNING: qmail uses flock() to lock ~user/Mailbox. This agrees with the
81	modern mail.local locking choice. If your MUA doesn't use flock(), your
82	best bet is to switch to maildir, and to set up synchronous maildir2mbox
83	execution, as described below.
84
85
86	3. Sun's Network F_\bail_\bu_\bre System
87
88	Anyone who tells you that mail can be safely delivered in mbox format
89	over NFS is pulling your leg---as explained above, mbox format is
90	inherently unreliable even on a single machine.
91
92	Anyway, NFS is the most unreliable computing environment ever invented,
93	and qmail doesn't even pretend to support mbox over NFS.
94
95	You should switch to maildir, which works fine over NFS without any
96	locking. You can safely read your mail over NFS if it's in maildir
97	format. Any number of machines can deliver mail to you at the same time.
98	(On the other hand, for efficiency, it's better to get NFS out of the
99	picture---your mail should be delivered on the server that contains your
100	home directory.)
101
102	Here's how to set up qmail to use maildir for your incoming mail:
103
104	% maildirmake $HOME/Maildir
105	% echo ./Maildir/ > ~/.qmail
106
107	Make sure you include the trailing slash on Maildir/.
108
109	Until your MUA supports maildir, you'll probably want to convert maildir
110	format to (gaaack) mbox format. I've supplied a maildir2mbox utility
111	that does the trick, along with some tiny qail and elq and pinq wrappers
112	that call maildir2mbox before calling Mail or elm or pine.