We recently moved from qmail to Exim on our company mail server. It is a big relief. The mail server can now handle the high volume of incoming junk mail; it is reasonably manageable and provides readable logs.
It was a late transfer. It is not easy to move a mail server to completely different software, and it happened only after qmail problems more significant than just weird licensing conditions arose. But the important question is: What are the lessons?
Many years ago I was enthusiastic about qmail myself. In comparison to its common alternatives of the time, Sendmail and Smail, qmail was innovative and elegant. I only became a bit reserved about it when the Debian Free Software Guidelines explicitly excluded qmail from Debian (there is a special item in the document inspired directly by qmail licensing problems) and djb (the qmail author) became well known for his poor communication style. Time has proved these issues were important, and I stopped using qmail on my machines. Now, many years later, when qmail is semi-dead and we can look back, I can identify three major lessons from qmail's rise and fall.
The first lesson: Beware of non-free software of any kind. Although qmail's original license didn’t prevent modifications and their distribution, it was restrictive enough to prevent unlimited spread of the software, and it put obstacles in the way of contributors and users. As a result, qmail was unable to adapt appropriately to new conditions; namely, it is incapable of handling junk mail. Although djb recently put qmail into the public domain, it was too late, as with many other pieces of dying non-free software (but it may still be better than letting the software die completely).
The second lesson: Software can’t be completely separated from its author. If he is blinded by his pride, numerous problems can appear. For instance, the semi-restrictive qmail licensing conditions served no good purpose; they were designed just to satisfy the author’s ego. Completely ignoring compatibility with other similar software makes adoption of new ideas more difficult. Telling other people they are idiots (either explicitly or implicitly) discourages contributors, doesn’t educate the users and builds a wall around the author, preventing him from considering other opinions and correcting his wrong decisions. As a result, the software can’t realize its full potential and it degrades.
The third lesson: Security is a more complex concept than just avoiding privilege escalation and buffer overflows. An empty security advisory track record may look nice, but what is it good for when the mail server becomes permanently unresponsive under junk mail floods, distributes junk mail itself through bounces, and one has to apply third-party patches not covered by the security warranty? In such a case the security statement is mostly just a blurb without connection to reality.
Why did I select Exim as the new MTA on our company server? The two good mainstream MTAs today are Exim and Postfix; they are mostly comparable, and both the Exim and Postfix communities talk about each other with respect. So, as a matter of personal preference, I selected Exim, which was already known to me.