The most popular predecessor to qmail, Sendmail, was not designed with security as a goal and, as a result, has been a perennial target for attackers.
qmail was also implemented with a security-aware replacement to the C standard library and, as a result, has not been vulnerable to stack and heap overflows, format string attacks or temporary file race conditions.
In 1997, Bernstein offered a US$500 reward for the first person to publish a verifiable security hole in the latest software version.
On 64-bit platforms, in default configurations with sufficient virtual memory, the delivery of huge amounts of data to certain qmail components may allow remote code execution.
[11] New features were initially provided by third-party patches, from which the most important at the time were brought together in a single meta-patch called netqmail.
qmail is the only broadly deployed public domain software message transfer agent (MTA).