For security reasons, V8 sendmail performs a number of checks on a qf file before trusting its contents. If any qf file fails to be trustworthy, sendmail converts the leading q in its name to an uppercase Q. We discuss each possible problem in the sections that follow.
Note that when sendmail renames a qf file into a Qf file, it usually (but not always) logs that it did so. In the following, qffile is the full filename of the qf file, before it was renamed:
Losing qffile: reason here
Also note that, although sendmail checks the qf file for a number of plausibilities, its checking is by no means exhaustive. The checks that we describe here are no substitute for a well-managed system.
V8.6 sendmail always checks the form of the qf filename for correctness. V8.7 and above sendmail also check the qf filename but do so only if PICKY_QF_NAME_CHECK is defined when building (see Section 18.8.35, PICKY...). If the qf file name is incorrectly formed (see Section 23.2.1, "The Queue Identifier"), sendmail presumes that some other program placed the file in the queue and rejects it:
orderq: bogus qf name bogus name here
Beginning with V8.7, sendmail requires PICKY_QF_NAME_CHECK to be defined because some sites allow legitimate programs (other than sendmail) to write into sendmail's queue.
To fix this problem, either undefine PICKY_QF_NAME_CHECK when you build sendmail (if your site allows other programs to write into the queue directory) or track down the process that is placing badly formed qf names in your queue and fix it.
A qf file must be owned by the effective user ID under which sendmail runs (usually root). A qf file must not be group or world writable. If a qf file fails either test, it is considered bogus and is renamed to a Qf file. Then sendmail logs:
id: bogus queue file, uid=
Losing qffile: bogus file uid in mqueue
id is the identifier portion of the qf file name, owner is the uid of the user that owns the qf file, and perms are the file permissions of the qf file, printed
This problem may point to bad queue directory permissions that allow anyone (or some group) to place files there. Or it may indicate that some process other than sendmail is writing to your queue.
One form of attack against sendmail is to append additional control lines to the end of an existing qf file. V8.7 sendmail specifically checks for additional text and rejects the qf file if any is found:
SECURITY ALERT: extra data in qf: first bogus line printed here
Losing qffile: bogus queue line
V8.7 sendmail terminates its legitimate list of qf control lines by placing a dot on a line by itself. Any text following that line, including comments and blank lines, is considered an error.
This may represent a serious attack against your machine or site. If you get this message, investigate at once.
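The ownership, permission and trailing-data checks described above can also be run by an administrator over a queue directory. The following Python sketch is an added example, not sendmail's own code; the names audit_qf and audit_queue, the expected_uid parameter and the sample file names and contents are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_qf(path, expected_uid=0):
    """Return the reasons a qf file fails the checks described above."""
    problems = []
    st = os.stat(path)
    # Check 1: owned by the uid sendmail runs under (assumed root, uid 0).
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    # Check 2: must not be group or world writable.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group or world writable, mode %o" % stat.S_IMODE(st.st_mode))
    # Check 3: nothing may follow the line holding a lone dot.
    with open(path, "rb") as fh:
        lines = fh.read().split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # artifact of the final newline, not a real line
    if b"." in lines:
        extra = lines[lines.index(b".") + 1:]
        if extra:  # comments and blank lines count as extra data too
            problems.append("extra data after dot line: %r" % extra[0])
    # Files with no dot line at all are not flagged by this sketch.
    return problems

def audit_queue(queue_dir, expected_uid=0):
    """Map each suspect qf file name in queue_dir to its list of problems."""
    report = {}
    for name in sorted(os.listdir(queue_dir)):
        if name.startswith("qf"):
            found = audit_qf(os.path.join(queue_dir, name), expected_uid)
            if found:
                report[name] = found
    return report

if __name__ == "__main__":
    # Constructed sample queue: one clean file, one writable file with an
    # appended line. Contents are illustrative, not real queue data.
    samples = [("qfAA00001", b"P30000\n.\n", 0o600),
               ("qfAA00002", b"P30000\n.\nRappended\n", 0o622)]
    with tempfile.TemporaryDirectory() as queue:
        for name, body, mode in samples:
            with open(os.path.join(queue, name), "wb") as fh:
                fh.write(body)
            os.chmod(os.path.join(queue, name), mode)
        # The current uid stands in for sendmail's uid so the demo runs unprivileged.
        for name, found in audit_queue(queue, os.getuid()).items():
            print(name, found)
```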
Each line in a qf file must begin with a known control letter or character (see Section 23.9). If a line begins with any other character, it is considered bad, and the whole file is rejected:
num: bad line "bogus line here"
Losing qffile: unrecognized line
Note that this error is to be anticipated if you go backwards, from a later release to an earlier release of sendmail.
F line begins with the five characters "
V8.7 and above sendmail will reject the file and log a possible attack:
SECURITY ALERT: bogus qf line bogus line here
Losing qffile: bogus queue line
This represents a serious attack against your machine or site. If you get this message, investigate at once.
savemail: cannot save rejected e-mail anywhere
Losing qffile: savemail panic
The sendmail program tries everything possible to avoid this state (including bouncing the message, sending it to the postmaster, and saving it to a dead.letter file). Only if all else fails will it preserve the qf file as a Qf file.
In general this points to an alias problem with the user named postmaster or the owner of a mailing list. Such users are special. They must be able to receive email messages no matter what. They should be the names of real people, not the names of further mailing lists.