Port 628: QMQP — The mail protocol that runs 100 times faster than SMTP

Port 628 carries QMQP (Quick Mail Queueing Protocol), a mail injection protocol that decided SMTP was doing too much and took the opposite approach: radical simplicity.

When Dan Bernstein created qmail in 1995, he didn't just build a more secure mail server—he built an entirely different mail architecture. QMQP is part of that vision: a protocol so streamlined that servers don't even read the messages they handle.

What QMQP Does

QMQP is for mail injection—the moment when an application hands an email to a mail server and says "send this." It's not for server-to-server transfer (that's QMTP on port 209) or for end users sending mail (that's SMTP on port 25). It's specifically for trusted applications pumping messages into the queue.¹

The protocol is almost absurdly simple:

• Client connects to port 628
• Client sends the complete message and envelope in one shot
• Server queues it and responds with success or failure
• Connection closes

That's it. No negotiation. No capabilities exchange. No back-and-forth. The server doesn't parse headers, doesn't validate recipients, doesn't care about the content. It just accepts the message and queues it for delivery.²

Why It's 100 Times Faster

QMQP can send a 1000-recipient message through a 28.8 kbps dial-up modem in about 10 seconds. SMTP would take over 16 minutes for the same operation.³

The speed comes from what QMQP doesn't do:

• No multiple round trips — SMTP sends "MAIL FROM", waits for response, sends "RCPT TO" for each recipient, waits for response, sends "DATA", waits for response. QMQP sends everything once.
• No parsing during injection — SMTP servers validate and process as they receive. QMQP servers just queue blindly.
• No authentication overhead — QMQP assumes you're already trusted. If you're not, you shouldn't be connecting.

For single-threaded applications where network latency is the bottleneck, QMQP can increase injection speed dramatically. Every saved round trip is time and money saved.⁴

The Trust Model

QMQP is not a public service. It has no authentication. No relay control. No access restrictions beyond what your firewall provides.

This is intentional. QMQP is designed for trusted internal networks where an application server needs to inject mail into a qmail queue. If you expose port 628 to the Internet, you've built an open relay that will be discovered and abused within hours.⁵

The protocol's documentation is blunt about this: "QMQP is not a public service."²

The qmail Philosophy

QMQP exists because Dan Bernstein had strong opinions about email security. In 1997, he offered a $500 reward for anyone who could find a security hole in qmail. The reward was never claimed.⁶

Part of qmail's security model is radical simplification. A QMQP server doesn't need to parse messages, so it can't be exploited through malformed headers. It doesn't authenticate, so there's no authentication code to compromise. It does one thing: queue bytes.

This is security through minimalism. The less code, the fewer bugs. The fewer features, the smaller attack surface.

Current Usage

QMQP never became mainstream. Most mail transfer agents stuck with SMTP because it's universal, standardized, and handles authentication and relay control.

But QMQP lives on in environments where:

• Mail volume is extremely high
• Applications need to inject thousands of messages quickly
• The network is trusted (internal systems, VPNs)
• qmail or Postfix (which also implements QMQP) is the mail server⁴

You'll find it in bulk mailing systems, application servers generating transactional email, and anywhere performance matters more than compatibility.

The Broader Context

QMQP is part of a larger pattern in protocol design: specialized tools for specialized jobs.

SMTP is the universal mail protocol—it handles everything, talks to everyone, works everywhere. But that universality comes with overhead. For specific use cases, you can do better with purpose-built protocols.

QMQP is that purpose-built tool. It's not better than SMTP at everything. It's dramatically better at one thing: fast mail injection in trusted environments.

Security Considerations

Do not expose port 628 to the Internet. QMQP has no authentication, no relay control, no safeguards against abuse.

If you run a QMQP server:

• Bind it to localhost or internal network interfaces only
• Use firewall rules to restrict access to specific application servers
• Monitor for unexpected connections—they indicate either misconfiguration or compromise
• Remember that anyone who can reach port 628 can inject mail as anyone, to anyone

To check what's listening on port 628:

# Linux/macOS
sudo lsof -i :628
sudo netstat -tulpn | grep :628

# Windows
netstat -ano | findstr :628

Related Ports

• Port 209 — QMTP (Quick Mail Transfer Protocol), for server-to-server mail transfer
• Port 25 — SMTP, the universal mail transfer protocol
• Port 587 — SMTP with authentication (message submission)