Here's a statement that's going to get me disliked: qmail is no longer suitable as an Internet mail transport agent, especially not as an inbound MTA (something that receives email from the outside world). There are two reasons for this, the direct problem and then the deeper problem.

The direct problem is that a default, unpatched qmail setup handles unknown local addresses by accepting them at SMTP time and then bouncing them. This was okay when qmail was new a decade ago but it is no longer acceptable today; doing this makes qmail completely unsuitable as an inbound MTA unless you enjoy getting blacklisted and spamming innocent bystanders.

The deeper problem is why qmail continues to use 'accept then bounce', namely that qmail is effectively not maintained and on the Internet, unmaintained software rots. The reasons for this are complex (and political), but the simple summary is that for a long time qmail's license didn't permit distributing modified versions (just patches), and Dan Bernstein didn't seem to have any interest in modifying qmail.

While qmail has recently been released into the public domain and a version of it has started to be updated, I don't think that it solves either problem. It doesn't solve the accept then bounce problem because, well, the updated version still does accept-then-bounce, and it doesn't solve the lack of maintenance because by now, the people who would maintain qmail are those that have been self-selected to feel that it doesn't need much maintenance; the people who feel otherwise have long since been driven away by the lack of updates.