Patching qmail


The complete changelog is inside the patch file.

  • 2016-12-19
    -Several new patches and improvements added (thanks to Luca Franceschini)
    More info here
    -qregex patch
    -brtlimit patch
    -validrcptto patch
    -rbl patch (updates qmail-dnsbl patch)
    -reject-relay-test patch
    -added DISABLETLS environment variable, useful if you want to disable TLS on a desired port
    -added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical
    -fixed little bug in 'mail from' address handling (patch by Andre Opperman at
    -added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins
    -qlog patch
    -reject null senders patch
    -qmail-taps-extended (updates qmail-tap)
  • 2016-12-02
    -fixed BUG in qmail-remote.c: in case of remote servers not allowing EHLO, the response to the alternative HELO was checked twice, making the connection die. (Thanks to Luca Franceschini)
    Patch applied:
  • 2016-09-18
    -qmail-tls patch updated to v. 20160918
      * bug: qmail-remote accepting any dNSName, without checking that is matched (E. Surovegin)
      * bug: documentation regarding RSA and DH keys (K. Peter, G. A. Bofill)
  • 2016-05-15
    -force-tls patch improved (a big thanks to Marcel Telka). Now qmail-smtpd does not advertise the AUTH verb if the STARTTLS command was not sent by the client
  • 2016-03-09
    -dkim patch updated to v. 1.19
    * verification will not fail when a dkim signature does not include the subject provided that the UNSIGNED_SUBJECT environment variable is declared. More info here.
  • 2015-12-26
    -qmail-tls updated to v. 20151215
    * typo in #if OPENSSL_VERSION_NUMBER for 2015-12-08 patch release (V. Smith)
    * add ECDH to qmail-smtpd
    * increase size of RSA and DH pregenerated keys to 2048 bits
    * qmail-smtpd sets RELAYCLIENT if relaying allowed by cert
    more info here

I have created a combined patch including the latest versions of several commonly-used qmail patches:

[Follow the patch details here]

Other patches:

You're invited to take a look at the next page of this guide, which presents several tests for these patches toward the bottom of the page.

NB: first of all, you must have a valid MX record for your /var/qmail/control/me domain, otherwise you'll get errors when trying to send to ~alias/qmail-log (more info here).

Installing libdomainkeys

This library is a prerequisite of the DKIM patch by Manvendra Bhangui, which is part of my package. You must compile this, otherwise the compilation will break.

cd /usr/local/src
tar xzf libdomainkeys-0.69.tar.gz
ln -s libdomainkeys-0.69 libdomainkeys
cd libdomainkeys
chown -R root.root .
patch < ../libdomainkeys-0.69.diff
cp libdomainkeys.a /usr/lib

Installing libsrs2

This library is a prerequisite of the SRS patch, which is part of my package. You must install this, otherwise the compilation will break.

tar xzf libsrs2-1.0.18.tar.gz
cd libsrs2-1.0.18
make install
cd ../

Be sure that libsrs2 is actually linked, otherwise qmail-send will crash in an endless loop, which ends in a self-inflicted DoS:

> ldconfig -p|grep libsrs2
 (libc6,x86-64) => /usr/local/lib/
 (libc6,x86-64) => /usr/local/lib/

In case you decided to install the libsrs2 library by means of a package provided by your Linux distribution, you should check the path where the library was installed. Check whether the file /usr/local/include/srs2.h actually exists; if not, you may have to modify srs.c in the netqmail source dir, changing the include line from

#include </usr/local/include/srs2.h>

to:

#include </usr/include/srs2.h>
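The checks described above, as an added example that is not part of the original guide: a few POSIX sh functions that test whether libsrs2 is in the loader cache, locate srs2.h among candidate directories and rewrite the include line in srs.c. The function names are mine; the two header paths and the ldconfig check are the ones the guide uses.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-build checks for libsrs2.
# Function names are mine; the header paths are the two the guide mentions.

# srs2_lib_listed FILE
# FILE holds the output of `ldconfig -p`. Succeeds when libsrs2.so is in the
# loader cache, i.e. qmail-local/qmail-send will be able to load it at run time.
srs2_lib_listed() {
    grep -q '^[[:space:]]*libsrs2\.so' "$1"
}

# srs2_header_dir DIR...
# Prints the first DIR that contains srs2.h; fails (exit 1) if none does.
srs2_header_dir() {
    for d in "$@"; do
        if [ -f "$d/srs2.h" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# fix_srs_include SRS_C HEADER_DIR
# Rewrites the hard-coded "#include </usr/local/include/srs2.h>" line in SRS_C
# so it points at HEADER_DIR/srs2.h. Writes through a temp file so a failed
# sed never leaves a truncated source file behind.
fix_srs_include() {
    sed "s|#include </usr/local/include/srs2.h>|#include <$2/srs2.h>|" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# srs2_preflight [SRS_C]
# Live check: run ldconfig, look for the header in the guide's two locations
# and patch srs.c (default ./srs.c) when the header is not in /usr/local/include.
srs2_preflight() {
    src=${1:-./srs.c}
    cache=$(mktemp)
    ldconfig -p > "$cache"
    if ! srs2_lib_listed "$cache"; then
        echo "libsrs2 is not in the loader cache: run ldconfig (and check /etc/ld.so.conf)" >&2
        rm -f "$cache"
        return 1
    fi
    rm -f "$cache"
    dir=$(srs2_header_dir /usr/local/include /usr/include) || {
        echo "srs2.h not found: install the libsrs2 development files" >&2
        return 1
    }
    if [ "$dir" != /usr/local/include ]; then
        fix_srs_include "$src" "$dir"
        echo "srs.c now includes $dir/srs2.h"
    fi
}
```

Run `srs2_preflight /usr/local/src/netqmail-1.06/srs.c` from the unpacked source tree before `make`; the missing-library case is the one that would otherwise show up only as the qmail-send crash loop mentioned above.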

Apply the patch

cd netqmail-1.06
gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch

Configuring chkuser

The combined patch you downloaded has chkuser enabled. It’s configured to perform recipient verification and MAV (Mail From: Address Verification). 

You can customize your configuration by editing the chkuser_settings.h file (in /usr/local/src/netqmail-1.06) before compiling qmail. In order to enable chkuser, the following line must be commented out:


Uncomment to enable the check of user and domain format for sender address. This will reject fake senders without any domain declared (like <foo>).


Uncomment to enable checking of domain MX for rcpt addresses


Uncomment to enable checking of domain MX for sender address


This enables usage of "#" and "+" characters within sender address. It is used by SRS (Sender Rewriting Scheme) products.

As far as my MTA is concerned, this solved an "invalid sender address format" reject message triggered by an email address of a mailman mailing list.


force-tls variables

By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do

export FORCETLS=0

in your run file. Values other than 0 (or not declaring this variable at all) will force TLS before the auth.

qmail-auth variables

By default AUTH is allowed with the LOGIN or PLAIN mechanisms. You are invited to look at the README.auth file for further details concerning the use of the SMTPAUTH environment variable, especially if you want to use CRAM-MD5.

Recompiling qmail

The BIG-TODO patch included in my combined patch may require that your queue be rebuilt. So be aware that all messages still in the queue will be destroyed when you erase it below.

To discover if your qmail has messages in the queue:

> qmailctl stat

/service/qmail-send: up (pid 18127) 6 seconds
/service/qmail-send/log: up (pid 18134) 6 seconds
/service/qmail-smtpd: up (pid 18126) 6 seconds
/service/qmail-smtpd/log: up (pid 18135) 6 seconds
/service/qmail-submission: up (pid 18131) 6 seconds
/service/qmail-submission/log: up (pid 18132) 6 seconds
/service/vpopmaild: up (pid 18129) 6 seconds
/service/vpopmaild/log: up (pid 18128) 6 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

If this will be the first time you install the combined patch (which contains the BIG-TODO patch), you’ll need to take these steps:

qmailctl stop
rm -r /var/qmail/queue

Now compile qmail:


If qmail is running stop the services before installing:

qmailctl stop

Finally install and start qmail:

make setup check
qmailctl start
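The stop / erase / install / start sequence above, as an added example that is not part of the original guide: a sh function that parses the two "messages in queue" counters printed by qmailctl stat, and a wrapper that refuses to delete a queue which still holds messages. The function names and the QMAIL_HOME default are mine; qmailctl and the netqmail source directory are those the guide uses.

```shell
#!/bin/sh
# Added example (not from the original guide): rebuild the queue for BIG-TODO
# only when it is empty. Function names and the QMAIL_HOME default are mine.

# queue_count FILE
# FILE holds the output of `qmailctl stat`; prints the sum of the
# "messages in queue" and "messages in queue but not yet preprocessed" lines.
queue_count() {
    awk -F': *' '/^messages in queue/ { n += $2 } END { print n + 0 }' "$1"
}

# queue_is_empty FILE
queue_is_empty() {
    [ "$(queue_count "$1")" -eq 0 ]
}

# rebuild_queue [SRC_DIR]
# Stops qmail first so nothing new is injected, re-reads the counters (qmail-qstat
# counts files on disk, so qmailctl stat still works while qmail is down) and
# only then erases the queue. `make setup check` in the netqmail source dir
# (default /usr/local/src/netqmail-1.06) recreates /var/qmail/queue with the
# BIG-TODO layout. If messages are still queued, qmail is restarted untouched.
rebuild_queue() {
    src=${1:-/usr/local/src/netqmail-1.06}
    qmail_home=${QMAIL_HOME:-/var/qmail}
    stat=$(mktemp)
    qmailctl stop
    qmailctl stat > "$stat"
    if ! queue_is_empty "$stat"; then
        echo "refusing to erase $qmail_home/queue: $(queue_count "$stat") message(s) still queued" >&2
        rm -f "$stat"
        qmailctl start
        return 1
    fi
    rm -f "$stat"
    rm -r "$qmail_home/queue"
    (cd "$src" && make setup check) || return 1
    qmailctl start
}
```

Let the queue drain (or deliberately decide to lose what is in it) before calling `rebuild_queue`; the counter check is what stops an accidental `rm -r` on a busy server.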

Creating an SSL key file

If you don’t want to enable SMTP relay (using SMTP/TLS access), you can skip this section.

To secure the smtp authentication you must create the SSL certificate. The certificate must be owned by the user who runs qmail-smtpd, in our case vpopmail.

> make cert

Generating a 1024 bit RSA private key
writing new private key to '/var/qmail/control/servercert.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []
Email Address []

> make tmprsadh
> chown vpopmail.vchkpw /var/qmail/control/*.pem

It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.

Now let’s create a cronjob to update the certificate every day:

> crontab -e

03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.
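Because the ownership of the .pem files decides whether qmail-smtpd (and the daily update_tmprsadh run) can read them, here is an added example that is not part of the original guide: a sh function that verifies every PEM file exists, belongs to the given user and is not world-readable (servercert.pem carries the private key). The function name and the "no read bit for others" rule are my choices; the paths and the vpopmail user are the ones the guide uses.

```shell
#!/bin/sh
# Added example (not from the original guide): check ownership and mode of the
# PEM files written by `make cert` / update_tmprsadh. Function name and the
# "no o+r bit" rule are mine; paths and the vpopmail user come from the guide.

# pem_perms_ok USER FILE...
# Succeeds only when every FILE exists, is owned by USER and has no o+r bit.
# Each failing file is reported on stderr, so a cron run can mail the result.
pem_perms_ok() {
    user=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            rc=1
            continue
        fi
        # find(1) is POSIX and avoids the non-portable stat(1) format strings.
        if [ -z "$(find "$f" -user "$user" 2>/dev/null)" ]; then
            echo "not owned by $user: $f" >&2
            rc=1
        fi
        if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
            echo "world-readable: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# check_qmail_certs [USER]
# Live check of the control directory; USER defaults to vpopmail as in the guide.
check_qmail_certs() {
    pem_perms_ok "${1:-vpopmail}" /var/qmail/control/*.pem
}
```

A sensible place for `check_qmail_certs` is right after the update_tmprsadh cron entry, so a key regenerated under the wrong user is noticed before clients start hitting the connection timeout the guide warns about.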

Combined patch details


It provides cram-md5, login, plain authentication support for qmail-smtpd (port 587) and qmail-remote.

Added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical.

Added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins (see


  • Author: Frederik Vermeulen
  • Info:
  • Version 20160918
  • added DISABLETLS environment variable, useful if you want to disable TLS on a desired port

It implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file update_tmprsadh to chown the .pem files to vpopmail, which runs qmail-smtpd.
The POODLE vulnerability has been fixed.

You may be interested in taking a look at the page concerning smtp-auth and TLS testing here.


optionally gets qmail to require TLS before authentication, to improve security.
You have to declare FORCETLS=0 if you want to allow AUTH without TLS.


performs recipient verification and Mail From: Address Verification (MAV).

You may be interested in taking a look at this page concerning chkuser testing.


Enables simscan and qmail-dkim to return the appropriate message for each e-mail it refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.


  • Author: Christophe Saout. Patch modified by Manvendra Bhangui to make it IPv4-mapped IPv6 addresses compliant.
  • Info:
  • Version rc5

It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.


implements the Sender Rewriting Scheme, which fixes SPF breakage when email is forwarded. To enable SRS read carefully the configuration instructions above.

Oversize DNS

This patch enables qmail to handle large DNS packets.

Reread concurrency patch

rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.

Big Concurrency patch

It sets the spawn limit above 255.

Big Concurrency fix

Fixes a compiler error if you set concurrency higher than 509 in /usr/local/src/netqmail-1.06/conf-spawn.

maildir++ patch

adds maildirquota support to qmail-pop3d and qmail-local.

Better qmail-smtpd Logging patch

Makes qmail-smtpd log its actions and decisions, to ease diagnostics (search for lines starting with qmail-smtp:). This is useful for discovering fake IP addresses with bad HELOs in cases where qmail-smtpd wouldn't otherwise log anything.

Greeting delay patch

  • Author: John Simpson (?)
  • Download here
  • More info here

adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before the greeting. You can control the delay via the environment variable SMTPD_GREETDELAY (was GREETDELAY in the original patch). A value of SMTPD_GREETDELAY="30" will delay qmail-smtpd's response for 30 seconds.

DKIM and SURBL patch

adds DKIM signing & verification support to qmail at both qmail-smtpd and qmail-remote/local level, and SURBL filtering support.
The file hier.c is modified to chown /var/qmail/control/cache and its subdirs to vpopmail.

EXT-TODO patch

addresses a problem known as the silly qmail (queue)  problem.

BIG-TODO patch

Makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.

qmail-inject-null-sender patch

Prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.

doublebounce-trim patch

Prevents double bounces from hitting your queue a second time, provided that you delete the first line from /var/qmail/control/doublebounceto.

esmtp-size patch

Enables qmail-smtpd to reject messages if they’re larger than the maximum number of bytes allowed (you can set this value in the /var/qmail/control/databytes control file).


Provides the ability to archive each email that flows through the system. Archiving only messages from or to certain email addresses is possible as well.

qmail-remote CRLF patch

Enables qmail-remote to handle CR (\r) properly, always sending line breaks as CRLF (\r\n) and avoiding doubling the CR (as qmail-remote normally does). This often caused me a broken header when forwarding messages by means of a sieve rule.

outgoingip patch

  • Author: Andy Repton (adjusted by Sergio Gelato)
  • Original patch:
  • Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch

By default all outgoing emails are sent through the first IP address on the interface. On a server with multiple IP addresses this patch makes qmail send outgoing emails from the IP address stored in control/outgoingip, if that file is present. The EHLO domain is NOT modified by this patch.

qmail-smtpd pid, qp log patch

makes qmail-smtpd log a line similar to the following:

@4000000039b89c95026a89b4 mail recv: pid 8155 from <name@domain.xy> qp 8157

The pid allows you to match the message up with a given tcpserver process and the qp lets you find a particular delivery.


prevents qmail from fetching large amounts of DNS data we have no interest in and that may overflow our response buffer.

qmail-rfc2821 patch

makes qmail rfc2821 compliant

smtpd-502-to-500 patch

  • Author: Jonathan de Boyne Pollard
  • Original patch: local copy
  • More info here

makes qmail rfc2821 compliant

qmail-dnsbl patch

allows you to reject spam and virus looking at the sender's ip address. Added a line to make qmail-smtpd log the reject reason as well as the envelope to facilitate diagnostics.

qmail-moreipme patch

prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time.


  • Author: Alex Nee
  • Download here

It will hide your Private or Public IP in the email Headers when you are sending Mail as a Relay Client.

qmail-date-localtime patch

  • Author: John Saunders
  • Download here

causes the various qmail programs to generate date stamps in the local timezone.

qmail-liberal-lf patch

allows qmail-smtpd to accept messages that are terminated with a single \n instead of the required \r\n sequence.


allows you to set a limit on how many recipients can be specified for any one email message by setting control/maxrcpt. RFC 2821 section says that an MTA MUST allow at least 100 recipients for each message, and huge recipient lists are one of the favourite tricks of spammers.
I slightly modified the patch to also log its response.


I modified extra.h to record the Message-ID in the qmail-send log as explained here towards the bottom of the page. An alias ~alias/.qmail-log had to be added as well to store the awk command with the regex which retrieves the Message-ID.
Thanks to Simone for the hint.

Be aware that you must have a valid MX record for your FQDN (look at /var/qmail/control/me).

The qmail-send log now appears as follows:

2014-11-05 12:00:47.930384500 status: local 1/10 remote 1/20
2014-11-05 12:00:47.952694500 delivery 11: success: Received:_(qmail_17359_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17359_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_from_unknown_(;_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17349_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_(qmail_17349_invoked_by_uid_89);_5_Nov_2014_12:00:47_+0100/Received:_from_unknown_(;_5_Nov_2014_12:00:46_+0100/<>;_Wed,_05_Nov_2014_03:00:48_-0800_(PST)/X-Received:_by_10.180.23.98_with_SMTP_id_l2mr4797959wif.51.1415185247978;_Wed,/X-Received:_by_10.180.23.98_with_SMTP_id_l2mr4797959wif.51.1415185247978;_Wed,/Received:_by_10.27.203.139_with_HTTP;_Wed,_5_Nov_2014_03:00:47_-0800_(PST)/Received:_by_10.27.203.139_with_HTTP;_Wed,_5_Nov_2014_03:00:47_-0800_(PST)/Date:_Wed,_5_Nov_2014_12:00:47_+0100/Message-ID:_<>/Message-ID:_<>/Subject:_dasda/From:_xxx_<>/From:_xxx_<>/
2014-11-05 12:00:47.952726500 status: local 0/10 remote 1/20
2014-11-05 12:00:48.326103500 delivery 12: success:

qmail-eMPF patch

eMPF follows a set of administrator-defined rules describing who can message whom. With this, companies can segregate various parts of their organization's email activities, as well as provide a variety of security-enhancing services.

It's useful in case of spammed servers, to temporarily stop outgoing messages. It adds lines like these to your qmail-smtpd log:

2015-03-30 18:05:54.442596500 policy_check: remote someone@somewhere.xy -> local user@yourdomain.xy (UNAUTHENTICATED SENDER)
2015-03-30 18:05:54.442612500 policy_check: policy allows transmission


adds the ability to match address envelopes via Regular Expressions (REs) in the qmail-smtpd process.

Added the new control file 'badhelonorelay'; control/badmailto renamed control/badrcptto (thanks to Luca Franceschini).


adds control/brtlimit and BRTLIMIT variable to limit max invalid recipient errors before closing the connection.


It works in conjunction with chkuser with both cdb and mysql accounts. Look here for details


It gets qmail to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address.

bug fixed in smtpd.c addrparse function

Fixed a little bug in 'mail from' address handling (see the patch by Andre Opperman at

qlog patch

  • Author: Luca Franceschini

smtpd logging with a fixed format (note: the 'size' field is evaluated only when control/databytes or DATABYTES is set). An entry 'qlogenvelope' is generated after accepting or rejecting each recipient in the envelope phase, for example:

qlogenvelope: result=rejected code=553 reason=rblreject relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip= localport=25 remoteip= remoteport=57502 remotehost= qp= id=39156
qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=test relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip= localport=25 remoteip= remoteport=57742 remotehost= qp= pid=37357

an entry 'qlogreceived' is generated after DATA (message accepted or rejected by qmail-queue):

qlogreceived: result=accepted code=250 reason=queueaccept detail= relay=yes rcpthosts= size=, authtype=login encrypted=tls sslverified=no localip= localport=25 remoteip= remoteport=52602 remotehost= qp=30982 pid=30980
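The fixed key=value layout is what makes qlog lines easy to mine. As an added example that is not part of the original guide or of the qlog patch itself, here are sh/awk functions that pull a single field out of a line, count rejected envelopes per reason, and count them per client address, which is the number control/brtlimit is meant to cap. The function names are mine, the field names are those of the qlog format shown above, and the sample lines are constructed (documentation-range addresses, illustrative reject reasons, made-up tai64n prefixes).

```shell
#!/bin/sh
# Added example (not from the original guide): summarise qlog envelope lines.
# Function names are mine; field names are those of the qlog format.

# qlog_sample_file
# Writes a CONSTRUCTED log excerpt (not real traffic) to a temp file, prints its path.
qlog_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
@400000005a1b2c3d0e0f1011 qlogenvelope: result=rejected code=553 reason=rblreject relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=198.51.100.5 localport=25 remoteip=192.0.2.10 remoteport=57502 remotehost= qp= pid=39156
@400000005a1b2c3d0e0f1012 qlogenvelope: result=rejected code=550 reason=chkuser relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=198.51.100.5 localport=25 remoteip=192.0.2.10 remoteport=57503 remotehost= qp= pid=39157
@400000005a1b2c3d0e0f1013 qlogenvelope: result=rejected code=550 reason=chkuser relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=198.51.100.5 localport=25 remoteip=192.0.2.10 remoteport=57504 remotehost= qp= pid=39158
@400000005a1b2c3d0e0f1014 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=test relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=198.51.100.5 localport=25 remoteip=203.0.113.7 remoteport=57742 remotehost= qp= pid=37357
@400000005a1b2c3d0e0f1015 qlogreceived: result=accepted code=250 reason=queueaccept detail= relay=no rcpthosts=yes size=1234 authuser= authtype= encrypted= sslverified=no localip=198.51.100.5 localport=25 remoteip=203.0.113.7 remoteport=57742 remotehost= qp=30982 pid=37357
@400000005a1b2c3d0e0f1016 qlogenvelope: result=rejected code=553 reason=rblreject relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=198.51.100.5 localport=25 remoteip=192.0.2.44 remoteport=40210 remotehost= qp= pid=39160
EOF
    printf '%s\n' "$f"
}

# qlog_field LINE KEY
# Prints the value of KEY in one qlog line (empty when the field is present but unset).
qlog_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
    }'
}

# qlog_reject_reasons FILE
# "reason count" for rejected envelopes, most frequent first (ties by name).
qlog_reject_reasons() {
    awk '/qlogenvelope:/ {
        res = ""; rsn = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "result=") == 1) res = substr($i, 8)
            if (index($i, "reason=") == 1) rsn = substr($i, 8)
        }
        if (res == "rejected") n[rsn]++
    }
    END { for (r in n) print r, n[r] }' "$1" | sort -k2,2nr -k1,1
}

# qlog_rejects_by_ip FILE [MIN]
# "remoteip count" for clients with at least MIN (default 1) rejected envelopes;
# a client that keeps failing recipients is what control/brtlimit is meant to cut off.
qlog_rejects_by_ip() {
    awk -v min="${2:-1}" '/qlogenvelope:/ {
        res = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "result=") == 1) res = substr($i, 8)
            if (index($i, "remoteip=") == 1) ip = substr($i, 10)
        }
        if (res == "rejected" && ip != "") n[ip]++
    }
    END { for (a in n) if (n[a] >= min) print a, n[a] }' "$1" | sort -k2,2nr -k1,1
}
```

Against a real multilog directory you would run, for instance, `qlog_rejects_by_ip /var/log/qmail/smtpd/current 20` to list the clients that hit the recipient-rejection threshold; the functions match `qlogenvelope:` anywhere in the line, so the tai64n prefix added by multilog does not get in the way.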

reject null senders patch

  • by Luca Franceschini

Useful in special cases if you temporarily need to reject the null sender (although this breaks RFC compatibility). You just need to put 1 (actually any number different from 0) in your control/rejectnullsenders to reject the null sender with a 421 error message.


Does this version of netqmail, with your patch, support IPv6?
I mean SPF, setting RELAYCLIENT and other variables.

I found a patch for IPv6 netqmail-1.06:

But when I tried to put it on top of the source with your patch, a lot of errors came out which I can't cope with.

On my server, a few weeks ago, I turned on full support for IPv6; I also found a patch to patch tcpserver for IPv6:
Spamdyke remains, but that's my problem ;)


No, my combined patch doesn't support IPv6. Unfortunately I don't have any IPv6 network to test the patches that are around.

cheers :)


I improved the forcetls patch a little so that qmail does not propose authorization when it is not possible, due to lack of TLS encryption:

I would still like to improve the fragment responsible for:

538 auth not available without TLS (# 5.3.3)
Connection closed by foreign host.

to properly close the connection, as with MUSTAUTH or SPFFAIL:

<- 221
=== Connection closed with remote host.

But I have no idea how to do it.

Cheers ;)

If my understanding of your code is correct, you want to allow the auth with CRAM_MD5 when STARTTLS is not provided. So it's not clear to me why you want to close the door once you decided that it's a user's responsibility to secure the connection with TLS

538 auth not available without TLS (# 5.3.3)
Connection closed by foreign host.

In my opinion it would be a responsibility of the postmaster to forcetls. If not, you may want to rename the "forcetls" label of this patch with something like "skiptls" :)

Hi. "If my understanding of your code is correct, you want to allow the auth with CRAM_MD5 when the user does not provide STARTTLS"

No, it's not about CRAM-MD5 at all:

swaks -f -t -s --p 587 -au -ap password
=== Trying
=== Connected to
<- 220 ESMTP
-> EHLO localhost.localdomain
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 X Authorization requires an encrypted SSL or TLS connection
*** Host did not advertise authentication
<- 221
=== Connection closed with remote host.

My goal was that the server does not provide authentication/authorization when it is not possible due to lack of TLS encryption:

while it offers it when encryption is enabled, like this:

swaks -f -t -s --p 587 -au -ap q --tls
=== Trying
=== Connected to
<- 220 ESMTP
-> EHLO localhost.localdomain
<- 250-8BITMIME
<- 250-SIZE 67108864
<- 250 X Authorization requires an encrypted SSL or TLS connection
<- 220 ready for tls
=== TLS started w/ cipher DHE-RSA-AES256-SHA
=== TLS peer subject DN="/C=IT/ST=PL/L=TestO=Test/OU=IMAP server/"
~> EHLO localhost.localdomain
<~ 250-8BITMIME
<~ 250-SIZE 67108864
<~ 334 PDMyNjAwLjEzMzIyNDI3NjhAMD4=
~> dXNlckBleGFtcGxlLmNvbSAwMzFlYjgwNTE4OTcyODgwZWRlOWU5M2U1ZThhZDJjYw==
<~ 235 ok, go ahead (#2.0.0)
<~ 250 ok
~> RCPT TO:<>
<~ 250 ok
<~ 354 go ahead
~> Date: Tue, 20 Mar 2012 12:26:08 +0100
~> To:
~> From:
~> Subject: test Tue, 20 Mar 2012 12:26:08 +0100
~> X-Mailer: swaks v20111230.0
~> This is a test mailing
~> .
<~ 250 ok 1332242769 qp 32604
<~ 221
=== Connection closed with remote host.

That was my reservation: disconnecting immediately when the test without TLS authentication is made circumvents the problem, but only solves it partially.
Here it's not about CRAM-MD5; the point is that the server does not offer authorization when it cannot be carried out, and that, in connection with any mail client, it does not try to send the password without encryption.

Made sure that the CRAM-MD5 was exclusive, as before. ;)

I meant it to be solved better than Gmail. :D

Cheers ;)

I'm sorry but I'm not sure I have understood what you say towards the end of your message.

Anyway, are the tests you provide made using my patch or your modified one?

My goal was that the server did not provide authentication, authorization when it is not possible due to lack of TLS encryption:

This is exactly what my forcetls patch does, right?


This is exactly what my forcetls patch does, right?

Exactly the point: I just wanted authorization not to be offered when it is unrealistic due to lack of TLS.

This is to avoid situations where someone sets, for example, PLAIN authorization in Outlook, then Outlook tries to log in, and the error gets logged.

I prefer a system where the server does not offer authorization (AUTH), if it can not be done, just like in Gmail

Cheers ;)

Just wanted to say thank you for pulling this all together in one page. It has been very helpful to have a single source location to get what I needed for qmail; your hard work is appreciated!

Hi, thank you very much for your work. I was wondering if it is possible to have a combined patch including ALL the patches above, EXCEPT for the BIG-TODO one. It is mentioned somewhere, but I couldn't find it.


Thanks again!

It should be quite simple to reverse that patch, but for me it's already very time consuming to follow one single patch, so I can't fulfil all requests for changes. Anyway, I'm always available as an advisor :)

Hi, after applying the patch and exporting auth, CRAM-MD5 is not enabled

250 SIZE 0

Do i need to export CRAM-MD5?



No, take a look at README.auth for details

Many thanks!

Hi Everyone,

Has anyone come across a patch to limit the size of any type of bounce?

I had tried qmail-bounce.patch by Frank Denis. But it will only work if databytes is enabled.


Hi, I need some help. After applying this combined patch, I get many emails with these errors:


No mail that hits this error is delivered to my mailbox. I did a lot of googling and found nothing; could you help me?

Hi Fabiano, I think this is due to improper commands entered by the client. You should enable recordio inside your smtpd run file to record the entire SMTP conversation and discover the reason for the reject. Post the SMTP dialog here if you like.


I noticed that SPF is not running properly. The IP consists of 4 fs.

Received: from unknown (HELO (::ffff:
  by 0 with SMTP; 28 Jul 2013 14:37:47 -0000
Received-SPF: unknown (0: No IP address in conversation)

Whereas my old box running on shupp toaster 0.9.4

Received: from unknown (HELO (
  by 0 with SMTP; 26 Jul 2013 03:02:52 -0000
Received-SPF: pass (0: SPF record at designates

Am I right to say that the fs in front of the IP are affecting SPF?

Is there a fix or workaround?


Hi Nicholas,

I think you are right. The SPF patch is very old (the same embedded in shupp's combined patch) and is not compatible with IPv6. As far as I know there is no fix for this (but you can ask the author) or alternative SPF patches. If you find something interesting let me know

But i am not on IPv6.




you are not in an IPv6 net but that address ::ffff: is IPv6, and the SPF patch is not able to recognize such an IP

Understand now



Hi Roberto,

Manvendra Bhangui from IndiMail get it fixed.
Is it possible to get it into your combined patches?


Hi Nick, I will try to ask Manvendra Bhangui if he can provide more details. If he can, I will certainly update my patch

The link to the download page is the big IndiMail patch and it's impossible (for me) to extract the modifications he did.

Thanks for the contribution


Hi Nick, Manvendra Bhangui has already answered to my requests. He is kind as always and provided details to make saout's spf patch work with IPv6-mapped as well. So I modified my big patch accordingly and this is a test version:


It is important that you have the new ucspi-tcp6 installed otherwise the filter on IPv6 clients will not work. I tested it both against the new tcpserver (ucspi-tcp6) and the original djb's ucspi-tcp-0.88 and they are both ok for IPv4 clients. Unfortunately I don't have any IPv6 net.

Test if you like and let me know :)

Hi Roberto,

I also do not have IPv6. I tested the new patch and it doesn't seem to be working

Received: from unknown (HELO (::ffff:


So, if I understand well, you can't see the "Received-SPF: ...." line in the header?

Edit: Can you confirm that you are using ucspi-tcp6 or another tcpserver with IPv6 capabilities?

Hi Roberto,

Received-SPF: unknown (0: No IP address in conversation)

I am using ucspi-tcp6-0.98



Can you send me qmail-smtpd.c as an attachment? I just want to check the call to the spfcheck() function.

Regards Manvendra

Hi Roberto,

First, thanks for the patch collection. I ran across an issue that I thought I would make you aware of: one of the patches in this collection modifies the function signature of timeoutconn.c/timeoutconn() . I assume it's one of the TLS or AUTH patches, but I haven't tried to figure it out. In any case, the patch adds an additional parameter to the signature which is not present in the original calls to timeoutconn() in qmail-qmqpc.c

None of the patches even touch qmail-qmqpc.c ( probably because very few people make use of it) but I actually use it for SMTP servers. Crypto can put quite a load on older hardware so I "spread the wealth" around with multiple smtp servers using QMQP to send the messages to my queue machine.

In any case, the fix is pretty straightforward and I am going to try and post the patch here in this comment:

diff netqmail-1.06/qmail-qmqpc.c netqmail-1.06.patched/qmail-qmqpc.c
>   /*** 2013-08-24 Robbie Walker <>
>   DESCRIPTION: the great collection of patches from Roberto Puzzanghera [ ]
>   includes changes to timeoutconn.c function signature as listed below. qmail-qmqpc.c also calls
>   timeoutconn and needs to be patched as well 
>   original timeoutconn() signature:
>   int timeoutconn(s,ip,port,timeout)
>   int s;
>   struct ip_address *ip;
>   unsigned int port;
>   int timeout;
>   modifed timeoutconn() signature:
>   int timeoutconn(s,ip,outip,port,timeout)
>   int s;
>   struct ip_address *ip;
>   struct ip_address *outip;
>   unsigned int port;
>   int timeout;
>   */
>   struct ip_address outip;
>   outip.d[0]=outip.d[1]=outip.d[2]=outip.d[3]=(unsigned char) 0;
<   if (timeoutconn(qmqpfd,&ip,PORT_QMQP,10) != 0) {
>   if (timeoutconn(qmqpfd,&ip,&outip,PORT_QMQP,10) != 0) {
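Review bot: the added lines `struct ip_address outip;` / `outip.d[0]=outip.d[1]=outip.d[2]=outip.d[3]=(unsigned char) 0;` hard-code a 0.0.0.0 source address, so qmail-qmqpc always binds to the kernel's default address and never honours control/outgoingip the way the patched qmail-remote described above does; either read control/outgoingip here too or state in the comment block that QMQP traffic is deliberately exempt from the outgoingip setting. Separately, the diff is in normal `diff` format with its range lines (the `NNaNN,NN` / `NNcNN` headers) missing, so `patch` has nothing to anchor the hunk on; regenerating it with `diff -u` from the directory above netqmail-1.06 would let others apply it directly.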

Hi Robbie, I'm going to add your fix in the next release that will be released in a few days

Thanks for the contribution :)

Glad to contribute!

imho, chkuser patch is way more problems than it's worth. It's blocking legit emails from namecheap, comodo, godaddy and others. How does one disable chkuser permanently????? I've tried commenting out of my qmail-submission/run, and restarting qmail, chkuser still running. grrr.

First of all, I think you can try to take a look at the chkuser manual, to see how to fit it to your needs.

If you want to disable it, just comment it in your run file (in case you are following my configuration).

If you want to delete it from my package you have to look at the original patch and see what it modifies. I remember that it modifies only qmail-smtpd.c and the Makefile, apart from new created files. You can easily recognise the modifications because there is a comment more or less like "chkuser patch starts here"

can you please provide log details about the rejections for such providers? thank you

Tried commenting out of my qmail/submission/run file, chkuser still running!

# cat /var/qmail/supervise/qmail-submission/run

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
SOFTLIMIT=`cat /var/qmail/control/softlimit`
# You MUST export this, otherwise you'd get a 30 sec timeout
export

# This enables greetdelay for qmail-smtpd.
export

# This enables chkuser
export

# This enables simscan debug
#export

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.submission.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 587 \
    /var/qmail/bin/qmail-smtpd \
    /home/vpopmail/bin/vchkpw /bin/true 2>&1

again, this is the submission service, which has nothing to do with incoming emails. In any case you have an error. Correct in this way


but be aware that this should be done on standard smtpd (port 25) service.

It blocks legitimate emails, it just sucks. Shouldn't be included in the net-qmail patch.

chkuser silently dropping mail !  How do I completely disable chkuser??????????????????????

2013-10-11 12:39:48.373851500 tcpserver: status: 1/20
2013-10-11 12:39:48.374029500 tcpserver: pid 28172 from
2013-10-11 12:39:48.374142500 tcpserver: ok 28172 0:::ffff: :
2013-10-11 12:39:48.621588500 CHKUSER accepted sender: from <> remote <> rcpt <> : accepted any sender always
2013-10-11 12:39:48.767883500 tcpserver: end 28172 status 0
2013-10-11 12:39:48.767910500 tcpserver: status: 0/20

what makes you think that it's a chkuser fault? this is not a rejection, and this is the log of port 587, but you said that you have some incoming legitimate email rejected, which should be received on port 25

Hi roberto

I successfully created the certificates and it works great; the only problem is that Mozilla Thunderbird, iPhone and Android show a warning because the certificate is not valid. Configuring an exception, it works. About it I have two questions.


Is there any chance to have different certificates for every domain?


If I buy a "valid certificate" can I just copy into the folder and it will work?

Thanks in advance


as far as I know the e.h. auth patch works with a global certificate.

Yes, you simply have to copy the certificate into that folder, but when you buy a valid certificate you also get an "intermediate certificate" to be copied in the same folder, which assures that your cert is valid


I am trying out the latest patch with the SRS2. While compiling i had an error

/usr/bin/ld: cannot find -lsrs2
collect2: ld returned 1 exit status
make: *** [qmail-local] Error 1

In the beginning it could not find the file srs2.h, so I downloaded it from and copied it to /usr/local/include/

I am on CentOS 6 64 bits.

Thanks for helping.


You have to install the libsrs2 libraries, not only the srs.h, see above. Check if they are installed in this way

ldconfig -p|grep libsrs2


Yes i did.

[root@beyond ~]# ldconfig -p|grep libsrs2
(libc6,x86-64) => /usr/lib64/



did you modify srs.c accordingly?

Didn't think of doing that. What should I edit?



Nic, read above :)

Hi Roberto,

Successfully compiled libsrs2 but libsrs2 is not linked.

# ldconfig -p|grep libsrs2

<ends up with no results>

I'm using CentOS 5.8.  Thanks.

Supposing that you remembered to run "ldconfig" after the compilation, where was libsrs2 installed? Check that the directory where it was installed is included in your /etc/ (or similar). If not, you should add it and run "ldconfig" again after that

Firstly, thanks Roberto for your efforts in creating the patch, but I'm facing a critical problem after I patched qmail 1.6 with your patch: I found that my server load reached 250, and when I checked the processes I found that qmail-todo was consuming CPU terribly. But I don't know why this happened and what I should do, although I have applied the steps and installed qmail successfully.

Hi Kamal,

I assume that you erased your queue in this way before installing the todo-patched qmail for the first time:

qmailctl stop
rm -rf /var/qmail/queue
make setup check

If yes please post a

ps axfuww | grep qmail 

The best way to investigate what qmail-todo is doing is using strace:

strace -Ff -o /tmp/qmail-strace.log -p <pid_of_qmail-todo>

Hi Roberto,

Yes, I already erased the queue as you mentioned, I want to clear something i'm using the combined patch "roberto-netqmail1.06.patch-latest"  NOT todo-patch. but the problem with qmail-todo process that was consuming cpu.

Kindly find output details below,



it seems to be an infinite loop...

When you stop qmail I would try to kill all those qmail-todo processes which don't belong to qmail-send anymore, and after that erase the existing queue, recompile and restart qmail

I really did that, but unfortunately it is still the same; the load reached 270 and the server was going to explode.


I have the same  problem

I followed the howto line by line but nothing

You have to find the solution ?


Hi ruddur, can you describe the problem you have?

Roberto, Rudi,

I took a look at the problem..... so.... qmail-todo is launched by qmail-send. While doing an strace -f on the qmail-send supervise run file, I noticed this:

9011  stat("/usr/lib64", {st_mode=S_IFDIR|0755, st_size=167936, ...}) = 0
9011  writev(2, [{"qmail-send", 10}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"", 12}, {": ", 2}, {"cannot open shared object file", 30}, {": ", 2}, {"No such file or directory", 25}, {"\n", 1}], 10) = -1 EBADF (Bad file descriptor)
9011  exit_group(127)                   = ?

Doing an ldd /var/qmail/bin/qmail-send, I realized that your libsrs2 is already included in your Slack64 but not under /usr/lib64. Instead you have it both under /usr/lib and /usr/local/lib.

I simply symlinked your libsrs2 to /usr/lib64 and everything is now working fine :)

Good troubleshooting exercise, right :)


PS: salutations to you Roberto - always nice to hear from you my friend!

Hi my friend, thanks for your hint!

But I expect that qmail-send will find the library provided that /usr/local/lib is in my /etc/, right? So it's not clear to me the need to symlink /usr/lib64

Maybe a libsrs problem: did you successfully install it? Did you ldconfig it?

I think it's not a libsrs issue, as in that case the compilation itself will break


if you use SRS, DKIM filter fails, as it sets original SENDER domain instead of that specified in SRS. Any suggestions how to fix it?

cheers and thanks for your patches!


Can you post how the headers look when you use SRS?

I contacted M.Banghui, the author of the DKIM patch, and he told me that he can fix it.

The DKIM is getting _SENDER  - and SRS is providing to qmail an original Sender domain, instead of the one taken from /var/qmail/control/srs_domain

BTW, why don't you move your awesome patchset to github? It would make things much easier :)

I would declare I can work on IPv6 part, as it is the only (but big) missing thing from your patches.



Hi, can you do a cut&paste of the headers?

Actually some help on the IPv6 patch would be appreciated, as I have not much time these days, and I'm not an IPv6 expert. As you probably know M.Banghui has merged an IPv6 patch in his DKIM/SURBL and my plan is to add it to my package sooner or later :)

Can you pls let me know how to remove the ForceTls patch from the big patch? I need the auth to work without tls.

Thank you!

read above! :)

Dear Roberto

I completely followed your notes; my email server can send email to another domain but cannot deliver to a local account.

I've tried to send from huyenha to nxhuy (2 accounts already created and logged in successfully) but it said:

failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/

qmail-send log:

@4000000054832f6635627354 new msg 2754774
@4000000054832f6635627b24 info msg 2754774: bytes 1228 from <> qp 2158 uid 89
@4000000054832f6635627f0c starting delivery 1: msg 2754774 to local
@4000000054832f6635627f0c status: local 1/10 remote 0/20
@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local
@4000000054832f66356282f4 status: local 2/10 remote 0/20
@4000000054832f66358539ac delivery 2: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000054832f6635e71474 status: local 1/10 remote 0/20
@4000000054832f6635f5b2a4 delivery 1: success: Received:_(qmail_2158_invoked_by_uid_89);_6_Dec_2014_11:31:24_-0500/Received:_(qmail_2158_invoked_by_uid_89);_6_Dec_2014_11:31:24_-0500/Received:_by_simscan_1.4.0_ppid:_2149,_pid:_2151,_t:_0.0077s/Received:_by_simscan_1.4.0_ppid:_2149,_pid:_2151,_t:_0.0077s/Received:_from_unknown_(;_6_Dec_2014_11:31:24_-0500/Date:_Sat,_06_Dec_2014_23:31:24_+0700/<>/References:_<>/_<>/Message-ID:_<>/Message-ID:_<>/---/did_0+0+2/
@4000000054832f6635f62bbc status: local 0/10 remote 0/20
@4000000054832f670250cbdc bounce msg 2754774 qp 2167
@4000000054832f670250d3ac end msg 2754774

Please help me!

Hi, have you passed the vpopmail login test from the command line?

I've followed your vpopmail auth test at

the result is ok

telnet localhost 89
Trying ::1...
Connected to localhost.
Escape character is '^]'.
login 123456
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/
uid 89
gid 89
name nxhuy
comment nxhuy
quota 524288000S
user_dir /home/vpopmail/domains/
encrypted_password $1$uk0Fi8aE$USOXMa6g9i0Rjgd9vgLx2/
clear_text_password 123456
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0

and are you sure you are using my patch? I can't see chkuser in action... is it enabled?

Yes, chkuser in action, this is qmail-smtpd log:

@4000000054832fc82cfe8ff4 tcpserver: status: 1/20
@4000000054832fc82cffbcbc tcpserver: pid 2222 from ::1
@4000000054832fc82d009f4c tcpserver: ok 2222 0:::1:25 :::1::40420
@4000000054832fc82d3d331c CHKUSER accepted sender: from <|remoteinfo/auth:|chkuser-identify:> remote <|remotehostname:unknown|remotehostip:::1> rcpt <> : accepted any sender always
@4000000054832fc82d66a47c CHKUSER accepted rcpt: from <|remoteinfo/auth:|chkuser-identify:> remote <|remotehostname:unknown|remotehostip:::1> rcpt <> : found existing recipient
@4000000054832fc8304afbd4 simscan:[2222]
@4000000054832fc83547c734 mail recv: pid 2222 from <> qp 2224
@4000000054832fc83547cb1c qmail-smtpd: message accepted: from ::1 to helo
@4000000054832fc907f41454 tcpserver: end 2222 status 0
@4000000054832fc907f41c24 tcpserver: status: 0/20

can you show your control/defaultdelivery?

 Now it is:
|/var/qmail/bin/preline -f /usr/local/dovecot/libexec/dovecot/deliver -d $EXT@$USER

I also tried "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox"

But the result is the same error

It can be a dovecot issue (you should also look for dovecot-lda errors, especially in the sql driver).

But it's strange that you can't have it working when using vpopmail as deliver. Are there any .qmail overriding the defaultdelivery?

Let's fix vpopmail first of all.

I've changed the control/defaultdelivery and ~vpopmail/domains/ to | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox"

But the error is still the same :(

do you have double quotes at the end of that line?

Sorry, it's my mistake; I've removed the double quote and re-tested. The error is still there.

Could it be a qmail's error?

can you send me in a private msg an strace of smtp session?

the content of the defaultdelivery is

| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

without quotes, right?

I realise that in qmail-send log:

@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local

must be:

@4000000054832f66356282f4 starting delivery 2: msg 2754774 to local

So I delete the domain and re-add, now it can deliver to local account.

But that generates another error: it can't deliver to the "log alias" for the qmail-tap function

@400000005483d6841bf4da4c new msg 2754788
@400000005483d6841bf4de34 info msg 2754788: bytes 628 from <> qp 11658 uid 89
@400000005483d6841bf4e21c starting delivery 1: msg 2754788 to local
@400000005483d6841bf4e604 status: local 1/10 remote 0/20
@400000005483d6841bf4e9ec starting delivery 2: msg 2754788 to local
@400000005483d6841bf4e9ec status: local 2/10 remote 0/20
@400000005483d6841ccb8f24 delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@400000005483d6841ccb96f4 status: local 1/10 remote 0/20
@400000005483d6841cced314 delivery 2: success: did_0+0+1/
@400000005483d6841cced6fc status: local 0/10 remote 0/20
@400000005483d6842401182c bounce msg 2754788 qp 11669
@400000005483d6842401c40c end msg 2754788

I think this is because my patch creates an alias /var/qmail/alias/.qmail-log which uses the same address as your tap address ( This alias is needed to improve the log of qmail-send. You can solve this by changing the tap address

Hi Roberto ,

I have followed your excellent guide and installed my server. The issue is that for every mail that is sent or received it is trying to send a copy to some log alias. How can I disable that? Below is the message transcript.

Hi. This is the qmail-send program at I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <>
Received: (qmail 11804 invoked by uid 89); 12 Dec 2014 13:46:33 +0530
Received: by simscan 1.4.0 ppid: 11796, pid: 11799, t: 0.0938s scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19764 spam: 3.4.0
Received: from unknown (HELO (::1) by 0 with SMTP; 12 Dec 2014 13:46:33 +0530
Received-SPF: unknown (0: No IP address in conversation)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_354b252cc407d8efce244ea9bc720ecc"
Date: Fri, 12 Dec 2014 13:46:20 +0530
From:
To:
Subject: test mail
Message-ID: <>
X-Sender:
User-Agent: Roundcube Webmail/1.0.3

--=_354b252cc407d8efce244ea9bc720ecc
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

test

--=_354b252cc407d8efce244ea9bc720ecc
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style=3D'font-size: 10pt; font-family: Verdana,Geneva,sans-seri=
f'>
<p>test</p>
<div>&nbsp;</div>
</body></html>

--=_354b252cc407d8efce244ea9bc720ecc--

Request your help in this regards


you can revert this patch

anyway I think you have deleted the ~alias/.qmail-log alias or you don't have a valid mx for your control/me domain. Actually this is not a real mailbox but an alias created in order to improve the qmail-send log, so you may want to continue to use it

ahhh now I get you, actually this is a newly created server and I have still not pointed the MX to the new server's IP. Let me check by pointing the valid MX to the server.

Thanks a lot for your precious guidance as always you are a real life saver

I think you have a valid mx for your domain

$ dig mx

; <<>> DiG 9.9.6-P1 <<>> mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36916
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;              IN      MX

;; ANSWER SECTION:
              3600    IN      MX      10

;; Query time: 288 msec
;; WHEN: Fri Dec 12 14:03:12 CET 2014
;; MSG SIZE  rcvd: 65


I made the installation of a new server and I have the same problems as mentioned: for every email that is incoming or outgoing a copy of this email is sent to the account

I reverted the patch and all works fine.

Any ideas???


This is normal, as the log@yourdomain.xy account is used to improve the qmail-send log. What do you have in your ~alias/.qmail-log file?

The .qmail-log contains:

| awk '/^$/ { exit } /^[mM][eE][sS][sS][aA][gG][eE]/ { print } /^[rR][eE][cC][eE][iI][vV][eE][dD]:/ { print; } /^[fF][rR][oO][mM]:/ { print } /^[tT][oO]:/ { print } /^[sS][uU][bB][jJ][eE][cC][tT]:/ { print } /^[xX]-[mM][aA][iI][lL][eE][rR]/ { print } /[hH][eE][lL][oO]/{ print } /^[rR][eE][pP][lL][yY]-[tT][oO]/{ print } /^[rR][eE][tT][uU][rR][nN]-[pP][aA][tT][hH]/{ print } /^[cC][cC]:/{ print } /^[dD][eE][lL][iI][vV][eE][rR][eE][dD]-[tT][oO]/{ print } /^[dD][aA][tT][eE]:/{ print } / by /{ print } / id /{ print } /<.*>/{ print }'
| echo "---"

But the error is:

<>: Sorry, no mailbox here by that name. (#5.1.1)

And log:

@4000000054a7d4ad3592ce3c new msg 1322152
@4000000054a7d4ad3592d224 info msg 1322152: bytes 2377 from <> qp 4710 uid 1008
@4000000054a7d4ad359310a4 starting delivery 3: msg 1322152 to local
@4000000054a7d4ad359310a4 status: local 1/10 remote 0/20
@4000000054a7d4ad35933f84 starting delivery 4: msg 1322152 to remote
@4000000054a7d4ad3593436c status: local 1/10 remote 1/20
@4000000054a7d4ad35c68c54 delivery 3: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
@4000000054a7d4ad35c75774 status: local 0/10 remote 1/20


can you confirm that (the domain inside control/me) really exists and has a valid MX record?


The MX is correct and set fine in control/me file.

and you created the domain with vpopmail?

Yes, the domain was created with vpopmail, and i delete and recreate the domain.

The domain is on another files control\files.

what control\files is needed for?

I mean that the domain is automatically added to other files in the folder Control (virtualdomains, rcpthosts, etc).

No ideas at the moment, but you can make sure that the domain was actually created by trying to connect to the postmaster account, for example

telnet 0 89

root@mail:~# telnet 0 89
Trying
Connected to 0.
Escape character is '^]'.
+OK
login pass
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/
uid 89
gid 89
name postmaster
comment Postmaster
quota NOQUOTA
user_dir /home/vpopmail/domains/
encrypted_password pass_encrypt
clear_text_password pass
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 1
override_domain_limits 0
no_spamassassin 0
delete_spam 0
no_maildrop 0
system_admin_privileges 0
.

Good news, I think I've found a possible reason: apparently the aliases found in /var/qmail/alias are not working. I created a symbolic link to /home/vpopmail/domains/ and this is working now.

@4000000054a9350306110ffc delivery 19: success: Received:_(qmail_30229_invoked_by_uid_33);_4_Jan_2015_12:41:28_+0000/Received:_(qmail_30229_invoked_by_uid_33);_4_Jan_2015_12:41:28_+0000/To:_Arturo_Blanco_/To:_Arturo_Blanco_/Subject:_Re:_test_03/Date:_Sun,_04_Jan_2015_13:41:28_+0100/

Any idea why the /var/qmail/alias does not work?

mmh... do you have your aliases stored in mysql db (vpopmail compiled with --enable-valias)?

I configured it with the --disable-valias option (I followed every step of your tutorial)

Hello Roberto,

I have a problem with mails coming from amazon. Every mail sent from amazon is not delivered because it shows the error qmail-smtpd: read failed. This error only happens with mails from the amazon mail servers; I do not have this error with other mails. I have no clue what's wrong, do you have an idea? Output from the log file:

tcpserver: pid 18422 from
tcpserver: ok 18422 0:::ffff: :
CHKUSER accepted sender: from <|remoteinfo/auth:|chkuser-identify:> remote <|remotehostname:unknown|remotehostip:> rcpt <> : sender accepted
tcpserver: status: 1/20
qmail-smtpd: read failed: (null) from to helo
tcpserver: end 18422 status 256



I think you should record the smtp conversation enabling recordio in your run file. Let me know if you solve

Hello Roberto,

thanks for the hint with recordio. I figured out that the SPF check was the problem:

@4000000054a81075289ded24 9091 > 451 SPF lookup failure (#4.3.0)
@4000000054a8107529ddac9c 9091 < RSET
@4000000054a8107529de0674 9091 > 250 flushed

When I changed the /var/qmail/control/spfbehavior entry to 1, mail from amazon gets thru, and I noticed that it takes some time to process the mail.

I tried a manual spfquery for the amazon mail and the check takes about 70 sec. So I think that the check takes too long and the qmail-smtpd process takes this as a timeout and rejects the mail because of that. Other spf checks to other domains are working fast. Maybe I should try to change the dns server entry? But it is strange that this happens only with amazon servers.

Thanks for helping.

I would try a test like

dig txt

and see if you get a timeout error or not

dear roberto

I use centos7.0 to install qmail. If I do not install the netqmail-1.06 qmail patch, qmail runs properly, but I can only send mail to my own server and receive email from other mail servers; I cannot send mail to other mail servers (I think it is the qmail auth problem).

But when I installed the netqmail patch roberto-netqmail-1.06.patch-latest.gz (for qmail auth?), when I enter the command qmailctl start, qmail-send cannot come up, and the qmail-send PID changes (after each time I enter the command qmailctl stat), and if I enter the command "top" I find a lot of qmail-todo processes and the server becomes very slow. What can I do? Thank you.

A little summary

1. If I do not install roberto-netqmail-1.06.patch-latest.gz, I can send mail to my mail server and receive mail from other mail servers ( to,I cannot send mail to other mail servers.

2. After the installation of roberto-netqmail-1.06.patch-latest.gz, qmail-send cannot come up normally; its uptime keeps varying between 0 seconds and 1 second, and the server CPU is very high.

Can you give me any suggestion on this matter? Thanks very much.

Hi xia0sheng,

as mentioned above, the TODO patch included in my package may require that the queue has to be rebuilt. So, if you are sure that there are no messages in your queue, because it's just a testing server, stop qmail and try to kill all your qmail-todo processes like this

qmailctl kill

if those processes are still alive kill them manually.

Then erase your queue

rm -rf /var/qmail/queue

Now you can recompile qmail and restart

Let me know if this solved your issue

dear  roberto

Thanks very much for your reply. I did as you say, but the problem is still there.

In fact, I removed the /var/qmail/queue of my previous installation before installing.

I did as you say, but when I enter the command qmailctl stat, qmail-send still cannot come up normally, and the log in /var/log/qmail/send/current has no error at all. Where can I find the error log of qmail-send for the qmailctl stat?

I have another question: if I installed qmail before, but I want to delete it and rebuild it, is it ok to just delete the /var/qmail and /usr/local/src/netqmail-1.06 folders, and then make and patch /usr/local/src/netqmail-1.06? Is there any file or folder I should delete if I want to rebuild qmail? Or should I reinstall my linux server?

I think maybe it is a problem of my centos7.0 system.

I have been learning qmail for only a very short time; there is a lot of configuration I don't know.

Can you give me some advice about what I can do?

Wish you a nice weekend!


dear xia0sheng, I suppose that you recompiled qmail after erasing your queue. This is very strange. If I understand well

  1. you stopped qmail, erased the queue and you have no more qmail-todo processes alive
  2. recompiled qmail
  3. started qmail
  4. you have /var/log/qmail/send/current is empty

is it right?

When you want to recompile just follow this steps. I suppose that you have a folder with a patched qmail

  1. qmailctl stop
  2. erase the queue if it is the first time you install my patch
  3. cd to the source dir
  4. make clean
  5. make setup check (this will overwrite everything and rebuild the queue)
  6. qmailctl start

Dear roberto:

I did as you say, but the problem is still there. So I changed to using "roberto-netqmail-1.06_auth_tls_force-tls.patch-latest" and everything is ok.

But I still cannot send mail to other email accounts (I can send email to my server and receive mail from other email accounts).

The error is "Please check the email , server reply: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)". If I write to the file /var/qmail/control/rcpthosts, I can send email to my account.

I know it is maybe the qmail-auth problem, but I don't know how to solve it.

Can you give me some advice?

Thanks very much!

I can't be of much help if you don't try to provide details of what is happening to your server. You forgot to reply to my previous questions...

Concerning your new problem, your localhost must have the RELAYCLIENT flag in your tcp.smtp and tcp.submission. You should read the "tcprules" page. I suggest you to read carefully everything once again and perform all tests in the "Testing" page; I can assure that it works :)
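As an added illustration of the RELAYCLIENT point (this file is not from the page, from the patch set or from the posters): a tcprules source for tcp.smtp that lets only localhost relay, with the open-relay misconfiguration shown as a commented-out line. The path is the one used in this thread; the `127.` prefix rule and the comments are assumptions for the example. qmail-smtpd relays for a connection only when RELAYCLIENT is present in its environment (the value, here empty, is appended to every recipient address), so a rule that sets it for every source turns the server into an open relay, which is exactly what the "553 sorry, that domain isn't in my list of allowed rcpthosts" reply is protecting against.

```text
# /home/vpopmail/etc/tcp.smtp  (tcprules source; compile with
#   tcprules /home/vpopmail/etc/tcp.smtp.cdb /home/vpopmail/etc/tcp.smtp.tmp < /home/vpopmail/etc/tcp.smtp
# and point tcpserver's -x at the resulting .cdb, as the run file above does)

# Localhost may relay: a webmail client on the same box gets RELAYCLIENT.
127.:allow,RELAYCLIENT=""

# Everyone else: accepted, but may only send to domains listed in
# control/rcpthosts (no relaying).
:allow

# NEVER do this: it grants RELAYCLIENT to every source address and makes
# the server an open relay.
# :allow,RELAYCLIENT=""
```

The same rule belongs in tcp.submission when local software connects to port 587 without authenticating. Note from the logs in this thread that local connections can also arrive as ::1 when tcpserver listens on IPv6; a `127.` rule does not cover those, so check which address your client actually uses before relying on this rule alone.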

1. you stopped qmail, erased the queue and you have no more qmail-todo processes alive

    I stopped qmail and erased the queue, but because I didn't know how to kill the many qmail-todo processes (before you told me to use qmailctl kill), I rebooted my server to kill the qmail-todo processes. I don't know why after every reboot I should first enter the command svscanboot & (it cannot auto start) and only then qmail can start (of course I enter svscanboot & after patching qmail).

2. recompiled qmail

3. started qmail

4. you have /var/log/qmail/send/current is empty

is it right? (all right except 1)

When you want to recompile just follow this steps. I suppose that you have a folder with a patched qmail

1. qmailctl stop
2. erase the queue if it is the first time you install my patch
3. cd to the source dir
4. make clean
5. make setup check (this will overwrite everything and rebuild the queue)
6. qmailctl start

Then I did all you said above, but it still has the qmail-send problem (cannot come up)

after patching with your full patch "roberto-netqmail-1.06.patch-latest.gz"

the later i do is :

7. svscanboot &

8. qmailctl start

9. qmailctl stat

    the status is

/service/qmail-send: up (pid 11702) 1 seconds
/service/qmail-send/log: up (pid 11592) 8 seconds
/service/qmail-smtpd: up (pid 11584) 8 seconds
/service/qmail-smtpd/log: up (pid 11587) 8 seconds
/service/qmail-submission: up (pid 11586) 8 seconds
/service/qmail-submission/log: up (pid 11591) 8 seconds
/service/vpopmaild: up (pid 11583) 8 seconds
/service/vpopmaild/log: up (pid 11585) 8 seconds

messages in queue: 0

messages in queue but not yet preprocessed: 0

10. qmailctl stat again

/service/qmail-send: up (pid 11742) 1 seconds
/service/qmail-send/log: up (pid 11592) 10 seconds
/service/qmail-smtpd: up (pid 11584) 10 seconds
/service/qmail-smtpd/log: up (pid 11587) 10 seconds
/service/qmail-submission: up (pid 11586) 10 seconds
/service/qmail-submission/log: up (pid 11591) 10 seconds
/service/vpopmaild: up (pid 11583) 10 seconds
/service/vpopmaild/log: up (pid 11585) 10 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

so it cannot work.

and with your "roberto-netqmail-1.06_auth_tls_force-tls.patch-latest" everything is ok except sending mail to other mail servers.

the /home/vpopmail/etc/tcp.smtp is


the /home/vpopmail/etc/tcp.smtp is


if I send mail to another mail account, the error is

Please check the email <>, server reply: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1)

I will reread your testing page carefully tomorrow to see if it solves my problem.

Thanks very much.

And if you want, I can give you my mail server test account; you can enter my mail server and see what happens (I have no problem with this, because the mail server is just a test server).

If you want this, I can send you the test account and password for my mail server (can you receive mail at your mail? my email account is

ok, let me know once you have finished to double check everything

dear roberto:

I checked everything carefully, but I still have some problems.

I can use foxmail to send and receive mail to or from other mail accounts.

The setting is:


ssl (not selected)

port is 587

and I should select use STARTTLS. With this setting, everything is ok.

But if I don't select use STARTTLS, when I send mail the error is "538 auth not available without TLS (#5.3.3)"

and in the roundcube webmail the configuration is


/* Local configuration for Roundcube Webmail */

// ----------------------------------
// ----------------------------------
// Database connection string (DSN) for read+write operations
// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
// Currently supported db_providers: mysql, pgsql, sqlite, mssql or sqlsrv
// For examples see
// NOTE: for SQLite use absolute path: 'sqlite:////full/path/to/sqlite.db?mode=0646'
$config['db_dsnw'] = 'mysql://temp:XXXXXXX@localhost/roundcubemail';

// ----------------------------------
// ----------------------------------
// The mail host chosen to perform the log-in.
// Leave blank to show a textbox at login, give a list of hosts
// to display a pulldown menu or set one host as string.
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// Supported replacement variables:
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %s - domain name after the '@' from e-mail address provided at login screen
// For example %n = mail.domain.tld, %t = domain.tld
// WARNING: After hostname change update of mail_host column in users table is
//          required to match old user data records with the new host.
$config['default_host'] = '';

// ----------------------------------
// ----------------------------------
// SMTP server host (for sending mails).
// To use SSL/TLS connection, enter hostname with prefix ssl:// or tls://
// If left blank, the PHP mail() function is used
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['smtp_server'] = '';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;

// provide an URL where a user can get support for this Roundcube installation
$config['support_url'] = '';

// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
$config['des_key'] = 'al=t9fl&8A&Y+0D4rhipphsN';

// Automatically add this domain to user names for login
// Only for IMAP servers that require full e-mail addresses for login
// Specify an array with 'host' => 'domain' values to support multiple hosts
// Supported replacement variables:
// %h - user's IMAP hostname
// %n - hostname ($_SERVER['SERVER_NAME'])
// %t - hostname without the first part
// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
// %z - IMAP domain (IMAP hostname without the first part)
// For example %n = mail.domain.tld, %t = domain.tld
$config['username_domain'] = '';

// Name your service. This is displayed on the login screen and in the window title
$config['product_name'] = 'xxxxxxx邮箱系统';

// ----------------------------------
// ----------------------------------
// List of active plugins (in plugins/ directory)
$config['plugins'] = array('acl', 'additional_message_headers', 'archive', 'attachment_reminder', 'autologon', 'database_attachments', 'debug_logger', 'emoticons', 'enigma', 'example_addressbook', 'filesystem_attachments', 'help', 'hide_blockquote', 'http_authentication', 'identity_select', 'jqueryui', 'legacy_browser', 'managesieve', 'markasjunk', 'new_user_dialog', 'new_user_identity', 'newmail_notifier', 'password', 'redundant_attachments', 'show_additional_headers', 'squirrelmail_usercopy', 'subscriptions_option', 'userinfo', 'vcard_attachments', 'virtuser_file', 'virtuser_query', 'zipdownload');

// the default locale setting (leave empty for auto-detection)
// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
$config['language'] = 'zh_CN';

In the webmail, if I send mail to other mail accounts

the error is "SMTP error: [553] sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"

How can I set roundcube to use STARTTLS like the foxmail setting?

Thank you very much.

I really don't know what to do now.

dear  roberto:

Thanks very much, now everything is ok. I can use roundcube to send and receive mail.

The problem was the configuration of the roundcube file.

I chose "Use the current IMAP username and password for SMTP authentication" and then I could send mail to other mail accounts.

Thanks very much for the help these days.

Thanks very much....


ldconfig -p|grep libsrs2

The server is centos7.0; if I patch with "roberto-netqmail-1.06.patch-latest.gz" qmail-send cannot come up.

The problem is libsrs2: after installing libsrs2,

enter the command:

ldconfig -p|grep libsrs2

there is no result.

The solution is

1. vim /etc/

2. add /usr/local/lib

3. save

4. ldconfig

5. ldconfig -p|grep libsrs2

the result will be correct.

Many thanks, I had the same qmail-todo problem.

I had built a new toaster on a VPS and also got flooded by qmail-todo, which Roberto had mentioned.

"Be sure that libsrs2 is actually linked, otherwise you are going to have a qmail-send infinite crash and finally an auto-DoS"

I tried xia0sheng's method and it did not work, maybe because this is a CentOS 6.

So I added a custom file in /etc/

vim /etc/

add the location of the libsrs2 library; mine is in /usr/local/lib


ldconfig -p|grep libsrs2

And the result (libc6,x86-64) => /usr/local/lib/ (libc6,x86-64) => /usr/local/lib/

My floodings stopped.

This might be better because my library for libev is also in the folder /usr/local/lib

ldconfig -p|grep libev (libc6,x86-64) => /usr/local/lib/ (libc6,x86-64) => /usr/lib64/ (libc6,x86-64) => /usr/local/lib/

Just my $0.02

Dear Roberto,

I have a box A which was sending spam, as one of the email accounts was compromised because of a weak password.

The IP was blacklisted, and to prevent more undelivered emails, I decided to use box B to relay emails.

In box B, I created an email account with the password secret.

In box A, I had created the file smtproutes in /var/qmail/control/ and added an entry like this:- secret

Emails from are now relaying fine. In box A, I have about 60 domains and, being lazy, I decided to change the entry of smtproutes (box A) from secret to secret

But now I started to get the error below

Sorry, I couldn't find any host named (#5.1.2)

What is wrong with my smtproutes? And is this the best workaround until I have removed box A's IP from the blacklists?



Nic, the man page says that the correct syntax should be||secret

Thanks Roberto!

It is working well. Is this the best method for my case until I can get the IP delisted?

thanks again


I think it is good enough. But in my opinion the most important thing is to recognize why that pwd was stolen.. was it a simple multiple trial via the imap or submission port? In that case use fail2ban. Or was it an sql exploit by means of a security hole in one of your hosted websites?

The user was using 1234 as the password. Sigh!

Many thanks again, Roberto!

I recently published a pwd patch for qmailadmin; I think it can enforce pwd complexity even though it is very rudimentary. Are you using fail2ban as suggested?

Is the patch in this tutorial? Let me read through again and add this into my present build. And yes, I am using fail2ban.



I saw the patch. Applying it now.



Thanks Roberto for your hard work and excellent guide on qmail.

I am installing qmail for the first time on Debian and I got to the 'finally install and start qmail' (make setup check, qmailctl start) part on this page, but qmailctl did not run as it did not exist.

So I just spent an hour stressing out trying to work out why qmailctl and the supervise scripts didn't exist, and got it working on my own from LWQ, then came back here to continue and realised that you provide exact instructions for qmailctl and the supervise stuff to get it running on the next page, the configuration section!! OMG!! I am such an idiot. I know I should have read the whole guide first, perhaps, but I think maybe you could indicate something around the finally install & start part to stop idiots like me from wasting hours thinking their installation is messed up.

Thanks so much!


George, you must have been very tired, not an idiot, and I think that in a normal situation this would not happen to you.

BTW I think it's not a good idea to add such obvious instructions; someone would be offended.. In addition the "install page" is just the 4th page of the guide and the readers should consider all the following pages, as you already pointed out.

Ciao Roberto and hi to all the qmail users,

here I am again with a STRANGE problem occurring. I recently upgraded to the latest patch here, and I think that this is causing the problem:

-modified the QUEUE_EXTRA variable in extra.h to record the Message-ID in the qmail-send's log. Thanks to Simone for the hint.

I have an account on my domain named log@[domain].[net]. Every single mail gets copied to this account since the upgrade!

I'm basically running into this configuration (


How do I keep a copy of all incoming and outgoing mail messages?

Answer: Set QUEUE_EXTRA to "Tlog\0" and QUEUE_EXTRALEN to 5 in extra.h. Recompile qmail. Put ./msg-log into ~alias/.qmail-log.

You can also use QUEUE_EXTRA to, e.g., record the Message-ID of every message: run

     | awk '/^$/ { exit } /^[mM][eE][sS][sS][aA][gG][eE]-/ { print }'

from ~alias/.qmail-log.


I tried to remove /var/qmail/alias/.qmail-log but nothing happens.

Is there a way to disable/reconfigure this feature without recompiling? If not, how can I remove that extra.h declaration in order to recompile without that feature?

Thank you !



You have to reverse that patch. Simply replace extra.h with the original file and recompile. Also remove .qmail-log.

Thank you Roberto. I was looking for a solution to keep the feature and disable it at run-time; I will try with:

Set QUEUE_EXTRA to "Tlogother\0" and QUEUE_EXTRALEN to 8 in extra.h

to have the logging feature ready in the "logother@domain" alias. Otherwise I will just reverse the patch as you suggest and remove the feature.

Thank you !


It is okay to enter the entire email address.  Just change the length number to the number of characters minus 1.

#ifndef EXTRA_H
#define EXTRA_H

/* no extra recipient appended; the stock extra.h pairs this with QUEUE_EXTRALEN 0 */
#define QUEUE_EXTRA "\0"
#define QUEUE_EXTRALEN 0

#endif
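The two posts above (the "Tlogother\0" variant and the "entire email address" variant) both come down to how QUEUE_EXTRALEN is derived from QUEUE_EXTRA. The following is an added example, not qmail's code: it builds an envelope with the same record layout the quoted FAQ relies on ("F<sender>\0", "T<rcpt>\0" records, then the QUEUE_EXTRA bytes, then an empty record as the end marker), reads it back, and shows what happens when the length leaves out the terminating NUL. The alias "log" and its length 5 are the FAQ's own numbers; the sender, recipient and buffer sizes are constructed, and the assumption that the extra bytes are written verbatim just before the end marker follows from the FAQ's description.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not qmail's own code.  Envelope layout modelled on the FAQ:
 * "F<sender>\0", one "T<rcpt>\0" per recipient, then QUEUE_EXTRALEN bytes of
 * QUEUE_EXTRA, then an empty record marking the end. */

#define ENV_MAX 512
#define ADDR_MAX 256

/* QUEUE_EXTRALEN for a "T<alias>\0" record: 'T' + alias + its NUL.
 * "log" -> 5, as the FAQ states. */
size_t queue_extra_len(const char *alias)
{
    return 1 + strlen(alias) + 1;
}

/* Write the "T<alias>\0" bytes into buf; returns bytes written including the
 * NUL, or 0 if buf is too small. */
size_t build_queue_extra(char *buf, size_t bufsz, const char *alias)
{
    size_t need = queue_extra_len(alias);
    if (need > bufsz) return 0;
    buf[0] = 'T';
    memcpy(buf + 1, alias, need - 2);
    buf[need - 1] = '\0';
    return need;
}

/* Append one "<tag><addr>\0" record; returns the new position or 0 on overflow. */
static size_t put_record(char *env, size_t envsz, size_t pos, char tag, const char *addr)
{
    size_t n = strlen(addr) + 2;
    if (pos + n > envsz) return 0;
    env[pos] = tag;
    memcpy(env + pos + 1, addr, n - 2);
    env[pos + n - 1] = '\0';
    return pos + n;
}

/* Lay out an envelope: sender, recipients, extra_len bytes of extra, then the
 * terminating empty record.  Returns the total length, or 0 on overflow. */
size_t build_envelope(char *env, size_t envsz, const char *sender,
                      const char **rcpts, int nrcpt,
                      const char *extra, size_t extra_len)
{
    size_t pos = put_record(env, envsz, 0, 'F', sender);
    for (int i = 0; i < nrcpt && pos; i++)
        pos = put_record(env, envsz, pos, 'T', rcpts[i]);
    if (!pos || pos + extra_len + 1 > envsz) return 0;
    memcpy(env + pos, extra, extra_len);
    pos += extra_len;
    env[pos++] = '\0';
    return pos;
}

/* Read the envelope back as a consumer would: NUL-delimited records until an
 * empty one.  Recipient addresses are copied into out[].  Returns the number
 * of recipients, or -1 if the data runs out before the empty record, which is
 * exactly what a QUEUE_EXTRALEN that omits the NUL produces. */
int parse_envelope(const char *env, size_t len, char out[][ADDR_MAX], int max)
{
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t end = pos;
        while (end < len && env[end] != '\0') end++;
        if (end == len) return -1;            /* record never terminated */
        if (end == pos) return count;         /* empty record: end of envelope */
        if (env[pos] == 'T' && count < max) {
            snprintf(out[count], ADDR_MAX, "%s", env + pos + 1);
            count++;
        }
        pos = end + 1;
    }
    return -1;                                /* no terminating empty record */
}

int main(void)
{
    char extra[32], env[ENV_MAX], rcpt[8][ADDR_MAX];
    const char *rcpts[] = { "alice@example.net" };          /* constructed */
    size_t xl = build_queue_extra(extra, sizeof extra, "log");
    size_t el = build_envelope(env, sizeof env, "bob@example.org", rcpts, 1, extra, xl);
    int n = parse_envelope(env, el, rcpt, 8);
    printf("QUEUE_EXTRALEN for \"log\" = %zu; %d recipients, last = %s\n", xl, n, rcpt[n - 1]);

    /* Off-by-one: a length that leaves out the NUL makes the end marker serve as
     * the record's terminator, and the envelope then has no end at all. */
    el = build_envelope(env, sizeof env, "bob@example.org", rcpts, 1, extra, xl - 1);
    printf("with QUEUE_EXTRALEN = %zu: parse result = %d\n", xl - 1, parse_envelope(env, el, rcpt, 8));
    return 0;
}
```

The rule the block makes visible is that QUEUE_EXTRALEN counts the leading 'T', every character of the alias and the NUL, so "logother" needs 10, and a full address works the same way provided the count includes its NUL.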



I applied the latest patch for netqmail, then #make and received the error "missing features.h"; how can I solve this?

Also tried with older patch, and got the same error :(

I am using FreeBSD 10.2 64bit

Thank you.

Still no luck after many attempts; google didn't return a positive result on this matter :(

Someone in the past already mentioned that my patch is not freebsd compliant. Unfortunately I don't have any freebsd machine to do tests. 

I could prepare a server for you to test it.
I will send you an email including an account shortly.

Thanks a lot.

Hi bzero, thank you but this is not that kind of thing that I can do for free..

The qmail-tls patch is buggy. qmail-remote's server cert checking logic, if configured through tlshosts/, is broken: it'll consider *any* valid cert even if none of the alt/common names matches.

Something like this should fix it:

diff --git a/qmail-remote.c b/qmail-remote.c

index 40dbd31..f6b13b2 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -494,6 +494,7 @@ int tls_init()
     X509 *peercert;
     int found_gen_dns = 0;
+    int matched = 0;

     int r = SSL_get_verify_result(ssl);
     if (r != X509_V_OK) {
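Review bot: `matched` is introduced without a comment; add one beside its declaration saying that it records whether a dNSName actually matched `partner_fqdn`, as opposed to `found_gen_dns`, which only records that a dNSName was present at all. The difference between those two flags is the whole fix, so it belongs where the next reader of `tls_init()` will see it.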
@@ -517,7 +518,10 @@ int tls_init()
         const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
         if (gn->type == GEN_DNS){
           found_gen_dns = 1;
-          if (match_partner(gn->d.ia5->data, gn->d.ia5->length)) break;
+          if (match_partner(gn->d.ia5->data, gn->d.ia5->length)) {
+            matched = 1;
+            break;
+          }
       sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
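Review bot: the hunk as posted is truncated: the header promises 10 lines on the new side, but `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);` follows the added `+          }` directly, with no closing braces for the `if (gn->type == GEN_DNS)` block or the enclosing loop, so the patch will not apply as shown and must be checked against the full source. The logic is right: `found_gen_dns = 1` is set for every dNSName whether or not it matches, so setting `matched = 1` only inside the successful `match_partner` branch before the `break` is what lets the caller tell "a dNSName was present" from "a dNSName matched".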
@@ -540,6 +544,9 @@ int tls_init()
         out("ZTLS unable to verify server "); out(partner_fqdn);
         out(": received certificate for "); outsafe(&peer); TLS_QUIT;
+    } else if (!matched) {
+      out("ZTLS unable to verify server ");
+      tls_quit(partner_fqdn, "certificate contains no matching names");
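Review bot: this hunk is also cut short (the header says 9 new-side lines, 5 are shown), so the closing brace of the new `else if (!matched)` branch is not visible; confirm it is there before applying. The behavioural change is the one that matters: a certificate that carries dNSNames none of which match `partner_fqdn` now fails closed instead of being accepted. Two style points: the branch just above reports with `out(partner_fqdn); out(": received certificate for "); outsafe(&peer); TLS_QUIT;`, while the new branch calls `tls_quit(partner_fqdn, "certificate contains no matching names")`, so the same class of failure is reported in two formats; and a one-line comment ("dNSNames were present but none matched the partner") on the new branch would make the control flow obvious, since the `else if` only makes sense together with the `found_gen_dns`/`matched` pair introduced in the earlier hunks.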
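A simplified model of the check the comment above describes, added here as an example (it is neither the qmail-tls patch nor qmail-remote's code): the dNSName walk with and without the `matched` flag, so the difference between "a dNSName was present" and "a dNSName matched the partner name" can be seen on constructed inputs. `match_partner` is reimplemented here to accept an exact, case-insensitive match or a `*.` wildcard against the partner's parent domain; treat that as an assumption about the real function. The names and the partner host are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not qmail-remote's code.  Models the server-name check:
 * a list of dNSName entries is compared against the expected partner name.
 * strict=0 reproduces the reported bug (any dNSName present counts as
 * verified); strict=1 requires one of them to actually match. */

/* Case-insensitive comparison of s (len bytes) with the whole of t. */
static int name_eq(const char *s, size_t len, const char *t)
{
    if (strlen(t) != len) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)t[i])) return 0;
    return 1;
}

/* Exact match, or "*.domain" matching the partner's parent domain.
 * Assumption: these are the two forms the real match_partner accepts. */
int match_partner(const char *name, size_t len, const char *partner)
{
    if (name_eq(name, len, partner)) return 1;
    if (len > 2 && name[0] == '*' && name[1] == '.') {
        const char *dot = strchr(partner, '.');        /* ".example.net" */
        if (dot && name_eq(name + 1, len - 1, dot)) return 1;
    }
    return 0;
}

enum { VERIFY_NO_DNSNAME = -1, VERIFY_FAIL = 0, VERIFY_OK = 1 };

/* Walk the dNSName list.  Returns VERIFY_NO_DNSNAME when the list is empty so
 * the caller can fall back to the commonName, as qmail-remote does. */
int verify_dns_names(const char **names, int n, const char *partner, int strict)
{
    int found_gen_dns = 0, matched = 0;
    for (int i = 0; i < n; i++) {
        found_gen_dns = 1;                              /* set for every dNSName */
        if (match_partner(names[i], strlen(names[i]), partner)) {
            matched = 1;                                /* set only on a real match */
            break;
        }
    }
    if (!found_gen_dns) return VERIFY_NO_DNSNAME;
    if (!strict) return VERIFY_OK;                      /* the bug: matched is never consulted */
    return matched ? VERIFY_OK : VERIFY_FAIL;
}

int main(void)
{
    /* constructed certificate name lists and partner host */
    const char *good[] = { "other.example.com", "MAIL.example.net" };
    const char *bad[]  = { "other.example.com" };
    const char *wild[] = { "*.example.net" };
    const char *partner = "mail.example.net";

    printf("matching SAN : lenient=%d strict=%d\n",
           verify_dns_names(good, 2, partner, 0), verify_dns_names(good, 2, partner, 1));
    printf("foreign SAN  : lenient=%d strict=%d\n",
           verify_dns_names(bad, 1, partner, 0), verify_dns_names(bad, 1, partner, 1));
    printf("wildcard SAN : strict=%d\n", verify_dns_names(wild, 1, partner, 1));
    printf("no SAN       : %d (fall back to commonName)\n",
           verify_dns_names(NULL, 0, partner, 1));
    return 0;
}
```

The "foreign SAN" line is the case the comment reports: with the lenient check a certificate issued for an unrelated host passes as long as it is valid and carries some dNSName, which is what makes the `matched` flag in the patch necessary.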