The complete changelog is inside the patch file.
-qmail-tls patch updated to v. 20160918
* bug: qmail-remote accepting any dNSName, without checking that is matches (E. Surovegin)
* bug: documentation regarding RSA and DH keys (K. Peter, G. A. Bofill)
-force-tls patch improved (a big thanks to Marcel Telka). Now qmail-smtpd avoids to write the auth verb if the
the STARTTLS command was not sent by the client
-dkim patch updated to v. 1.19
* verification will not fail when a dkim signature does not include the subject provided that the UNSIGNED_SUBJECT environment variable is declared. More info here.
-qmail-tls updated to v. 20151215
* typo in #if OPENSSL_VERSION_NUMBER for 2015-12-08 patch release (V. Smith)
* add ECDH to qmail-smtpd
* increase size of RSA and DH pregenerated keys to 2048 bits
* qmail-smtpd sets RELAYCLIENT if relaying allowed by cert
more info here
-DKIM patch updated to v. 1.18 (a big thank to Manvendra Bhangui for his kind support). More info here
-qmail-authentication: updated to v. 0.8.3
-fixed a bug on
qmail-remote.cthat was causing the sending of an additional ehlo greeting (thanks to Cristoph Grover)
-qmail-authentication: updated to v. 0.8.2
-qmail-tls: upgraded to v. 20141216 (POODLE vulnerability fixed)
I have created a combined patch including the latest versions of several commonly-used qmail patches:
- qmail queue custom error
- oversize DNS
- reread concurrency
- big concurrency
- big concurrency fix
- Better qmail-smtpd logging
- SMTP HELO/EHLO Greeting delay
- DKIM and SURBL
- qmail-remote CRLF
- qmail-smtpd pid, qp log patch
- qmail-smtpd liberal-lf
You're invited to take a look at the next page of this guide, which presents several tests for these patches toward the bottom of the page.
NB: first of all, you must have a valid MX record for your
/var/qmail/control/me domain, otherwise you'll get errors when trying to send to
~alias/qmail-log (more info here).
This library is a prerequisite of the DKIM patch by Manvendra Bhangui, which is part of my package. You must compile this, otherwise the compilation will break.
- Info: http://domainkeys.sourceforge.net/
- Download: http://sourceforge.net/projects/domainkeys/
- Download the patch
cd /usr/local/src wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/tar/libdomainkeys-0.69.tar.gz tar xzf libdomainkeys-0.69.tar.gz wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/libdomainkeys-0.69.diff ln -s libdomainkeys-0.69 libdomainkeys cd libdomainkeys chown -R root.root . patch < ../libdomainkeys-0.69.diff make cd ../
- Download: http://www.libsrs2.org/
This library is a prerequisite of the SRS patch, which is part of my package. You must install this, otherwise the compilation will break.
wget http://www.libsrs2.org/srs/libsrs2-1.0.18.tar.gz tar xzf libsrs2-1.0.18.tar.gz cd libsrs2-1.0.18 ./configure make make install ldconfig cd ../
Be sure that libsrs2 is actually linked, otherwise you are going to have a qmail-send infinite crash and finally an auto-DoS:
> ldconfig -p|grep libsrs2 libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0 libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so
In case you decided to install the
libsrs2 library by means of a package provided by your Linux distribution, you should check the path where the library was installed. Check if the file
/usr/local/include/srs2.h actually exists; if not you may have to modify the
srs.c in the netqmail source dir as follows:
#include </usr/local/include/srs2.h>#include </usr/include/srs2.h>
Apply the patch
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz cd netqmail-1.06 gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch
The combined patch you downloaded has chkuser enabled. It’s configured to perform recipient verification and MAV (Mail From: Address Verification).
You can customize your configuration by editing the chkuser_settings.h file (in /usr/local/src/netqmail-1.06) before compiling qmail. In order to enable chkuser, the following line must be commented out:
#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
Uncomment to enable the check of user and domain format for sender address. This will reject fake senders without any domain declared (like <foo>).
Uncomment to enable checking of domain MX for rcpt addresses
Uncomment to enable checking of domain MX for sender address
This enables usage of "#" and "+" characters within sender address. It is used by SRS (Sender Rewriting Scheme) products.
As far as my MTA Is concerned, this solved an "invalid sender address format" reject message prompted by an email address of a mailman mailing list..
By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do
in your run file. Values other than 0 (or not declaring this variable at all) will force TLS before the auth.
By default the auth is allowed with LOGIN or PLAIN mechanism. You are invited to look at the README.auth file for further details concerning the use of the SMTPAUTH environment variable, expecially if you want to use CRAM-MD5.
The BIG-TODO patch included in my combined patch may requires that your queue has to be rebuilt. So be aware that all existing messages in the queue will be destroyed when you erase the queue below.
To discover if your qmail has messages in the queue:
> qmailctl stat /service/qmail-send: up (pid 18127) 6 seconds /service/qmail-send/log: up (pid 18134) 6 seconds /service/qmail-smtpd: up (pid 18126) 6 seconds /service/qmail-smtpd/log: up (pid 18135) 6 seconds /service/qmail-submission: up (pid 18131) 6 seconds /service/qmail-submission/log: up (pid 18132) 6 seconds /service/vpopmaild: up (pid 18129) 6 seconds /service/vpopmaild/log: up (pid 18128) 6 seconds messages in queue: 0 messages in queue but not yet preprocessed: 0
If this will be the first time you install the combined patch (which contains the BIG-TODO patch), you’ll need to take these steps:
qmailctl stop rm -r /var/qmail/queue
Now compile qmail:
If qmail is running stop the services before installing:
Finally install and start qmail:
make setup check qmailctl start
Creating an SSL key file
If you don’t want to enable SMTP relay (using SMTP/TLS access), you can skip this section.
To secure the smtp authentication you must create the SSL certificate. The certificate must be owned by the user who runs qmail-smtpd, in our case vpopmail.
> make cert Generating a 1024 bit RSA private key ..................++++++ .......++++++ writing new private key to '/var/qmail/control/servercert.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IT State or Province Name (full name) [Some-State]:Italy Locality Name (eg, city) :Cagliari Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :smtp.yourdomain.net Email Address :email@example.com > make tmprsadh > chown vpopmail.vchkpw /var/qmail/control/*.pem
It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.
Now let’s create a cronjob to update the certificate every day:
> crontab -e 03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.
- Author: Erwin Hoffmann (updates the previous work of Krysztof Dabrowski and Bjoern Kalkbrenner)
- Version 0.8.3 (23.08.2015)
- Info: http://www.fehcom.de/qmail/smtpauth.html
It provides cram-md5, login, plain authentication support for qmail-smtpd (port 587) and qmail-remote.
- Author: Frederik Vermeulen
- Info: http://inoa.net/qmail-tls/
- Version 20160918
It implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file update_tmprsadh to chown the .pem files to vpopmail, which runs qmail-smtpd.
The POODLE vulnerability has been fixed.
You may be interested to take a look to the page concerning smtp-auth and TLS testing here.
- Author: Marcel Telka
- Download original
- Version: 2016.05.15
optionally gets qmail to require TLS before authentication to improve security.
You have to declare FORCETLS=0 if you want to allow the auth without TLS
- Author: Antonio Nati
- Info: http://opensource.interazioni.it/qmail/chkuser.html
- Version 2.0.9
performs recipient verification and Mail From: Address Verification (MAV).
You may be interested to take a look to this page concerning chkuser testing.
- Author: Flavio Curti
Enables simscan and qmail-dkim to return the appropriate message for each e-mail it refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.
- Author: Christophe Saout. Patch modified by Manvendra Bhangui to make it IPv4-mapped IPv6 addresses compliant.
- Info: http://www.saout.de/misc/spf/
- Version rc5
It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.
- Author: Marcelo Coelho
- Info: http://www.mco2.com.br/opensource/qmail/srs/
implements Sender Rewriting Scheme fixing SPF break upon email forwarding. To enable SRS read carefully the configuration instructions above.
- Author: Christopher K. Davis
- Info: http://www.ckdhr.com/ckd/qmail-103.patch
This patch enables qmail to handle large DNS packets.
- Author: Jul
- Version: 2
- Download: local copy
rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.
- Author: Johannes Erdfelt
- Info: http://qmail.org/big-concurrency.patch
It sets the spawn limit above 255.
- Author: Mihai Secasiu
- Version: 1.0
- Info: http://patchlog.com/linux/qmail-big-concurrency/
Fixes a compiler error if you set concurrency higher than 509 in /usr/local/src/netqmail-1.06/conf-spawn.
- Author: Bill Shupp
- Version: 20050125
- Download original patch (local copy)
adds maildirquota support to qmail-pop3d and qmail-local.
- Author: Kyle B. Wheeler
- Version: 4 (05 Jan 2010)
- Info: http://www.memoryhole.net/qmail/#logging
Facilitates diagnosing qmail-smtpd logging its actions and decisions (search for a line starting with qmail-smtp:). This is useful for discovering fake IP addresses with bad HELO’s when qmail-smtpd doesn’t log anything.
adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before greeting. You can control the delay via the environment variable SMTPD_GREETDELAY (was GREETDELAY in the original patch). A value of SMTPD_GREETDELAY=”30” will delay qmail-smtpd’s response for 30 seconds.
- Author: Manvendra Bhangui (a big thanks for the support)
qmail-dk is based on Russ Nelson's patch: http//:www.qmail.org/qmail-1.03-dk-0.54.patch
qmail-dkim uses hacked libdkim libraries from libdkim project at http://libdkim.sourceforge.net/
surbfilter is built on djb functions and some functions have been ruthlessly borrowed from qmail surbl
interface by Pieter Droogendijk and the surblhost program at http://surblhost.sourceforge.net/
- Version: 1.19
- DKIM configuration: http://notes.sagredo.eu/node/92
- SURBL configuration: http://notes.sagredo.eu/node/155
- Original patch
adds DKIM signing & verification support to qmail at both qmail-smtpd and qmail-remote/local level and SURBL filtering support to qmail.
The file hier.c modified to chown /var/qmail/control/cache and subdirs to vpopmail.
- Authors: Claudio Jeker and Andre Oppermann's
- Release: 5. Jan. 2003
addresses a problem known as the silly qmail (queue) problem.
- Author: Russell Nelson
Makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.
Prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.
- Authors: Russell Nelson (modified version by Charles Cazabon)
- Download from local
Prevents double bounces from hitting your queue a second time provided that you delete the first line from /var/qmail/control/doublebounceto
Enables qmail-smtpd to reject messages if they’re larger than the maximum number of bytes allowed (you can set this value in the /var/qmail/control/databytes control file).
Provides the ability to archive each email that flows through the system.
Enables qmail-remote to handle CR (\r) properly, always sending the line breaks as CRLF (\r\n) and avoiding to double the CR (like qmail-remote normally does). This often caused me a broken header when forwarding messages by means of a sieve rule.
- Author: Andy Repton (adjusted by Sergio Gelato)
- Original patch: http://www.qmail.org/outgoingip.patch
- Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch
By default all outgoing emails are sent through the first IP address on the interface. In case of a multiple IP server this patch makes qmail send outgoing emails with the IP eventually stored in control/outgoingip. The ehlo domain is NOT modified by this patch.
- Author: Frank Denis
- Original patch: http://qmail.omnis.ch/www.jedi.claranet.fr/qmail-bounce.patch
limits the size of bounces. The default limit for bounces is 50000 bytes, but you can create a file in crontrol/bouncemaxbytes in order to change that number.
- Author: Iain Patterson
- Original patch: http://iain.cx/qmail/patches.html#smtpd_pidqp
makes qmail-smtpd log a line similar to the following:
@4000000039b89c95026a89b4 mail recv: pid 8155 from <firstname.lastname@example.org> qp 8157
The pid allows you to match the message up with a given tcpserver process and the qp lets you find a particular delivery.
- Author: Jonathan de Boyne Pollard
- Original patch: http://www.memoryhole.net/qmail/#any-to-cname
avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.
- Author: Matthias Andree
- Original patch: http://www-dt.e-technik.uni-dortmund.de/~ma/qmail/patch-qmail-1.03-rfc2821.diff (local copy)
- More info here
makes qmail rfc2821 compliant
makes qmail rfc2821 compliant
allows you to reject spam and virus looking at the sender's ip address. Added a line to make qmail-smtpd log the reject reason as well as the envelope to facilitate diagnostics.
prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time.
- Author: Alex Nee
- Download here
It will hide your Private or Public IP in the email Headers when you are sending Mail as a Relay Client.
- Author: John Saunders
- Download here
causes the various qmail programs to generate date stamps in the local timezone.
- author: Dean Gaudet
- version: 0.95
- download: http://www.arctic.org/~dean/patches/qmail-0.95-liberal-lf.patch (local copy)
qmail-smtpd to accept messages that are terminated with a single
\n instead of the required
- author: Michael Samuel
- download: http://copilotco.com/mail-archives/qmail.1997/msg03066.html (local copy)
allows you to set a limit on how many recipients are specified for any one email message by setting
control/maxrcpt. RFC 2821 section 184.108.40.206 says that an MTA MUST allow at least 100 recipients for each message, since this is one of the favourite tricks of the spammer.
I slightly modified the patch also to log its response.
- Download here
extra.h to record the Message-ID in the
qmail-send log as explained here towards the bottom of the page. An alias
~alias/.qmail-log had to be added as well to store the
awk command with the regex which retrieves the Message-ID.
Thanks to Simone for the hint.
Be aware that you must have a valid MX record for your FQDN (look at
qmail-send log now appears as follows:
eMPF follows a set of administrator-defined rules describing who can message whom. With this, companies can segregate various parts of their organizations email activities, as well as provide a variety of security-enhancing services.
It's useful in case of spammed servers, to temporarily stop outgoing messages. It adds a line like this in your
2015-03-30 18:05:54.442596500 policy_check: remote email@example.com -> local firstname.lastname@example.org (UNAUTHENTICATED SENDER) 2015-03-30 18:05:54.442612500 policy_check: policy allows transmission