Patching qmail

• Latest stable combined patch for netqmail-1.06 v. 2013.03.31 (MD5)

Changelog

• 2013-03-31
  qmail-auth updated to latest v. 0.8.1 Added authentication by recipient domain for qmail-remote. Look at README.auth for further details
• 2013-02-11
  some code adjustments in qmail-smtpd.c smtpd_ehlo() to restore total compatibility with esmtp-size patch
• 2013-02-08
  qmail-auth updated to latest v. 0.7.6. Look at README.auth for further details
• 2013-01-28
  fixed an issue on qmail-pop3d which was causing a double +OK after the pass command (thanks to Rakesh, Orbit and Simplex for helping in testing and troubleshooting)
• 2013-01-06
  environment variable GREETDELAY renamed to SMTPD_GREETDELAY
• 2012-10-31
  qmail-auth updated to latest v. 0.7.5. Look at README.auth for further details
  The qmail-forcetls patch was simplyfied accordingly.
  You MUST export SMTPAUTH="" in your run file now.
• 2012-04-25
  -added qmail-remote CRLF (thanks to Pierre Lauriente for the help on testing and troubleshooting)
  The qmail-remote CRLF patch solved a problem of broken headers after sieve forwarding that was caused by a bad handling of the CR (carriage return) by qmail-remote. The issue is also reported here http://www.dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html
• 2012.04.16
  -added qmail-tap
• 2012.02.08
  -added smtp-size patch
• 2012.01.29
  -added doublebounce-trim patch
• 2011.12.12
  -file update_tmprsadh modified to chown the .pem files to vpopmail to avoid hang-ups during the smtp conversation on port 587 caused by permission problems.
• 2011.10.06
  -qmail-remote.c: fixed. It was not going into tls on authentication (thanks to Krzysztof Gajdemski)
  -force-tls now quits if the starttls command is not provided when required (thanks to Jacekalex)

I have created a combined patch which contains the latest versions of several commonly-used qmail patches. It includes:

• qmail-authentication
• qmail-tls
• force-tls
• chkuser
• qmail queue custom error
• qmail-SPF
• oversize DNS
• reread concurrency
• big concurrency
• big concurrency fix
• maildir++
• Better qmail-smtpd logging
• SMTP HELO/EHLO Greeting delay
• DKIM
• EXT-TODO
• BIG-TODO
• qmail-inject-null-sender
• doublebounce-trim
• esmtp-size
• qmail-tap
• qmail-remote CRLF

[Follow the patch details here]

Other patches:

• Patch including only smtp-auth, qmail-tls and force-tls
• All patches directory

You're invited to take a look at the next page of this guide, which presents several tests for these patches toward the bottom of the page.

Installing libdomainkeys

This library is a prerequisite of the DKIM patch by Manvendra Bhangui, which is part of my package. You must compile this, otherwise the compilation will break.

• Info: http://domainkeys.sourceforge.net/
• Download: http://sourceforge.net/projects/domainkeys/
• Download the patch

cd /usr/local/src
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/tar/libdomainkeys-0.69.tar.gz
tar xzf libdomainkeys-0.69.tar.gz
wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/libdomainkeys-0.69.diff
ln -s libdomainkeys-0.69 libdomainkeys
cd libdomainkeys
chown -R root.root .
patch < ../libdomainkeys-0.69.diff
make
cd ../

Apply the patch

wget http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06.patch-latest.gz
cd netqmail-1.06
gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch

Configuring chkuser

• More info here: http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html

The combined patch you downloaded has chkuser enabled. It’s configured to perform recipient verification and MAV (Mail From: Address Verification). 

You can customize your configuration by editing the chkuser_settings.h file(in /usr/local/src/netqmail-1.06) before compiling qmail. In order to enable chkuser, the following line must be commented out:

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

Uncomment to enable the check of user and domain format for sender address.

#define CHKUSER_SENDER_FORMAT

Uncomment to enable checking of domain MX for rcpt addresses

#define CHKUSER_RCPT_MX

Uncomment to enable checking of domain MX for sender address

#define CHKUSER_SENDER_MX

This enables usage of "#" and "+" characters within sender address. It is used by SRS (Sender Rewriting Scheme) products.

As far as my MTA Is concerned, this solved an "invalid sender address format" reject message prompted by an email address of a mailman mailing list..

#define CHKUSER_ALLOW_SENDER_SRS

force-tls variables

By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do

export FORCETLS=0

in your run file. Values other than 0 (or not declaring this variable at all) will force TLS before the auth.

qmail-auth variables

By default the auth is allowed with LOGIN or PLAIN mechanism. You are invited to look at the README.auth file for further details concerning the use of the SMTPAUTH environment variable, expecially if you want to use CRAM-MD5.

Recompiling qmail

The BIG-TODO patch included in my combined patch may require that your queue be rebuilt. So be aware that all existing messages in the queue will be destroyed when you erase the queue below.

To discover if your qmail has messages in the queue:

> qmailctl stat

/service/qmail-send: up (pid 18127) 6 seconds
/service/qmail-send/log: up (pid 18134) 6 seconds
/service/qmail-smtpd: up (pid 18126) 6 seconds
/service/qmail-smtpd/log: up (pid 18135) 6 seconds
/service/qmail-submission: up (pid 18131) 6 seconds
/service/qmail-submission/log: up (pid 18132) 6 seconds
/service/vpopmaild: up (pid 18129) 6 seconds
/service/vpopmaild/log: up (pid 18128) 6 seconds
messages in queue: 0
messages in queue but not yet preprocessed: 0

If this will be the first time you install the combined patch (which contains the BIG-TODO patch), you’ll need to take these steps:

qmailctl stop
rm -r /var/qmail/queue

Now compile qmail:

make

If qmail is running stop the services before installing:

qmailctl stop

Finally install qmail:

make setup check

Creating an SSL key file

If you don’t want to enable SMTP relay (using SMTP/TLS access), you can skip this section.

To secure the smtp authentication you must create the SSL certificate. The certificate must be owned by the user which runs qmail-smtpd, in our case vpopmail.

> make cert

Generating a 1024 bit RSA private key
..................++++++
.......++++++
writing new private key to '/var/qmail/control/servercert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IT
State or Province Name (full name) [Some-State]:Italy
Locality Name (eg, city) []:Cagliari
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:smtp.yourdomain.net
Email Address []:postmaster@yourdomain.net

> make tmprsadh
> chown vpopmail.vchkpw /var/qmail/control/*.pem

It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.

Now let’s create a cronjob to update the certificate every day:

> crontab -e

03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1

Important: If you run qmail-submission as a user other than vpopmail, and you’re installing my combined patch, you must adjust /var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.

Combined patch details

qmail-authentication

• Author: Erwin Hoffmann (updates the previous work of Krysztof Dabrowski and Bjoern Kalkbrenner)
• Version 0.8.1 (24/03/2013)
• Info: http://www.fehcom.de/qmail/smtpauth.html
• README.auth

It provides cram-md5, login, plain authentication support for qmail-smtpd (port 587) and qmail-remote.

qmail-tls

• Author: Frederik Vermeulen
• Info: http://inoa.net/qmail-tls/
• Version 20110119

It implements SSL or TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file update_tmprsadh to chown the .pem files to vpopmail, which runs qmail-smtpd.

You may interested to take a look to the page concerning smtp-auth and TLS testing here.

force-tls

• Author: Roberto Puzzanghera
• Download original
• Version: 2012.10.28

optionally gets qmail to require TLS before authentication to improve security.

chkuser

• Author: Antonio Nati
• Info: http://opensource.interazioni.it/qmail/chkuser.html
• Version 2.0.9

performs recipient verification and Mail From: Address Verification (MAV).

You may be interested to take a look to this page concerning chkuser testing.

qmail-queue-custom-error.patch

• Author: Flavio Curti
• More info here: https://no-way.org/uploads/qmail-error/

Enables simscan and qmail-dkim to return the appropriate message for each e-mail it refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.

qmail-SPF

• Author: Christophe Saout's
• Info: http://www.saout.de/misc/spf/
• Version rc5

It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.

Oversize DNS

• Author: Christopher K. Davis
• Info: http://www.ckdhr.com/ckd/qmail-103.patch

This patch enables qmail to handle large DNS packets.

Reread concurrency patch

• Author: Jul
• Version: 2
• Download: local copy

rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.

Big Concurrency patch

• Author: Johannes Erdfelt
• Info: http://qmail.org/big-concurrency.patch

It sets the spawn limit above 255.

Big Concurrency fix

• Author: Mihai Secasiu
• Version: 1.0
• Info: http://patchlog.com/linux/qmail-big-concurrency/

Fixes a compiler error if you set concurrency higher than 509 in /usr/local/src/netqmail-1.06/conf-spawn.

maildir++ patch

• Author: Bill Shupp
• Version:  20050125
• Info: http://shupp.org/patches/netqmail-maildir++.patch (local copy)

adds maildirquota support to qmail-pop3d and qmail-local.

Better qmail-smtpd Logging patch

• Author: Kyle B. Wheeler
• Version: 4 (05 Jan 2010)
• Info: http://www.memoryhole.net/qmail/#logging

Facilitates diagnosing qmail-smtpd logging its actions and decisions (search for a line starting with qmail-smtp:). This is useful for discovering fake IP addresses with bad HELO’s when qmail-smtpd doesn’t log anything.

SMTP HELO/EHLO Greeting delay patch

• Author: Erwin Hoffman
• Info: http://www.fehcom.de/qmail/qmail.html##greetdelay

Reduces spam by adding a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with “220 ESMTP”. You can control the delay via the environment variable SMTPD_GREETDELAY (was GREETDELAY in the original patch). A value of SMTPD_GREETDELAY=”30” will delay qmail-smtpd’s response for 30 seconds.

DKIM patch

• Author: Manvendra Bhangui (a big thanks for the support)
• Version: 1.7
• Info: http://indimail.blogspot.com/2009/04/how-to-set-dkim-signature-in-indimail.html
• Original patch

adds DKIM signing & verification support to qmail at both qmail-smtpd and qmail-remote/local level.

This is the page where the DKIM configuration is shortly explained.

EXT-TODO patch

• Authors: Claudio Jeker and Andre Oppermann's
• Release: 5. Jan. 2003
• http://www.nrg4u.com/qmail/ext_todo-20030105.patch

addresses a problem known as the silly qmail (queue)  problem.

BIG-TODO patch

• Author: Russell Nelson
• http://www.qmail.org/big-todo.103.patch

Makes qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.

qmail-inject-null-sender patch

• Author: Stéphane Cottin
• Download from local
• More info here

Prevents qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.

doublebounce-trim patch

• Authors: Russell Nelson (modified version by Charles Cazabon)
• http://qmail.org/doublebounce-trim.patch
• Download from local

Prevents double bounces from hitting your queue a second time provided that you delete the first line from /var/qmail/control/doublebounceto

esmtp-size patch

• Author: Will Harris' (?)
• http://will.harris.ch/qmail-smtpd.c.diff
• More info

Enables qmail-smtpd to reject messages if they’re larger than the maximum number of bytes allowed (you can set this value in the /var/qmail/control/databytes control file).

qmail-tap

• Author: Inter7
• http://www.inter7.com/index.php?page=qmailtap
• Download from local

Provides the ability to archive each email that flows through the system.

qmail-remote CRLF patch

• Author: Rolf Eike Beer
• http://opensource.sf-tec.de/qmail/ (diff)

Enables qmail-remote to handle CR (\r) properly, always sending the line breaks as CRLF (\r\n) and avoiding to double the CR (like qmail-remote normally does). This often caused me a broken header when forwarding messages by means of a sieve rule.