Merry Xmas and happy new... patch!

Massive Christmas present by my italian friend Luca Franceschini of digitalmind. He merged his combo with my combined patch (2016.12.02 version) adding several (heavily customized) patches and functionalities. Luca is an expert system administrator and a C programmer who manages big servers.

Patching qmail


The complete changelog is inside the patch file.

  • 2016-12-19
    -Several new patches and improvements added (thanks to Luca Franceschini)
    More info here http://notes.sagredo.eu/node/178
    -qregex patch
    -brtlimit patch
    -validrcptto patch
    -rbl patch (updates qmail-dnsbl patch)
    -reject-relay-test patch
    -added DISABLETLS environment variable, useful if you want to disable TLS on a desired port
    -added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical
    -fixed little bug in 'mail from' address handling (patch by Andre Opperman at http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)
    -added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins
    -qlog patch
    -reject null senders patch
    -qmail-taps-extended (updates qmail-tap)
  • 2016-12-02
    -fixed BUG in qmail-remote.c: in case of remote servers not allowing EHLO the response for an alternative HELO was checked twice, making the connection to die. (Thanks to Luca Franceschini)
    Patch applied: http://notes.sagredo.eu/sites/notes.sagredo.eu/files/qmail/patches/fix_sagredo_remotehelo.patch
  • 2016-09-18
    -qmail-tls patch updated to v. 20160918
      * bug: qmail-remote accepting any dNSName, without checking that is matched (E. Surovegin)
      * bug: documentation regarding RSA and DH keys (K. Peter, G. A. Bofill)
  • 2016-05-15
    -force-tls patch improved (a big thanks to Marcel Telka). Now qmail-smtpd avoids to write the auth verb if the STARTTLS command was not sent by the client
  • 2016-03-09
    -dkim patch updated to v. 1.19
    * verification will not fail when a dkim signature does not include the subject provided that the  UNSIGNED_SUBJECT environment variable is declared. More info here.
  • 2015-12-26
    -qmail-tls updated to v. 20151215
    * typo in #if OPENSSL_VERSION_NUMBER for 2015-12-08 patch release (V. Smith)
    * add ECDH to qmail-smtpd
    * increase size of RSA and DH pregenerated keys to 2048 bits
    * qmail-smtpd sets RELAYCLIENT if relaying allowed by cert
    more info here

I have created a combined patch including the latest versions of several commonly-used qmail patches:

[Follow the patch details here]

Other patches:

Roundcube webmail

Roundcube is a full featured webmail with a nice interface.

RoundCube 0.8 showing its new skin

smtp-auth + qmail-tls + forcetls patch for qmail


  • 2016-09-19
    -qmail-tls patch updated to v. 20160918
      * bug: qmail-remote accepting any dNSName, without checking that is matches (E. Surovegin)
      * bug: documentation regarding RSA and DH keys (K. Peter, G. A. Bofill)
  • 2016-05-15 force-tls patch improved (a big thanks to Marcel Telka). Now qmail-smtpd avoid to write the auth verb if the STARTTLS command was not sent by the client
  • 2015-12-26 qmail-tls: updated to v. 20151215
    * typo in #if OPENSSL_VERSION_NUMBER for 2015-12-08 patch release (V. Smith)
    * add ECDH to qmail-smtpd
    * increase size of RSA and DH pregenerated keys to 2048 bits
    * qmail-smtpd sets RELAYCLIENT if relaying allowed by cert
  • 2015-10-05 qmail-authentication: updated to v. 0.8.3
  • 2015.08-24 fixed a bug on qmail-smtpd.c causing a double 250-STARTTLS, thanks to Andreas
  • 2015.08.08 fixed a bug on qmail-remote.c that was causing the sending of an additional ehlo greeting, thanks to Cristoph Grover

I have put into a package the latest version of the following patches for netqmail-1.06. You may be interested to the combined patch I have put together here.


Provides cram-md5, login, plain authentication support.
Fixed an issue on wrong capabilities in the ehlo message (thanks to Florian and genconc): removed the "-" sign before the AUTH verb

-  if (smtpauth == 1 || smtpauth == 11) out("250-AUTH LOGIN PLAIN\r\n");
-  if (smtpauth == 3 || smtpauth == 13) out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n");
-  if (smtpauth == 2 || smtpauth == 12) out("250-AUTH CRAM-MD5\r\n");
+  if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n");
+  if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
+  if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");

remember to restore the "-" sign if you are going to append a new line to the ehlo message.


Implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA.


Optionally gets qmail to require TLS before authentication to improve security.

qmail + vpopmail + Dovecot | Roberto's qmail notes


Quoting D. J. Bernstein definition

qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts


You can find a comprehensible introduction on how a mail server works in this page of the Dovecot site. The qmail newbie's guide to relaying by Chris Johnson is very clear. It’s very suitable reading material for someone who’s just getting started.


The aim of this short guide is NOT to teach you how a mail server works, even though by the time you’re finished reading it you will hopefully have a working e-mail server. These notes just serve as a reminder of the main steps to follow in order to build a quick installation of qmail and related software. I published them because of the lack of any up-to-date documentation concerning the qmail “distributions” I was familiar with, hoping that these notes could be useful to others out there. And I created this guide partly just because I enjoy doing this kind of thing.
Therefore, to learn in depth how a mail server works, you are invited to read carefully at least the references I will mention in each page.

Secondly, I am NOT responsible for what you do with your server :) Use my guide at your own risk.

Finally, comments, criticisms and suggestions are always welcome! :-p

Which distro?

These notes have been written without a specific Linux distribution in mind. I tested them on my Slackware virtual mail servers, both 64 and 32 bit, and a number of guys out there can confirm that it works with other common distributions.

Is this a toaster?

According to the DJB's definition of a toaster, the answer would be yes. I personally consider a toaster something a la Bill Shupp or qmailtoaster, which comes with the packages included. Since I prefer to let you check for the latest versions of everything yourself, strictly speaking this shouldn’t properly be considered a toaster. I would simply call this site “Roberto’s qmail notes” instead. At any rate, I’ve included a paragraph about qmail toasters here just to satisfy the search engines -as most people come here actually looking for a toaster :)).

Before we start...

As I am not  a native english speaker, I will gladly accept every hint to improve the understanding of this guide.

Configuring DKIM for qmail

This note concerns the DKIM patch embedded in my combined patch (more info here). This topic is advanced and you can skip it at the beginning.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. The validation technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a domain name to the message and then also affixing a digital signature of it and the message. The value is placed in the DKIM-Signature: header field. The verifier recovers the signer's public key using the DNS, and then verifies the signature.

You are invited to take a look to the man pages starting from dkim(8) and spawn-filter(8).


  • 2016-03-09
    Upgraded to v. 1.19: verification will not fail when a dkim signature does not include the subject provided that the   UNSIGNED_SUBJECT environment variable is declared. More info here


I would like to address a special thank to Manvendra Bhangui, the author of the DKIM patch, for kindly assisting me during all the configuration.

Setting up your firewall with fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

I will show shortly how to install and configure fail2ban to ban malicious IPs, expecially those related to the qmail-dnsrbl patch. This will avoid to be banned ourselves by spamhaus, which is free up to 100.000 queries per day.

Installing and configuring Spamassassin

SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.

Upgrading spamassassain to version 3.4.1

The release of version 3.4.1 was announced on Apr 30 2015. The TxRep plugin is now included and disabled by default for new installs, because it goes in confict with AWL, which must be disabled.

Here is how to update quickly:

qmailctl stop
spamdctl stop
perl -MCPAN -e shell
cpan> o conf prerequisites_policy ask
cpan> force notest install  Mail::SpamAssassin Mail::SpamAssassin::Plugin::Razor2
cpan> quit

Now I enabled all new plugins from /etc/mail/spamassassin/v341.pre and disabled Mail::SpamAssassin::Plugin::AWL from v310.pre. Finally I inserted those two options in my local.cf:

use_txrep 1
txrep_factory Mail::SpamAssassin::SQLBasedAddrList

Then I restarded spamd and qmail

spamdctl start
qmailctl start

qmailadmin password-strenght patch

A big lack of qmail account managers, expecially qmailadmin, is that they do not provide any password complexity check. A couple of days ago I discovered in one of my servers a "test 123456" account and I realized that the time has come to put a patch on it.

Since I had no luck in having cracklib working inside qmailadmin (see crackilib patch, any help  on the purpose would be veeerrry much appreciated) I've quickly found a solution via a javascript form validation, which refuses unsecure passwords. You can easily customize how it decides to accept/refuse the passwords modifying the file pw_strenght_chk.js in the html dir.

Sieve interpreter & Dovecot ManageSieve

The Pigeonhole project provides Sieve support as a plugin for Dovecot's Local Delivery Agent (LDA) and also for its LMTP service. The plugin implements a Sieve interpreter, which filters incoming messages using a script specified in the Sieve language. The Sieve script is provided by the user and, using that Sieve script, the user can customize how incoming messages are handled. Messages can be delivered to specific folders, forwarded, rejected, discarded, etc.

Dovecot Managesieve Server is a service used to manage a user's Sieve script collection.