mail server

Configuring DKIM for qmail

This note concerns the DKIM patch embedded in my combined patch (more info here). This topic is advanced and you can skip it at the beginning.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. The validation technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a domain name to the message and then also affixing a digital signature of it and the message. The value is placed in the DKIM-Signature: header field. The verifier recovers the signer's public key using the DNS, and then verifies the signature.

You are invited to take a look to the man pages starting from dkim(8) and spawn-filter(8).


  • 2017-05-14
    -DKIM patch updated to v. 1.20
    It now manages long TXT records, avoiding the rejection of some messages.
  • 2016-03-09
    Upgraded to v. 1.19: verification will not fail when a dkim signature does not include the subject provided that the   UNSIGNED_SUBJECT environment variable is declared. More info here


I would like to address a special thank to Manvendra Bhangui, the author of the DKIM patch, for kindly assisting me during all the configuration.

Patching qmail


The complete changelog is inside the patch file.

  • 2017-05-14
    -DKIM patch updated to v. 1.20
    It now Manages long TXT records, avoiding the rejection of some messages.
  • 2016-12-19
    -Several new patches and improvements added (thanks to Luca Franceschini)
    More info here
    -qregex patch
    -brtlimit patch
    -validrcptto patch
    -rbl patch (updates qmail-dnsbl patch)
    -reject-relay-test patch
    -added DISABLETLS environment variable, useful if you want to disable TLS on a desired port
    -added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical
    -fixed little bug in 'mail from' address handling (patch by Andre Opperman at
    -added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins
    -qlog patch
    -reject null senders patch
    -qmail-taps-extended (updates qmail-tap)
  • 2016-12-02
    -fixed BUG in qmail-remote.c: in case of remote servers not allowing EHLO the response for an alternative HELO was checked twice, making the connection to die. (Thanks to Luca Franceschini)
    Patch applied:
  • 2016-09-18
    -qmail-tls patch updated to v. 20160918
      * bug: qmail-remote accepting any dNSName, without checking that is matched (E. Surovegin)
      * bug: documentation regarding RSA and DH keys (K. Peter, G. A. Bofill)

I have created a combined patch including the latest versions of several commonly-used qmail patches:

[Follow the patch details here]

Other patches:

smtp-auth + qmail-tls + forcetls patch for qmail


  • 2016-09-19
    -qmail-tls patch updated to v. 20160918
      * bug: qmail-remote accepting any dNSName, without checking that is matches (E. Surovegin)
      * bug: documentation regarding RSA and DH keys (K. Peter, G. A. Bofill)
  • 2016-05-15 force-tls patch improved (a big thanks to Marcel Telka). Now qmail-smtpd avoid to write the auth verb if the STARTTLS command was not sent by the client
  • 2015-12-26 qmail-tls: updated to v. 20151215
    * typo in #if OPENSSL_VERSION_NUMBER for 2015-12-08 patch release (V. Smith)
    * add ECDH to qmail-smtpd
    * increase size of RSA and DH pregenerated keys to 2048 bits
    * qmail-smtpd sets RELAYCLIENT if relaying allowed by cert
  • 2015-10-05 qmail-authentication: updated to v. 0.8.3
  • 2015.08-24 fixed a bug on qmail-smtpd.c causing a double 250-STARTTLS, thanks to Andreas
  • 2015.08.08 fixed a bug on qmail-remote.c that was causing the sending of an additional ehlo greeting, thanks to Cristoph Grover

I have put into a package the latest version of the following patches for netqmail-1.06. You may be interested to the combined patch I have put together here.


Provides cram-md5, login, plain authentication support.
Fixed an issue on wrong capabilities in the ehlo message (thanks to Florian and genconc): removed the "-" sign before the AUTH verb

-  if (smtpauth == 1 || smtpauth == 11) out("250-AUTH LOGIN PLAIN\r\n");
-  if (smtpauth == 3 || smtpauth == 13) out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n");
-  if (smtpauth == 2 || smtpauth == 12) out("250-AUTH CRAM-MD5\r\n");
+  if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n");
+  if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n");
+  if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");

remember to restore the "-" sign if you are going to append a new line to the ehlo message.


Implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA.


Optionally gets qmail to require TLS before authentication to improve security.

qmail + vpopmail + Dovecot | Roberto's qmail notes


Quoting D. J. Bernstein definition

qmail is a secure, reliable, efficient, simple message transfer agent. It is designed for typical Internet-connected UNIX hosts


You can find a comprehensible introduction on how a mail server works in this page of the Dovecot site. The qmail newbie's guide to relaying by Chris Johnson is very clear. It’s very suitable reading material for someone who’s just getting started.


The aim of this short guide is NOT to teach you how a mail server works, even though by the time you’re finished reading it you will hopefully have a working e-mail server. These notes just serve as a reminder of the main steps to follow in order to build a quick installation of qmail and related software. I published them because of the lack of any up-to-date documentation concerning the qmail “distributions” I was familiar with, hoping that these notes could be useful to others out there. And I created this guide partly just because I enjoy doing this kind of thing.
Therefore, to learn in depth how a mail server works, you are invited to read carefully at least the references I will mention in each page.

Secondly, I am NOT responsible for what you do with your server :) Use my guide at your own risk.

Finally, comments, criticisms and suggestions are always welcome! :-p

Which distro?

These notes have been written without a specific Linux distribution in mind. I tested them on my Slackware virtual mail servers, both 64 and 32 bit, and a number of guys out there can confirm that it works with other common distributions.

Is this a toaster?

According to the DJB's definition of a toaster, the answer would be yes. I personally consider a toaster something a la Bill Shupp or qmailtoaster, which comes with the packages included. Since I prefer to let you check for the latest versions of everything yourself, strictly speaking this shouldn’t properly be considered a toaster. I would simply call this site “Roberto’s qmail notes” instead. At any rate, I’ve included a paragraph about qmail toasters here just to satisfy the search engines -as most people come here actually looking for a toaster :)).

Before we start...

As I am not  a native english speaker, I will gladly accept every hint to improve the understanding of this guide.

Adjusting the tcprules files for qmail

This is my tcprules file:

> more /home/vpopmail/etc/tcp.smtp,RELAYCLIENT="",SMTPD_GREETDELAY="0",RELAYCLIENT="",SMTPD_GREETDELAY="0"

As you can see, the localhost, the internal subnet 10.0.0., and the external server's IP are allowed to use the MTA as a relay (RELAYCLIENT=""), and does not face a GREETDELAY.

All other clients are allowed to send us emails (allow:), will face a GREETDELAY specified in the qmail-smtpd run script, and are not allowed to use our MTA as a relay.

Testing ESMTP-SIZE patch for qmail

The patch allows the qmail-smtpd to reject the message if it's too big according to its accepted databytes before it has been received.

Installing and configuring vpopmail

Vpopmail provides an easy way to manage virtual email domains and non /etc/passwd email accounts on your mail servers.

The purpose of this note is to show how to use Mysql as the authentication system. Having a users database also offers the advantage of communicating with the database via PHP, and creating web-based user interfaces to manage accounts.

Setting up rblsmtpd

NB: you can skip this page if you decided to use qmail-dnsbl instead


A Realtime Blackhole List (RBL) is a list of addresses that an RBL list supplier believes are a source of Spam.
rblsmtpd blocks mail from RBL-listed sites. It works with any SMTP server that can run under tcpserver.

qmail-smtpd's run script is already set to run rblsmtpd before qmail-smtpd. The following lines are related to rblsmtpd (others are omitted):

# This enables greetdelay anti-spam functionality on rblsmtpd
export GREETDELAY=15

# This disables rblsmtpd reject
#export RBLSMTPD=""

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
    /usr/local/bin/tcpserver -v -H -R -l 0 \
    -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 25 \
    /usr/local/bin/rblsmtpd -W \
        -b -r \
        -b -r \
    /var/qmail/bin/qmail-smtpd 2>&1

Configuring qmail

Defining alias and control files

echo 3 > /var/qmail/control/spfbehavior
echo "| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox" > /var/qmail/control/defaultdelivery
echo 20 > /var/qmail/control/concurrencyincoming
echo > /var/qmail/control/bouncefrom

Greetdelay for qmail

  • Download here
  • Author of the patch: John Simpson (?)

I replaced the original greetdelay by Erwin Hoffmann with the patch by John Simpson. Now communications trying to send commands before the greeting will be closed provided that you declare DROP_PRE_GREET; premature disconnections will be logged as well.This is the log line you will get: