Patching qmail

June 4, 2023 Roberto Puzzanghera 423 comments


  • Jun 4, 2023 (diff)
    -vpopmail uid and gid are determined dinamically instead of assigning 89:89 ids by default
    -vpopmail install directory determined dinamically (was /home/vpopmail)
  • Apr 26, 2023
    -dkim patch updated to v. 1.40
    -qmail-dkim uses CUSTOM_ERR_FD as file descriptor for errors (more info here)
  • Mar 27, 2023
    -chkuser.c: double hyphens "--" are now allowed also in the rcpt email (tx Ali Erturk TURKER)
    -chkuser_settings.h: CHKUSER_SENDER_NOCHECK_VARIABLE commented out. Sender check is now enabled also for RELAYCLIENT
    -removed a couple of redundant log lines caused by qmail-smtpd-logging
    diff here
  • Mar 18, 2023
    - bugfix in dkimverify.cpp: now it checks if k= tag is missing (tx Raisa for providing detailed info)
    - redundant esmtp-size patch removed, as the SIZE check is already done by the qmail-authentication patch (tx Ali Erturk TURKER) diff here
  • Mar 17, 2023
    - Restoring the 2023.01.31 patch as a bug in the current version is under inspection
  • Mar 14, 2023
    - The split_str() function in dknewkey was modified in order to work on debian 11 (tx J)
  • Mar 12, 2023
    - The mail headers will change from "ESMTPA" to "ESMTPSA" when the user is authenticated via starttls/smtps (tx Ali Erturk TURKER) diff here
  • Mar 1, 2023
    - added qmail-fastremote patch (tx Ali Erturk TURKER for the advise)
    - dropped qmail-remote CRLF (replaced by fastremote)
  • Feb 27, 2023
    - Now qmail-remote is rfc2821 compliant even for implicit TLS (SMTPS) connections (tx Ali Erturk TURKER)
  • Feb 24, 2023
    - several missing references to control/badmailto and control/badmailtonorelay files were corrected to control/badrcptto and control/badrcpttonorelay (tx Ali Erturk TURKER) diff here
  • Feb 19, 2023
    - dkim patch upgraded to v. 1.37
    * ed25519 support​ (RFC 8463)
    * dropped old yahoo's domainkeys stuff (no longer need the libdomainkeys.a library)

Installing a Let's Encrypt certificate for your qmail and dovecot servers

May 18, 2023 Roberto Puzzanghera 20 comments

More info:

Here is how to install and configure a valid certificate from Let's Encrypt for your qmail and dovecot servers. The installation will be done by certbot.

Certbot is part of EFF’s effort to encrypt the entire Internet. Secure communication over the Web relies on HTTPS, which requires the use of a digital certificate that lets browsers verify the identity of web servers (e.g., is that really Web servers obtain their certificates from trusted third parties called certificate authorities (CAs). Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt—an open certificate authority launched by the EFF, Mozilla, and others—and deploys it to a web server.


  • May 18, 2023
    added the option --key-type rsa to the certbot command, to avoid that certbot will silently default to ECDSA the private key format, which results not understandable by my openssl-1.1. In this way the format of the private key will be RSA. More info here.

SURBL filtering configuration

May 16, 2023 Roberto Puzzanghera 20 comments

SURBLs are lists of web sites that have appeared in unsolicited messages. Unlike most lists, SURBLs are not lists of message senders.

Web sites seen in unsolicited messages tend to be more stable than the rapidly changing botnet IP addresses used to send the vast majority of them. Sender lists like can be used in a first stage filter to help identify 80% to 90% of unsolicited messages. SURBLs can help find about 75% of the otherwise difficult, remaining unsolicited messages in a second stage filter. Used together with sender lists, SURBLs have proven to be a highly-effective way to detect 95% of unsolicited messages.

The SURBL filter is part of the DKIM patch by Manvendra Bhangui and it's embedded in my combined patch.


  • May 17, 2023
    -Top level domains URL is changed. The script has been adjusted accordingly



April 25, 2023 Roberto Puzzanghera 93 comments

qmailAdmin is a free software package that provides a web interface for managing a qmail system with virtual domains. It provides admin for adding/deleting users, Aliases, Forwards, Mailing lists and Autoresponders.

Combined patch details

  • qmailadmin-skin, a patch that I created during covid-19 spare time, provides a new responsive skin to the control panel. It modifies everything under the html dir and many .c files in order to adjust the html embedded into the source files. Added a style sheet in the "images" folder and a couple of png files for the qmail logo. It will be much easier to modify the qmailadmin's skin from now on.
  • A patch to call cracklib in order to check for the password strenght. This should avoid unsafe accounts created by domain administrators such as "test 123456".
  • A nice patch (thanks to Tony, original author unknown) which gets qmailadmin to have authentication failures logged. This makes possible to ban malicious IPs via fail2ban. It is required to create the log file /var/log/qma-auth.log initially and assign write priviledges to apache.
  • ezmlm-idx 7 compatibility patch (author unknown), which restores the compatibility with ezmlm-idx-7 (thanks to J.D. Trolinger for the advice).
  • a fix to the catchall account (thanks to Luca Franceschini).
  • another fix to autorespond.c to correct the way .qmail files are modified