Patching qmail

March 18, 2023 Roberto Puzzanghera 413 comments


  • Mar 18, 2023
    - bugfix in dkimverify.cpp: now it checks if k= tag is missing (tx Raisa for providing detailed info)
    - redundant esmtp-size patch removed, as the SIZE check is already done by the qmail-authentication patch (tx Ali Erturk TURKER) diff here
  • Mar 17, 2023
    - Restoring the 2023.01.31 patch as a bug in the current version is under inspection
  • Mar 14, 2023
    - The split_str() function in dknewkey was modified in order to work on debian 11 (tx J)
  • Mar 12, 2023
    - The mail headers will change from "ESMTPA" to "ESMTPSA" when the user is authenticated via starttls/smtps (tx Ali Erturk TURKER) diff here
  • Mar 1, 2023
    - added qmail-fastremote patch (tx Ali Erturk TURKER for the advise)
    - qmail-remote CRLF removed (replaced by fastremote)
  • Feb 27, 2023
    - Now qmail-remote is rfc2821 compliant even for implicit TLS (SMTPS) connections (tx Ali Erturk TURKER)
  • Feb 24, 2023
    - several missing references to control/badmailto and control/badmailtonorelay files were corrected to control/badrcptto and control/badrcpttonorelay (tx Ali Erturk TURKER) diff here
  • Feb 19, 2023
    - dkim patch upgraded to v. 1.37
    * ed25519 support​ (RFC 8463)
    * old yahoo's domainkeys stuff removed (no longer need the libdomainkeys.a library)

Configuring DKIM for qmail

March 18, 2023 Roberto Puzzanghera 185 comments

This note concerns the DKIM patch embedded in my combined patch (more info here). This topic is advanced and you can skip it at the beginning.

DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication. The validation technique is based on public-key cryptography: Responsibility is claimed by the signer by adding a domain name to the message and then also affixing a digital signature of it and the message. The value is placed in the DKIM-Signature: header field. The verifier recovers the signer's public key using the DNS, and then verifies the signature.

You are invited to take a look to the man pages starting from dkim(8) and spawn-filter(8).


  • Mar 18, 2023
    - bugfix in dkimverify.cpp: now it checks if k= tag is missing (tx Raisa for providing detailed info)
  • Mar 14, 2023
    - The split_str() function in dknewkey was modified in order to work on debian 11 (tx J)
  • Feb 19, 2023 (v. 1.37 upgrade)
    - ed25519 support​ (RFC 8463)
    - multiple signatures/selectors via the enhanced control/dkimkeys or DKIMSIGNDKIMSIGNEXTRADKIMSIGNOPTIONS  DKIMSIGNOPTIONSEXTRA variables
    - domainkey script replaced by dknewkey in order to create ed25519 keys and rsa keys with 1024/2048/4096 bit
    - dropped yahoo's domainkeys support (no longer need the libdomainkeys.a library)
    - man pages revised and enhanced
    - domainkeys directory moved to /var/qmail/control/domainkeys
    - the documentation in this page has been revised. You can find how to sign with the rsa key together with the ed25519 key below.


February 18, 2023 Roberto Puzzanghera 30 comments

vqadmin is a web based control panel that allows system administrators to perform actions which require root access — for example, adding and deleting domains.


Installing and configuring vpopmail

February 18, 2023 Roberto Puzzanghera 88 comments

Vpopmail provides an easy way to manage virtual email domains and non /etc/passwd email accounts on your mail servers.

The purpose of this note is to show how to use Mysql as the authentication system. Having a users database also offers the advantage of communicating with the database via PHP, and creating web-based user interfaces to manage accounts.

Patch details

The patch we'll apply is the result of the following bunch of patches:

  • sql-aliasdomains patch, which makes vpopmail save the aliasdomains to MySQL. This makes the dovecot sql auth driver aware of the aliasdomains, provided that you modify the sql query as well (see the dovecot page for more info).
  • defaultdelivery patch, which makes vpopmail to copy your favourite delivery agent (stored in QMAILDIR/control/defauldelivery) into the .qmail-default file of any newly created domain, overriding the default vpopmail's behaviour, where vpopmail copies its delivery agent vdelivermail. You have to configure with --enable-defaultdelivery to enable this.
    If the functionality is disabled (--disable-defaultdelivery, which is the default option) vdelivermail is installed with the "delete" option instead of "bounce-no-mailbox", which is not reasonable anymore.
  • dovecot-sql-procedures patch
    If you want to use the dovecot's sql auth driver with one table for each domain (--disable-many-domains) you have to heavily customize your queries to the sql database. With this patch vpopmail installs the sql procedures and functions in the database when you create a new domain. The procedures can be called by dovecot to perform the auth.
    The sql stuff supports aliasdomains and mysql limits and will be loaded from ~/vpopmail/etc/disable-many-domains_procedures.sql. You can customize the sql procedure editing this file.
    You have to configure with --enable-mysql-bin=PATH as we have to install the procedures calling the mysql bin as a shell command (no way to load an sql query from a file in C language, comments welcome).
  • vusaged configure patch
    It seems that at least on Debian 11 vusaged refuses to run the configure successfully, as the mysql libraries are not linked (configure: error: No vauth_getpw in libvpopmail). After some inspection, I noticed that avoiding the break of the configure command, the following make command will find libmysqlclient and compile with no problems, and the program works as expected.
    NB: an autoreconf -f -i into the vusaged directory is needed before configuring, as the script was modified.
  • recipient check patch. It can be used with Erwin Hoffmann's s/qmail to accomplish the recipient check. Not important in my installation, look at doc/README.vrcptcheck for more info.
  • vuserinfo-D_newline, a cosmetic patch which prints a new line to separate users' infos when typing "vuserinfo -D domain"
  • gcc-10-compat patch, which gets vpopmail to compile with gcc-10
  • A fix to the following issues (patch by Ali Erturk TURKER):
    - vdelivermail.c checks spamassassin permissions, instead of maildrop permissions.
    - vopen_smtp_relay() return values corrected, so that open_smtp_relay() can detect and report database connection errors (vmysql.c, voracle.pc, vpgsql.c )
    - vdel_limits() core-dumps if a database connection is not available beforehand. (vmysql.c, voracle.pc)