- Nov 20, 2023
* The patch now by default excludes X-Arc-Authentication-Results
* dkim can additionally use the environment variable EXCLUDE_DKIMSIGN to include colon separated list of headers to be excluded from signing (just like qmail-dkim). If -X option is used with dk-filter, it overrides the value of EXCLUDE_DKIMSIGN.
- Sep 26, 2023
-surblfilter logs the rejected URL in the qmail-smtpd log. It can now inspect both http and https URLs.
-Improvements in man dkim.9, qmail-dkim.9 and surblfilter.9
- Sep 5, 2023
-DKIM patch upgraded to v. 1.42
*dk-filter.sh: "source $envfn" has been replaced with ". $envfn" in oder to work for pure bourne shells
*minor corrections to the man pages
- Aug 20, 2023 (diff)
-install a sample control/smtpplugins file in case it does not exist yet, to avoid "unable to read control" crash.
- Jul 5, 2023 (diff)
-vpopmail-dir.sh: now uses getent to gain compatibility with alpine/docker (tx BenV)
- Jun 30, 2023
-DKIM patch upgraded to v. 1.41
*dknewkey will allow domains in control/domainkey
*Made a few adjustments to the man pages and dkimsign.cpp for DKIMDOMAIN to work with qmail-smtpd (in case some configures qmail-smtpd to sign instead of the usual dk-filter/qmail-remote)
-The broken link based on pobox.com in the default SPF error explanation was changed to https://mxtoolbox.com/SuperTool.aspx?action=spf
- Jun 18, 2023 (diff)
-vpopmail uid and gid are determined dinamically instead of assigning 89:89 ids by default
-vpopmail install directory determined dinamically (was /home/vpopmail). Now the variable in the conf-cc file is determined as well.
Feel free to post any issue in the comments as I'm not sure that /bin/sh will work in all Linux.
- Feb 19, 2023
- dkim patch upgraded to v. 1.37
* ed25519 support (RFC 8463)
* dropped old yahoo's domainkeys stuff (no longer need the libdomainkeys.a library)
I have created a combined patch including the latest versions of several commonly-used
- qmail queue custom error
- oversize DNS
- reread concurrency
- big concurrency
- big concurrency fix
- Better qmail-smtpd logging
- SMTP HELO/EHLO Greeting delay
- DKIM and SURBL
- qmail-smtpd liberal-lf
- reject null senders
You're invited to take a look at the next page of this guide, which presents several tests for these patches toward the bottom of the page.
- Download: http://www.libsrs2.org/
This library is a prerequisite of the SRS patch, which is part of my package. You must install this, otherwise the compilation will break.
wget http://www.libsrs2.org/srs/libsrs2-1.0.18.tar.gz tar xzf libsrs2-1.0.18.tar.gz cd libsrs2-1.0.18 ./configure make make install ldconfig cd ../
Be sure that libsrs2 is actually linked, otherwise you are going to have a
qmail-send infinite crash and finally an auto-DoS:
> ldconfig -p|grep libsrs2 libsrs2.so.0 (libc6,x86-64) => /usr/local/lib/libsrs2.so.0 libsrs2.so (libc6,x86-64) => /usr/local/lib/libsrs2.so
In case you decided to install the
libsrs2 library by means of a package provided by your Linux distribution, you should check the path where the library was installed. Check if the file
/usr/local/include/srs2.h actually exists; if not you may have to modify the
srs.c in the
netqmail source directory as follows:
#include </usr/local/include/srs2.h>#include </usr/include/srs2.h>
Apply the patch
wget https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/roberto-netqmail-1.06.patch-latest.gz cd netqmail-1.06 gunzip -c ../roberto-netqmail-1.06.patch-latest.gz | patch
The combined patch you downloaded has
chkuser enabled. It’s configured to perform recipient verification and MAV (Mail From: Address Verification).
You can customize your configuration by editing the
chkuser_settings.h file (in
/usr/local/src/netqmail-1.06) before compiling
qmail. In order to enable
chkuser, the following line must be uncommented:
#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
Uncomment to enable the check of user and domain format for sender address. This will reject fake senders without any domain declared.
Uncomment to enable checking of domain MX for rcpt addresses
Uncomment to enable checking of domain MX for sender address
This enables usage of "#" and "+" characters within sender address. It is used by SRS (Sender Rewriting Scheme) products.
As far as my MTA is concerned, this solved an "invalid sender address format" reject message prompted by an email address of a mailman mailing list..
By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do
in your run file. Values other than 0 (or not declaring this variable at all) will force TLS before the authentication.
By default the auth is allowed with LOGIN or PLAIN mechanism. You are invited to look at the README.auth file for further details concerning the use of the SMTPAUTH environment variable, expecially if you want to use CRAM-MD5.
If this is a fresh installation for you compile qmail as follows:
make setup check
Then proceed to next paragraph (Creating an SSL key file), as the qmail configuration is presented in the next page.
Those who are upgrading and have qmail already running should stop
qmail before installing it:
The BIG-TODO patch included in my combined patch may require that your queue has to be rebuilt. So be aware that all existing messages in the queue will be destroyed when you erase the queue below.
To discover if your
qmail has messages in the queue:
> qmailctl stat qmail-smtpd: [ up ] (pid 5638) 4 day(s), 22:25:01 qmail-smtpd/log: [ up ] (pid 5642) 4 day(s), 22:25:01 qmail-smtpsd: [ up ] (pid 5662) 4 day(s), 22:25:01 qmail-smtpsd/log: [ up ] (pid 5663) 4 day(s), 22:25:01 qmail-submission: [ up ] (pid 5644) 4 day(s), 22:25:01 qmail-submission/log: [ up ] (pid 5641) 4 day(s), 22:25:01 qmail-send: [ up ] (pid 5664) 4 day(s), 22:25:01 qmail-send/log: [ up ] (pid 5665) 4 day(s), 22:25:01 vpopmaild: [ up ] (pid 5645) 4 day(s), 22:25:01 vpopmaild/log: [ up ] (pid 5660) 4 day(s), 22:25:01 vusaged: [ up ] (pid 5643) 4 day(s), 22:25:01 vusaged/log: [ up ] (pid 5661) 4 day(s), 22:25:01 messages in queue: 0 messages in queue but not yet preprocessed: 0
Only if this will be the first time you install the combined patch (which contains the BIG-TODO patch), you’ll need to rebuild the queue:
rm -r /var/qmail/queue
Now compile, install and restart
make setup qmailctl start
Creating an SSL key file
To secure the
smtp authentication you must create the SSL certificate. The certificate must be owned by the user who runs
vpopmail in our case.
> make cert Generating a 1024 bit RSA private key ..................++++++ .......++++++ writing new private key to '/var/qmail/control/servercert.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IT State or Province Name (full name) [Some-State]:Italy Locality Name (eg, city) :Cagliari Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :smtp.yourdomain.net Email Address :email@example.com > make tmprsadh > chown vpopmail.vchkpw /var/qmail/control/*.pem
It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.
Now let’s create a cronjob to update the certificate every day:
> crontab -e 03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
Important: If you run
qmail-submission as a user other than
vpopmail, and you’re installing my combined patch, you must adjust
/var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.
Installing a Let's Encrypt valid certificate
- Author: Erwin Hoffmann (updates the previous work of Krysztof Dabrowski and Bjoern Kalkbrenner)
- Version 0.8.3 (23.08.2015)
- Info: https://www.fehcom.de/qmail/smtpauth.html
It provides cram-md5, login, plain authentication support for qmail-smtpd (port 587) and qmail-remote.
Added FORCEAUTHMAILFROM environment variable to REQUIRE that authenticated user and 'mail from' are identical.
Added SMTPAUTHMETHOD, SMTPAUTHUSER and SMTP_AUTH_USER env variables for external plugins (see http://qmail-spp.sourceforge.net/doc/)
- Author: Frederik Vermeulen
- Info: http://inoa.net/qmail-tls/
- Version 20200107
- added DISABLETLS environment variable, useful if you want to disable TLS on a desired port
It implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA. I have adjusted the file
.pem files to
vpopmail, which runs
You may be interested to take a look to the page concerning
smtp-auth and TLS testing here.
- Author: Marcel Telka
- Version: 2016.05.15
optionally gets qmail to require TLS before authentication to improve security.
You have to declare FORCETLS=0 if you want to allow the auth without TLS
- Author: Antonio Nati
- Info: http://opensource.interazioni.it/qmail/chkuser.html
- Version 2.0.9
performs recipient verification and Mail From: Address Verification (MAV).
Small adjustments and a bug fix by Luca Franceschini here. Now CHKUSER_DISABLE_VARIABLE, CHKUSER_SENDER_NOCHECK_VARIABLE, CHKUSER_SENDER_FORMAT_NOCHECK, CHKUSER_RCPT_FORMAT_NOCHECK and CHKUSER_RCPT_MX_NOCHECK can be defined at runtime level as well.
You may be interested to take a look to this page concerning chkuser testing.
- Author: Flavio Curti
Enables simscan and qmail-dkim to return the appropriate message for each e-mail that qmail refuses to deliver. Simscan rejects with the name of the virus or the spam-score; qmail-dkim rejects with the verification failure message.
- Author: Christophe Saout.
- Patch modified by Manvendra Bhangui to make it IPv4-mapped IPv6 addresses compliant.
- Info: http://www.saout.de/misc/spf/
- Version rc5
- SPF configuration
It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers.
implements Sender Rewriting Scheme fixing SPF break upon email forwarding. To enable SRS read carefully the configuration instructions above.
This patch enables
qmail to handle large DNS packets.
- Author: Jul
- Version: 2
rereads control/concurrencylocal and control/concurrencyremote files when qmail-send receives a HUP signal.
- Author: Johannes Erdfelt
It sets the spawn limit above 255.
Fixes a compiler error if you set
concurrency higher than 509 in
- Author: Bill Shupp
- Version: 20050125
adds maildirquota support to qmail-pop3d and qmail-local.
Fixed a bug where the filesize part of the S=<filesize> component of the Maildir++ compatible filename is wrong (tx MG). More info here.
- Author: Kyle B. Wheeler
- Version: 5
- Info: http://www.memoryhole.net/qmail/#logging
qmail-smtpd logging its actions and decisions (search for a line starting with
qmail-smtp:). This is useful for discovering fake IP addresses with bad HELO’s when
qmail-smtpd doesn’t log anything.
adds a user-definable delay after SMTP clients have initiated SMTP sessions, prior to qmail-smtpd responding with "220 ESMTP". It can reject connections from clients which tried to send commands before greeting. You can control the delay via the environment variable
SMTPD_GREETDELAY (was GREETDELAY in the original patch). A value of
SMTPD_GREETDELAY=”30” will delay
qmail-smtpd’s response for 30 seconds.
- Author: Manvendra Bhangui (a big thanks for the support)
- qmail-dkim uses hacked libdkim libraries from libdkim project at http://libdkim.sourceforge.net/
surbfilter is built on djb functions and some functions have been ruthlessly borrowed from qmail surbl
interface by Pieter Droogendijk and the surblhost program at http://surblhost.sourceforge.net/
- Version: 1.43
- DKIM configuration
- SURBL configuration
- Original patch
adds DKIM signing & verification support to qmail at both
qmail-remote/local level and SURBL filtering support to qmail.
/var/qmail/control/cache and subdirs assigned to the vpopmail user.
addresses a problem known as the silly qmail (queue) problem.
- Author: Russell Nelson
qmail use a hashing mechanism in the todo folder similar to that used in the rest of the queue.
qmail-inject from rewriting the null sender, fixing an issue with sieve vacation/reject messages.
- Authors: Russell Nelson (modified version by Charles Cazabon)
Prevents double bounces from hitting your queue a second time provided that you delete the first line from
Provides the ability to archive each email that flows through the system. Archiving only messages from or to certain email addresses is possible as well.
- Author: Andy Repton (adjusted by Sergio Gelato)
- Robbie Walker provided a patch to correct qmail-qmqpc.c's call to timeoutconn(), because the function signature was modified by the original outgoingip patch
By default all outgoing emails are sent through the first IP address on the interface. In case of a multiple IP server this patch makes qmail send outgoing emails with the IP eventually stored in control/outgoingip. The ehlo domain is NOT modified by this patch.
makes qmail rfc2821 compliant.
Ali Erturk TURKER added implicit TLS (SMTPS) support (patch here).
makes qmail rfc2821 compliant
- Author: Fabio Busatto
- Modified by Luca Franceschini to add support for whitelists, TXT and A queries, configurable return codes 451 or 553 with custom messages
- More info here
allows you to reject spam and virus looking at the sender's ip address. Added a line to make qmail-smtpd log the reject reason as well as the envelope to facilitate diagnostics.
prevents a problem caused by an MX or other mail routing directive instructing qmail to connect to itself without realizing it's connecting to itself, saving CPU time.
- Author: Alex Nee
It will hide your Private or Public IP in the email Headers when you are sending Mail as a Relay Client.
- Author: John Saunders
causes the various qmail programs to generate date stamps in the local timezone.
- author: Dean Gaudet
- version: 0.95
- download: http://www.arctic.org/~dean/patches/qmail-0.95-liberal-lf.patch (local copy)
qmail-smtpd to accept messages that are terminated with a single
\n instead of the required
- author: Michael Samuel
allows you to set a limit on how many recipients are specified for any one email message by setting
control/maxrcpt. RFC 2821 section 188.8.131.52 says that an MTA MUST allow at least 100 recipients for each message, since this is one of the favourite tricks of the spammer.
I slightly modified the patch also to log its response.
eMPF follows a set of administrator-defined rules describing who can message whom. With this, companies can segregate various parts of their organizations email activities, as well as provide a variety of security-enhancing services.
It's useful in case of spammed servers, to temporarily stop outgoing messages. It adds a line like this in your
2015-03-30 18:05:54.442596500 policy_check: remote firstname.lastname@example.org -> local email@example.com (UNAUTHENTICATED SENDER) 2015-03-30 18:05:54.442612500 policy_check: policy allows transmission
- By Andrew St. Jean. Contributors: Jeremy Kitchen, Alex Pleiner, Thanos Massias. Original patch by Evan Borgstrom
- More info: http://www.arda.homeunix.net/downloads-qmail/ (dead?)
adds the ability to match address evelopes via Regular Expressions (REs) in the qmail-smtpd process.
Added new control file '
control/badrcptto (Tx Luca Franceschini).
- Author: Luca Franceschini, patch derived from goodrcptto-12.patch
- man qmail-smptd
control/brtlimit and BRTLIMIT variable to limit max invalid recipient errors before closing the connection.
- code grabbed by Luca Franceschini from several patches with additional features: http://qmail.jms1.net/patches/validrcptto.cdb.shtml, https://notes.sagredo.eu/files/qmail/patches/goodrcptto-ms-12.patch, http://patch.be/qmail/badrcptto.html.
It works in conjunction with chkuser with both cdb and mysql accounts. Look here for details
- Author: Russell Nelson
- More info here
It gets qmail to reject relay probes generated by so-called anti-spammers. These relay probes have '!', '%' and '@' in the local (username) part of the address.
bug fixed in smtpd.c addrparse function
Fixed a little bug in 'mail from' address handling (see the patch by Andre Opperman at http://qmail.cr.yp.narkive.com/kBry6GJl/bug-in-qmail-smtpd-c-addrparse-function)
smtpd logging with fixed format (note: 'size' field is evaluated only when control/databytes or DATABYTES are set. An entry 'qlogenvelope' is generated after accepting or rejecting every recipients in the envelope phase, example:
qlogenvelope: result=rejected code=553 reason=rblreject detail=b.barracudacentral.org helo=test.machine.it firstname.lastname@example.org email@example.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=184.108.40.206 localport=25 remoteip=220.127.116.11 remoteport=57502 remotehost= qp= id=39156 qlogenvelope: result=accepted code=250 reason=rcptto detail=chkuser helo=test firstname.lastname@example.org email@example.com relay=no rcpthosts=yes size= authuser= authtype= encrypted= sslverified=no localip=18.104.22.168 localport=25 remoteip=22.214.171.124 remoteport=57742 remotehost= qp= pid=37357
an entry 'qlogreceived' is generated after DATA (message accepted o rejected by qmail-queue)
qlogreceived: result=accepted code=250 reason=queueaccept detail= helo=test.machine.it firstname.lastname@example.org email@example.com relay=yes rcpthosts= size= firstname.lastname@example.org,email@example.com authtype=login encrypted=tls sslverified=no localip=192.168.200.162 localport=25 remoteip=192.168.200.162 remoteport=52602 remotehost= qp=30982 pid=30980
- by Luca Franceschini
useful in special cases if you temporarily need to reject the null sender (although breaks RFC compatibility). You just need to put 1 (actually any number different from 0) in your control/rejectnullsenders or define
REJECTNULLSENDERS to reject the null sender with 421 error message.
Removed dns_cname call in qmail-remote.c instead of changing the funcion in dns.c,in case another patch requires dns_cname(). Avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.
- Author: Jonathan de Boyne Pollard
Avoids qmail getting large amounts of DNS data we have no interest in and that may overflow our response buffer.
- Author: Luca Franceschini
(based on original patch from Jay Soffian - download)
- Download the patch
- Download the rcptcheck-overlimit.sh script
- More info here
Originally designed for the purpose of receipt validation, it can also be used to limit the number of email a given IP and/or auth-user and/or domain can send in a given time interval. It has to be used in conjuction with the rcptcheck-overlimit.sh LF's script.
Allows you to add an arbitrary number of supplemental remote queues, each distinguished by a list of recipient domains and separate throttling (concurrency) capabilities. This patch also allows dynamic throttling of the concurrency control files so you can just send qmail-send a HUP signal instead of restarting the service every time.
This patch is useful when some email provider complains of too many emails receveid at the same time (in case of news letters for instance).
Edit conf-channels before compiling: Total number of channels (queues) available for delivery. Must be at least 2, and anything above 2 are considered supplemental channels.
qmail-remote to log sender, recipient and IP adddress all together in the "Delivery success/failure" line
Here is the sample log lines:
@400000004b1bdd4d1f89d84c delivery 10: success: <From:firstname.lastname@example.org_To:email@example.com>_193.140.X.X_accepted_message. /Remote_host_said:_250_ok_1260117440_qp_15626/ @400000004b1bdbb8191f1954 delivery 6: failure: <From:firstname.lastname@example.org_To:email@example.com>_212.252.x._does_not_like_recipient. /Remote_host_said:_550_non-existent_recipient/alici_bulunamadi/Giving_up_on_212.252.x.x/
addresses a vulnerability issue spotted by Georgi Guninski in 2005.
- Author: Pawel Foremski
- Version: 0.42
- More info here
qmail-spp provides plug-in support for
qmail-smtpd. It allows you to write external programs and use them to check
SMTP command argument validity. The plug-in can trigger several actions, like denying a command with an error message, logging data, adding a header and much more.
qmail-spp functionality is disabled by default, so that it will be transparent for ancient users of this patch. If you want to enable
qmail-spp just export the variable
ENABLE_SPP in your run file. Note that the variable
NOSPP is not available in this combined patch.
- Author: Bruce Guenter
- Download original patch
While sending individual messages with qmail consumes very little CPU, sending multiple large messages in parallel can effectively DoS a sender due to inefficiencies in qmail-remote's "blast" function. In its original form, this function scans the message one byte at a time to escape leading periods and newlines, as required by SMTP.
This patch modifies blast to scan the message in larger chunks. Tests show that the change reduces the CPU time consumed by qmail-remote by a factor of 10.