April 17, 2019 Roberto Puzzanghera77 comments
qmail-smtpdnow retains authentication upon rset (tx to Andreas)
qmail-smtpd.ccausing a double 250-STARTTLS, thanks to Andreas
qmail-remote.cthat was causing the sending of an additional ehlo greeting, thanks to Cristoph Grover
I have put into a package the latest version of the following patches for
netqmail-1.06. You may be interested to the combined patch I have put together here.
plain authentication support.
Fixed an issue on wrong capabilities in the ehlo message (thanks to Florian and genconc): removed the "-" sign before the AUTH verb
- if (smtpauth == 1 || smtpauth == 11) out("250-AUTH LOGIN PLAIN\r\n"); - if (smtpauth == 3 || smtpauth == 13) out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n"); - if (smtpauth == 2 || smtpauth == 12) out("250-AUTH CRAM-MD5\r\n"); + if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n"); + if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n"); + if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");
remember to restore the "-" sign if you are going to append a new line to the ehlo message.
Implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA.
qmail to require TLS before authentication to improve security.
wget https://notes.sagredo.eu/files/qmail/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest wget http://qmail.org/netqmail-1.06.tar.gz tar xzf netqmail-1.06.tar.gz cd netqmail-1.06 chown -R root.root . patch < ../roberto-netqmail-1.06_auth_tls_force-tls.patch-latest make make setup check
By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do
run file. Values different from 0 or no declaration at all will force the TLS before the auth.
You may want to take a look to the README.auth file expecially if you are planning to enable CRAM-MD5 auth.
Be aware that you have to export SMTPAUTH in you run file.
To secure the smtp authentication you must create the SSL certificate. The certificate must be owned by the user who runs
qmail-smtpd, in our case vpopmail.
> make cert Generating a 1024 bit RSA private key ..................++++++ .......++++++ writing new private key to '/var/qmail/control/servercert.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IT State or Province Name (full name) [Some-State]:Italy Locality Name (eg, city) :Cagliari Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :smtp.yourdomain.net Email Address :email@example.com > make tmprsadh > chown vpopmail.vchkpw /var/qmail/control/*.pem
It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.
Now let’s create a cronjob to update the certificate every day:
> crontab -e 03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
Important: If you run
qmail-submission as a user other than
vpopmail, and you’re installing my combined patch, you must adjust
/var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.
I have written a page concerning the creation of a certificate of third party (letsencrypt) for qmail. More info here.
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver mariadb mediawiki mozilla mysql owncloud patches php proftpd qmail qmailadmin rbl roundcube rsync sieve simscan slackware spamassassin ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin