- Mar 12, 2023
- The mail headers will change from "ESMTPA" to "ESMTPSA" when the user is authenticated via starttls/smtps (tx Ali Erturk TURKER) diff here
- Feb 16, 2022
- fixed a TLS Renegotiation DoS vulnerability. Disabled all renegotiation in TLSv1.2 and earlier (only openssl-1.1). (diff here)
I have put into a package the latest version of the following patches for
You may be interested to the combined patch I have put together here.
- Author: Erwin Hoffmann (updates the previous work of Krysztof Dabrowski and Bjoern Kalkbrenner)
- Version 0.8.3
- Info: http://www.fehcom.de/qmail/smtpauth.html
plain authentication support.
Fixed an issue on wrong capabilities in the ehlo message (thanks to Florian and genconc): removed the "-" sign before the AUTH verb
- if (smtpauth == 1 || smtpauth == 11) out("250-AUTH LOGIN PLAIN\r\n"); - if (smtpauth == 3 || smtpauth == 13) out("250-AUTH LOGIN PLAIN CRAM-MD5\r\n"); - if (smtpauth == 2 || smtpauth == 12) out("250-AUTH CRAM-MD5\r\n"); + if (smtpauth == 1 || smtpauth == 11) out("250 AUTH LOGIN PLAIN\r\n"); + if (smtpauth == 3 || smtpauth == 13) out("250 AUTH LOGIN PLAIN CRAM-MD5\r\n"); + if (smtpauth == 2 || smtpauth == 12) out("250 AUTH CRAM-MD5\r\n");
remember to restore the "-" sign if you are going to append a new line to the ehlo message.
- Author: Frederik Vermeulen
- Info: http://inoa.net/qmail-tls/
- Version 20200107
Implements TLS encrypted and authenticated SMTP between the MTAs and from MUA to MTA.
- Author: Marcel Telka
- Download original
- Version: 2016.05.15
qmail to require TLS before authentication to improve security.
wget https://notes.sagredo.eu/files/qmail/roberto-netqmail-1.06_auth_tls_force-tls.patch-latest wget http://qmail.org/netqmail-1.06.tar.gz tar xzf netqmail-1.06.tar.gz cd netqmail-1.06 chown -R root.root . patch < ../roberto-netqmail-1.06_auth_tls_force-tls.patch-latest make make setup check
By default the authentication will be denied if the client does not provide the STARTTLS command. If you want to allow connections without TLS, just do
run file. Values different from 0 or no declaration at all will force the TLS before the auth.
Managing auth options
You may want to take a look to the README.auth file expecially if you are planning to enable CRAM-MD5 auth.
Be aware that you have to export SMTPAUTH in you run file.
Creating an SSL key file
To secure the smtp authentication you must create the SSL certificate. The certificate must be owned by the user who runs
qmail-smtpd, in our case vpopmail.
> make cert Generating a 1024 bit RSA private key ..................++++++ .......++++++ writing new private key to '/var/qmail/control/servercert.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:IT State or Province Name (full name) [Some-State]:Italy Locality Name (eg, city) :Cagliari Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Name Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :smtp.yourdomain.net Email Address :email@example.com > make tmprsadh > chown vpopmail.vchkpw /var/qmail/control/*.pem
It is important that the “Common Name” matches the domain name that your email clients will specify as their SMTP server.
Now let’s create a cronjob to update the certificate every day:
> crontab -e 03 05 * * * /var/qmail/bin/update_tmprsadh > /dev/null 2>&1
Important: If you run
qmail-submission as a user other than
vpopmail, and you’re installing my combined patch, you must adjust
/var/qmail/bin/update_tmprsadh accordingly. Otherwise you’ll probably exceed the connection timeout due to privilege problems, and won’t be able to send messages when connected remotely.
I have written a page concerning the creation of a certificate of third party (letsencrypt) for qmail. More info here.