Guide updated on 29th of December 2011

Install qmail, ucspi-tcp and ucspi-ssl


Here we are! We'll proceed with the core install.

We'll use the source package for Qmail itself, written by Dan Bernstein. While Qmail is available as a Debian source package, that package installs parts of it in very different places, which would render much of the available documentation invalid. Thus, we're going to stick with the original source package instead. It's a little old by itself, but we're going to supercharge it with John Simpson's combined patch set shortly.

FYI: A very good visual representation of how Qmail works can be found in ‘The Big Qmail Picture’

Extract the sources

cd /usr/src/qmail
tar -zxvf /downloads/qmail-1.03.tar.gz

Qmail

Patch it with John M. Simpson's combined patches (includes every patch which is part of netqmail-1.05 ... but also some others!)

cd /usr/src/qmail/qmail-1.03
patch < /downloads/patches/qmail-1.03-jms1-7.10.patch

Compile it

make man
make setup check

Make the man pages and config files available in the usual Debian way

echo 'MANDATORY_MANPATH /var/qmail/man' >> /etc/manpath.config
ln -s /var/qmail/control /etc/qmail

Now let's generate the certificate that will be used to encrypt your server's SMTP sessions over TLS. The sed command first changes the certificate validity set in the Makefile from 366 days to 3650 days.

sed -i 's/-days 366/-days 3650/' Makefile
make cert

Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Your FQDN server
Email Address []:Your e-mail address

Adapt certificate permissions

cd /var/qmail/control
chmod 640 servercert.pem
chown vpopmail:vchkpw servercert.pem
rm clientcert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem
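
A way to re-check the result of the permission steps above, as an added example that is not part of the original guide: the hypothetical helper audit_pem flags a PEM file that holds a private key while its mode grants more than the 640 set here, and, when openssl is installed, a certificate that expires within the given number of days. It assumes GNU stat, as on Debian.

```shell
# Added example (not from the guide). audit_pem is a hypothetical helper.
# Usage: audit_pem FILE [MAX_MODE] [DAYS]
# Prints findings; returns 0 when clean, 1 when a problem was found.
# Assumes GNU stat (Debian); the expiry check runs only if openssl exists.
audit_pem() {
    pem_file=$1
    pem_max=${2:-640}     # mode applied by the guide's chmod
    pem_days=${3:-30}     # flag certificates expiring this soon
    pem_rc=0

    if [ ! -f "$pem_file" ]; then
        echo "FAIL $pem_file: missing"
        return 1
    fi

    pem_mode=$(stat -c '%a' "$pem_file")
    echo "INFO $pem_file: mode=$pem_mode owner=$(stat -c '%U:%G' "$pem_file")"

    # make cert writes the private key and the certificate into one file,
    # so any permission bit beyond pem_max exposes the key.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem_file"; then
        if [ $(( 0$pem_mode & ~0$pem_max & 07777 )) -ne 0 ]; then
            echo "FAIL $pem_file: private key present, mode $pem_mode exceeds $pem_max"
            pem_rc=1
        fi
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if command -v openssl >/dev/null 2>&1 &&
       grep -q -e '-----BEGIN CERTIFICATE-----' "$pem_file"; then
        if ! openssl x509 -in "$pem_file" -noout \
                -checkend $(( pem_days * 86400 )) >/dev/null 2>&1; then
            echo "FAIL $pem_file: certificate expires within $pem_days days"
            pem_rc=1
        fi
    fi
    return $pem_rc
}

# Run against the files the guide creates, when they exist.
for f in /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem; do
    if [ -f "$f" ]; then audit_pem "$f" 640 30 || true; fi
done
```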

UCSPI-TCP and UCSPI-SSL

UCSPI-TCP (aka tcpserver) is a client/server program that manages TCP connections (like inetd or xinetd, but with really useful features for working in combination with Qmail).

For more information on it, its home page is located here: http://cr.yp.to/ucspi-tcp.html

UCSPI-TCP has already been installed from a Debian package, but the SSL version has to be installed manually (it's not in the repository for licensing reasons).

mkdir /packages
chmod 1755 /packages
cd /tmp
tar -zxvf /downloads/ucspi-ssl-0.70.tar.gz

mv /tmp/host/superscript.com/net/ucspi-ssl-0.70/ /packages
cd /packages/ucspi-ssl-0.70/
rm -rf /tmp/host/

sed -i 's/local\///' src/conf-tcpbin
sed -i 's/usr\/local/etc/' src/conf-cadir
sed -i 's/usr\/local\/ssl\/pem/etc\/ssl/' src/conf-dhfile
openssl dhparam -check -text -5 -out /etc/ssl/dh1024.pem 1024
(This takes a long time.)

package/compile
package/rts
package/install

Note: package/rts takes a long time, and you can ignore its error messages about no ciphers available and unable to verify server certificate.


Users comments
Thibs - 18/01/2012 02:04

@Michiel : I think I know why it's not working.

I've read http://www.thedumbterminal.co.uk/software/qmail_pci.shtml and it seems the patches used are netqmail-1.05-tls-smtpauth-20070417.patch and netqmail-1.06_tls_auth_high_sec.patch

In this guide, the combined patch http://qmail.jms1.net/patches/combined-details.shtml is used where it's not the same smtpauth patch (qmail-smtpd-auth) and where the second patch is not applied

Thibs - 18/01/2012 01:13

@Michiel : I've never tried to disable SSLv2 and don't know how to do it.

Did you try to export an environment variable "TLSCIPHERS" as suggested in http://www.qmailwiki.org/index.php/Qmail-control-files#control.2Ftlsserverciphers ?

If yes and if it's not working, I can just advise you to read this page http://qmail.jms1.net/tls-auth.shtml

You won't find there the answer you are looking for ... but it's a good start to learn about this

Michiel - 10/01/2012 14:36

Hi,

I am trying to disable SSLv2 following http://www.qmailwiki.org/index.php/Qmail-control-files

But no matter what I do I always am able to get an SSLv2 connection on port 465 by testing: openssl s_client -connect mail.domain.com:465 -ssl2

Can you advise me how I can disable SSLv2? I think the TLS patch should take care of the /var/qmail/control/tlsserverciphers file but it does not, also setting the TLSCIPHERS variable in one of the /service/qmail-smtpssl/run or /service/qmail-smtp/run does not work.
SSLv2 is old and insecure, should be disabled by default :)

Thanks for your help.

Michiel

Fred - 06/12/2011 13:55

I have this after running package/rts

 

< sslclient: fatal: unable to verify server certificate
< 111
---
> sslperlchanged environment
> 0
31,32c31
< sslclient: fatal: unable to verify server certificate
< 111
---
> 0
80a80,82
> log: NOW=
> log: changed environment
> sslperl: done ...
94a97
> sslperl: done ...

 

Is it normal?

Thibs - 02/09/2011 09:44

If you want to renew your certificates, you can follow this guide : http://www.pc-freak.net/blog/how-to-renew-self-signed-qmail-toaster-and-qmail-rocks-expired-ssl-pem-certificate/

Thibs - 14/04/2011 08:44

@Mark : Yes it's normal to get it twice

Mark - 09/04/2011 11:51

About package/rts

I'm getting this error twice:

sslclient: fatal: unable to SSL connect:protocol error

Can this also be ignored?

Thibs - 30/03/2011 15:02

As you can read on http://qmail.org/netqmail/CHANGES, the only difference between netqmail 1.05 and netqmail 1.06 is the license.

Fred - 08/07/2010 17:06

What about the patches included in netqmail-1.06?

