Guide updated on 29th of February 2016

Install qmail, ucspi-tcp and ucspi-ssl


Here we are! We'll proceed with the core install.

We'll use the source package for Qmail itself, written by Dan Bernstein. While Qmail is available as a Debian source package, it ends up being installed with parts of it in very different places, which would render much of the available documentation invalid. Thus, we're going to stick with the source package instead. It's a little old by itself, but we're going to supercharge it with John Simpson's combined patch set shortly.

FYI: A very good visual representation of how Qmail works can be found in ‘The Big Qmail Picture’

Extract the sources

cd /usr/src/qmail
tar -zxvf /downloads/qmail-1.03.tar.gz

Qmail

Patch it with John M. Simpson's combined patch set (it includes every patch that is part of netqmail-1.05, plus some others, as you can see in the details section!)

cd /usr/src/qmail/qmail-1.03
patch < /downloads/patches/qmail-1.03-jms1-7.10.patch

Compile it

make man
make setup check

Make the man pages and config files available in the usual Debian way

echo 'MANDATORY_MANPATH /var/qmail/man' >> /etc/manpath.config
ln -s /var/qmail/control /etc/qmail

Now let's generate a certificate that will be used for your server's TLS-encrypted SMTP sessions...

OPTIONAL: Even if you plan to use an officially signed certificate, please do the following and DO NOT use make cert here. You'll have the opportunity to use the same signed certificate for both TLS and Courier at this step.

sed -i 's/-days 366/-days 3650/' Makefile
make cert

Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Your FQDN server
Email Address []:Your e-mail address

Adapt certificate permissions

cd /var/qmail/control
chmod 640 servercert.pem
chown vpopmail:vchkpw servercert.pem
rm clientcert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem

UCSPI-TCP and UCSPI-SSL

UCSPI-TCP (aka tcpserver) is a client/server program that manages TCP connections (like inetd or xinetd, but this one has really useful features for working in combination with Qmail).

For more information on it, its home page is located here: http://cr.yp.to/ucspi-tcp.html

UCSPI-TCP has already been installed from a Debian package (here), but the SSL version has to be installed manually (it's not in the repository for licensing reasons).

mkdir /packages
chmod 1755 /packages
cd /tmp
tar -zxvf /downloads/ucspi-ssl-0.95a.tgz

mv /tmp/host/superscript.com/net/ucspi-ssl-0.95a/ /packages
cd /packages/ucspi-ssl-0.95a/
rm -rf /tmp/host/

sed -i 's/local\///' /packages/ucspi-ssl-0.95a/src/conf-tcpbin
sed -i 's/usr\/local/etc/' /packages/ucspi-ssl-0.95a/src/conf-cadir
sed -i 's/usr\/local\/ssl\/pem/etc\/ssl/' /packages/ucspi-ssl-0.95a/src/conf-dhfile

openssl dhparam -check -text -5 1024 -out /etc/ssl/dh1024.pem

(It takes a long time.)

package/compile

package/install
package/man
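A post-install audit of the certificate permissions, certificate lifetime and DH parameters set up in the steps above, as an added example that is not part of the original guide. It assumes GNU stat/date and the openssl CLI; the expected owners and modes are the ones the guide sets, and QMAIL_CONTROL / DH_FILE are hypothetical overrides for testing on another path.

```shell
#!/bin/sh
# Post-install audit for the certificate, permission and DH-parameter steps
# above. Added example, not part of the original guide; paths and owners are
# the guide's, overridable for testing via QMAIL_CONTROL and DH_FILE.
QMAIL_CONTROL=${QMAIL_CONTROL:-/var/qmail/control}
DH_FILE=${DH_FILE:-/etc/ssl/dh1024.pem}

# check_perms FILE MODE OWNER GROUP -> 0 if mode and ownership match exactly
check_perms() {
  f=$1
  [ -f "$f" ] || { echo "FAIL: $f is missing"; return 1; }
  have=$(stat -c '%a %U %G' "$f")
  if [ "$have" = "$2 $3 $4" ]; then
    echo "ok:   $f ($have)"
  else
    echo "FAIL: $f is '$have', want '$2 $3 $4'"; return 1
  fi
}

# cert_days_left PEM -> prints whole days until notAfter (negative if expired)
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate) || return 1
  end=${end#notAfter=}
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# parse_dh_bits: reads 'openssl dhparam -text' output on stdin and prints the
# modulus size; dh_bits FILE wraps it for a PEM file
parse_dh_bits() { sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'; }
dh_bits() { openssl dhparam -in "$1" -noout -text | parse_dh_bits; }

audit() {
  rc=0
  check_perms "$QMAIL_CONTROL/servercert.pem" 640 vpopmail vchkpw || rc=1
  check_perms "$QMAIL_CONTROL/clientcert.pem" 640 root qmail || rc=1
  days=$(cert_days_left "$QMAIL_CONTROL/servercert.pem") || days=0
  if [ "$days" -gt 30 ]; then
    echo "ok:   servercert.pem still valid for $days days"
  else
    echo "FAIL: servercert.pem expires in $days days (renew it)"; rc=1
  fi
  bits=$(dh_bits "$DH_FILE")
  echo "info: $DH_FILE: ${bits:-unreadable}-bit DH parameters"
  return $rc
}

# Run the audit only when an argument is given, e.g. 'sh audit.sh run'
if [ "$#" -gt 0 ]; then audit; fi
```

A non-zero exit from audit means at least one file has the wrong mode or owner, or the server certificate is within 30 days of expiry.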


User comments
Bob - 23/08/2017 08:45

Installing on ARM32 architecture gives an error where the '-m64' flag is invalid. This happens on the package/compile command.

This can be solved by removing the -m64 argument from compile/load and src/conf-ld.

After that, everything works fine.

Thomas - 17/02/2017 10:21

Michiel: 

I agree! 

I have been working for a while now with ciphers and am trying to disable old versions, but that is not easy.

Have you found a solution?

Michiel - 10/08/2016 22:21

I really think the new documentation should have support for strong ciphers. SSLv2 and v3 are insecure (POODLE attack) and support for strong TLS ciphers (v1.2 with AES-256 etc) would be much appreciated and is much more suited anno 2016.

Think about the NSA and all those government agencies doing MiTM with weak SSL ciphers:

Weak Diffie-Hellman and the Logjam Attack

DROWN Attack

I love Qmail but with correct and up2date patches that support a modern mail setup.

Thanks for the documentation nevertheless :)

Cheers,

Michiel

Bstd - 01/06/2015 11:55

I find it useful to edit the conf-spawn file before compiling, because there is a hardcoded limit of concurrent local and remote deliveries of 120. On a large server this is way too low. Personally, I prefer to set it to the maximum of 65000 and use the control/concurrencylocal and control/concurrencyremote files to actually set the amount of desired concurrent deliveries.

Greets

R0gu3ptm - 31/01/2015 14:02

It seems I found the problem:

# cat /package/ucspi-ssl-0.92/src/conf-ld
gcc -s 

gcc -s -m64

Remove the gcc -s -m64 and it would compile just fine. Cheers.
Mazhar - 02/12/2014 05:57

Getting the following error, how could I solve it?

make: *** [auto-str] Error 1
compile: fatal: cannot make it-base it-sslperl
Bupyca - 09/10/2014 01:24

I've tried to google it but I came out with nothing.

I've tried to install ucspi-ssl-0.94 both on i386 and amd64, but I got the same error with package/compile:

auto-str.c:7:6: warning: conflicting types for built-in function 'puts' [enabled by default]
./load auto-str unix.a
./load: 4: exec: -o: not found
make: *** [auto-str] Error 127
compile: fatal: cannot make it-base it-sslperl
Thibs - 27/08/2014 16:49

Sorry to hear that. I myself have not been using i386 for a long while.

I advise you to contact Erwin Hoffmann, who is the author of the version I'm using in this guide.

You can write to him at: feh AT fehcom.de

http://www.fehcom.de/ipnet/ucspi-ssl.html


Eric - 26/08/2014 16:47

Yes, it fails on the install.  I have checked the other sources that you list on the page and other pages connected to the UCSPI-SSL.  Each one I have tested and each one failed due to trying to run it on a i386.

Thibs - 26/08/2014 09:28

@Eric 

As these are source files, you need to compile them yourself with the command

package/install

Does it fail to compile on i386?

Eric - 25/08/2014 23:15

Is there a UCSPI-SSL for i386? The one above is compiled for AMD64.

Thibs - 20/08/2014 10:19

@Jay: no, because it's not the goal of this tutorial. With a script, most of the time the sysadmin does not understand what he is doing.

Jay - 19/08/2014 11:07

Can you provide bash scripts to auto-run the whole qmail installation?

Thibs - 08/08/2014 10:11

Hello Kenny,

Did you apply the patching of the source?

Your error is an "errno.h" problem!

You can solve it by editing conf-cc
with the following:

gcc -O2 -include /usr/include/errno.h 

This will be used to compile .c files. 

... but it was supposed to be applied with the patching of the sources

Kenny - 07/08/2014 21:17

Hey! need some help with this:

root@mail:/usr/src/qmail/qmail-1.03# make man check
make: Nothing to be done for `man'.
./load auto-str substdio.a error.a str.a
/usr/bin/ld: errno: TLS definition in /lib/x86_64-linux-gnu/libc.so.6 section .tbss mismatches non-TLS reference in substdio.a(substdo.o)
/lib/x86_64-linux-gnu/libc.so.6: could not read symbols: Bad value
collect2: error: ld returned 1 exit status
make: *** [auto-str] Error 1
Georgi georgiev (hip0) - 18/09/2012 08:46

One other thing.

I'm not 100% sure but I think

openssl dhparam -check -text -5 1024 -out /etc/ssl/dh1024.pem

(It takes long)

command can take less time if you just randomly type something on the keyboard. If I remember correctly, the input from the keyboard is taken for better randomization salt. (This has to be checked by you, however, just to confirm.)

Doing so for me on 4GB memory host with 6Ghz cpu, took like 10 to 20 seconds.

Best

Georgi

Tomaszg - 11/04/2012 12:47

I've exported 3 certificate files (copy & edit PEM files to match .CRT data - left only lines between BEGIN... END..).

pop3s -> pop3d.pem
smtps -> servercert.pem
imaps -> imapd.pem

Then installed in client OS and it works. On Win7 it needs to be installed in a manually selected folder.

Thibs - 12/03/2012 22:24

@Tomaszg: To avoid the message in the mail client, you should put an official certificate in the part configure-courier.php.

Note that you can sign an official certificate for free on http://www.startssl.com/ ... but describing this is out of this guide scope

Tomaszg - 12/03/2012 13:48

I'm trying to figure out how to install mail system certificates on client side to avoid annoying "SSL verification error" in mail client..

Thibs - 18/01/2012 02:04

@Michiel: I think I know why it's not working.

I've read http://www.thedumbterminal.co.uk/software/qmail_pci.shtml and it seems the patches used are netqmail-1.05-tls-smtpauth-20070417.patch and netqmail-1.06_tls_auth_high_sec.patch

In this guide, I use the combined patch http://qmail.jms1.net/patches/combined-details.shtml. If you look at the details, you'll notice that the smtpauth patch is not the same (qmail-smtpd-auth). Moreover, the second patch is not applied.

Thibs - 18/01/2012 01:13

@Michiel: I've never tried to disable SSLv2 and don't know how to do it.

Did you try to export an environment variable "TLSCIPHERS" as suggested in http://www.qmailwiki.org/index.php/Qmail-control-files#control.2Ftlsserverciphers ?

If yes, and if it's not working, I can just advise you to read this page http://qmail.jms1.net/tls-auth.shtml

You won't find there the answer you are looking for ... but it's a good start to learn about this.

Michiel - 10/01/2012 14:36

Hi,

I am trying to disable SSLv2 following http://www.qmailwiki.org/index.php/Qmail-control-files

But no matter what I do, I am always able to get an SSLv2 connection on port 465 by testing: openssl s_client -connect mail.domain.com:465 -ssl2

Can you advise me how I can disable SSLv2? I think the TLS patch should take care of the /var/qmail/control/tlsserverciphers file but it does not; also setting the TLSCIPHERS variable in one of /service/qmail-smtpssl/run or /service/qmail-smtp/run does not work.
SSLv2 is old and insecure, should be disabled by default :)

Thanks for your help.

Michiel

Thibs - 02/09/2011 09:44

If you want to renew your certificates, you can follow this guide: http://www.pc-freak.net/blog/how-to-renew-self-signed-qmail-toaster-and-qmail-rocks-expired-ssl-pem-certificate/

Thibs - 30/03/2011 15:02

As you can read on http://qmail.org/netqmail/CHANGES, the only difference between netqmail 1.05 and netqmail 1.06 is the license.

Fred - 08/07/2010 17:06

What about the patches included in netqmail-1.06?
