Install qmail, ucspi-tcp and ucspi-ssl
Here we are! We'll proceed with the core install!
We 'll use the source package for Qmail itself written by Dan Bernstein. While Qmail is available as Debian source package, it ends up being installed with parts of it in very different places which would render much of the available documentation invalid. Thus, we are going to stick with the source package instead. It's a little old by itself but we're going to supercharge it with John Simpson's combined patch set shortly.
FYI: A very good visual representation of how Qmail works can be found in "The Big Qmail Picture"
Extract the sources
tar -zxvf /downloads/qmail-1.03.tar.gz
Qmail
Patch it with John M. Simpson's combined patches (includes every patch which is part of netqmail-1.05 ... but also some others as you can see in the details section!)
patch < /downloads/patches/qmail-1.03-jms1-7.10.patch
Compile it
make setup check
Make the man pages and config files available the usual Debian way (symlink the control directory to /etc/qmail)
ln -s /var/qmail/control /etc/qmail
Now let's generate a secure certificate that will be used to encrypt your server's TLS encrypted SMTP sessions...
OPTIONAL: Even if you plan to use an officially signed certificate, please do the following and DO NOT use make cert here. You'll have the opportunity to use the same signed certificate for both TLS and courier at this step.
make cert
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Your FQDN server
Email Address []:Your e-mail address
Adapt certificate permissions
cd /var/qmail/control
chmod 640 servercert.pem
chown vpopmail:vchkpw servercert.pem
rm clientcert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem
UCSPI-TCP and UCSPI-SSL
UCSPI-TCP (aka tcpserver) is a client/server program that manages TCP connections (like inetd or xinetd, but this one has really useful features for working in combination with Qmail).
For more information on it, its home page is located here: http://cr.yp.to/ucspi-tcp.html
UCSPI-TCP has already been installed from a Debian package (here), but the SSL version has to be installed manually (it's not in the repository for licensing reasons).
chmod 1755 /packages
cd /tmp
tar -zxvf /downloads/ucspi-ssl-0.95a.tgz
mv /tmp/host/superscript.com/net/ucspi-ssl-0.95a/ /packages
cd /packages/ucspi-ssl-0.95a/
rm -rf /tmp/host/
sed -i 's/local\///' /packages/ucspi-ssl-0.95a/src/conf-tcpbin
sed -i 's/usr\/local/etc/' /packages/ucspi-ssl-0.95a/src/conf-cadir
sed -i 's/usr\/local\/ssl\/pem/etc\/ssl/' /packages/ucspi-ssl-0.95a/src/conf-dhfile
openssl dhparam -check -text -5 1024 -out /etc/ssl/dh1024.pem
(It takes a long time.)
package/compile
package/install
package/man
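As an added check (example code, not part of the original guide or of ucspi-ssl): after the three sed edits and the dhparam step, and before package/compile, this POSIX sh function reads the edited conf-tcpbin, conf-cadir and conf-dhfile and verifies that no /usr/local path is left behind and that tcpserver, the CA directory and a DH parameter file exist where they point. It assumes each conf-* file carries its value on its first line and that the edited values are /usr/bin, /etc/ssl/certs and /etc/ssl/dh1024.pem.

```shell
#!/bin/sh
# Added example (not part of the guide): sanity-check the ucspi-ssl build
# settings before package/compile. Assumption: the first line of each
# conf-* file is its value (DJB-style packages keep comments below it).
check_ucspi_ssl_conf() {
    src="$1"            # path to ucspi-ssl-0.95a/src
    for f in conf-tcpbin conf-cadir conf-dhfile; do
        if ! [ -r "$src/$f" ]; then
            echo "missing $src/$f"; return 1
        fi
    done
    tcpbin=$(head -n 1 "$src/conf-tcpbin")
    cadir=$(head -n 1 "$src/conf-cadir")
    dhfile=$(head -n 1 "$src/conf-dhfile")

    # A leftover /usr/local means one of the sed edits did not match.
    for v in "$tcpbin" "$cadir" "$dhfile"; do
        case "$v" in
            *usr/local*) echo "unedited path: $v"; return 1 ;;
        esac
    done
    # Debian's ucspi-tcp package provides tcpserver in the tcpbin directory;
    # sslserver will be installed beside it.
    if ! [ -x "$tcpbin/tcpserver" ]; then
        echo "no tcpserver in $tcpbin"; return 1
    fi
    if ! [ -d "$cadir" ]; then
        echo "CA directory $cadir does not exist"; return 1
    fi
    # The DH file must exist and hold DH parameters, not a certificate or key.
    if ! grep -q 'BEGIN DH PARAMETERS' "$dhfile" 2>/dev/null; then
        echo "no DH parameters in $dhfile (run the openssl dhparam step)"; return 1
    fi
    echo "ok: tcpbin=$tcpbin cadir=$cadir dhfile=$dhfile"
    return 0
}

# Usage: sh check-ucspi-conf.sh /packages/ucspi-ssl-0.95a/src
[ $# -gt 0 ] && check_ucspi_ssl_conf "$1"
```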
User comments
In Ubuntu 20.04 I got the following error on the "make setup check" step:
qmail-smtpd.c:1028:12: error: dereferencing pointer to incomplete type ‘SSL’ {aka ‘struct ssl_st’}
1028 | ssl->state = SSL_ST_ACCEPT;
I believe it's because Ubuntu 20.04 has libssl1.1, and this compile needs libssl1.0. I was almost about to start over from scratch with netqmail1.06 and sagredo.eu patches and instructions when I found this other workaround from compiling an unrelated Ruby tool https://www.garron.me/en/linux/install-ruby-2-3-3-ubuntu.html.
Which basically says edit /etc/apt/sources.list to add:
deb http://security.ubuntu.com/ubuntu bionic-security main
Then "sudo apt-get update", (and optionally to see what other versions it has found "apt-cache policy libssl1.0"), and "sudo apt-get install libssl1.0-dev".
Then repeat the "make setup check" step.
In Debian 9.9, to compile qmail you need:
apt install libssl1.0-dev
Hope this helps.
@Michiel
Strong ciphers can be enabled by editing the smtpd-ssl/run script
> under # options for tcpserver/sslserver add
Hi
I have Debian 8.11 and a problem with compilation:
substdio.a error.a str.a fs.a auto_qmail.o \
`cat dns.lib` `cat socket.lib` -lssl
/usr/bin/ld: qmail-remote.o: undefined reference to symbol 'OPENSSL_add_all_algorithms_noconf@@OPENSSL_1.0.0'
//usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
Can you help me with this?
Suggested improvement:
install ucspi-ssl to manage ipv4/ipv6 ssl connections from https://www.fehcom.de/ipnet/ucspi-ssl.html
because it is a more up-to-date version; ucspi-ssl 0.9x is a fork of Superscript's ucspi-ssl 0.70 version.
Install ucspi-tcp6 to manage ipv6 connections from https://www.fehcom.de/ipnet/ucspi-tcp6/ucspi-tcp6-1.10.tgz; ucspi-tcp6 is a fork of Dan Bernstein's ucspi-tcp 0.88 version
I don't know if this helps or not....when I unzip ucspi-ssl-0.95a.tgz it seems to create a "ucspi-ssl-master" directory in /tmp (at least I think it does). How to proceed?
Well, not quite. After
unzip /downloads/ucspi-ssl-0.95a,tgz
the next step is to:
mv ./tmp/host/superscript.com/net/ucspi-ssl-0.95a/ /packages
but the /tmp/host/superscript.com/... does not exist. Any idea on what I missed and how to proceed?
Many thanks....
(not a typo this time) I get an error at
tar -zxvf /downloads/ucspi-ssl-0.95a.tgz
saying that it has multiple entry points and to use unzip instead. So, first unzip the file and then run tar xvf ..... Right?
Please ignore previous comment. I have muscle memory which keys in "ls" when I intend "ln".
Following along the install on Debian 8.11. I find that there is no /etc/qmail directory.
So, this step:
ln -s /var/qmail/control /etc/qmail
fails. Suggestions?
Thanks,.....
@Thomas - see the qmailtoaster website they use a different TLS setup and include patches from http://inoa.net/qmail-tls/ .
I understand that people like Qmail because of its security but all the used patches are way outdated and provide a new security hole in all used extra tools (daemontools, etc.)
I would recommend people use a different MTA with all the features on board and also good security and performance (OpenSMTPD, Postfix), or change this howto to use the qmailtoaster approach, which still is a bunch of patches and hard to maintain with all the 3rd parties.
My 0,02 $
Michiel
To successfully compile qmail on Debian 9 with
make setup check
you need to install
apt-get install libssl1.0-dev
Installing on ARM32 architecture gives an error where the '-m64' flag is invalid. This happens on the package/compile command.
This can be solved by removing the -m64 argument from compile/load and src/conf-ld.
After that, everything works fine.
Michiel:
I agree!
I have been working for a while now with ciphers and am trying to disable old versions, but that is not easy.
Have you found a solution?
I really think the new documentation should have support for strong ciphers. SSLv2 and v3 are insecure (POODLE attack) and support for strong TLS ciphers (v1.2 with AES-256 etc) would be much appreciated and is much more suited anno 2016.
Think about the NSA and all those government agencies doing MiTM with weak SSL ciphers:
Weak Diffie-Hellman and the Logjam Attack
I love Qmail but with correct and up2date patches that support a modern mail setup.
Thanks for the documentation nevertheless :)
Cheers,
Michiel
I find it useful to edit the conf-spawn file before compiling, because there is a hardcoded limit of concurrent local and remote deliveries of 120. On a large server this is way too low. Personally, I prefer to set it to the maximum of 65000 and use the control/concurrencylocal and control/concurrencyremote files to actually set the amount of desired concurrent deliveries.
Greets
It seems I found the problem:
# cat /package/ucspi-ssl-0.92/src/conf-ld
gcc -s
gcc -s -m64
Remove the gcc -s -m64 and it would compile just fine. Cheers.
Getting the following error; how could I solve it?
make: *** [auto-str] Error 1 compile: fatal: cannot make it-base it-sslperl
I've tried to google it but I came out with nothing.
I've tried to install ucspi-ssl-0.94 both on i386 and amd64, but I got the same error with package/compile:
auto-str.c:7:6: warning: conflicting types for built-in function 'puts' [enabled by default] ./load auto-str unix.a ./load: 4: exec: -o: not found make: *** [auto-str] Error 127 compile: fatal: cannot make it-base it-sslperl
Sorry to hear that. I myself have not been using i386 for a long while.
I advise you to contact Erwin Hoffmann, who is the author of the version I'm using in this guide.
You can write to him at: feh AT fehcom.de
http://www.fehcom.de/ipnet/ucspi-ssl.html
Yes, it fails on the install. I have checked the other sources that you list on the page and other pages connected to the UCSPI-SSL. Each one I have tested and each one failed due to trying to run it on a i386.
@Eric
As they are source files, you need to compile them yourself with the command
package/install
Does it fail to compile on i386?
Is there a UCSPI-SSL for i386? The one above is compiled for AMD64.
@Jay: no, because it's not the goal of this tutorial. With a script, most of the time the sysadmin does not understand what he is doing.
can you provide bash scripts to auto run the whole qmail installation?
Hello Kenny,
Did you apply the patches to the source?
Your error is an "errno.h" problem!
You can solve it by editing conf-cc with the following:
gcc -O2 -include /usr/include/errno.h
This will be used to compile .c files.
... but it was supposed to be applied by the patching of the sources
Hey! need some help with this:
root@mail:/usr/src/qmail/qmail-1.03# make man check make: Nothing to be done for `man'. ./load auto-str substdio.a error.a str.a /usr/bin/ld: errno: TLS definition in /lib/x86_64-linux-gnu/libc.so.6 section .tbss mismatches non-TLS reference in substdio.a(substdo.o) /lib/x86_64-linux-gnu/libc.so.6: could not read symbols: Bad value collect2: error: ld returned 1 exit status make: *** [auto-str] Error 1
One other thing.
I'm not 100% sure but I think
openssl dhparam -check -text -5 1024 -out /etc/ssl/dh1024.pem
(It takes long)
command can take less if you just randomly type something from the keyboard. If I remember correctly the input from keyboard is taken for better randomization salt. (This has to be checked by you however to just confirm).
Doing so for me on 4GB memory host with 6Ghz cpu, took like 10 to 20 seconds.
Best
Georgi
I've exported 3 certificate files (copied and edited the PEM files to match .CRT data, leaving only the lines between BEGIN... and END...).
pop3s -> pop3d.pem
smtps -> servercert.pem
imaps -> imapd.pem
Then installed them in the client OS and it works. On Win7 they need to be installed in a manually selected folder.
@Tomaszg: To avoid the message in the mail client, you should put an official certificate in the configure-courier.php part.
Note that you can sign an official certificate for free on http://www.startssl.com/ ... but describing this is out of this guide scope
I'm trying to figure out how to install mail system certificates on client side to avoid annoying "SSL verification error" in mail client..
@Michiel : I think I know why it's not working.
I've read http://www.thedumbterminal.co.uk/software/qmail_pci.shtml and it seems the patches used are netqmail-1.05-tls-smtpauth-20070417.patch and netqmail-1.06_tls_auth_high_sec.patch
In this guide, I use the combined patch http://qmail.jms1.net/patches/combined-details.shtml. If you look at the details, you'll notice that the smtpauth patch is not the same (qmail-smtpd-auth). Moreover, the second patch is not applied.
@Michiel: I've never tried to disable SSLv2 and don't know how to do it.
Did you try to export an environment variable "TLSCIPHERS" as suggested in http://www.qmailwiki.org/index.php/Qmail-control-files#control.2Ftlsserverciphers ?
If yes and it's not working, I can only advise you to read this page http://qmail.jms1.net/tls-auth.shtml
You won't find there the answer you are looking for ... but it's a good start to learn about this
Hi,
I am trying to disable SSLv2 following http://www.qmailwiki.org/index.php/Qmail-control-files
But no matter what I do I am always able to get an SSLv2 connection on port 465 by testing:
openssl s_client -connect mail.domain.com:465 -ssl2
Can you advise me how I can disable SSLv2? I think the TLS patch should take care of the /var/qmail/control/tlsserverciphers file but it does not; also setting the TLSCIPHERS variable in one of /service/qmail-smtpssl/run or /service/qmail-smtp/run does not work.
SSLv2 is old and insecure, should be disabled by default :)
Thanks for your help.
Michiel
If you want to renew your certificates, you can follow this guide : http://www.pc-freak.net/blog/how-to-renew-self-signed-qmail-toaster-and-qmail-rocks-expired-ssl-pem-certificate/
As you can read on http://qmail.org/netqmail/CHANGES, the only difference between netqmail 1.05 and netqmail 1.06 is the license.
What about the patches included in netqmail-1.06?
In Debian 11, before running 'make man' it is necessary to edit the file 'error.h' with this command:
sed -i 's/extern int errno;/#include <errno.h>/' error.h
However, after running 'make setup check', this error is displayed:
make: *** [Makefile:1589: qmail-smtpd.o] Erro 1
Can you help me?