Qmail

Initial setup
A directory for qmail to reside in needs to be created:

mkdir /var/qmail

Rather than being a single program, Qmail is a collection of smaller programs, each doing a specific task. Each runs as its own user to provide further security to your server, so those users need to be created.
One thing to note: the numeric UID/GID values used by qmail and vpopmail are hard-coded into the programs when they are compiled. If you back up and restore your mail onto a different server, the UID and GID MUST HAVE THE SAME NUMERIC VALUE ON BOTH SERVERS! The easiest way to ensure this is to manually specify the values when the users and groups are created. Check your /etc/passwd and /etc/group files first to make sure the numbers given here aren't used. Most Linux systems use numbers higher than 500 for "regular" users and less than 100 for "system" so we've picked a middle ground.

groupadd -g 161 nofiles
groupadd -g 162 qmail
adduser -u 161 -g 161 -s /bin/true -M -d /var/qmail/alias -c 'QMail alias user' alias
adduser -u 162 -g 161 -s /bin/true -M -d /var/qmail -c 'QMail daemon user' qmaild
adduser -u 163 -g 161 -s /bin/true -M -d /var/qmail -c 'QMail log user' qmaill
adduser -u 164 -g 161 -s /bin/true -M -d /var/qmail -c 'QMail password user' qmailp
adduser -u 165 -g 162 -s /bin/true -M -d /var/qmail -c 'QMail queue user' qmailq
adduser -u 166 -g 162 -s /bin/true -M -d /var/qmail -c 'QMail remote user' qmailr
adduser -u 167 -g 162 -s /bin/true -M -d /var/qmail -c 'QMail send user' qmails
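
To check that the numbers really are free before creating the accounts, and that they still match after restoring onto another server, the ID table above can be audited with a small script. This is an added example, not part of the original procedure; the function name check_qmail_ids and its optional file arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the qmail accounts against the numeric IDs chosen above.
QMAIL_GROUPS="nofiles:161 qmail:162"   # name:gid
QMAIL_USERS="alias:161:161 qmaild:162:161 qmaill:163:161 qmailp:164:161
qmailq:165:162 qmailr:166:162 qmails:167:162"   # name:uid:gid

# check_qmail_ids [passwd_file] [group_file]
# Prints one line per problem and returns 0 only when every ID matches.
check_qmail_ids() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    problems=0
    for entry in $QMAIL_GROUPS; do
        name=${entry%%:*}; want=${entry##*:}
        have=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$group_file")
        if [ -z "$have" ]; then
            echo "group $name: missing"; problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "group $name: gid $have, expected $want"; problems=$((problems + 1))
        fi
        # A different group already holding the wanted GID is a conflict.
        other=$(awk -F: -v g="$want" -v n="$name" '$3 == g && $1 != n { print $1; exit }' "$group_file")
        if [ -n "$other" ]; then
            echo "gid $want already used by group $other"; problems=$((problems + 1))
        fi
    done
    for entry in $QMAIL_USERS; do
        name=${entry%%:*}; want=${entry#*:}   # want holds uid:gid
        have=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4; exit }' "$passwd_file")
        if [ -z "$have" ]; then
            echo "user $name: missing"; problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "user $name: uid:gid $have, expected $want"; problems=$((problems + 1))
        fi
        # A different user already holding the wanted UID is a conflict.
        other=$(awk -F: -v u="${want%%:*}" -v n="$name" '$3 == u && $1 != n { print $1; exit }' "$passwd_file")
        if [ -n "$other" ]; then
            echo "uid ${want%%:*} already used by user $other"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run check_qmail_ids with no arguments to audit the live /etc/passwd and /etc/group. Before the accounts exist the "missing" lines are expected, and only the "already used" lines matter.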

Download and Compile Qmail
Qmail, by itself, is lacking some of the capabilities we want on our server. So we'll also download the latest version of John Simpson's Combined Patch which will add some very useful features to our install.

cd /extra/src
wget http://qmail.jms1.net/patches/qmail-1.03-jms1-7.10.patch
wget http://cr.yp.to/software/qmail-1.03.tar.gz
tar xzf qmail-1.03.tar.gz
cd qmail-1.03

Apply the patch then compile and install qmail:

patch < ../qmail-1.03-jms1-7.10.patch
make setup check

Configure Qmail

cd /var/qmail/control
echo server.domain.com > me
echo domain.com > defaultdomain
echo "server.domain.com NO UCE" > smtpgreeting
echo 50 > concurrencyremote
echo 1 > mfcheck
echo 100 > maxrcpt
echo 3 > spfbehavior
touch locals
touch rcpthosts
chmod 644 *
cd /var/qmail/alias
echo '&postmaster@domain.com' > .qmail-mailer-daemon
echo '&postmaster@domain.com' > .qmail-postmaster
echo '&postmaster@domain.com' > .qmail-root
chmod 644 .qmail-*

Set up the daemontools service
Create the "container" directory which will contain the service directories for all of the qmail-related services...

mkdir -m 755 /var/service

Create the service directory structure for the qmail-send service itself:

cd /var/service
mkdir -m 1755 qmail-send
cd qmail-send
wget http://qmail.jms1.net/scripts/service-qmail-send-run
mv service-qmail-send-run run
chmod 755 run

Then create the log directory and run script:

mkdir -m 755 log
cd log
wget http://qmail.jms1.net/scripts/service-any-log-run
mv service-any-log-run run
chmod 755 run

Finally, start the service running.

ln -s /var/service/qmail-send /service/

After a few seconds, confirm that the service is running:

svstat /service/qmail-send
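
The two run scripts above are fetched over plain HTTP and then executed by daemontools, so it is worth reading them once, recording their SHA-256, and refusing to install a copy that differs. The following is an added example, not part of the original procedure or of the jms1 scripts; the manifest format and the function name install_reviewed_scripts are assumptions, and the hashes are whatever you recorded for the copies you reviewed.

```shell
#!/bin/sh
# Added example: install the downloaded run scripts only if they still match
# the SHA-256 recorded when they were reviewed. Manifest format (an assumption
# of this example), one script per line:
#   <sha256-lowercase-hex> <downloaded-file-name> <service-dir-relative-to-root>
# e.g.  <sha256-of-reviewed-copy> service-qmail-send-run qmail-send
#       <sha256-of-reviewed-copy> service-any-log-run    qmail-send/log

# install_reviewed_scripts MANIFEST DOWNLOAD_DIR SERVICE_ROOT
# The service directories must already exist, as created in the steps above.
install_reviewed_scripts() {
    manifest=$1; dl_dir=$2; svc_root=$3
    # Pass 1: verify every file first, so a single mismatch installs nothing.
    while read -r want name rel; do
        case $want in ''|'#'*) continue ;; esac
        have=$(sha256sum "$dl_dir/$name" 2>/dev/null | awk '{ print $1 }')
        if [ "$have" != "$want" ]; then
            echo "REJECT $name: sha256 ${have:-unreadable} is not the reviewed value" >&2
            return 1
        fi
    done < "$manifest"
    # Pass 2: copy each verified script into place as "run", mode 755 as above.
    while read -r want name rel; do
        case $want in ''|'#'*) continue ;; esac
        cp "$dl_dir/$name" "$svc_root/$rel/run" || return 1
        chmod 755 "$svc_root/$rel/run" || return 1
    done < "$manifest"
}
```

With the scripts downloaded into a scratch directory, install_reviewed_scripts manifest /path/to/downloads /var/service replaces the mv and chmod steps for both run scripts.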

Create an SSL certificate

  • Certificate from LetsEncrypt

    cd /var/qmail/control
    ln -s /etc/letsencrypt/live/server.domain.com/combined-for-pound.pem servercert.pem
    ln -s /etc/letsencrypt/live/server.domain.com/combined-for-pound.pem clientcert.pem
  • Self-Signed Certificate
    In order to provide secure, encrypted access to some of the services on this server, we're going to create a self-signed SSL certificate. When creating the certificate, it will ask for a "Common Name" - this must exactly match the name by which clients will connect to your server.

    cd /var/qmail/control

    Create the "servercert.pem" file, which is used to encrypt incoming SMTP connections as needed:

    openssl req -newkey rsa:1024 -nodes -x509 -days 3650 -keyout servercert.pem -out servercert.pem

    Change the permissions to secure the file:

    chown root:nofiles servercert.pem
    chmod 640 servercert.pem

    Then make a copy of the key file and change its group to qmail. The copy will be used by the qmail-remote user for outgoing mail deliveries.

    cd /var/qmail/control
    cp servercert.pem clientcert.pem
    chown root:qmail clientcert.pem
    chmod 640 clientcert.pem

Remove Sendmail

  • CentOS 5/6
    Now that qmail is up and running, we'll remove Sendmail from our machine. Find out what the Sendmail package is called:

    rpm -qa | grep sendmail

    Then stop Sendmail and remove the found package. On a CentOS 4 server it was sendmail-8.13.1.3.2.el4; for CentOS 5 it was sendmail-8.13.8-2.el5.

    /etc/rc.d/init.d/sendmail stop
    rpm -e --nodeps sendmail-8.13.8-2.el5

    Qmail works as a drop-in replacement for Sendmail, so create some symbolic links for any programs on our system that might use Sendmail:

    ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
    ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail
  • CentOS 7
    Stop and disable Postfix:

    systemctl stop postfix
    systemctl disable postfix

    Find out what the Postfix package is called:

    rpm -qa | grep postfix

    Then remove the found package.

    rpm -e --nodeps postfix-2.10.1-6.el7.x86_64

    Add the symlinks:

    ln -s /var/qmail/bin/sendmail /usr/lib/sendmail
    ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail

Install the man pages
The man pages are installed in /var/qmail/man. You'll need to add that to your MANPATH variable. Edit /etc/man.config and add:

MANPATH /var/qmail/man

Or export it temporarily with

MANPATH=$MANPATH:/var/qmail/man; export MANPATH

Credits

Various bits of code, scripts, and procedures were put together with information from John Simpson's qmail.jms1.net website. It's an excellent resource on managing and setting up a Qmail server.
