qmail patches


This page tells you how to add some features to qmail, like SMTP authentication and multiple POP mailboxes.

Qmail was written by Daniel J. Bernstein. You can download qmail-1.03.tar.gz from this site, or the current version from the author's web site.


If you are using the FreeBSD ports collection, and you want to use all patches on this page, do this:

(
# maildirpop3d: checkpassword replacement for multiple POP mailboxes
mkdir -p /usr/local/src && \
cd /usr/local/src && \
fetch http://tomclegg.net/qmail/maildirpop3d/maildirpop3d-0.8.tar.gz && \
tar xzf maildirpop3d-0.8.tar.gz && \
cd maildirpop3d-0.8 && \
make install

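# cmd5checkpw: installed setuid smtppasswd (and setgid wheel) so that it
# can read the mode-400 password file created below
cd /usr/local/src && \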
fetch http://tomclegg.net/qmail/cmd5checkpw-0.22.tar.gz && \
tar xzf cmd5checkpw-0.22.tar.gz && \
cd cmd5checkpw-0.22 && \
perl -pi~ -e 's,/etc/poppasswd,/usr/local/etc/smtp.passwd,g' main.c && \
make && \
pw useradd smtppasswd -s /usr/bin/true -d /nonexistent && \
install -m 06755 -o smtppasswd -g wheel cmd5checkpw \
 /usr/local/sbin/cmd5checkpw && \
touch /usr/local/etc/smtp.passwd && \
chown smtppasswd:wheel /usr/local/etc/smtp.passwd && \
chmod 400 /usr/local/etc/smtp.passwd

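# qmail patches: files named patch-* in the port's files/ directory are
# applied automatically when the port is built
cd /usr/ports/mail/qmail/files && \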
fetch -o patch-smtpd-auth \
 http://tomclegg.net/qmail/qmail-smtpd-auth.patch && \
fetch -o patch-remote-auth \
 http://tomclegg.net/qmail/qmail-remote-auth.patch && \
fetch -o patch-badmailfrom-wildcard \
 http://tomclegg.net/qmail/qmail-badmailfrom-wildcard.patch && \
fetch -o patch-capa-popup \
 http://tomclegg.net/qmail/qmail-capa-popup.patch && \
fetch -o patch-capa-pop3d \
 http://tomclegg.net/qmail/qmail-capa-pop3d.patch && \
fetch -o patch-smtpd-auth-log \
 http://tomclegg.net/qmail/smtpauthlog.patch && \
cd /usr/ports/mail/qmail && \
make clean && \
make

if [ -e /var/qmail/bin/qmail-smtpd ]
then
  # qmail is already installed -- just replace changed programs
  cd work/qmail-1.03 && \
  install -m 755 -g qmail qmail-smtpd /var/qmail/bin/qmail-smtpd && \
  install -m 711 -g qmail qmail-remote /var/qmail/bin/qmail-remote && \
  install -m 755 -g qmail qmail-pop3d /var/qmail/bin/qmail-pop3d && \
  install -m 711 -g qmail qmail-popup /var/qmail/bin/qmail-popup
else
  make install
fi
)

qmail-smtpd-auth

by brush@elysium.pl

Add SMTP authentication to qmail-smtpd.

Instructions:

  1. Download and extract the cmd5checkpw package: cmd5checkpw-0.22.tar.gz from this site, or the current version from the author's site.
  2. Edit cmd5checkpw's main.c; change "/etc/poppasswd" to "/usr/local/etc/smtp.passwd".
  3. Compile it.
  4. Install it into /usr/local/sbin/ and change its mode and owner.
    pw useradd smtppasswd -s /usr/bin/true -d /nonexistent
    install -m 06755 -o smtppasswd -g wheel cmd5checkpw \
     /usr/local/sbin/cmd5checkpw
  5. Download and extract the smtpauth package. You can download qmail-smtpd-auth-0.31.tar.gz from this site, or the current version from the author's site.
  6. qmail-smtpd-auth-0.31 has a minor bug if you use morercpthosts. After a failed authentication attempt, if the client attempts to send mail to a domain which is not listed in rcpthosts, qmail-smtpd is unable to read morercpthosts.cdb. Instead, it sends "421 unable to read controls (#4.3.0)" and drops the connection. qmail-smtpd-auth-close3.patch fixes this bug by closing file descriptor 3 (only if necessary) in the authentication child process rather than the parent process.
    mkdir -p /usr/local/src
    cd /usr/local/src
    fetch http://tomclegg.net/qmail/qmail-smtpd-auth-0.31.tar.gz
    fetch http://tomclegg.net/qmail/qmail-smtpd-auth-close3.patch
    tar xzf qmail-smtpd-auth-0.31.tar.gz
    cd qmail-smtpd-auth-0.31
  7. Apply auth.patch and the close3 patch to the qmail source directory. Add base64.c and base64.h to the qmail source code directory. Rebuild qmail-smtpd and install it in /var/qmail/bin/.
    qsrc=/usr/ports/mail/qmail/work/qmail-1.03
    cp -i base64.? $qsrc/
    (cd $qsrc && patch) < auth.patch
    (cd $qsrc && patch) < ../qmail-smtpd-auth-close3.patch
    cd $qsrc
    make qmail-smtpd
    cp -p qmail-smtpd /var/qmail/bin/

    Alternatively, the last two steps -- patching qmail-smtpd, fixing the close(3) bug, and adding base64.{c,h} -- can be combined like this:

    cd /usr/ports/mail/qmail/work/qmail-1.03
    fetch http://tomclegg.net/qmail/qmail-smtpd-auth.patch
    patch < qmail-smtpd-auth.patch
    make qmail-smtpd
    install -g qmail -m 755 qmail-smtpd /var/qmail/bin/qmail-smtpd
  8. Change your qmail-smtpd invocation to look like this:
    qmail-smtpd YOUR.HOST.NAME.HERE /usr/local/sbin/cmd5checkpw /usr/bin/true
  9. Create /usr/local/etc/smtp.passwd with mode 0400, owned by smtppasswd. Each line is a username, a colon, and a password:
    username1:password1
    username2:password2
    username3:password3
    For example:
    cd /usr/local/etc
    sh -c 'umask 0377; touch smtp.passwd'
    chown smtppasswd:wheel smtp.passwd
    cat <<'EOF' >>smtp.passwd
    username1:password1
    username2:password2
    username3:password3
    EOF

qmail-smtpd-auth-log

by tom@tomclegg.net

Add the authenticated username to qmail-smtpd's "authentication OK" response. This is useful if you're using recordio and you want the authenticated usernames to appear in your log.

Example (before):

235 ok, go ahead (#2.0.0)

Example (after):

235 ok, tomclegg, go ahead (#2.0.0)

This trivial patch is in the public domain.

To install: download smtpauthlog.patch and apply it after the smtpauth patch.

cd /usr/ports/mail/qmail/work/qmail-1.03
fetch http://tomclegg.net/qmail/smtpauthlog.patch
patch < smtpauthlog.patch
make qmail-smtpd
install -g qmail -m 755 qmail-smtpd /var/qmail/bin/qmail-smtpd

qmail-remote-auth

by Jay Soffian, modified by tom@tomclegg.net

Add SMTP authentication support (AUTH LOGIN) to qmail-remote. This is useful for relaying outgoing mail to a smarthost which requires authentication.

My modifications:

You need to install qmail-smtpd-auth as well, just because this patch needs base64.c and base64.h (and the attendant patches to Makefile).

To install:

cd /src/qmail-1.03
fetch http://tomclegg.net/qmail/qmail-remote-auth.patch
patch < qmail-remote-auth.patch
make qmail-remote
install -m 711 qmail-remote /var/qmail/bin/qmail-remote

To relay outgoing mail for "example.com" to an SMTP server at 10.9.8.7 port 2500 with username "foo" and password "bar":

echo example.com:10.9.8.7:2500 foo bar >>/var/qmail/control/smtproutes

To relay all outgoing mail to an SMTP server at 10.9.8.7 port 25 with username "foo" and password "bar":

echo :10.9.8.7 foo bar >>/var/qmail/control/smtproutes

qmail-badmailfrom-wildcard

by tom@tomclegg.net

If (like me) you're getting lots of unreturnable spam from addresses like "opt-in@mtsopt21.email-info.net", you want ".email-info.net" in control/badmailfrom.

Without this patch, you would have to list "@mtsopt21.email-info.net", "@mtsopt22.email-info.net", etc. separately.

To install:

cd /src/qmail-1.03
fetch http://tomclegg.net/qmail/qmail-badmailfrom-wildcard.patch
patch < qmail-badmailfrom-wildcard.patch
make qmail-smtpd
install -m 755 qmail-smtpd /var/qmail/bin/qmail-smtpd

To refuse mail from any sender which ends with ".example.com":

echo ".example.com" >>/var/qmail/control/badmailfrom

You will still accept mail from foo@example.com unless you add "@example.com" as well:

echo "@example.com" >>/var/qmail/control/badmailfrom

The wildcard does not apply to the sender's local part. ".spam@example.com" will not block mail from example-spam@example.com. It will only block the literal address ".spam@example.com", which is probably not what you want.
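
The matching rules described in this section, written out as an added C example (not code from the patch or from qmail). bmf_match() and the sample list are hypothetical, and the case-insensitive comparison is an assumption.

```c
/* Added example: badmailfrom matching as this page describes it.
 * Not the patch's code; bmf_match() and the sample data are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return 1 if sender is refused by any entry, else 0.
 * Comparing case-insensitively is an assumption of this sketch. */
int bmf_match(const char *sender, const char *const *entries, size_t n)
{
    const char *at = strrchr(sender, '@');   /* domain starts at the last '@' */
    const char *domain = at ? at + 1 : "";
    size_t dlen = strlen(domain);

    for (size_t i = 0; i < n; i++) {
        const char *e = entries[i];
        size_t elen = strlen(e);

        if (strcasecmp(sender, e) == 0)      /* full address listed */
            return 1;
        if (e[0] == '@' && at && strcasecmp(at, e) == 0)
            return 1;                        /* "@example.com": exactly that domain */
        /* ".example.com": any domain ending in that suffix. An entry that
         * contains '@' is never a wildcard, so ".spam@example.com" can only
         * match through the full-address test above. */
        if (e[0] == '.' && !strchr(e, '@') && at && dlen >= elen &&
            strcasecmp(domain + dlen - elen, e) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed control/badmailfrom contents and constructed senders */
    const char *const list[] = { ".email-info.net", ".spam@example.com" };
    const char *const senders[] = {
        "opt-in@mtsopt21.email-info.net", "opt-in@email-info.net",
        "example-spam@example.com", ".spam@example.com",
    };
    for (size_t i = 0; i < 4; i++)
        printf("%-32s %s\n", senders[i],
               bmf_match(senders[i], list, 2) ? "refused" : "accepted");
    return 0;
}
```

The second sender is accepted because ".email-info.net" does not cover the bare domain; that needs its own "@email-info.net" entry.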

maildirpop3d

by tom@tomclegg.net

Offer multiple POP mailboxes (with distinct passwords) with a single shell account.

maildirpop3d is a checkpassword replacement; it sits between qmail-popup and qmail-pop3d. If qmail-popup receives a username like "joe-foo", and ~joe/Maildir-foo is a directory, then maildirpop3d invokes qmail-pop3d (as joe) on ~joe/Maildir-foo.

maildirpasswd (included) is invoked by joe to set the password for the joe-foo mailbox. The password is encrypted and stored in ~joe/Maildir-foo/passwd.

If the supplied username is "joe-foo-bar-baz", then maildirpop3d looks first for a user called "joe-foo-bar-baz", then "joe-foo-bar", then "joe-foo", then "joe". If a user called "joe-foo-bar" exists, then maildirpop3d will not look for users called "joe-foo" or "joe", even if ~joe-foo-bar/Maildir-baz/ does not exist.
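
The search order above, as an added C example (not maildirpop3d's own code). resolve_mailbox(), the user_exists_fn callback and the two account tables are hypothetical stand-ins for the real password database lookup.

```c
/* Added example: the username search order described for maildirpop3d.
 * Not maildirpop3d's code; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef int (*user_exists_fn)(const char *name);

/* Split login into account + mailbox extension, trying the longest
 * account name first. Returns 0 on success, -1 if no account matches or
 * login does not fit in cap bytes. ext is "" when login is an account. */
int resolve_mailbox(const char *login, user_exists_fn exists,
                    char *user, char *ext, size_t cap)
{
    size_t len = strlen(login);
    if (len == 0 || len >= cap)
        return -1;
    for (size_t cut = len; cut > 0; cut--) {
        if (cut != len && login[cut] != '-')
            continue;                  /* split only at the end or at a '-' */
        memcpy(user, login, cut);
        user[cut] = '\0';
        if (!exists(user))
            continue;
        /* First hit wins: shorter prefixes are never tried. */
        strcpy(ext, cut == len ? "" : login + cut + 1);
        return 0;
    }
    return -1;
}

/* Constructed account tables standing in for the password database. */
int only_joe(const char *n) { return strcmp(n, "joe") == 0; }
int joe_and_joe_foo_bar(const char *n)
{
    return strcmp(n, "joe") == 0 || strcmp(n, "joe-foo-bar") == 0;
}

int main(void)
{
    char user[64], ext[64];
    if (resolve_mailbox("joe-foo-bar-baz", only_joe, user, ext, sizeof user) == 0)
        printf("only joe exists:     ~%s/Maildir-%s\n", user, ext);
    if (resolve_mailbox("joe-foo-bar-baz", joe_and_joe_foo_bar,
                        user, ext, sizeof user) == 0)
        printf("joe-foo-bar exists:  ~%s/Maildir-%s\n", user, ext);
    return 0;
}
```

Once an account named joe-foo-bar exists, the login joe-foo-bar-baz resolves under that account, so joe's own Maildir-foo-bar-baz can no longer be reached through this login.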

This package is released under the GNU General Public License.

Download maildirpop3d-0.8.tar.gz.

Read the INSTALL file.

(more documentation required)

Example:

exec tcpserver -vRl YOUR.HOST.NAME.HERE 0 pop3 \
  /var/qmail/bin/qmail-popup YOUR.HOST.NAME.HERE \
  /usr/local/sbin/maildirpop3d /var/qmail/bin/qmail-pop3d Maildir

If you're using a checkpassword program other than checkpassword, or if checkpassword is not in your PATH:

exec tcpserver -vRl YOUR.HOST.NAME.HERE 0 pop3 \
  /var/qmail/bin/qmail-popup YOUR.HOST.NAME.HERE \
  /usr/local/sbin/maildirpop3d /var/qmail/bin/qmail-pop3d \
  Maildir /PATH/TO/CHECKPASSWORD

If your username is joe and you want a separate mailbox called joe-lists, do this:

cd
maildirmake Maildir-lists
echo ./Maildir-lists/ >.qmail-lists
maildirpasswd lists
Changing password for POP mailbox joe-lists@YOUR.HOST.NAME.HERE
New password: bar
New password (again): bar
Ok, putting encrypted password 0ZsfajRLIfp0w in ~/Maildir-lists/passwd

(Your password will not really appear on your screen.)

You can pick up your mail by configuring your mail reader like this:

POP server: YOUR.HOST.NAME.HERE
Username: joe-lists
Password: bar

qmail-capa-popup and qmail-capa-pop3d

by ximenes@mythic.net and a bit by tom@tomclegg.net

Add a CAPA command to qmail's POP3 server. Some POP3 clients don't use UIDL (and run too slowly as a result) unless they can use CAPA to verify that the server supports UIDL. (This might apply to TOP and LAST as well.)

Example (before):

CAPA
-ERR authorization first

Example (after):

CAPA
+OK Capability list follows
TOP
UIDL
LAST
USER
APOP
.

These trivial patches are in the public domain.

Download qmail-capa-popup.patch and qmail-capa-pop3d.patch and apply them to qmail-popup.c (for CAPA before authorization) and qmail-pop3d.c (for CAPA after authorization) respectively.


Note: None of this stuff has any kind of warranty.