
Thursday, 23 July 2015 02:46

Setting up SSL Certs and starting Qmail


We need to install ucspi-ssl so that qmail will accept SMTP connections over SSL. We can do that like so:


# cd /usr/ports/sysutils/ucspi-ssl
# make install clean

Shortly after this starts installing, you will get a dialog box containing:

Options for ca_root_nss 3.11.9_2
[X] ETCSYMLINK Add symlink to /etc/ssl/cert.pem

Make sure that box is checked by hitting the space bar and then hit tab and hit enter.

Creating an SSL key file

If you are setting up an SSL or TLS server, you will need to create a /var/qmail/control/servercert.pem file. This file contains the public and private keys used to set up SSL or TLS encryption. It should be readable to the userid which your "qmail-smtpd" program runs as (which is normally the "qmaild" user.)

Part of the file is a "certificate", which is the public key with a signature applied to it. This is the same kind of signature used when you create an SSL key for use with a secure web site; in fact, if you already have such a certificate from an SSL web site, you can use it (with the matching ".key" file) to build this .pem file. As long as the key and the certificate are both stored in PEM-encoded format, you can "cat" the files together and save the result as "servercert.pem", and it will work.

If you don't have such a key, you can create a key and then sign it using itself (also known as a "self-signed" certificate). Clients will complain about the certificate not being signed by a trusted certificate authority, but the encryption is just as secure; what a self-signed certificate does not give the client is a way to verify that it is really talking to your server. The following example shows how to create a self-signed certificate which expires ten years from the date it was created.

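Let's start with creating the key. The command below asks for a 2048-bit RSA key, since 1024-bit RSA keys are no longer considered adequate:


# cd /var/qmail/control
# openssl req -newkey rsa:2048 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem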

You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value. If you just hit Enter, the field will be left blank. Please note: the common name must be the name of the mail server, so make sure you enter it on that line:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:State
Locality Name (eg, city) []:City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: THIS IS YOUR EMAIL SERVER NAME
Email Address []: YOUR EMAIL ADDRESS

Now let's give proper ownership to the files:


# chown root:nofiles servercert.pem

The "nofiles" group is the group which "qmaild" belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key, but not change or delete it.


# chmod 640 servercert.pem
# cp servercert.pem clientcert.pem
# chown root:qmail clientcert.pem
# chmod a+r /var/qmail/control/servercert.pem

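The "qmail" group is the group which the "qmailr" user belongs to. This user should be able to read, but not write, the "clientcert.pem" file. Note that the "chmod a+r" command above makes servercert.pem, private key included, readable by every local user; skip it if qmail-smtpd can already read the file through the "nofiles" group.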


# chmod 640 clientcert.pem
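
A check that can be run once the files are in place, added here as an example and not part of the original guide: it confirms that a combined PEM file holds a private key and a certificate that belong together, that the certificate has not expired, and that the file is not world-readable. The function names are this example's own, and it assumes the `openssl` command is installed.

```sh
#!/bin/sh
# check_pem FILE: sanity-check a combined key+certificate PEM file such as
# /var/qmail/control/servercert.pem. Prints one line per problem and returns
# the number of problems found (0 means the file passed every check).
# Added example; the function names are this example's own.

# True when the file holds both a private-key block and a certificate block.
pem_has_key_and_cert() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# True when "other" has read permission, i.e. any local user can read the key.
pem_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# True when the certificate's public key equals the one derived from the
# private key stored in the same file.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

check_pem() {
    problems=0
    if ! pem_has_key_and_cert "$1"; then
        echo "$1: missing private key or certificate block"
        problems=$((problems + 1))
    elif ! pem_key_matches_cert "$1"; then
        echo "$1: private key does not match certificate"
        problems=$((problems + 1))
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "$1: certificate has expired"
        problems=$((problems + 1))
    fi
    if pem_world_readable "$1"; then
        echo "$1: readable by every local user"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: check_pem /var/qmail/control/servercert.pem
```
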

The next thing we will need to do is configure the qmail-smtpd-ssl run file. The only thing we will need to set here is the IP address the server will be listening on.


# vi /var/qmail/supervise/qmail-smtpd-ssl/run

You should set the following value:

IP=1.2.3.4

Substitute your own IP address. Do not leave this set to 0 without a good reason.

Before we start qmail we need to set up a few symlinks for TLS to work properly:


# cd /usr/lib32
# ln -s libssl.so.8 libssl.so.7
# ln -s libcrypto.so.8 libcrypto.so.7

The final step is to start the service running:


# ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/

Starting the qmail services

Okay, let's start the qmail services.


# svc -t /service/* /service/*/log

Let's check to make sure qmail is running okay:


# svstat /service/* /service/*/log

You should get the following output:


/service/qmail-send: up (pid 96738) 8 seconds
/service/qmail-smtpd: up (pid 96743) 8 seconds
/service/qmail-smtpd-ssl: up (pid 96747) 8 seconds
/service/qmail-updater: up (pid 96739) 8 seconds
/service/qmail-send/log: up (pid 96749) 8 seconds
/service/qmail-smtpd-ssl/log: up (pid 96746) 8 seconds
/service/qmail-smtpd/log: up (pid 96745) 8 seconds
/service/qmail-updater/log: up (pid 96748) 8 seconds

Please note we're not using the qmailctl file. The new qmailctl file includes the services for spamd, freshclam, clamav and dovecot. These programs have not been installed yet. These will start working once the service directories are created. As long as qmail-send, qmail-smtpd and qmail-smtpd-ssl are running, that is all we need to be concerned about for now.

Last modified on Sunday, 12 February 2017 13:34
