How to Install an SSL Certificate on Qmail

Qmail Server SSL Certificate Installation Guide

Qmail is an open-source mail transfer agent (MTA) written by Dan Bernstein, known for its security record, reliability and speed. Stock qmail 1.03 has no TLS support at all: STARTTLS on ports 25 and 587, and SMTPS on port 465, come from a TLS patch, most commonly Frederik Vermeulen's qmail-tls patch, or from a qmail derivative that bundles it. This guide assumes such a build; the control-file names and locations below are those of the qmail-tls patch, so check your build's README if it differs. Encrypting SMTP protects messages in transit between your server and the hosts it talks to; it does not encrypt mail at rest or beyond the next hop.

In this guide, we walk through preparing, installing and verifying a CA-issued certificate on Qmail step by step.

Prerequisites before installing SSL Certificate on Qmail

Before starting with the SSL installation process, your server should meet the following requirements:

  • Qmail, built with TLS support (for example the qmail-tls patch), should already be installed and delivering mail. If not, install it from source or from your Linux distribution's package manager, and add the TLS patch; the steps below need its control files.
  • You must have root access to the server for installing packages and modifying configurations.
  • Your mail host name (the one in your MX record) should resolve to the IP address of this server; that is also the name the certificate must be issued for.
  • Port 25 (SMTP) must be open for incoming mail, plus 587 (submission) and 465 (SMTPS) if you will run those instances. Port 443 plays no part in mail and does not need to be open for this. Configure the firewall accordingly.

A Step-by-Step Guide to Install SSL Certificate on Qmail Server

Update Qmail Server Packages

Before installing the certificate, make sure Qmail, ucspi-tcp (tcpserver) and OpenSSL are current. The TLS implementation lives in the OpenSSL library the patched qmail-smtpd links against, so an old OpenSSL means old protocol versions and known bugs regardless of how new the certificate is.

Connect to your server via SSH as root (or prefix the commands with sudo) and update the packages, if your distribution or a third-party repository packages them:

# yum update qmail ucspi-tcp openssl

On Debian/Ubuntu servers, use apt instead:

# apt update
# apt upgrade qmail ucspi-tcp openssl

Stock distribution repositories generally do not ship qmail; if you built it from source, updating means reapplying your patches to the current source and rebuilding. Restart the supervised services after updates if the binaries changed. Running patched versions reduces exposure to known bugs, so this is an essential preparatory step.

Configure OpenSSL

To use the purchased SSL certificate with Qmail, the certificate, the CA bundle and the private key all have to be in PEM format (Base64 text between -----BEGIN and -----END lines). CAs deliver certificates in PEM or DER, and the private key is in whatever format the tool that generated the CSR used, so check each file rather than trusting its extension.

We will use the OpenSSL command-line toolkit to inspect and convert the certificate and key files.

Install OpenSSL

If OpenSSL is not already present, install it on your server:

Redhat/CentOS

# yum install openssl

Debian/Ubuntu

# apt install openssl

Compile from Source

Alternatively, you can compile the latest OpenSSL version from source to get newer protocol and cipher support. Be aware that a self-built OpenSSL is not tracked by your package manager and will not receive the distribution's security updates; only do this if you will follow OpenSSL releases yourself and rebuild promptly.

Convert Certificate to PEM

Your CA may deliver the certificate and bundle in DER (binary) form rather than the PEM text form Qmail expects. The extension (.crt, .cer, .pem) does not tell you which: a PEM file begins with a -----BEGIN CERTIFICATE----- line, a DER file is binary.

Convert a DER-encoded certificate to PEM with:

# openssl x509 -inform DER -in domain.crt -out domain.pem

(-outform PEM is the default.) Run the same command once per intermediate certificate if the bundle came as separate DER files. Running it without -inform DER on a DER file fails with an "unable to load certificate" error.

If your certificate already begins with -----BEGIN CERTIFICATE-----, it is PEM and you can skip this step.

Convert Private Key to PEM (if required)

The private key must also be PEM, and it must be unencrypted: qmail-smtpd is started by tcpserver for every connection and cannot answer a passphrase prompt. File-system permissions (set in a later step) are what protect the key instead.

To strip a passphrase or normalise the key to PKCS#8 PEM in one go (you will be prompted for the existing passphrase if there is one), use the pkcs8 command:

# openssl pkcs8 -topk8 -in domain.key -out domain.key.pem -nocrypt

-nocrypt writes the result without encryption; that is deliberate here, not an oversight, and domain.key.pem is the file used later.

A key that already begins with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- and has no ENCRYPTED header needs no conversion. Either way, confirm it parses before going further:

# openssl pkey -in domain.key.pem -noout && echo key OK

At this point, you should have the following PEM files ready:

  • domain.pem (certificate)
  • domain.key.pem (private key, unencrypted)
  • the CA bundle (intermediate certificates), delivered as .pem or .txt but PEM text either way

With the certificates converted and OpenSSL setup done, we can now proceed with configuring Qmail.

Configure Qmail for SSL

The converted SSL certificate files now must be installed and configured on the Qmail server for encrypting the SMTP connections.

Follow these steps carefully to complete the changes:

1. Generate self-signed certificates (only if you have no CA-signed certificate yet)

Qmail does not require a self-signed certificate before a CA-signed one. A self-signed certificate is only a placeholder that lets you bring up STARTTLS and test the build while the CA is still issuing yours; if you already have the CA-signed files, skip to step 2.

With the qmail-tls patch, qmail-smtpd reads the private key and the certificate from one file, /var/qmail/control/servercert.pem, so generate both and concatenate them (umask first, so the key is never world-readable):

Server Certificate & Key

# umask 077
# openssl req -new -x509 -nodes -days 366 -keyout /var/qmail/control/servercert.key -out /var/qmail/control/servercert.crt
# cat /var/qmail/control/servercert.key /var/qmail/control/servercert.crt > /var/qmail/control/servercert.pem
# rm /var/qmail/control/servercert.key /var/qmail/control/servercert.crt

You will be prompted for the subject; set the Common Name to the host name remote MTAs connect to (the one in your MX record).

Client Certificate

qmail-remote presents /var/qmail/control/clientcert.pem when a remote server asks for a client certificate. The usual setup is to reuse the server certificate rather than generate a second one:

# ln -s servercert.pem /var/qmail/control/clientcert.pem

Remember the self-signed certificate will be replaced by your CA-signed one in the next step. Remote MTAs doing opportunistic TLS will encrypt to it meanwhile, but mail clients will show trust warnings until the real certificate is installed.

2. Install CA-Signed Certificate

Concatenate the private key, your certificate and the CA bundle, in that order, into servercert.pem. Write to a temporary file in the same directory first and rename it, so a qmail-smtpd starting in between never reads a half-written file:

# umask 077
# cat /home/ssl/domain.key.pem /home/ssl/domain.pem /home/ssl/ca-bundle.pem > /var/qmail/control/servercert.pem.new
# mv /var/qmail/control/servercert.pem.new /var/qmail/control/servercert.pem

Replace domain with your actual domain name in the paths above; the CA bundle is called ca-bundle.pem here, use whatever name your CA gave it.

This overwrites the temporary self-signed file created earlier. Including the intermediate chain is what lets clients and remote MTAs build a trust path to the root; a server that sends only its own certificate fails verification on most of them.

Builds that keep the key in a separate file (check your patch's README or the control/ directory of your distribution's package) take the same material, just split over two files.

3. Set Permissions

qmail-smtpd runs as the user qmaild (the -u argument in its tcpserver run script), and qmail-remote runs as qmailr; qmails is the qmail-send user and never reads these files. servercert.pem now contains the private key, so make it readable by qmaild only:

# chown qmaild:qmail /var/qmail/control/servercert.pem
# chmod 400 /var/qmail/control/servercert.pem

If clientcert.pem is a symlink to servercert.pem, qmailr must be able to read the same file. qmailr's primary group is qmail (qmaild's is nofiles), so allow the group as well:

# chmod 440 /var/qmail/control/servercert.pem

If clientcert.pem is a separate file instead, give it to qmailr the same way:

# chown qmailr:qmail /var/qmail/control/clientcert.pem
# chmod 400 /var/qmail/control/clientcert.pem

Finally check that nothing else under control/ holds a key with loose permissions:

# grep -l "PRIVATE KEY" /var/qmail/control/* 2>/dev/null
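The conversion checks and the assembly-plus-permissions step above are easy to get subtly wrong (a key that belongs to last year's certificate, a bundle missing its intermediate, a world-readable temporary file). The script below is an added example for this guide, not code from qmail or from the qmail-tls patch: it validates the three PEM files and writes the one-file layout qmail-tls reads, refusing to touch the live file if any check fails. It assumes openssl 1.1.1 or newer on PATH, that the CA bundle reaches a self-signed root (append the root if your CA shipped intermediates only), and that the owner is passed in, so the same function serves servercert.pem (qmaild), a separate clientcert.pem (qmailr), or a dry run as your own user.

```bash
# Added example, not part of qmail or the qmail-tls patch.
# Checks the CA-delivered material and assembles it into the single-file
# layout the qmail-tls patch reads: key, then leaf certificate, then chain.
# Assumptions: openssl 1.1.1+ on PATH; OWNER is the user that must read the
# result (qmaild for servercert.pem, qmailr for a separate clientcert.pem).
set -eu

# Usage: build_qmail_cert_bundle KEY CERT CHAIN OUT OWNER
# Writes OUT only if every check passes; returns 1 and writes nothing otherwise.
build_qmail_cert_bundle() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; owner="$5"

    # 1. Unencrypted PEM key: qmail-smtpd is forked per connection and cannot
    #    answer a passphrase prompt. A DER key fails the parse below too.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "refusing $key: private key is passphrase-protected (strip it with openssl pkcs8 -nocrypt)" >&2
        return 1
    fi
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "refusing $key: not a readable PEM private key" >&2
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "refusing $cert: not a PEM certificate (DER? convert with openssl x509 -inform DER)" >&2
        return 1
    fi

    # 2. The key must belong to the certificate: compare public keys, not file names.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "refusing $cert: its public key does not match $key" >&2
        return 1
    fi

    # 3. The bundle must validate the leaf. If the CA shipped intermediates only,
    #    append the root to the bundle first, or this check cannot complete the chain.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "refusing $cert: $chain does not validate it (missing intermediate or root?)" >&2
        return 1
    fi

    # 4. Assemble in the order qmail-tls expects and replace the live file atomically,
    #    so a qmail-smtpd started mid-copy never reads a truncated key.
    umask 077
    tmp="$out.new.$$"
    cat "$key" "$cert" "$chain" > "$tmp"
    chown "$owner" "$tmp"
    chmod 0400 "$tmp"
    mv "$tmp" "$out"
    openssl x509 -in "$out" -noout -subject -enddate
}
```

Run it as root with the real paths, for example `build_qmail_cert_bundle /home/ssl/domain.key.pem /home/ssl/domain.pem /home/ssl/ca-bundle.pem /var/qmail/control/servercert.pem qmaild`. If clientcert.pem is a symlink to servercert.pem, follow up with `chmod 440` so qmailr can read it through its qmail group, as described in step 3.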

4. Verify the handshake

There is no "cleartext logging" switch for this. tcpserver's -x option names the compiled tcp.smtp.cdb rules file, and its -v option only logs connections; neither shows TLS details, which are negotiated inside qmail-smtpd. The direct check is to connect the way a remote MTA does and read what the server presents:

# openssl s_client -connect mail.example.com:25 -starttls smtp -servername mail.example.com </dev/null

Replace mail.example.com with your host name. In the output, "Verify return code: 0 (ok)" means the chain validated against the local trust store; the subject and issuer lines should show your CA-signed certificate rather than the placeholder; and the Protocol and Cipher lines show what was negotiated. For an SMTPS instance on 465, drop -starttls smtp.

A new connection is enough to pick up the new file: tcpserver starts a fresh qmail-smtpd for every connection, and that process reads servercert.pem when the client sends STARTTLS, so nothing needs to be restarted for a certificate change.

5. Send test email

Send a message from this server to an account at a TLS-capable provider and read the Received: header that provider added; it records whether the hop from your server was encrypted. Then send in the other direction and check qmail-smtpd's log (/var/log/qmail/smtpd/current with the usual multilog setup; add -v to the tcpserver line if you want per-connection entries) for the connection and for any TLS error the sender reported.

If both directions pass, your CA-signed certificate is correctly loaded by Qmail.

6. Restart only what you changed

If you edited a run script along the way (for example to add -v), restart that supervised instance rather than all of qmail:

# svc -t /service/qmail-smtpd

Use your distribution's init script instead if qmail is not run under daemontools. Certificate changes alone need no restart, as noted above.
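The s_client check above is worth scripting, both for the initial verification and as the expiry monitor the maintenance section asks for. The following is an added example for this guide, not qmail or OpenSSL code: one function runs the probe exactly as described (STARTTLS on 25/587 or implicit TLS on 465), and a second reduces the transcript to pass/fail by requiring a verified chain and a leaf certificate that stays valid for a given number of days. It assumes openssl 1.1.1 or newer on PATH and that the host name you pass is the one the certificate must cover (it is sent as SNI). Only the transcript analysis is exercised offline; the probe needs a live server.

```bash
# Added example, not part of qmail or OpenSSL.
# Assumptions: openssl 1.1.1+ on PATH; HOST is both the connect target and
# the name the certificate must cover.
set -eu

# Usage: smtp_tls_probe HOST PORT starttls|smtps  > transcript
# Thin wrapper around s_client; all judgement lives in tls_transcript_check.
smtp_tls_probe() {
    host="$1"; port="$2"; mode="$3"
    if [ "$mode" = starttls ]; then
        openssl s_client -connect "$host:$port" -servername "$host" -starttls smtp -showcerts </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>&1
    fi
}

# Usage: tls_transcript_check MIN_DAYS < transcript
# Exit 0 only if the chain verified and the leaf stays valid for MIN_DAYS more days.
tls_transcript_check() {
    min_days="$1"
    tmp=$(mktemp)
    cat > "$tmp"
    rc=0
    # 1. The chain must verify against the local trust store; anything else means
    #    remote MTAs doing opportunistic TLS will at best fall back to cleartext.
    if ! grep -q 'Verify return code: 0 (ok)' "$tmp"; then
        echo "FAIL: chain did not verify: $(grep 'Verify return code' "$tmp" || echo 'no verify line, handshake failed?')"
        rc=1
    fi
    # 2. Pull the first (leaf) certificate out of the transcript and check its expiry.
    leaf=$(awk '/BEGIN CERTIFICATE/{p=1} p{print} /END CERTIFICATE/{exit}' "$tmp")
    if [ -z "$leaf" ]; then
        echo "FAIL: no certificate in transcript"
        rc=1
    elif ! printf '%s\n' "$leaf" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: leaf expires within $min_days days: $(printf '%s\n' "$leaf" | openssl x509 -noout -enddate)"
        rc=1
    fi
    # 3. Report what was actually negotiated, for the record.
    grep -E '^ *(Protocol|Cipher) *:' "$tmp" | sed 's/^ *//' || true
    rm -f "$tmp"
    return $rc
}
```

Typical use is `smtp_tls_probe mail.example.com 25 starttls | tls_transcript_check 14`; run it from a host outside your network so the firewall is tested too, and from cron so an expiring certificate is caught while there is still time to renew.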

This completes the main Qmail SSL installation steps. But additional tweaks are still needed for running it more securely.

Post Installation Security Measures

You've installed a certificate that encrypts the SMTP sessions between your Qmail server and the remote hosts that deliver mail to it or accept mail from it.

It does nothing for the other two paths that carry credentials and message content: your users' mail clients submitting outgoing mail, and their POP or IMAP access to mailboxes. (Local delivery itself, qmail-local writing to a Maildir, never crosses the network and needs no TLS.)

To close those paths as well, follow these additional steps:

1. Require authentication for submission, and keep relaying closed

Qmail decides who may relay with the RELAYCLIENT environment variable, set per client address by the tcp.smtp rules that tcpserver loads through its -x option; a client without it may only send to the domains listed in control/rcpthosts. Authenticated relaying is not in stock qmail at all: it comes from an SMTP AUTH patch (commonly combined with the TLS patch), which grants relaying after a successful AUTH. Local programs on the server do not go through SMTP at all; they inject mail through qmail-inject or the sendmail wrapper.

Note that tcpserver's -R flag has nothing to do with any of this: it disables IDENT (RFC 1413) lookups, which is worth doing for speed, but it rejects nothing.

The usual layout is two qmail-smtpd instances: port 25 for incoming mail from other MTAs, with relaying only from loopback and your own networks, and port 587 (or 465 in SMTPS mode) for your users, where the run script passes a checkpassword program to qmail-smtpd and clients must authenticate. A minimal tcp.smtp for the port 25 instance:

127.:allow,RELAYCLIENT=""
:allow

Compile it after every change; tcpserver reads the .cdb, not the text file:

# tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

Never write :allow,RELAYCLIENT="" as the catch-all rule: that makes the server an open relay. On the submission instance, make sure AUTH PLAIN and AUTH LOGIN are only accepted after STARTTLS, or run that instance in SMTPS mode only, since both mechanisms send the password in the clear otherwise; how to enforce that depends on the AUTH patch you built in, so check its options.

2. Configure the POP/IMAP server

POP and IMAP are not served by Qmail; a separate daemon such as Dovecot reads the Maildirs that qmail-local wrote. The same certificate and key can be reused there, but the daemon runs as its own user, so give it its own readable copy rather than qmail's file. Configure it so that mailbox access is TLS only, on the implicit-TLS ports:

993   (IMAPS)
995   (POP3S)

and either disable the plaintext ports 110 and 143 or keep them only with STARTTLS and plaintext authentication disabled (in Dovecot: ssl = required and disable_plaintext_auth = yes). These ports face your users, not loopback; what matters is that no password can be sent unencrypted.

3. STARTTLS on 25/587 and SMTPS on 465

The qmail-tls patch offers STARTTLS automatically on every qmail-smtpd instance as soon as control/servercert.pem exists; there is no STARTTLS directive to add, and tcp.smtp cannot switch it on or off per port. Server-to-server mail uses STARTTLS on port 25, and that is what remote MTAs expect.

For client submission, implicit TLS on 465 (SMTPS) is preferable to STARTTLS on 587: the session is encrypted from the first byte, so an attacker on the path cannot strip the STARTTLS offer and watch a lenient client continue in cleartext. With qmail-tls, SMTPS mode is selected by setting the SMTPS environment variable for that instance, either in its run script or in the tcp.smtp rules it loads:

:allow,SMTPS=""

Keep a separate rules file (and compiled .cdb) per instance so that the 465 instance gets SMTPS and the port 25 instance does not. Restart an instance with svc -t after changing its run script; rule changes only need tcprules. Clients can then use 465 (SMTPS) or 587 with STARTTLS, and remote MTAs keep using STARTTLS on 25.
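Because one misplaced RELAYCLIENT turns the server into an open relay, the rules file deserves a check before every tcprules run. The script below is an added example for this guide, not part of qmail or ucspi-tcp: it audits a tcp.smtp file for relay grants that are too broad, using the tcprules syntax (address:allow|deny followed by optional VAR="value" settings, where an empty address matches every client). The two sample rule sets it writes are constructed for the example and are not from any real server; tcprules itself is not invoked.

```bash
# Added example, not part of qmail or ucspi-tcp.
# Assumes tcprules syntax: address:allow|deny[,VAR="value"...]; an empty
# address is the catch-all rule.
set -eu

# Usage: audit_tcp_smtp FILE
# Prints one line per finding; exits 1 if any rule grants RELAYCLIENT to every client.
audit_tcp_smtp() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            i = index($0, ":")
            if (i == 0) { printf("MALFORMED: line %d has no colon: %s\n", NR, $0); next }
            addr  = substr($0, 1, i - 1)
            rest  = substr($0, i + 1)
            split(rest, parts, ",")
            instr = parts[1]
            relay = (rest ~ /(^|,)RELAYCLIENT=/)
            if (instr != "allow" && instr != "deny") {
                printf("MALFORMED: line %d has instruction \"%s\": %s\n", NR, instr, $0); next
            }
            if (instr == "allow" && relay && addr == "") {
                printf("OPEN RELAY: line %d sets RELAYCLIENT for every client: %s\n", NR, $0)
                bad++
            } else if (instr == "allow" && relay && addr ~ /^[0-9]+\.$/) {
                printf("WARNING: line %d relays for an entire /8 (%s): %s\n", NR, addr, $0)
            } else if (instr == "allow" && relay && addr ~ /^=/) {
                printf("WARNING: line %d relays by reverse-DNS name, spoofable unless tcpserver runs with -p: %s\n", NR, $0)
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample rule sets (not from any real server) to run the audit on.
write_sample_rules() {
    dir="$1"
    # Correct: relay only from loopback and the LAN; everyone else may only deliver to rcpthosts.
    cat > "$dir/tcp.smtp.good" <<'EOF'
# loopback may relay (webmail on this host submits over SMTP)
127.:allow,RELAYCLIENT=""
# the office LAN may relay
192.168.1.:allow,RELAYCLIENT=""
# everyone else: accept mail for our domains only
:allow
EOF
    # Wrong: the catch-all rule grants RELAYCLIENT, so any host on the internet may relay.
    cat > "$dir/tcp.smtp.bad" <<'EOF'
127.:allow,RELAYCLIENT=""
:allow,RELAYCLIENT=""
EOF
}
```

Wire it in front of the compile step, for example `audit_tcp_smtp /etc/tcp.smtp && tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp`, so a bad rules file never reaches the .cdb that tcpserver actually reads.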

That completes common best practices for a robust Qmail SSL installation.

Maintenance Guidelines

Following certain guidelines will help keep your SSL setup running optimally for longer periods:

  • Monitor Expiry: Track certificate expiry dates (openssl s_client reports them) and renew well in advance; remote MTAs with DANE or MTA-STS policies will stop delivering to an expired certificate.
  • OS & Software Updates: Keep the operating system, OpenSSL and Qmail patched by promptly applying security fixes; the TLS code qmail-smtpd runs is OpenSSL's.
  • Protocol Upgrades: Review the cipher lists in control/tlsserverciphers and control/tlsclientciphers (qmail-tls) when TLS guidance changes, and make sure SSLv3, TLS 1.0 and TLS 1.1 are no longer accepted.
  • Access Control: Review ownership and mode of the files under control/ regularly; servercert.pem holds the private key and must never become world-readable.
  • Key Management: Generate a new private key at each renewal rather than reusing the old one, and use SHA-256 signatures; key size is covered in the FAQ below.

Building a routine around these practices reduces the risk profile over time and contributes to reliable long-term functioning of Qmail with SSL.

Troubleshooting Common SSL Problems

Review below how to diagnose some often-encountered problems with Qmail SSL deployments:

1. SMTP handshake failures in logs

A handshake that fails before any application data means qmail-smtpd could not load or present the certificate, or negotiated nothing the client accepts.

  • Confirm servercert.pem exists, is owned by and readable by qmaild, and that openssl s_client -starttls smtp shows your certificate rather than an error
  • Check the private key matches the certificate: openssl pkey -in servercert.pem -pubout and openssl x509 -in servercert.pem -noout -pubkey must print the same key
  • Confirm the key is PEM and unencrypted (no ENCRYPTED header); a DER or passphrase-protected key looks like a handshake failure from the client's side
  • With qmail-tls, check that the DH parameters its make tmprsadh target generates exist in control/; without them the server answers STARTTLS with a 454 temporary failure
  • Check the cipher list in control/tlsserverciphers (if present) still contains something modern clients offer

2. SMTP auth failures for local users

If mail clients cannot authenticate on the submission port even with valid credentials:

  • Check the run script of that instance passes the checkpassword program and its subprogram as arguments to qmail-smtpd, in the form your SMTP AUTH patch expects (commonly qmail-smtpd hostname /path/to/checkpassword /bin/true)
  • Check the client actually completes STARTTLS before AUTH; many clients refuse plaintext authentication, so a certificate problem surfaces as an authentication failure
  • Restart that instance (svc -t on its supervise directory) after changing the run script; tcp.smtp changes only need tcprules to recompile the cdb

3. Remote delivery rejections

Remote MTAs deliver to port 25 and, under opportunistic TLS, fall back to cleartext rather than rejecting when your certificate is bad. Outright TLS rejections therefore usually come from senders that enforce verification (DANE or MTA-STS), or from your own qmail-remote, which with qmail-tls requires a verified certificate from any host that has a file under control/tlshosts/:

  • Validate that the certificate covers the name in your MX record and that servercert.pem includes the intermediate chain
  • Ensure the firewall is not blocking inbound port 25; port 465 is for client submission and remote MTAs never use it
  • From outside your network, run openssl s_client -connect yourhost:25 -starttls smtp and check for "Verify return code: 0 (ok)"

Conclusion on Install SSL Certificate on Qmail

Installing a certificate gives Qmail transport-layer security: messages are encrypted on the wire between your server and each host it talks to.

Combined with authenticated submission, closed relaying and TLS-only mailbox access, that protects credentials and message content on every hop your server handles. It is not end-to-end encryption: each MTA along the path still holds the message in cleartext, so use PGP or S/MIME when the content itself must be hidden from intermediaries.

Obtain the certificate from a publicly trusted CA, keep the cipher and protocol configuration current, and manage the private key with the same care as any other credential.

Encrypting an MTA's traffic is no longer an optional nice-to-have; it is the baseline that remote servers and mail clients now expect.

Frequently Asked Questions on Install SSL Certificate on Qmail

Does Qmail support SNI for multiple SSL sites?

Not in the way a web server does. Stock qmail has no TLS at all, and the qmail-tls patch has a single certificate file, control/servercert.pem, that it presents to every client, so you cannot select among several certificates by name on one qmail-smtpd instance. This rarely matters for SMTP: remote MTAs connect to the name in your MX record, so issue one certificate that covers that host name (with subjectAltName entries for any other names your clients use) and you are done. Do not assume SNI support from a date you read somewhere; check your patch version's changelog and test each name with openssl s_client -servername.

Can I use self-signed certificates instead for encrypting Qmail?

Yes for the server-to-server hop: remote MTAs use opportunistic TLS and, unless they enforce DANE or MTA-STS, encrypt to a self-signed certificate without complaint. Your users' mail clients are another matter: they verify certificates and will warn or refuse, and training users to click through those warnings is worse than no TLS. Get a certificate from a publicly trusted CA (several issue them free of charge) for any server that faces mail clients.

Do SMTP servers see my messages if using SSL?

Yes. TLS in Qmail encrypts the connection between two adjacent SMTP servers; it is hop-by-hop, not end-to-end. Every MTA on the path, including any relay between you and the recipient's server, decrypts the message, stores it in cleartext, and re-encrypts it only if the next hop offers TLS. Only end-to-end encryption such as PGP or S/MIME keeps the content from intermediaries.

Does STARTTLS provide the same security as implicit SSL?

Once the handshake has completed, the encryption is the same; the difference is how the session gets there. With implicit TLS (port 465) the TLS handshake is the first thing on the connection. With STARTTLS the client connects in cleartext, sees STARTTLS among the server's EHLO capabilities, and then upgrades; an attacker on the path can remove that capability from the EHLO response, and a client that does not insist on TLS will carry on in cleartext. For server-to-server mail on port 25, STARTTLS is the only option (DANE or MTA-STS is what closes the downgrade hole there). For client submission, prefer implicit TLS on 465, or configure clients to require STARTTLS on 587.

What ports does Qmail use for SSL?

Qmail itself listens on nothing; each port is a tcpserver instance you start under supervise. The conventional layout is port 25 with STARTTLS for incoming mail from other MTAs, port 587 with STARTTLS and/or port 465 in SMTPS mode (the SMTPS environment variable with qmail-tls) for authenticated client submission, and 993 (IMAPS) and 995 (POP3S) on the POP/IMAP daemon for mailbox access. None of these are loopback-only; clients connect to them from wherever they are.

Can I renew an existing Qmail server SSL without reinstalling?

Yes. Assemble the renewed key and certificate into control/servercert.pem exactly as for the first installation (write to a temporary file in the same directory and rename it) and keep the same ownership and mode. No restart is needed: tcpserver starts a fresh qmail-smtpd for every connection, and that process reads servercert.pem when the client sends STARTTLS, so the next connection already uses the new certificate. Confirm with openssl s_client -starttls smtp and check the expiry date it reports.

Is 2048-bit encryption strong enough for Qmail SSL?

Yes for RSA. 2048-bit RSA is the minimum publicly trusted CAs issue today and is adequate for the lifetime of any certificate you can obtain; the weak points of a mail TLS deployment are old protocol versions, missing intermediate chains and plaintext fallback, not the key size. If you want more margin, 3072- or 4096-bit RSA is supported at the cost of a slower handshake on every connection, or use an ECDSA P-256 key, which is both stronger and faster, if your qmail-tls version and OpenSSL accept it. Use SHA-256 signatures regardless of key size.