Lets make sure that you are running the latest version of John Simpsons qmail patch. If you are not, this may not be applicable. Please visit http://qmail.jms1.net/patches/combined-details.shtml . Qmailrocks users please read the section IN RED.
Copied with permission from:
Install ucspi-ssl First!
If you are using FreeBSD, the port is at /usr/ports/sysutils/ucspi-ssl
If you are not using FreeBSD, the URL is at http://www.superscript.com/ucspi-ssl/intro.html
This is an SSL-only service. It only accepts mail from authorized clients- it requires the AUTH command before accepting any messages. This makes an ideal "SMTP relay service" for your authorized users.
# cd /var/qmail/supervise
# mkdir -m 1755 qmail-smtpd-ssl
# cd qmail-smtpd-ssl
# fetch http://goodcleanemail.com/files/run.smtp.sslserver
# mv run.smtp.sslserver run
# vi run
This will start up a text editor on the script. I prefer vi, but you are free to use pico, nano, emacs, or any other text editor you like. Set the options as needed for your service. The file itself contains documentation on the options you can set.
You should set the following values:
IP=188.8.131.52 Substitute your own IP address. Do not leave this set to 0 without a good reason.
PORT=465 Set the port number we will be listening on.
SSL=1 Run an SSL-only service.
FORCE_TLS=0 Ignored for SSL services.
DENY_TLS=0 Ignored for SLS services.
AUTH=1 Allow the AUTH command.
REQUIRE_AUTH=1 Refuse to accept mail from clients who have not done AUTH.
Once you are finished editing and have saved the file...
# chmod 700 run
# mkdir -m 755 log
# cd log
# fetch http://goodcleanemail.com/files/run.log
# mv run.log run
# chmod 700 run
Creating an SSL key file
If you are setting up an SSL or TLS server, you will need to create a /var/qmail/control/servercert.pem file. This file contains the public and private keys used to set up SSL or TLS encryption. It should be readable to the userid which your "qmail-smtpd" program runs as (which is normally the "qmaild" user.) Part of the file is a "certificate", which is the public key with a signature applied to it. This is the same kind of signature used when you create an SSL key for use with a secure web site- in fact, if you already have such a certificate from an SSL web site, you can use it (with the matching ".key" file) to build this .pem file.
As long as the key and the certificate are both stored in PEM-encoded format, you can "cat" the files together and save the result as "servercert.pem", and it will work. If you don't have such a key, you can create a key and then sign it using itself (also known as a "self-signed" certificate.) Clients will complain about the certificate not being signed by a trusted certificate authority, but the encryption is just as secure. The following example shows how to create a self-signed certificate which expires ten years from the date it was created.
# cd /var/qmail/control
# openssl req -newkey rsa:1024 -x509 -nodes -days 3650 -out servercert.pem -keyout servercert.pem
Generating a 1024 bit RSA private key
writing new private key to 'servercert.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]: Country
State or Province Name (full name) [Some-State]: State
Locality Name (eg, city) : City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Your Name (optional)
Organizational Unit Name (eg, section) : Optional
Common Name (eg, YOUR name) : Not Optional, see below
This name MUST MATCH the name your clients will put into their mail program as their SMTP server name.
Email Address : Email (Not Optional)
# chown root:nofiles servercert.pem
The "nofiles" group is the group which "qmaild" belongs to. This combination of ownership and permissions allows qmail-smtpd to read the key, but not change or delete it.
# chmod 640 servercert.pem
# cp servercert.pem clientcert.pem
# chown root:qmail clientcert.pem
The "qmail" group is the group with the "qmailr" user belongs to. This user should be able to read, but not write, the clientcert.pem file.
# chmod 640 clientcert.pem
Setting up the tcpserver access files
If you have already setup the Makefile, skip down to Creating the smtpssl file. I do something a little different with my tcpserver access control files than most other people. Instead of calling the files /etc/tcp.smtp and /etc/tcp.smtp.cdb (the files are in /etc/ and have names which start with "tcp.") I call them /etc/tcp/smtp and /etc/tcp/smtp.cdb. The idea is that /etc/tcp is a directory containing all of my tcpserver access control files, along with a Makefile which rebuilds any out-of-date cdb files whenever their source text files have been updated.
If you use the "run" scripts from my web site, you will find them written this way. Of course you can edit the scripts and change the filenames if you like, but I have found this to be a much easier way to administer the control files (I use tcpserver for a lot more than just qmail.)
To set this up on your own server, These commands should be run as root.
# mkdir -m 755 /etc/tcp
# cd /etc/tcp
# fetch http://goodcleanemail.com/files/etc-tcp-makefile
# mv etc-tcp-makefile Makefile
Creating the smtpssl file
At this point it should be ready to go- all you need to do is create the "smtpssl" file, containing the normal access control list. It may look something like this:
Edit the makefile and add smtpssl.cdb, save and exit
or if you're not running FreeBSD:
Run the following:
# cd ~vpopmail/bin
# chown vpopmail:vchkpw vchkpw
# chmod 6711 vchkpw
The final step is to start the service running.
# ln -s /var/qmail/supervise/qmail-smtpd-ssl /service/
# svstat /service/qmail-smtpd-ssl
/service/qmail-smtpd-ssl: up (pid 25832) 7 seconds
The number of seconds should be two or greater, and if you re-run the same command again, you should see the count going up rather than cycling back to zero. If the count never passes three, or if the service is not listed as "up" to start with, check the logs to see what's going on.
# tail log/main/current