Before you start you need libssl-dev and qmail-uids-gids packages installed (or you can create qmail users/groups manually according to qmail README.
Make the debian package:
$ git clone https://github.com/devane/netqmail-1.06-tls
$ cd netqmail-1.06-tls
$ dpkg-buildpackage -uc
Source contains extracted source from Debian Testing package of netqmail-1.06 + debian patches + TLS patch (from http://inoa.net/qmail-tls/)
Install the package:
# dpkg -i ../qmail_1.06-6_amd64.deb
Make the package 'hold' so it won't be updated in next qmail update.
# echo "qmail hold" |dpkg --set-selections
To generate certificates for TLS change to netqmail-1.06-tls directory and then:
$ make cert
Answer the questions and then copy generated .pem file in /var/qmail/control/servercert.pem . Clientcert.pem is the same so make a link:
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
If there is no certificates in control directory the server will answer on EHLO that there is no TLS supported:
$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.
220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-PIPELINING
250 8BITMIME
If there is correct pem file in control dir EHLO will show STARTTLS support:
$ telnet mail.domain.com 25
Trying mail.domain.com...
Connected to mail.domain.com.
Escape character is '^]'.
220 mail.domain.com blah-blah ready SMTP
ehlo
250-mail.domain.com blah-blah ready SMTP
250-STARTTLS
250-PIPELINING
250 8BITMIME
When a 2048 bit RSA key is provided in /var/qmail/control/rsa2048.pem this key will be used instead of (slow) on-the-fly generation by qmail-smtpd.
Generate DH file:
# openssl genrsa -out /var/qmail/control/rsa2048.pem
That is all. Qmail now is ready for STARTTLS connections. You should see in message source of every mail something like this:
Received: from unknown (HELO mail.superhosting.bg) (195.191.148.117)
by 0 with ESMTPS (DHE-RSA-AES256-SHA encrypted); 18 Jul 2017 13:34:05 -0000
You can test if smtp server supports STARTTLS with openssl command line (example is for google.bg mx):
$ openssl s_client -connect google.com.s9a2.psmtp.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = mx.google.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGoTCCBYmgAwIBAgIIYOJxdtm1IIIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzEyMTIyNjQ1WhcNMTcxMDA0MTE1NzAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNbXgu
Z29vZ2xlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKoxfLCz
daupDLdRGgdWDoaRQyGcMBSfAocOmRu1lqUZsyi0lpahF5wwu3p07QUY5TFfGkmh
K3vM8MRwDYsUYicromAsbknZiPjYJyHHrZE/XzmLkcPI+bBHGvE+O+iJDpwvGk3Z
Yfs3/GIBywP+CPUAnDSkPNumvY6A4gWLKzFTVtBCnOFMxD9KMwJvFi3PfLIgavn8
sLlpZZf6RAsZB5zskMpaMvjsl4ta83eTO4MAkAQmBN5xQIXtCHtt6atyIcy1i+sA
PKqtwb4wuAaPLGl90BFdb7F357R4Vb53UThr7k/3yt8kyCwfp0Y9/m3M2Pc5ZWdC
pKvRmwkhhnqB/WECAwEAAaOCA20wggNpMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjCCAjkGA1UdEQSCAjAwggIsgg1teC5nb29nbGUuY29tghdhbHQxLmFz
cG14LmwuZ29vZ2xlLmNvbYIfYWx0MS5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNv
bYIdYWx0MS5nbXItc210cC1pbi5sLmdvb2dsZS5jb22CF2FsdDIuYXNwbXgubC5n
b29nbGUuY29tgh9hbHQyLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQy
Lmdtci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIXYWx0My5hc3BteC5sLmdvb2dsZS5j
b22CH2FsdDMuZ21haWwtc210cC1pbi5sLmdvb2dsZS5jb22CHWFsdDMuZ21yLXNt
dHAtaW4ubC5nb29nbGUuY29tghdhbHQ0LmFzcG14LmwuZ29vZ2xlLmNvbYIfYWx0
NC5nbWFpbC1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0NC5nbXItc210cC1pbi5s
Lmdvb2dsZS5jb22CEmFzcG14LmwuZ29vZ2xlLmNvbYIVYXNwbXgyLmdvb2dsZW1h
aWwuY29tghVhc3BteDMuZ29vZ2xlbWFpbC5jb22CFWFzcG14NC5nb29nbGVtYWls
LmNvbYIVYXNwbXg1Lmdvb2dsZW1haWwuY29tghpnbWFpbC1zbXRwLWluLmwuZ29v
Z2xlLmNvbYIRZ21yLW14Lmdvb2dsZS5jb22CGGdtci1zbXRwLWluLmwuZ29vZ2xl
LmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0dHA6Ly9wa2kuZ29v
Z2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6Ly9jbGllbnRzMS5n
b29nbGUuY29tL29jc3AwHQYDVR0OBBYEFI3zlxPuB6qYk5LY0mZT0tGcvNP1MAwG
A1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWBtrtiGrpagS8wIQYD
VR0gBBowGDAMBgorBgEEAdZ5AgUBMAgGBmeBDAECAjAwBgNVHR8EKTAnMCWgI6Ah
hh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3JsMA0GCSqGSIb3DQEBCwUA
A4IBAQADKHpAjici5XzZXXaTzfFsOe0Kmib+FI+TECQVS4qBgvZ4hRhG3robiSyR
0RJBadT+swzTu96nE7Np9pAgZ6VT7fapCWnxR9ETslqo237X+6v6Jbuv3/EqHUey
43VGs+10cZPGC5+zZ/hOlizwM5mSjtv/8byp7MFiGEBpIvyub+dLHVh6C3OgRmd3
REC/ta8FmQ2mWieTr/iCoY2+ywwKmvfw/04KaBTosUt9Ah8jtcTIjkK2tUl8ZrCE
/0ezZXGYO+C7CReDLjQWDDdUOPntx7AcjhkPf3V6BhTjWXhwF5Z2EFkFgGbJMOJC
q6hLiGRQPeo3e2OQ5uxk5gY6qO2H
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4598 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 9C4C99B3836290C5DF1F7375390EE4D827601E06A0E05B7BCBA863610722895E
Session-ID-ctx:
Master-Key: 92BFA180AE310D72FF0A94F1D56DAF802FB37FB78EAC9EB91D7909949AE53E943A593DCDC314FFB01F923B9EC1906D6B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 00 36 a0 e1 35 64 47 64-26 f7 d9 dc d5 0f cc 03 .6..5dGd&.......
0010 - 18 b1 15 ed 44 ba 2a 20-01 9c b2 d7 9a d0 f2 07 ....D.* ........
0020 - 21 7c 03 a0 13 b8 ec 5d-d4 a5 6d 44 48 db d3 02 !|.....]..mDH...
0030 - ef 3e d5 64 80 b6 a6 e2-dd 1a 74 15 b0 9d e8 d2 .>.d......t.....
0040 - d0 da 18 4a a1 86 40 df-4a 8f 53 41 1c 85 20 08 ...J..@.J.SA.. .
0050 - b5 f9 c3 3c 8a b9 99 c9-a2 9c df 8b f4 02 34 65 ...<..........4e
0060 - 28 4e 30 71 fe c7 7b b1-cc ee 21 32 c5 c9 77 f2 (N0q..{...!2..w.
0070 - 7e 6d 6d fe f2 5c 1e fb-bf 12 23 8c 08 18 c3 46 ~mm..\....#....F
0080 - 15 40 7a 16 3a d1 48 24-06 f5 84 fa b9 4e eb c3 .@z.:.H$.....N..
0090 - 39 d2 22 9b ec 31 10 f9-69 29 0b 9c cb 87 a1 22 9."..1..i)....."
00a0 - f9 68 58 fa 4e 53 e1 e3-03 e2 44 e2 17 6e 56 d2 .hX.NS....D..nV.
00b0 - a4 83 b0 a4 7f 7b ca dc-78 7d 51 dd 3d 1c 8f 86 .....{..x}Q.=...
00c0 - 36 4d 30 47 e6 6e cf 96-fb 96 9a d0 d3 e3 06 a5 6M0G.n..........
00d0 - 00 60 b0 12 97 e9 a3 de-28 cf .`......(.
Start Time: 1500646890
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
250 SMTPUTF8