Dirtbag's Blog

Getting smtp-auth to work on Gentoo with qmail

[ link: smptauth | tags: qmail gentoo | updated: Fri, 17 Apr 2020 12:08:25 -0400 ]

I've been using qmail for years and it's a nice software package, but it's damned hard sometimes to find accurate information on how to configure it. I finally got smtp-auth working on my server, and I enabled TLS as well. All the other smtp-auth howtos I've read assume that you're using vpopmail and virtual domains and other crazy shit that I'm just not using. Read on for how to just do straight-up smtp auth on Gentoo with the mail-mta/netqmail from portage.

First off, I will assume that you have qmail installed, configured, and working to some degree. I used "qmail-spp" and "ssl" in my USE flags. You will need the "ssl" flag in order to install qmail with the ability to encrypt when you authenticate to the smtp server. Here is some more info on TLS.

Anyway, you have mail-mta/netqmail installed with SSL/TLS capabilities. Next, you will need to emerge net-mail/checkpassword. After it's emerged, do

chmod 4755 /bin/checkpassword

This sets the setuid bit on checkpassword, because qmail does not run with the privileges necessary to actually use this program.

After that, you will need to edit your /var/qmail/control/conf-smtpd file and make sure you have a line that looks like the following:

QMAIL_SMTP_POST="/bin/checkpassword /bin/true"

Next, we need to download/compile/install the spp plugin from here. This is what will actually be doing the smtp authentication. The instructions on how to install it at that link are very simple.

Optional but highly suggested: if you want to do TLS authentication (and you really should), you need to generate a server certificate. First edit the /var/qmail/control/servercert.cnf file and fill in the appropriate fields. If you have ever done a self-signed cert with Apache, this should look familiar. After that, you can run

/var/qmail/bin/mkservercert

to generate the cert, but I would suggest that you edit the mkservercert script first and change the days variable in the script to something other than the default. This is what I used:

days="3650"

After you run the mkservercert script, you should have a nice new /var/qmail/control/servercert.pem file. Now we can test it.


jason@badman ~ $ telnet monsterjam.org 25
Trying 71.70.174.94...
Connected to monsterjam.org.
Escape character is '^]'.
220 monsterjam.org ESMTP
ehlo testing
250-monsterjam.org
250-STARTTLS 
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN CRAM-MD5 

Assuming you see the STARTTLS and the AUTH lines above, hopefully you are good to go. Next you just need to configure your email client to authenticate to the smtp server and optionally use TLS. Here is an example of what this should sort of look like in Thunderbird. In my configuration, I only had to put in my userid, not userid@domain.com.
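The same check can be scripted. This is an added example, not part of the original post or of qmail: it parses a pasted EHLO reply, confirms STARTTLS and AUTH are advertised, and flags the LOGIN and PLAIN mechanisms when they are offered on a connection that has not been upgraded to TLS. The function names and the finding strings are assumptions made for this sketch; the sample reply is the one from the telnet session above.

```python
import smtplib

# Mechanisms that put the password on the wire merely base64-encoded.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# EHLO reply copied from the telnet session on this page.
SAMPLE_EHLO = """250-monsterjam.org
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN CRAM-MD5
"""

def parse_ehlo(reply):
    """Return {KEYWORD: [PARAMS]} from the 250 lines of a pasted EHLO reply."""
    lines = [l.strip() for l in reply.splitlines() if l.strip().startswith("250")]
    features = {}
    for line in lines[1:]:          # the first 250 line is only the server's name
        words = line[4:].split()    # drop "250-" or "250 "
        if words:
            features[words[0].upper()] = [w.upper() for w in words[1:]]
    return features

def audit(features, tls_active=False):
    """List what is missing or risky in the advertised extensions."""
    findings = []
    mechs = set(features.get("AUTH", []))
    if not mechs:
        findings.append("AUTH is not advertised")
    if not tls_active and "STARTTLS" not in features:
        findings.append("STARTTLS is not advertised")
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed and not tls_active:
        findings.append("offered without TLS: " + " ".join(exposed))
    return findings

def probe(host, port=25):
    """Audit a live server before and after STARTTLS (needs network access)."""
    def feats(s):
        return {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = audit(feats(s))
        s.starttls()   # raises SMTPNotSupportedError if STARTTLS is missing
        s.ehlo()
        return before, audit(feats(s), tls_active=True)
```

For the reply above, audit() reports LOGIN and PLAIN as offered without TLS, which is the reason to set the mail client to use STARTTLS rather than leave it optional.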

Note: If you do heavy-duty smtpRBL like I do, you probably want to hop over to this dude's page and check out how to remedy this.

-db
