Apt Get Install Qmail

Here we are ! We 'll proceed with core install !

  1. We will install and configure Qmail-Scanner, ClamAV and SpamAssassin with the plugins Pyzor, Razor, and DCC. Clam Antivirus ClamAV is an open source antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats.
  2. Apr 15, 2015 sudo apt-get update sudo apt-get -y install qmail sudo qmailctl start. Ryan (Post author) August 26, 2019 at 12:13 pm Hi Adam.
  3. Mar 29, 2004 apt-get install qmail-src apt-get install procmail build-ucspi-tcp I tried to run the first line, and it said that it couldn't find the package.

Note: I will use root login from here. Dig mx yourdomain.com. Prerequisite packages for Qmail: apt-get install libldap2-dev libssl-dev openssl sharutils unzip maildrop perl-suid.

We 'll use the source package for Qmail itself written by Dan Bernstein. While Qmail is available as Debian source package, it ends up being installed with parts of it in very different places which would render much of the available documentation invalid. Thus, we’re going to stick with the source package instead. It’s a little old by itself but we’re going to supercharge it with John Simpson’s combined patch set shortly.

FYI: A very good visual representation of how Qmail works can be found in ‘The Big Qmail Picture’

Extract the sources

cd /usr/src/qmail
tar -zxvf /downloads/qmail-1.03.tar.gz


Patch it with John M. Simpson's combined patches (includes every patch which is part of netqmail-1.05 ... but also some others as you can see in the details section!)

cd /usr/src/qmail/qmail-1.03
patch < /downloads/patches/qmail-1.03-jms1-7.10.patch

Compile it

Make the man pages and config files available like the usual Debian way

echo 'MANDATORY_MANPATH /var/qmail/man' >> /etc/manpath.config
ln -s /var/qmail/control /etc/qmail

Now let's generate a secure certificate that will be used to encrypt your server's TLS encrypted SMTP sessions...

OPTIONAL : Even if you plan to use an officially signed certificate, please do the following and DO NOT use make cert here. You'll have the opportunity to use the same signed certificate for both TLS and courier at this step

sed -i 's/-days 366/-days 3650/' Makefile
make cert
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:Brussels
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company name
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Your FQDN server
Email Address []:Your e-mail adress

Adapt certificate permissions

cd /var/qmail/control
chmod 640 servercert.pem
chown vpopmail:vchkpw servercert.pem
rm clientcert.pem
cp servercert.pem clientcert.pem
chown root:qmail clientcert.pem
chmod 640 clientcert.pem


UCSPI-TCP (aka tcpserver) is a client/server program that manages TCP connections (like inetd or xinetd but this one has really useful features to work in combinaison with Qmail).

For more information on it, its home page is located here: http://cr.yp.to/ucspi-tcp.html

UCSPI-TCP has already been installed with a Debian package (here) but the SSL version has to be installed manually (it's not in the repository for licensing reason)

mkdir /packages
chmod 1755 /packages
cd /tmp
tar -zxvf /downloads/ucspi-ssl-0.95a.tgz
mv /tmp/host/superscript.com/net/ucspi-ssl-0.95a/ /packages
cd /packages/ucspi-ssl-0.95a/
rm -rf /tmp/host/
sed -i 's/local///' /packages/ucspi-ssl-0.95a/src/conf-tcpbin
sed -i 's/usr/local/etc/' /packages/ucspi-ssl-0.95a/src/conf-cadir
sed -i 's/usr/local/ssl/pem/etc/ssl/' /packages/ucspi-ssl-0.95a/src/conf-dhfile
openssl dhparam -check -text -5 1024 -out /etc/ssl/dh1024.pem (It takes long)

Pawel 'okno' zorzan urban - 17/06/2019 00:18

In debian 9.9 to compile qmail you need :

apt install libssl1.0-dev

hope this help.

Fiqri zailani - 11/06/2019 06:42


Strong cipher can be enable by editing the smtpd-ssl/run script

> under # options for tcpserver/sslserver add

and run qmailctl stop; killall -9 multilog; sleep 10; qmailctl start
hope this help..
Mami - 14/02/2019 17:40


I have debian 8.11 and problem with kompilations:

substdio.a error.a str.a fs.a auto_qmail.o

`cat dns.lib` `cat socket.lib` -lssl

/usr/bin/ld: qmail-remote.o: undefined reference to symbol 'OPENSSL_add_all_algorithms_noconf@@OPENSSL_1.0.0'

//usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0: error adding symbols: DSO missing from command line

collect2: error: ld returned 1 exit status

Can you ahelp me with this ?

Zinkro - 22/10/2018 03:50

sugested improvement:

install ucspi-ssl to manage ipv4/ipv6 ssl connections from https://www.fehcom.de/ipnet/ucspi-ssl.html

because is more updated version, ucspi-ssl 0.9x is a fork of Superscript's ucspi-ssl 0.70 version.

Install ucspi-tcp6 to manage ipv6 connections from https://www.fehcom.de/ipnet/ucspi-tcp6/ucspi-tcp6-1.10.tgz, ucspi-tcp6 is a fork of Dan Bernsteins's ucspi-tcp 0.88 version

Mark - 19/08/2018 16:52

I don't know if this helps or not....when I unzip ucspi-ssl-0.95a.tgz it seems to create a 'ucspi-ssl-master' directory in /tmp (at least I think it does). How to proceed?

Mark - 18/08/2018 17:03

Well, not quite. After

unzip /downloads/ucspi-ssl-0.95a,tgz

the next step is to:
mv ./tmp/host/superscript.com/net/ucspi-ssl-0.95a/ /packages

but the /tmp/host/superscript.com/... does not exist. Any idea on what I missed and how to proceed?
Many thanks....

Mark - 18/08/2018 16:53

(not a typo this time) I get an error at
tar -zxvf /downloads/ucspi-ssl-0.95a.tgz

saying that it has multiple entry points and to use unzip instead. So, first unzip the file and then run tar xvf ..... Right?

Mark - 13/08/2018 20:37

Please ignore previous comment. I have muscle memory which keys in 'ls' when I intend 'ln'.

Mark - 13/08/2018 19:39

Following along the install on Debian 8.11. I find that there is no /etc/qmail directory.

So, this step:
ln -s /var/qmail/control /etc/qmail

fails. Suggestions?

Apt-get Install Mailutils


Michiel - 22/01/2018 11:28

@Thomas - see the qmailtoaster website they use a different TLS setup and include patches from http://inoa.net/qmail-tls/ .
I understand that people like Qmail because of its security but all the used patches are way outdated and provide a new security hole in all used extra tools (daemontools, etc.)
I would recommend people using a different MTA with all the features on board en also good security and performance (OpenSMTPD, Postfix) or change this howto to use the qmailtoaster approach which still is a bunch of patches and hard to maintain with all the 3rd parties.
My 0,02 $

Nikolay - 01/12/2017 13:37

To successfully compile qmail on Debian 9 with

make setup check

you need to install

apt-get install libssl1.0-dev

Bob - 23/08/2017 06:45

Installing on ARM32 architecture gives an error where the -m64' flag is invalid. This happens on the package/compile command.

This can be solved by removing the -m64 argument from compile/load and src/conf-ld.

After that, everything works fine.

Thomas - 17/02/2017 09:21


I agree!

Have been working for a while now with ciphers and are trying to disable old versions - but that is not easy.

Have you found a solution?

Apt get install qmail freeMichiel - 10/08/2016 20:21

I really think the new documentation should have support for strong ciphers. SSLv2 and v3 are insecure (POODLE attack) and support for strong TLS ciphers (v1.2 with AES-256 etc) would be much appreciated and is much more suited anno 2016.

Think about the NSA and all those government agencies doing MiTM with weak SSL ciphers:

I love Qmail but with correct and up2date patches that support a modern mail setup.

Thanks for the documentation nevertheless :)



Bstd - 01/06/2015 09:55

I find it useful to edit the conf-spawn file before compiling, because there is a hardcoded limit of concurrent local and remote deliveries of 120. On a large server this is way too low. Personally, I prefer to set it to the maximum of 65000 and use the control/concurrencylocal and control/concurrencyremote files to actually set the amount of desired concurrent deliveries.


R0gu3ptm - 31/01/2015 13:02

It seems I found the problem:

Mazhar - 02/12/2014 04:57

getting following error, how could be slove it?

Bupyca - 08/10/2014 23:24

I've tried to google it but I came out with nothing.

I've tried to install ucspi-ssl-0.94 both on i386 and amd64, but I got the same error with package/compile:

Thibs - 27/08/2014 14:49

Sorry to hear that. I'm myself no longer using i386 since a long while.

I advice you to contact Erwin Hoffmann which is the author of the version I'm using in this guide

You can write him on : feh AT fehcom.de

Eric - 26/08/2014 14:47

Yes, it fails on the install. I have checked the other sources that you list on the page and other pages connected to the UCSPI-SSL. Each one I have tested and each one failed due to trying to run it on a i386.

Thibs - 26/08/2014 07:28


As it's source files, you need to compile yourself with the command


Does it fail to compile on i386 ?

Eric - 25/08/2014 21:15

Is there an UCSPI-SSL for i386? The one above is complied with AMD64.

Thibs - 20/08/2014 08:19

@Jay : no because it's not the goal of this tutorial. With a script, most of the time the sysadmin do not understand what he is doing

Jay - 19/08/2014 09:07

can you provide bash scripts to auto run the whole qmail installation?

Thibs - 08/08/2014 08:11

Hello Kenny,

Did you apply the patching of the source ?

Your error is 'errno.h' problem!

You can solve it by editing conf-cc
with the following :
gcc -O2 -include /usr/include/errno.h
This will be used to compile .c files.

... but it was supposed to be applied with the patching of the sources

Kenny - 07/08/2014 19:17

Hey! need some help with this:

Georgi georgiev (hip0)Apt - 18/09/2012 06:46

One other thing.

I'm not 100% sure but I think

(It takes long)

command can take less if you just randomly type something from the keyboard. If I remember correctly the input from keyboard is taken for better randomization salt. (This has to be checked by you however to just confirm).

Sudo Apt Get Install Build Essential

Doing so for me on 4GB memory host with 6Ghz cpu, took like 10 to 20 seconds.



Tomaszg - 11/04/2012 10:47

I've exported 3 certificate files (copy & edit PEM files co match .CRT data - left only lines between BEGIN... END..).

Then installed in client OS and it works. On Win7 it need to be installed in manually selected folder.

Thibs - 12/03/2012 21:24

@Tomaszg : To avoid message in mail client, you should put an official certificate in the part configure-courier.php.

Note that you can sign an official certificate for free on http://www.startssl.com/ ... but describing this is out of this guide scope

Tomaszg - 12/03/2012 12:48

I'm trying to figure out how to install mail system certificates on client side to avoid annoying 'SSL verification error' in mail client..

Thibs - 18/01/2012 01:04

@Michiel : I think I know why it's not working.

I've read http://www.thedumbterminal.co.uk/software/qmail_pci.shtml and it seems the patches used are netqmail-1.05-tls-smtpauth-20070417.patch and netqmail-1.06_tls_auth_high_sec.patch

In this guide, I use the combined patch http://qmail.jms1.net/patches/combined-details.shtml. If you look to the details, you'll notice that the smtpauth patch is not the same (qmail-smtpd-auth). Moreover, the second patch is not applied

Thibs - 18/01/2012 00:13

@Michiel : I've never tried to disable SSLv2 and don't know how to do.

Did you try to export a environment variable 'TLSCIPHERS' as suggested in http://www.qmailwiki.org/index.php/Qmail-control-files#control.2Ftlsserverciphers


if yes and if it's not working, I can just advice you to read this page http://qmail.jms1.net/tls-auth.shtml

You won't find there the answer you are looking for ... but it's a good start to learn about this

Michiel - 10/01/2012 13:36


I am trying to disable SSLv2 following http://www.qmailwiki.org/index.php/Qmail-control-files

But no mather what I do I always am able to get a SSLv2 connection on port 465 by testing:openssl s_client -connect mail.domain.com:465 -ssl2

Can you advise me how I can disable SSLv2? I think the TLS patch should take care of the /var/qmail/control/tlsserverciphers file but it does not, also settings the TLSCIPHERS variable in one of the /service/qmail-smtpssl/run of /service/qmail-smtp/run does not work.
SSLv2 is old and insecure, should be disabled by default :)

Thanks for your help.


Thibs - 02/09/2011 07:44

If you want to renew your certificates, you can follow this guide : http://www.pc-freak.net/blog/how-to-renew-self-signed-qmail-toaster-and-qmail-rocks-expired-ssl-pem-certificate/

Thibs - 30/03/2011 13:02

As you can read on http://qmail.org/netqmail/CHANGES, the only difference between netqmail 1.05 and netqmail 1.06 is the license.

Fred - 08/07/2010 15:06

What about the patches includes in netqmail-1.06