My Qmail installation guide

Nice, you are here for the extra mile.

The big picture: Qmail is bundled with a little but effective piece of anti-spam software, rblsmtpd, which stands in front of the smtpd server and checks DNS-based block lists of hosts known to disseminate spam, phishing attacks and other forms of malicious email. I can't just put this in front of my main Qmail installation because most of our users send legitimate email through dynamic IP addresses, many of which are listed in these lists. So, to be able to use this powerful (and, compared with SpamAssassin and Clamav, low on resources) tool, I will set up another Qmail instance, which I will call 'mx.domain.com'. This will be the server published in the DNS MX records, so incoming email will be filtered by rblsmtpd and then routed (with artificial smtproutes) to the main Qmail, which will check the email with Clamav and SpamAssassin. Our users will continue to send (and receive) through the main 'mail.domain.com' instance.

[Diagram: mail-system]

As much of this will be similar to the main Qmail instance, it will not be as detailed. So, check the previous page if needed.

17 – Install a jail for the Mail eXchanger

Create a jail, you know how to do that, right? I recommend an excellent article about FreeBSD jails with ezjail. Now enter the jail; the following operations, if not stated otherwise, are all done inside the newly created jail.

18 – Install daemontools and ucspi-tcp

cd /usr/ports/sysutils/daemontools 
make install clean

options selected: MAN, S_NORMAL, TESTS

add to /etc/rc.conf

svscan_enable="YES"
svscan_servicedir="/service"

make /service directory and start svscan

mkdir /service
/usr/local/etc/rc.d/svscan start

ucspi-tcp

cd /usr/ports/sysutils/ucspi-tcp 
make install clean

options selected: LIMITS, MANPAGES, RSS_DIFF

19 – Install Qmail itself

cd /usr/ports/mail/qmail-tls 
make install clean

options selected: BLOCKEXEC_PATCH , DISCBOUNCES_PATCH, SPF_PATCH

20 – Set up main aliases

Define the root, postmaster and mailer-daemon aliases to an account that you WILL later create.

cd /var/qmail/alias 
echo "myaccount@mydomain.com" > .qmail-root 
echo "myaccount@mydomain.com" > .qmail-postmaster 
echo "myaccount@mydomain.com" > .qmail-mailer-daemon

21 – Qmail configuration

First the tricky part: we must get lots of values from the main Qmail and keep them in sync, so we will use a nullfs mount. I really hope that you chose the ezjail path (if not, adapt to your system).

cd /var/qmail/control
mkdir main

Now exit the jail to the host environment and, if you created the jail with ezjail (I sure hope so), just edit /etc/fstab.mx_domain_com and add a line so ezjail can do the null mount for you.

/var/qmail/control /usr/jails/mx.domain.com/var/qmail/control/main nullfs ro 0 0

Restart and log on

/usr/local/etc/rc.d/ezjail restart mx.domain.com
ezjail-admin console mx.domain.com

And there you go: all the control files of the main Qmail are right in /var/qmail/control/main. Now we need to pull 3 of them with symbolic links (rcpthosts, morercpthosts and morercpthosts.cdb). In a new Qmail install, morercpthosts and morercpthosts.cdb don't exist, so touch them in the main host environment.

cd /var/qmail/control
rm rcpthosts
ln -s main/rcpthosts ./
ln -s main/morercpthosts ./
ln -s main/morercpthosts.cdb ./

Now, take care of the other configuration files (if in doubt about what you are doing, check the previous page, section 8).

echo "20" > concurrencyincoming
echo "20" > concurrencylocal
echo "30" > concurrencyremote
echo "domain.com" > defaultdomain
echo "domain.com" > envnoathost
echo "domain.com" > plusdomain
cp /dev/null locals
echo "mx.domain.com" > me
echo "172800" > queuelifetime
echo "120" > timeoutsmtpd 
echo "120" > timeoutremote
echo "4" > spfbehavior

Generate the certificate for TLS

openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
cat server.key server.crt > servercert.pem
chown qmaild servercert.pem

And the available ciphers files

openssl ciphers > /var/qmail/control/tlsclientciphers
openssl ciphers > /var/qmail/control/tlsserverciphers

Set up /etc/tcp.smtp; this is much simpler than the one in the host environment.

echo :allow,QMAILQUEUE=\"/var/qmail/bin/qmail-queue\" > /etc/tcp.smtp
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

Now the magic that makes this thing actually work: smtproutes, a file that lets us create artificial SMTP routes. Of all the mail that arrives, we only accept mail for the domains that are in rcpthosts (and morercpthosts), so we can send all of it to our main Qmail server.

echo ":aaa.bbb.ccc.ddd" > smtproutes
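A sanity check for the control directory built in this section, as an added example that is not part of the original guide: it verifies that the three files pulled from the main instance are working symlinks, that morercpthosts.cdb is not stale, that smtproutes carries the default route and that locals stayed empty. The helper that builds a sample layout in a temp directory is constructed here for trying it out.

```sh
#!/bin/sh
# Added example (not from the original guide): sanity-check the MX jail's
# /var/qmail/control after the nullfs mount, symlinks and smtproutes above.
# Usage: check_mx_control /var/qmail/control

check_mx_control() {
    ctl="$1"; rc=0
    # The three files pulled from the main instance must be symlinks into main/
    # that actually resolve (they dangle if the nullfs mount is missing).
    for f in rcpthosts morercpthosts morercpthosts.cdb; do
        if [ ! -L "$ctl/$f" ]; then
            echo "FAIL: $f is not a symlink into main/ (a copy drifts out of sync)"; rc=1
        elif [ ! -e "$ctl/$f" ]; then
            echo "FAIL: $f points at a missing file (is main/ nullfs-mounted?)"; rc=1
        fi
    done
    # A stale cdb means domains added to morercpthosts are still rejected here.
    if [ -e "$ctl/morercpthosts" ] && [ "$ctl/morercpthosts" -nt "$ctl/morercpthosts.cdb" ]; then
        echo "FAIL: morercpthosts.cdb is older than morercpthosts (rerun qmail-newmrh on main)"; rc=1
    fi
    # Without a default route (a line starting with ':') accepted mail has no
    # path to the main Qmail: qmail-send would try MX delivery, which points back here.
    if ! grep -q '^:' "$ctl/smtproutes" 2>/dev/null; then
        echo "FAIL: smtproutes has no default route (expected ':aaa.bbb.ccc.ddd')"; rc=1
    fi
    # locals must stay empty: anything listed there is delivered locally, not routed.
    if [ -s "$ctl/locals" ]; then
        echo "FAIL: locals is not empty"; rc=1
    fi
    return $rc
}

# Constructed sample layout mirroring this section, in a temp dir (for trying it out).
make_sample_control() {
    d=$(mktemp -d); mkdir -p "$d/main"
    echo "domain.com" > "$d/main/rcpthosts"
    : > "$d/main/morercpthosts"
    : > "$d/main/morercpthosts.cdb"
    for f in rcpthosts morercpthosts morercpthosts.cdb; do ln -s "main/$f" "$d/$f"; done
    echo ":aaa.bbb.ccc.ddd" > "$d/smtproutes"
    : > "$d/locals"
    echo "$d"
}
```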

22 – Qmail start-up scripts and directories

This is a simplified version of point 9.

cd /var/qmail/
edit rc

paste in the rc file content, save it and mark it executable

chmod +x rc

create the daemontools scripts directories

mkdir -p supervise/qmail-smtpd/log
mkdir -p supervise/qmail-send/log

and log directory

mkdir -p /var/log/qmail
chown qmaill /var/log/qmail

Now download and place the scripts for qmail-smtpd (/var/qmail/supervise/qmail-smtpd/run and /var/qmail/supervise/qmail-smtpd/log/run) and qmail-send (/var/qmail/supervise/qmail-send/run and /var/qmail/supervise/qmail-send/log/run). Don't forget to mark all the run scripts executable.

23 – Stop sendmail, replace sendmail with qmail and start qmail

/etc/rc.d/sendmail stop

and make it permanent in /etc/rc.conf

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

set up the FreeBSD mailwrapper in /etc/mail/mailer.conf

sendmail        /var/qmail/bin/sendmail
send-mail       /var/qmail/bin/sendmail
mailq           /var/qmail/bin/qmail-qread
newaliases      /var/qmail/bin/newaliases
hoststat        /var/qmail/bin/qmail-tcpto
purgestat       /var/qmail/bin/qmail-tcpok

Start Qmail

ln -s /var/qmail/supervise/* /service/

And yes, here you have a qmailctl tailored to this Qmail installation (without pop3).

24 – Wrapping up and final thoughts

Like in the main server, adjust the softlimit in /var/qmail/supervise/qmail-smtpd/run (check how to do this in the previous page).

Whenever you create a new domain in the main Qmail, you must reload this instance so it recognizes the domain as local. Lazy bastard that I am, I put this in a root cronjob running once every 15 minutes:

*/15 * * * * /usr/local/bin/qmailctl reload
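A variant of that cron job, as an added example that is not part of the original guide: it only runs the reload when the domain lists pulled from the main Qmail actually changed, so a new domain is still picked up within 15 minutes but the instance is not restarted needlessly. The state file path /var/db/mx-rcpthosts.sum and the script name mx-reload.sh are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): reload the MX instance only when
# rcpthosts/morercpthosts (symlinked from the main Qmail) changed since last run.
# Assumed paths: state file /var/db/mx-rcpthosts.sum, script /usr/local/sbin/mx-reload.sh.

# rcpthosts_changed STATEFILE FILE...
# Returns 0 (and records the new checksum) if the combined cksum of the FILEs
# differs from the one saved in STATEFILE, 1 if nothing changed.
rcpthosts_changed() {
    state="$1"; shift
    new=$(cat "$@" 2>/dev/null | cksum)
    old=$(cat "$state" 2>/dev/null)
    [ "$new" = "$old" ] && return 1
    printf '%s\n' "$new" > "$state"
    return 0
}

# What the cron job runs (root crontab: */15 * * * * /usr/local/sbin/mx-reload.sh).
mx_reload_if_needed() {
    if rcpthosts_changed /var/db/mx-rcpthosts.sum \
          /var/qmail/control/rcpthosts /var/qmail/control/morercpthosts; then
        /usr/local/bin/qmailctl reload
    fi
}
```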

Don't forget to configure the DNS MX record to point to this instance, and to have an A record like mail.domain.com to hand out to users.

The main weakness of this installation is that if a clever spammer discovers that mail.domain.com accepts incoming email for local domains, he can spam your users directly, bypassing the RBL tests.

Any comments, rants, soul pains, random thoughts are appreciated.
