Qmail PCI compliant patch: Overview
There is a widely used composite patch for the qmail mail server that adds SMTP AUTH and SSL/TLS support. The patch described on this page is a small addition to that patch: it tightens a few of the TLS settings required for PCI compliance.
The original SMTP/TLS patch is no longer maintained, so, with the consent of the previous maintainer, I have included a copy of it here. Please read the header of that patch, as it credits the original authors.
Improvements
- SSLv2 is disabled entirely (SSLv2 handshakes are refused).
- PLAIN and LOGIN are the only authentication mechanisms supported, and they are offered only once the session is protected by SSLv3/TLS, so a password is never accepted over cleartext SMTP (both mechanisms transmit the password itself).
SSLv3 has since been broken (POODLE, 2014) and PCI DSS 3.1 requires SSL and early TLS to be disabled, so with a current OpenSSL build only TLS should remain enabled.
Requirements
- Netqmail v1.06 (other versions untested)
Installation
- Download and extract netqmail v1.06 as normal.
- Download the two patches below to a temporary directory.
- Change into the extracted netqmail directory.
- Apply the original composite patch:
  patch </tmp/netqmail-1.05-tls-smtpauth-20070417.patch
- Apply the PCI patch:
  patch </tmp/netqmail-1.06_tls_auth_high_sec.patch
- Build and install qmail as usual.
- Configure the server cipher list (excluding low-quality ciphers):
  echo "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > /var/qmail/control/tlsserverciphers
- Configure the client cipher list (excluding low-quality ciphers):
  echo "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > /var/qmail/control/tlsclientciphers
This cipher string removes the anonymous, NULL, LOW and export suites but still allows RC4 and the other MEDIUM suites, which later PCI scans report as weak. Check what it actually expands to with "openssl ciphers -v" against the OpenSSL build qmail is linked with before relying on it.
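As an added example (not part of either patch or of the original page), the script below bundles the cipher configuration from the steps above with the two checks a practitioner would want before signing off: expanding the cipher string with the local OpenSSL to see which suites it really enables, and probing a running qmail-smtpd over STARTTLS with a single suite to confirm a weak one is refused. The /var/qmail/control path, the two file names and the cipher string are from the page; the openssl invocations, the weak-suite pattern, the stricter alternative cipher string and all function names are my own assumptions, and the suite names in the usage comments are constructed.

```shell
#!/bin/sh
# Added example: write and audit the qmail TLS cipher control files.
# Not part of the TLS/SMTP AUTH patch or the PCI patch. Assumes the
# /var/qmail/control layout from the page and an OpenSSL CLI on $PATH;
# function names, patterns and the stricter list below are assumptions.

# The cipher string recommended on the page (mod_ssl style).
CIPHERS='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'

# Assumed stricter alternative: HIGH only, and explicitly no RC4, 3DES or
# MD5-MAC suites, all of which later PCI scans report as weak.
CIPHERS_STRICT='HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5'

# Suite-name patterns to flag in an expanded list: RC4 (RFC 7465), single
# and triple DES, and any export or NULL suite that slipped through.
WEAK_SUITE_RE='RC4|DES-CBC|EXP|NULL'

# write_cipher_controls [dir] [list]
# Write the same list to tlsserverciphers and tlsclientciphers, as the two
# echo commands on the page do, but into an overridable directory.
write_cipher_controls() {
    dir="${1:-${QMAIL_CONTROL:-/var/qmail/control}}"
    list="${2:-$CIPHERS}"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$list" > "$dir/tlsserverciphers" || return 1
    printf '%s\n' "$list" > "$dir/tlsclientciphers" || return 1
}

# find_weak_suites
# Read suite names, one per line, on stdin. Print the weak ones and
# return 1 if there were any; print nothing and return 0 otherwise.
find_weak_suites() {
    weak=$(grep -E "$WEAK_SUITE_RE" || true)
    [ -z "$weak" ] && return 0
    printf '%s\n' "$weak"
    return 1
}

# audit_cipher_string [list]
# Expand the string with the local OpenSSL (the library qmail links
# against) and run the result through find_weak_suites. Returns 2 if the
# openssl CLI is missing, 1 if weak suites remain, 0 if the list is clean.
audit_cipher_string() {
    list="${1:-$CIPHERS}"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl CLI not found; cannot expand '$list'" >&2
        return 2
    fi
    openssl ciphers "$list" | tr ':' '\n' | find_weak_suites
}

# probe_suite host [port] suite
# Open a STARTTLS session to a running qmail-smtpd offering exactly one
# suite. TLS 1.2 is pinned because -cipher does not cover TLS 1.3 suites,
# so the probe assumes the server negotiates TLS 1.2. Relies on s_client
# exiting non-zero when the handshake fails.
probe_suite() {
    host="$1"; port="${2:-25}"; suite="$3"
    if openssl s_client -starttls smtp -connect "$host:$port" \
            -tls1_2 -cipher "$suite" </dev/null >/dev/null 2>&1; then
        printf '%s:%s ACCEPTED %s\n' "$host" "$port" "$suite"
        return 0
    fi
    printf '%s:%s rejected %s\n' "$host" "$port" "$suite"
    return 1
}

# Sub-command dispatch, so the file can also be sourced for its functions.
#   ./qmail-tls-check.sh audit                      # audit the page's list
#   ./qmail-tls-check.sh audit "$CIPHERS_STRICT"    # audit the strict list
#   ./qmail-tls-check.sh install "$CIPHERS_STRICT"  # write both control files
#   ./qmail-tls-check.sh probe mail.example.com 25 RC4-SHA  # expect rejected
case "${1:-}" in
    install) write_cipher_controls "" "${2:-$CIPHERS}" ;;
    audit)   audit_cipher_string "${2:-$CIPHERS}" ;;
    probe)   probe_suite "$2" "$3" "$4" ;;
esac
```

Run the audit on the same host that runs qmail-smtpd: a cipher string is only meaningful relative to the OpenSSL build that expands it, and a list that looks clean on the workstation can still enable 3DES on the server. After restarting qmail-smtpd, probe it with a suite the audit flagged and confirm the probe reports it rejected.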
Downloads
Patch | Notes |
---|---|
netqmail-1.05-tls-smtpauth-20070417.patch | Original composite patch |
netqmail-1.06_tls_auth_high_sec.patch | PCI Patch |