Using SMTP-TLS with qmail
In qmail it’s implemented using the STARTTLS command, and runs over the standard SMTP port (25) rather than a separate TLS-only port.
To get it to work, you’ll need a server certificate, in PEM format. The simplest way to get hold of one is to copy the one you used when securing IMAP:
# cp /etc/opt/bincimap/bincimap.pem /var/qmail/control/servercert.pem
# chmod 400 /var/qmail/control/servercert.pem
You’ll also need to make it readable by the user account under which qmail-smtpd is running. For a normal installation, this is qmaild.qmail. For my vpopmail installation, it’s:
# chown vpopmail.vchkpw /var/qmail/control/servercert.pem
If it’s not working, you can debug it by telnetting to port 25 on your host and typing in the STARTTLS command. The output is usually pretty descriptive. For example:
220 peculiar.differentpla.net ESMTP
HELO
250 peculiar.differentpla.net
STARTTLS
454 TLS missing certificate: error:0200100D:system library:fopen:Permission denied (#4.3.0)
That particular error means qmail-smtpd found servercert.pem but couldn’t open it, which is the ownership problem described above.
If it’s working, you should see the following:
220 peculiar.differentpla.net ESMTP
HELO
250 peculiar.differentpla.net
STARTTLS
220 ready for tls
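The same HELO/STARTTLS check, scripted so it can be run against your own server after each change. This is an added example, not code from the original post; the host name passed on the command line and the HELO name probe.example are placeholders, and the reply classification only recognises the replies shown above plus the generic "not implemented" codes.

```python
import re
import socket
import ssl

REPLY_RE = re.compile(r"^(\d{3})[ -](.*)$")

def parse_reply(line: str) -> tuple[int, str]:
    """Split a single-line SMTP reply such as '220 ready for tls' into (code, text)."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(m.group(1)), m.group(2)

def classify_starttls(reply: str) -> str:
    """Map the server's answer to STARTTLS onto a diagnosis string."""
    code, text = parse_reply(reply)
    if code == 220:
        return "ok"                 # "220 ready for tls"
    if code == 454 and "Permission denied" in text:
        return "cert-unreadable"    # servercert.pem exists but has the wrong owner/mode
    if code == 454:
        return "cert-missing"       # qmail found no usable certificate
    if code in (500, 502):
        return "unsupported"        # this smtpd has no STARTTLS at all
    return f"other:{code}"

def probe(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Replay the HELO/STARTTLS exchange from the post, then confirm the handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        f.readline()                              # 220 banner
        sock.sendall(b"HELO probe.example\r\n")   # placeholder client name
        f.readline()                              # 250 hostname
        sock.sendall(b"STARTTLS\r\n")
        verdict = classify_starttls(f.readline().decode("ascii", "replace"))
        if verdict != "ok":
            return verdict
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # diagnostic only
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return f"ok:{tls.version()}"          # handshake really completed

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))   # e.g. python3 starttls_probe.py mail.example.org
```

A "220 ready for tls" only says the server is willing; the final handshake step is what proves the copied certificate and key actually load.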
For more information, check out http://iain.cx/ssl/?qmailtls.