Server Name Indication (SNI) for qmail and dovecot

February 25, 2026 by Roberto Puzzanghera 0 comments

Server Name Indication (SNI) is a TLS extension that enables a server to present different certificates based on the hostname requested by the client during the TLS handshake.

In modern email environments, multiple domains frequently share the same IP address for SMTP, IMAP, POP3 and submission services. Without SNI, a mail server can expose only a single certificate per listening socket, forcing administrators to rely on multi-domain (SAN) certificates or wildcard certificates. This approach increases operational problems among inexperienced end users, who are unable to use the client wizards to correctly configure their mailboxes.

Enabling SNI in mail services allows the server to present the appropriate certificate based on the hostname requested by the client, contained in its email address.

The SNI support for my qmail distribution has been added by Andreas Gerstlauer (commits here and here), whom I would like to thank.

Upgrading qmail

April 7, 2026 by Roberto Puzzanghera 598 comments

For my convenience I moved the qmail sources to my GitHub space. Nonetheless, all information about qmail and related programs will continue to be posted in this web space, and these pages remain the place to seek support. From now on, instead of releasing a combined patch for qmail, I'll release a package which is the result of the ancient netqmail-1.06 plus my modifications. The original patches that I accommodated in my qmail package are listed below.

Changelog

  • Apr 7, 2026
    - (security) Remote Code Execution via Shell Injection in qmail-remote TLS Error Handler in #42 (tx Diep Pham)
  • Apr 2, 2026
    - qmail-remote auth improvements by pierluigi in #39
    - Fixed DKIM ed25519-sha256 signing and verification to conform to RFC8463 by @agerstla in #40
    - Updated qmail-qfilter to support filters defined in control/qfilters by @agerstla in #41
  • Feb 25, 2026
    - Improved DKIM status handling by @agerstla in #35
    - Ported over DKIM_BAD_IDENTITY support from Indimail (tx Manvendra Bhangui and Andreas Gerstlauer 1299b55)
    - SNI support for qmail-smtpd by @agerstla in #37
    - Added qmail-qfilter by @agerstla in #38
  • Feb 3, 2026
    - Bug fix for verifying multiple DKIM signatures (second one always failed due to a DNS lookup bug). tx Andreas Gerstlauer #31
    - config-all.sh upgrade #33
    * config-all.sh: moreipme is now populated with IPs in separate lines
    * config-all.sh: rsa dh keys can be created even if the certificate creation is skipped
    * config-all requires to accept overwriting with y/N/a=all options
  • Jan 8, 2026
    - Bug fixed in helodnscheck: it allowed only domains with one dot #30
  • Jan 5, 2026
    - helodnscheck.cpp: PCRE dependency avoided, to make Debian 13 happy d987ec4
    - config-all now grabs the correct network interface c60d3fa
    - config-all will now prompt for 1024/2048 key length for DKIM c842cea
    - Fixed typo in qmailctl 3f1ea75
    - Makefile: Fixed incorrect rule syntax for 'make cert' 80222cc
  • Sep 8, 2025
    - Fixes in SPP handling and support for [pass] plugins after RCPT accept. Support for RBLRESULT environment variable and RBL ignore ('=') option. (tx Andreas Gerstlauer)
    - Added -std=gnu17 to conf-cc, fixed some other issues and now it compiles on gcc-15.2 in #28
    - scripts/qmail-pop3d and qmail/pop3sd: ports changed to 110 and 995
    - Received: email header now hides the sender's hostname when the sender is RELAYCLIENT or is authenticated. 785e84b
  • Apr 25, 2025
    - added a configuration script config-all, which configures and installs the control files (as per the original config-fast script), aliases, SRS (uses control/me as the srs_domain), log dirs in /var/log/qmail, tcprules (basic, just to make initial tests), supervise scripts, qmailctl script, DKIM control/filterargs and control/domainkeys dir, SURBL, smtpplugins, helodnscheck spp plugin, svtools, qmHandle, queue-repair, SSL key file (optional).
    Consider this feature as "testing"
  • Feb 11, 2025
    - Several adjustments to get FreeBSD and NetBSD compatibility. More info in the commit history. Hints/comments are welcome.
    - FreeBSD users have to leave the very 1st line of the file "conf-lib" blank, as libresolv.so is not needed on FreeBSD.
    - Dropped files install-big.c, idedit.c and BIN.* files.
    - Dropped files byte_diff.c, str_cpy.c, str_diff.c, str_diffn.c and str_len.c, which break compilation on clang and can be replaced by the functions shipped by the compiler (tx notqmail).
    - Old documentation moved to the "doc" dir. install.c and hier.c modified accordingly
    - conf-cc and conf-ld now have -L/usr/local/lib and -I/usr/local/include to look for srs2 library
    - conf-cc and conf-ld now have -L/usr/pkg/lib and -I/usr/pkg/include to satisfy NetBSD
    - vpopmail-dir.sh: minor correction to vpopmail dir existence check
    - srs.c: #include <srs2.h> now without path

Installing Dovecot and sieve on a VpopMail + qmail server

March 30, 2026 by Roberto Puzzanghera 157 comments

Changelog

  • Mar 30, 2026
    - dovecot 2.4.3 released. Changed dovecot_config_version and dovecot_storage_version in dovecot.conf
    - the new version requires lua by default. Just add --without-lua to the configure command
  • Feb 25, 2026
    - Added Server Name Indication (SNI) settings in sni.conf.template, imported from local.conf commit
    - userdb iterate query now orders by domain and username commit
    - 15-mailboxes.conf: fts_autoindex = no added to Trash and Junk folders commit
    - 10-auth.conf: + character added to auth_username_chars commit
  • Nov 24, 2025
    - dropped 'enforce = no' from 90-quota.conf to enforce quota limits (commit)
  • Nov 22, 2025
    - quota driver switched to 'count' (commit). 'count' is the recommended way of calculating quota on recent Dovecot installations.
  • Oct 30, 2025
    - dovecot upgraded to v. 2.4.2
  • Mar 15, 2025 (config version 2.4.0.1 diff)
    - Added quota warnings feature. Improved quota configuration in 90-quota.conf (more info here)
    - Configured auth-master.conf.ext and auth-deny.conf.ext. To be included in local.conf
  • Mar 9, 2025
    - fixed quota calculation in sql queries (tx Hakan Cakiroglu) (commit)
  • Feb 22, 2025 (version 2025.02.25b)
    - Bug fix in 90-sieve.conf: global script to move spam into Junk now working
    - Bug fix in move-spam.sieve: it was erroneously matching "YES" in the header if "BAYES" was present (Feb 15, 2025 config version not affected, no need to recompile the sieve script)
  • Feb 15, 2025
    - added support for vpopmail configured with --disable-many-domains
  • Feb 8, 2025
    - dovecot_postlogin.sh: query changed in order to add new records as well (tx Bai Borko)
    - bug fix: pop3 service was executing imap instead of pop3 (tx Gabriel Torres)
  • Jan 29, 2025
    - dovecot upgraded to v. 2.4.0. Old configuration files are not valid anymore and you have to install dovecot from scratch.
  • Nov 15, 2024
    - added a postlogin script to update the vpopmail.lastauth SQL table on login (see 10-master.conf, thanks kengheng)
  • Dec 29, 2023
    - default_pass_scheme = SHA512-CRYPT (was MD5-CRYPT) in dovecot-sql.conf.ext, as vpopmail-5.6.x has now SHA512-CRYPT password by default

Roundcube webmail

March 18, 2026 by Roberto Puzzanghera 16 comments

Roundcube is a full featured webmail with a nice interface.

Changelog

  • Feb 8, 2026
    version 1.6.13
  • Mar 9, 2025
    added $config['quota_zero_as_unlimited'] = true; to show quota unlimited instead of unknown for accounts with unlimited quota

Read the release note at https://github.com/roundcube/roundcubemail/blob/master/CHANGELOG.md for more info.

Installing ClamAV

March 4, 2026 by Roberto Puzzanghera 24 comments

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Changelog

  • Mar 4, 2026
    - clamav upgraded to v 1.5.2
  • Oct 11, 2025
    - clamav upgraded to v 1.5.0. A recent version of rust is needed (successfully using 1.88 here). Just reinstall as explained below. No particular change is needed in the config files.

Installing a Let's Encrypt certificate for your qmail, dovecot and apache servers

February 25, 2026 by Roberto Puzzanghera 29 comments

Changelog

  • Feb 25, 2026
    - the hook.sh script optionally configures qmail and dovecot for Server Name Indication (SNI)
  • Jun 6, 2025
    - dehydrated now launches a hook.sh script which handles the post-installation tasks (assemble and copy the certificate into the qmail dir, restart the server and eventually alert the administrator in case of problems). It replaces the old scripts.
  • Feb 22, 2025
    - Let’s Encrypt have announced that they will end their free alerting service. Added a script to achieve the same internally.
  • Aug 6, 2023
    - The certificates installation is now based on dehydrated. The previous documentation based on certbot will be left as is at the bottom of this page, but it won't be updated anymore.
  • May 18, 2023
    - added the option --key-type rsa to the certbot command, to prevent certbot from silently defaulting to ECDSA for the private key format, which my openssl-1.1 cannot understand. This way the private key will be in RSA format. More info here.

Installing and configuring VPopMail

February 11, 2026 by Roberto Puzzanghera 222 comments

Vpopmail provides an easy way to manage virtual email domains and non /etc/passwd email accounts on your mail servers.

Changelog

  • Feb 11, 2026
    - vlimits.c: avoids the 'no file found' exit when .qmailadmin-limits does not exist because no limits are defined yet (a565779)
    - added sql files to be imported on upgrade to v. 5.6.x (8136480)
  • Feb 8, 2026 (v. 5.6.12)
    - vmysql.c changes (#10)
    * valias_create_table now checks if table is already created in order to avoid warnings in dotqmail2valias
    * solved quotes issue in query in valias_insert function
    - improved the upgrade section
  • Nov 20, 2025 (v. 5.6.11)
    - vutil: 'isSomething' functions reviewed to satisfy qmailadmin calls in #9
    - Added definition of 'call_onchange' function and cured its calls to avoid break 97ffe38
  • Oct 30, 2025 (v. 5.6.10)
    - Added specific usage information for s/qmail users (look here)
    - Dropped -std=gnu17 from compilation options and solved (probably) all breaks and warnings on gcc 15.2 2d8526d
    - configure.ac now looks for mariadb include and lib dir in addition to mysql dab36e8
    - configure.ac automatically looks for vanilla qmail's users/cdb and s/qmail's users/assign.cdb file 723efb3
    - Updated the usage() function message in vadduser.c to clarify the use of pre-hashed passwords with -e 5b5ccdb
    - control/defaultdelivery is now installed by vpopmail if --enable-defaultdelivery 77f54eb
    - vrcptcheck plugin for s/qmail: it now checks all kind of address (users, forwards, valiases) #7
    - Dropped unused functions in vpopmail.c #8
  • Sep 1, 2025 (v. 5.6.9)
    - added -std=gnu17 to gain compatibility with gcc-15 (PR #6)
    - pw_clear_passwd field enlarged to varchar(128) to create room for long passwords (tx Ricardo Brisighelli) c54688d
  • Mar 29, 2025 (v5.6.8)
    defaultdelivery feature (--enable-defaultdelivery) changes (more info here, commit):
    • vdelivermail is installed by default in .qmail-default of newly created domains with option 'delete' as in the previous version.
    • if no user's valiases and no .qmail are found, then the message is sent to the control/defaultdelivery file, so that dovecot-lda (or whatever else) can execute the sieve rules and finally store the message into inbox.
    • if vdelivermail is found in control/defaultdelivery, then it is ignored to avoid loops. The delivery is done by vdelivermail
    • v. 5.6.8 is backward compatible. The users having .qmail from previous versions of the defaultdelivery feature are not affected by this change.
  • Mar 23, 2025 (v. 5.6.7)
    - bug fix in vpopmaild.c: Crypted[64] enlarged to Crypted[128] to make room for SHA-512 passwords. This restores the usability of the RoundCube's 'password' plugin (commit)
    - fixed quota calculation in sql procedures for dovecot (tx Hakan Cakiroglu) (commit)
    - minor changes to the usage function of vmakedotqmail.c (commit)
  • Feb 9, 2025 (v. 5.6.5)
    - added pwd strength check also for vadduser.c
    - removed -std=c99 -D_XOPEN_SOURCE=500 arguments from CFLAGS in configure.ac to make clang happy
    - several changes to compile on FreeBSD clang v. 18.1.6
  • Dec 20, 2024 (v 5.6.4)
    - Password strength enforcement (PR #5, grabbed from Matt Brookings' 5.5.0-dev version)
    - Dropped min pwd length feature.
    - vmysql.h: tables' layout changed in order to have VARCHAR instead of CHAR. Fields containing ip addresses enlarged to VARCHAR(39), to create room for ipv6. Unix timestamps definition changed from BIGINT(20) to INT(11). (commit 44bad58) Have a look at the upgrade notes below.
  • Oct 14, 2024 (v. 5.6.2)
    - fixed a configure break where a trivial C test program exits on error with gcc-14.1 due to missing headers
    - vusaged/domain.c: fixed -Wimplicit-function-declaration compilation warning
    - vmysql.h: dropped the multicolumn PRIMARY KEY in valias table to allow multiple forwards for a given alias.
       In case one already has the valias table defined, this is the sql query for the upgrade:
       ALTER TABLE `vpopmail`.`valias` DROP PRIMARY KEY, ADD INDEX (`alias`, `domain`, `valias_type`) USING BTREE;
       ALTER TABLE `vpopmail`.`valias` ADD `id` INT NOT NULL AUTO_INCREMENT FIRST, ADD PRIMARY KEY (`id`);

VqAdmin

February 11, 2026 by Roberto Puzzanghera 49 comments

vqadmin is a web based control panel that allows system administrators to perform actions which require root access — for example, adding and deleting domains.

As you can see, VqAdmin has a new version with a new skin, all my patches (with ALI's patch included) and a lot of work in polishing the code. I also solved all autotools and C compilation warnings and changed a couple of things in order to rebuild the HTML theme (have a look at the changelog for more details). As always, your contributions in the comments are welcome.

PS: the apache side has some modification as well.

Have fun!

Changelog

  • Feb 18, 2026 (v 2.4.7)
    - 'show domain's users' page lists valiases too #4
    - bug fix in mod_domain.html: Mailing Lists domain limit was not copied correctly (ecce453)
  • Jan 31, 2026
    - relaylimits added to control files 4c5a859
    - disabled maintainer mode to avoid autotools regeneration on user builds #3
  • Jan 25, 2026
    - Domain's users listed alphabetically by domain and username #2 451da48
    - Dropped simsizelimit control file 868b8b2
  • Dec 06, 2024 (version 2.4.3)
    - added a patch to highlight users with restrictions and with admin privileges (PR #1, thanks Bai Borko)
    - added control files notlshosts_auto and tlsserverciphers
