Qmail PCI compliant patch: Overview
There is a great composite patch for the qmail mail server that enables SMTP Auth with SSL/TLS. The patch detailed on this page is a small improvement to that patch: it tightens some security settings required for PCI compliance.
The original SMTP/TLS patch is no longer maintained, so with the consent of the previous maintainer I have included it here. Please read the top section of this patch, as it credits the original authors.
- No support for SSL version 2
- Only support PLAIN and LOGIN authentication mechanisms under SSLv3/TLS
- Netqmail v1.06 (other versions untested)
- Download and extract netqmail v1.06 as normal.
- Download the two patches below to a temporary directory.
- Change into the extracted netqmail directory.
Apply the original composite patch:
Apply the PCI patch:
- Build and install qmail as usual.
Configure server cipher list (excluding low quality ciphers):
echo "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > /var/qmail/control/tlsserverciphers
Configure client cipher list (excluding low quality ciphers):
echo "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > /var/qmail/control/tlsclientciphers
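A check for the two cipher control files written above, as an added example that is not part of the patch or of the original page. It confirms that each class the cipher string excludes is removed with `!`, which OpenSSL treats as permanent, rather than `-`, which a later token can undo. The function names are hypothetical, and treating newlines in a control file as separators is an assumption.

```shell
#!/bin/sh
# Added example: audit qmail TLS cipher control files (names are hypothetical).
# Cipher classes that the page's cipher string excludes.
REQUIRED="aNULL ADH eNULL LOW EXP"

# audit_cipher_string STRING
# Prints one line per problem. Returns 0 only when every required class is
# excluded with "!", which removes it permanently. "-CLASS" is reported
# because a later token in the string can add those ciphers back.
audit_cipher_string() {
    # OpenSSL accepts ':', ',' and ' ' as separators; newlines are treated
    # the same way here (assumption for multi-line control files).
    str=$(printf '%s' "$1" | tr ', \n' ':::')
    rc=0
    for class in $REQUIRED; do
        case ":$str:" in
            *":!$class:"*) ;;
            *":-$class:"*)
                echo "WEAK: -$class can be re-added by a later token; use !$class"
                rc=1 ;;
            *)
                echo "MISSING: !$class"
                rc=1 ;;
        esac
    done
    return $rc
}

# audit_control_file PATH: same check for a control file; returns 2 if unreadable.
audit_control_file() {
    [ -r "$1" ] || { echo "UNREADABLE: $1"; return 2; }
    audit_cipher_string "$(cat "$1")"
}

# Constructed inputs: the string from this page and a weakened variant.
PAGE='ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM'
WEAK='ALL:!aNULL:!ADH:!eNULL:-LOW:!EXP:LOW:RC4+RSA:+HIGH:+MEDIUM'
for s in "$PAGE" "$WEAK"; do
    if audit_cipher_string "$s"; then echo "OK   $s"; else echo "FAIL $s"; fi
done

# On a live host, check the files the page writes (skipped when absent).
for f in /var/qmail/control/tlsserverciphers /var/qmail/control/tlsclientciphers; do
    if [ -e "$f" ]; then audit_control_file "$f" || echo "FAIL $f"; fi
done
```

To see the concrete suites a string expands to with the local OpenSSL build, pass it to `openssl ciphers -v`.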
- netqmail-1.05-tls-smtpauth-20070417.patch: Original composite patch