Qmail PCI compliant patch: Overview

There is a great composite patch for the qmail mail server that enables SMTP Auth with SSL/TLS. The patch detailed on this page Is small improvement to this patch by improving some security settings required for PCI compliance.

The original SMTP/TLS patch is no longer maintained so with the consent of the previous maintainer I have included it here, please read the top section of this patch as it credits the original authors.


  • No support for SSL version 2
  • Only support PLAIN and LOGIN authentication mechanisms under SSLv3/TLS



  1. Download and extract netqmail v1.06 as normal.
  2. Download the two patches below to a temporary directory.
  3. Change into the extracted netqmail directory.
  4. Apply the original composite patch:
    patch </tmp/netqmail-1.05-tls-smtpauth-20070417.patch
  5. Apply the PCI patch:
    patch </tmp/netqmail-1.06_tls_auth_high_sec.patch
  6. Build and install qmail as usual.
  7. Configure server cipher list (excluding low quality ciphers):
    echo "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > /var/qmail/control/tlsserverciphers
  8. Configure client cipher list (excluding low quality ciphers):
    echo "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM" > /var/qmail/control/tlsclientciphers


netqmail-1.05-tls-smtpauth-20070417.patchOriginal composite patch
netqmail-1.06_tls_auth_high_sec.patchPCI Patch