@@ -17,14 +17,6 @@ Incoming SMTP on port 25:
1717- Add any qmail-spp programs (such as greylisting) to control/smtpplugins.
1818- Run "@RCD_SCRIPTS_DIR@/qmailsmtpd start".
1919
20- Greylisting:
21- - Add any exempt recipient addresses to control/greylist/exemptrcpts.
22- - Add any exempt recipient domains to control/greylist/exemptrcpthosts.
23- - Tuples are (IP,sender,recipient). To effectively omit IP, add
24- GL_WRAPPER_TCPREMOTEIP="127.127.127.127" to control/tcprules/smtp,
25- then run "@RCD_SCRIPTS_DIR@/qmailsmtpd cdb".
26- - Uncomment "greylisting-spp-wrapper" in control/smtpplugins.
27-
2820Authenticated message submission on port 587:
2921- Set qmailofmipd=YES in /etc/rc.conf.
3022- Add any qmail-qfilter programs to control/ofmipfilters.
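Review bot: The unchanged step "Add any qmail-spp programs (such as greylisting) to control/smtpplugins." still names greylisting, but after this removal the "Incoming SMTP on port 25" section no longer contains the greylisting steps it used to lead into. Suggest adding a short pointer from that step to the relocated "Greylisting:" section, so a reader setting up port 25 can still find the exemption files, the GL_WRAPPER_TCPREMOTEIP setting and the "greylisting-spp-wrapper" line in control/smtpplugins.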
@@ -38,19 +30,55 @@ TLS encryption for SMTP, submission, POP3, and remote delivery:
3830- Create cert and DH params (see @PREFIX@/share/doc/qmail/README.tls).
3931- Run "@RCD_SCRIPTS_DIR@/qmail restart".
4032
41- Sender Policy Framework:
42- - Configure Sender Rewriting Scheme (see @PREFIX@/share/doc/qmail/README.srs)
43- so your auto-forwarded messages will reach servers that choose to
44- enforce the forwarded domains' SPF policies.
45- - Publish a DNS TXT record with your desired policy.
46- - Incoming messages that explicit-fail published policy are nonetheless
47- accepted. To reject -- including rejecting auto-forwarded messages
48- from servers that haven't configured SRS -- add
49- SPP_SPF_RESULT_FAIL="E550 spf_smtp_msg" to control/tcprules/smtp,
33+ Greylisting:
34+ - Add any exempt recipient addresses to control/greylist/exemptrcpts.
35+ - Add any exempt recipient domains to control/greylist/exemptrcpthosts.
36+ - Tuples are (IP,sender,recipient). To effectively omit IP, add
37+ GL_WRAPPER_TCPREMOTEIP="127.127.127.127" to control/tcprules/smtp,
5038 then run "@RCD_SCRIPTS_DIR@/qmailsmtpd cdb".
51- - Messages that explicit-pass are not greylisted. To remove the
52- exemption, remove SPP_SPF_RESULT_PASS="SGL_WHITELISTED=1" from
39+ - Uncomment "greylisting-spp-wrapper" in control/smtpplugins.
40+
41+ SPF (Sender Policy Framework) outbound:
42+ - If you auto-forward any messages originating from other domains,
43+ configure SRS (Sender Rewriting Scheme, see
44+ @PREFIX@/share/doc/qmail/README.srs)
45+ so that servers which enforce the forwarded domains' SPF policies will
46+ accept these messages from you.
47+ - Publish a DNS TXT record with your domain's SPF policy.
48+
49+ SPF incoming:
50+ - To greylist SPF-passing incoming messages (assuming greylisting is
51+ enabled), remove SPP_SPF_RESULT_PASS="SGL_WHITELISTED=1" from
52+ control/tcprules/smtp, then run "@RCD_SCRIPTS_DIR@/qmailsmtpd cdb".
53+ By default, such messages are accepted.
54+ - To reject SPF-failing incoming messages (including auto-forwards from
55+ servers that forgot to configure SRS) when the domain's policy is
56+ explicit-fail, add SPP_SPF_RESULT_FAIL="E550 spf_smtp_msg" to
5357 control/tcprules/smtp, then run "@RCD_SCRIPTS_DIR@/qmailsmtpd cdb".
58+ By default, such messages are accepted.
59+
60+ DKIM (DomainKeys Identified Mail) outbound:
61+ - Run "mkdir control/domainkeys && chown qmailr control/domainkeys".
62+ - Run "cd control/domainkeys && mkdir yourdomain.com && cd yourdomain.com"
63+ - Generate a DKIM keypair for yourdomain.com:
64+ openssl genrsa -out default 1024 && chmod 640 default
65+ openssl rsa -in default -pubout -out default.pub
66+ - Publish a DNS TXT record for the "default" selector containing your
67+ domain's DKIM policy and public key.
68+ - To turn off signing entirely, set
69+ qmailsend_postenv="QMAILREMOTE=@PREFIX@/bin/qmail-remote"
70+ in /etc/rc.conf.
71+ By default, messages from domains that have DKIM keys will be signed.
72+
73+ DKIM incoming:
74+ - To verify DKIM signatures on incoming messages, read through
75+ @PREFIX@/bin/qmail-dkimverify-queue, set QMAILQUEUE to invoke it, set
76+ DKVERIFY in the environment to enable verification, be prepared to
77+ figure out what's not working, and report your findings to this
78+ package's maintainer. (It might just work; I haven't tried it yet.)
79+ By default, messages are accepted without verifying.
80+ - To get useful headers prepended, it's likely you'll need this custom
81+ dkimverify.pl: <URL:https://www.memoryhole.net/qmail/dkimverify.pl>
5482
5583
5684 Getting help
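Review bot: In "DKIM (DomainKeys Identified Mail) outbound", the keypair step "openssl genrsa -out default 1024 && chmod 640 default" tells the reader to create a 1024-bit RSA signing key, which is below the 2048 bits generally recommended for new DKIM keys; suggest "openssl genrsa -out default 2048". The same step sets mode 640 without saying which owner and group the key file should have (only the control/domainkeys directory is chowned to qmailr), so it is unclear who the group-read bit is meant for; stating the intended owner and group would let the reader confirm the private key is readable by the signer and nobody else. Under "SPF incoming", the first bullet ends with "By default, such messages are accepted.", which drops what the removed text said ("Messages that explicit-pass are not greylisted"); suggest wording the default as "such messages are exempt from greylisting" so it is distinct from the default stated for the SPF-fail bullet.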