picture of tbs certificates
picture of tbs certificates
Our products range

Install a certificate on qmail

First, you will need an (unencrypted) private key file, a certificate file (file cert-0000000000-1234.cer), and a certificate chain file (file chain-0000000000-1234.txt).

If you haven't ordered your certificate yet, and want to generate a private key and a CSR, you can read our OpenSSL documentation.

TLS Support

Qmail does not offer native SSL or TLS support. There is a patch, qmail-tls written by Frederik Vermeulen.

If your distribution does not integrate this patched in its qmail package, you will need to get the sources, apply the patch, and compile qmail before using it.

Certificate bundle creation

You will need to concatenate (in the following order) your private key, your certificate, and the certificate chain file. The root certificate is not required.

The bundle name is hardcoded in the qmail-tls patch and must be servercert.pem.

cat private_key.key cert-0000000000-1234.cer chain-0000000000-1234.txt > servercert.pem


You need to copy the servercert.pem file in the qmail control directory: /var/qmail/control

To copy the file:

cp servercert.pem /var/qmail/control/

To concatenate the certificate files and create the bundle in the correct directory:

cat private_key.key cert-0000000000-1234.cer chain-0000000000-1234.txt > /var/qmail/control/servercert.pem

TLS should now be active. You may need to restart qmail.

Security recommendations

You can customize the ciphers using a control file:

echo "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL" > /var/qmail/control/tlsserverciphers

The Diffie-Hellman prime number group size seem to be currently limited to 1024bits, that is why we recommend disabling DHE to protect yourself from vulnerabilities exploiting DH groups.

Additional links