Install a certificate on qmail
First, you will need an (unencrypted) private key file, a certificate file (file cert-0000000000-1234.cer), and a certificate chain file (file chain-0000000000-1234.txt).
If you haven't ordered your certificate yet, and want to generate a private key and a CSR, you can read our OpenSSL documentation.
TLS Support
Qmail does not offer native SSL or TLS support. There is a patch, qmail-tls, written by Frederik Vermeulen.
If your distribution does not integrate this patch in its qmail package, you will need to get the sources, apply the patch, and compile qmail before using it.
Certificate bundle creation
You will need to concatenate (in the following order) your private key, your certificate, and the certificate chain file. The root certificate is not required.
The bundle name is hardcoded in the qmail-tls patch and must be servercert.pem.
cat private_key.key cert-0000000000-1234.cer chain-0000000000-1234.txt > servercert.pem
Install
You need to copy the servercert.pem file into the qmail control directory: /var/qmail/control
To copy the file:
cp servercert.pem /var/qmail/control/
To concatenate the certificate files and create the bundle in the correct directory:
cat private_key.key cert-0000000000-1234.cer chain-0000000000-1234.txt > /var/qmail/control/servercert.pem
TLS should now be active. You may need to restart qmail.
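One way to script the bundle creation and install steps above so that a mis-ordered, encrypted or run-together bundle never reaches the control directory (an added example, not part of the original page or the qmail-tls patch). The function names are hypothetical, the check reads only the PEM header lines, and the 600 file mode is an assumption: the file must stay readable by the account qmail-smtpd runs as.

```shell
#!/bin/sh
# Added example, not from the qmail-tls patch; function names are hypothetical.
# Only PEM header lines are inspected; nothing is verified cryptographically.

# check_bundle FILE: succeed only if FILE starts with one unencrypted private
# key followed by one or more certificates, with matching BEGIN/END lines.
check_bundle() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN / {
            if (cur != "") { print "BEGIN inside an open block, line " NR; bad = 1; exit }
            cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur); n++
            if (cur ~ /ENCRYPTED/) { print "private key is encrypted"; bad = 1; exit }
            if (n == 1 && cur !~ /PRIVATE KEY$/) { print "first block must be the private key"; bad = 1; exit }
            if (n > 1 && cur != "CERTIFICATE") { print "unexpected block: " cur; bad = 1; exit }
            next
        }
        /^-----END / {
            lbl = $0; sub(/^-----END /, "", lbl); sub(/-----$/, "", lbl)
            # An input file without a final newline fuses END and BEGIN on one line.
            if (lbl != cur) { print "malformed END at line " NR; bad = 1; exit }
            cur = ""; next
        }
        /^Proc-Type:.*ENCRYPTED/ { print "private key is encrypted"; bad = 1; exit }
        END {
            if (bad) exit 1
            if (cur != "" || n < 2) { print "incomplete bundle"; exit 1 }
        }
    ' "$1"
}

# build_bundle KEY CERT CHAIN OUT: concatenate in the order the page gives,
# create the file with mode 600, and install it only if check_bundle passes.
build_bundle() {
    tmp="$4.tmp.$$"
    ( umask 077 && cat "$1" "$2" "$3" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    if check_bundle "$tmp"; then
        mv "$tmp" "$4"
    else
        rm -f "$tmp"; return 1
    fi
}

# pem_stub LABEL: print a constructed PEM block with a dummy body (not a real key).
pem_stub() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }

# Usage:
#   build_bundle private_key.key cert-0000000000-1234.cer chain-0000000000-1234.txt /var/qmail/control/servercert.pem
```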
Security recommendations
You can customize the ciphers using a control file:
echo "!EDH:!DHE:!RC4:!ADH:!DSS:HIGH:+AES128:+AES256-SHA256:+AES128-SHA256:+SHA:!3DES:!NULL:!aNULL:!eNULL" > /var/qmail/control/tlsserverciphers
The Diffie-Hellman prime number group size seems to be currently limited to 1024 bits, which is why we recommend disabling DHE to protect yourself from vulnerabilities exploiting DH groups.