J. Further configuration of OpenSMTPD
After adding in all the components above, smtpd.conf is modified as seen below. Changes from the initial file above are indicated in bold.
# smtpd.conf for mail.example.com mailserver 8/15/21
# PKI keys for TLS
pki mail cert "/etc/ssl/mail.example.com.fullchain.pem"
pki mail key "/etc/ssl/private/mail.example.com.key"
# Macros
filters = " { check_rdns check_fcrdns rspamd } "
# Filters
filter check_rdns phase connect match !rdns disconnect "550 DNS error"
filter check_fcrdns phase connect match !fcrdns disconnect "550 DNS error"
filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
# Tables
table aliases file:/etc/mail/aliases
table credentials passwd:/etc/mail/credentials
table virtuals file:/etc/mail/virtuals
# Listeners
listen on all tls pki "mail" hostname "mail.example.com" mask-src filter $filters
listen on egress port submission tls-require pki "mail" hostname "mail.example.com" \
auth <credentials> filter "rspamd"
# Actions
action "local_mail" mbox alias <aliases>
action "domain_mail" maildir "/var/vmail/example.com/%{dest.user:lowercase}" virtual <virtuals>
action "outbound" relay
# Rules
# Local
match from local for local action "local_mail"
match from local for domain "example.com" action "domain_mail"
match from local for any action "outbound"
# Remote
match from any for domain "example.com" action "domain_mail"
match auth from any for any action "outbound"
OpenSMTPD reads the directives in smtpd.conf from top to bottom. In particular, when a message is processed, the match rules are evaluated top to bottom and the message is handled by the action of the first rule that matches.
The filter definitions are for two built-in filters (rdns and fcrdns), which check whether the connecting host has a proper reverse DNS record and forward-confirmed reverse DNS. If not, the connection is dropped with a "550 DNS error". After that, the message goes to rspamd for classification.
Next, the first listener is for incoming mail. "tls" instead of "tls-require" is used because some mail relays still do not use TLS. The second listener is for outgoing mail, which can only be sent by an authenticated user and is also checked for spam.
The last match rule requires authentication for sending mail to any destination, which prevents our mail server from being used as an open relay.
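To make the first-match behaviour concrete, here is an added Python example (not from the original post or from OpenSMTPD itself) that parses the match rules above and reports which action a message would get. It assumes a fixed set of names that count as "for local" destinations and handles only the rule syntax this configuration uses.

```python
import re

# Constructed copy of the match rules from the smtpd.conf shown above.
SMTPD_CONF = """
match from local for local action "local_mail"
match from local for domain "example.com" action "domain_mail"
match from local for any action "outbound"
match from any for domain "example.com" action "domain_mail"
match auth from any for any action "outbound"
"""

# Assumption: destinations OpenSMTPD treats as "for local" (hostname, localhost).
LOCAL_NAMES = {"localhost", "mail.example.com"}

RULE_RE = re.compile(
    r'^match\s+(?P<auth>auth\s+)?from\s+(?P<src>local|any)\s+for\s+'
    r'(?P<dst>local|any|domain\s+"(?P<domain>[^"]+)")\s+action\s+"(?P<action>[^"]+)"$'
)

def parse_rules(conf):
    """Parse the subset of 'match' syntax used in this configuration, in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("match"):
            continue  # comments, blank lines and non-rule directives
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append({"auth": m.group("auth") is not None, "src": m.group("src"),
                      "dst": "domain" if m.group("domain") else m.group("dst"),
                      "domain": m.group("domain"), "action": m.group("action")})
    return rules

def select_action(rules, sender_local, authenticated, rcpt_domain):
    """First matching rule wins; None means no rule matched and the mail is refused."""
    for r in rules:
        if r["auth"] and not authenticated:
            continue  # 'match auth' applies only to authenticated sessions
        if r["src"] == "local" and not sender_local:
            continue
        if r["dst"] == "local" and rcpt_domain not in LOCAL_NAMES:
            continue
        if r["dst"] == "domain" and rcpt_domain != r["domain"]:
            continue
        return r["action"]
    return None
```

An unauthenticated remote client sending to a domain other than example.com matches no rule and gets None, which is the open-relay protection the last rule provides.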
Posted by Gordon, No Hair Github Pages, August 24, 2021
© nohair.net and the author
For comments, corrections, and addenda, email: gordon[AT]nohair.net