OpenSMTPD and Dovecot on OpenBSD 5.7
These are my notes on configuring OpenSMTPD 5.4.4 and Dovecot 2.2.15 on OpenBSD 5.7. I’ve set up virtual domains and users. In this simple configuration, the virtual users are mapped to local users for mail delivery. SMTP submission is authenticated, and passwords for all mail services are stored in the usual system files. Of course, mail reception is protected by spamd. Here are the directions.
Register the system users
The available email addresses will be delivered to system users. Add a bunch of them and set their passwords for SMTP submission and IMAP authentication the usual way.
# useradd -m -u 1000 -g nogroup -s /sbin/nologin user1
# useradd -m -u 1001 -g nogroup -s /sbin/nologin user2
# passwd user1
# passwd user2
Reference virtual domains and users
Basic email aliases are stored in /etc/mail/aliases. Email addresses for real users and extra aliases are referenced in a dedicated file.
# cat > /etc/mail/vusers
contact@carnat.net user1
contact@tumfatig.net user1
joel@carnat.net user1
jca@tumfatig.net user1
Email domains are stored in a dedicated file. Even though the server’s FQDN lies within one of the virtual domains, that domain still seems to have to be listed in the virtual domains file.
# cat > /etc/mail/vdomains
carnat.net
tumfatig.net
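smtpd(8) silently ignores a vusers entry whose domain is missing from vdomains and only fails at delivery time when the target user does not exist, so it is worth checking the two tables against each other and against the system users before reloading. The following script is an added example, not part of the original post: write_samples creates constructed copies of the vusers, vdomains and passwd files (two entries are deliberately wrong), and check_tables reports every inconsistency it finds. Against the live system you would pass /etc/mail/vusers, /etc/mail/vdomains and /etc/passwd instead.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check smtpd(8) table files.
# Paths are passed in so the check can run against constructed copies; the
# file layouts mirror /etc/mail/vusers, /etc/mail/vdomains and /etc/passwd.

# write_samples DIR: create constructed sample tables in DIR (test data,
# not the live files). Two of the vusers entries are deliberately wrong.
write_samples() {
    cat > "$1/vusers" <<'EOF'
# virtual address        delivery user
contact@carnat.net       user1
joel@carnat.net          user1
jca@tumfatig.net         user1
@tumfatig.net            user2
bogus@example.org        user1
ghost@carnat.net         user9
EOF
    cat > "$1/vdomains" <<'EOF'
carnat.net
tumfatig.net
EOF
    # constructed stand-in for /etc/passwd; only the login field is used
    cat > "$1/passwd" <<'EOF'
user1:*:1000:32767::0:0:user1:/home/user1:/sbin/nologin
user2:*:1001:32767::0:0:user2:/home/user2:/sbin/nologin
EOF
}

# check_tables VUSERS VDOMAINS PASSWD
# Prints one line per problem: a virtual address whose domain is not listed
# in the vdomains table (smtpd would never accept mail for it), or a delivery
# target that is not a system user (delivery would fail). Prints nothing when
# the tables are consistent.
check_tables() {
    vusers=$1; vdomains=$2; passwd=$3
    while read -r addr target; do
        # skip blank lines and comments, as smtpd's file tables do
        case $addr in ''|\#*) continue ;; esac
        # "@domain" catch-all entries are checked like any other address
        case $addr in
        *@*)
            dom=${addr#*@}
            grep -qxF "$dom" "$vdomains" ||
                echo "$addr: domain $dom is not in $vdomains"
            ;;
        esac
        cut -d: -f1 "$passwd" | grep -qxF "$target" ||
            echo "$addr: delivery user $target does not exist"
    done < "$vusers"
}

# count_problems VUSERS VDOMAINS PASSWD: number of problem lines found
count_problems() {
    check_tables "$@" | wc -l | tr -d ' '
}

# Usage: ./check_tables.sh --demo runs the check over the constructed samples
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    check_tables "$dir/vusers" "$dir/vdomains" "$dir/passwd"
    rm -r "$dir"
fi
```

On the samples above the script reports exactly two problems: bogus@example.org (domain not in vdomains) and ghost@carnat.net (user9 is not a system user); the catch-all @tumfatig.net entry passes.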
Install SSL certificate
The public certificate used for TLS connections can be installed in the usual SSL directory. The private key was generated years ago with OpenSSL. So far, there doesn’t seem to be any issue with the LibreSSL implementation on this OpenBSD instance.
# install -o root -g wheel -m 0644 gandi.crt /etc/ssl/gandi.crt
# install -o root -g wheel -m 0600 gandi.key /etc/ssl/private/gandi.key
Configure OpenSMTPD
To ease upgrades, I like to comment out the default configuration file and include an external one.
# egrep -v '^$|^#' /etc/mail/smtpd.conf
include "/etc/mail/smtpd.conf.local"
I’ve set up cleartext connections on loopback. Public SMTP connections can go unencrypted or use TLS. Public SMTP submission must be encrypted and authenticated to be usable.
Aliases, virtual domains and users are configured through file-backed tables.
I only accept public delivery for my virtual domains and users. Only local and authenticated connections can relay to the outside world.
# cat /etc/mail/smtpd.conf.local
# OpenSMTPD configuration
#
pki www.tumfatig.net certificate "/etc/ssl/gandi.crt"
pki www.tumfatig.net key "/etc/ssl/private/gandi.key"
listen on lo0
listen on egress tls pki www.tumfatig.net auth-optional
listen on egress port submission tls-require pki www.tumfatig.net auth
table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains
accept for local alias <aliases> deliver to maildir
accept from any for domain <vdomains> virtual <vusers> deliver to maildir
accept from local for any relay
The server’s hostname is not the name known from the Internet, i.e. the one configured in the TLS certificate. To make them match, there’s a tweak to apply via a configuration file.
# cat /etc/mail/mailname
www.tumfatig.net
OpenSMTPD can now be started and tested.
# rcctl enable smtpd
# /etc/rc.d/smtpd restart
smtpd(ok)
smtpd(ok)
Protect your mail daemon
I like to use spamd to drop dumb spammers’ activity. It requires configuring PF to redirect SMTP connections to spamd and setting up an optional whitelist.
# cat /etc/pf.conf
(...)
# rules for spamd(8)
# table names restored here: spamd-white is spamd's default whitelist table,
# the two file-backed tables are named after their files
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <nospamd_spf> persist file "/etc/mail/nospamd_spf"
pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in on egress proto tcp from <nospamd_spf> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
# touch /etc/mail/nospamd
# pfctl -f /etc/pf.conf
Finally, spamd and spamlogd can be configured to be launched automatically.
# rcctl enable spamd
# rcctl set spamd flags -G 5:4:864 -h www.tumfatig.net
# rcctl enable spamlogd
# /etc/rc.d/spamd start
# /etc/rc.d/spamlogd start
Read your email via IMAP
I’m using Dovecot to provide IMAP access to emails. As I’m using local users for SMTP submission, the same credentials are used to authenticate with Dovecot.
# pkg_add dovecot
# diff /usr/local/share/examples/dovecot/example-config/dovecot.conf \
/etc/dovecot/dovecot.conf
24c24
< #protocols = imap pop3 lmtp
---
> protocols = imap
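Review bot: with protocols = imap Dovecot still listens on port 143 as well as 993, so cleartext IMAP sessions remain reachable; plaintext logins on a non-TLS session are refused only because disable_plaintext_auth defaults to yes, so confirm that default is not overridden in conf.d/10-auth.conf, or set ssl = required in 10-ssl.conf to refuse non-TLS sessions outright.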
# diff /usr/local/share/examples/dovecot/example-config/conf.d/10-ssl.conf \
/etc/dovecot/conf.d/10-ssl.conf
6c6
< #ssl = yes
---
> ssl = yes
12,13c12,13
< ssl_cert = ssl_cert = ssl_key =
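Review bot: the 12,13c12,13 hunk has lost the values of ssl_cert and ssl_key in this copy, so the certificate actually served over IMAP cannot be reviewed; Dovecot reads both from files with a leading "<" (ssl_cert = <path), and the path should be the certificate installed above for www.tumfatig.net, since mutt connects to that name. Also note that ssl = yes only offers TLS; ssl = required is the setting that refuses cleartext sessions.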
The final step is to install and configure Mutt.
# pkg_add mutt
# vim ~/.muttrc
set spoolfile="imaps://user1:pass1@www.tumfatig.net/INBOX"
set folder="imaps://www.tumfatig.net/INBOX"
set record="=Sent"
set postponed="=Drafts"
set realname="Joel Carnat"
set from="joel@carnat.net"
set use_from=yes
set use_envelope_from=yes
set edit_headers=yes
This is nearly what I want. The only issue is that SOGo requires its users to be referenced in LDAP or SQL, so I can’t use this configuration as-is. I still have to dig into using virtual users/domains in LDAP/SQL with OpenSMTPD. Next time, hopefully.
That’s all folks!