OpenSMTPD and Dovecot on OpenBSD 5.7
These are my notes about configuring OpenSMTPD 5.4.4 and Dovecot 2.2.15 on OpenBSD 5.7. I’ve set up virtual domains and users. In this simple configuration, the virtual users are mapped to local users for mail delivery. SMTP submission is authenticated, and the passwords for all mail services are stored in the usual system files. Of course, mail reception is protected by spamd. Here are the directions.
Register the system users
The available email addresses will be delivered to system users. Add a bunch of them and set the password for SMTP submission and IMAP authentication the usual way.
# useradd -m -u 1000 -g nogroup -s /sbin/nologin user1
# useradd -m -u 1001 -g nogroup -s /sbin/nologin user2
# passwd user1
# passwd user2
Reference virtual domains and users
Basic email aliases are stored in /etc/mail/aliases. Email addresses for real users and extra aliases are referenced in a dedicated file.
# cat > /etc/mail/vusers
firstname.lastname@example.org user1
email@example.com user1
firstname.lastname@example.org user1
email@example.com user1
Email domains are stored in a dedicated file. Even though the server’s FQDN belongs to one of the virtual domains, that domain still seems to need an entry in the virtual domains file.
# cat > /etc/mail/vdomains
carnat.net
tumfatig.net
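As an added example (not from the original post), here is a small POSIX sh/awk check that validates a vusers table against the vdomains file and a passwd file before OpenSMTPD loads it: each address must be user@domain with the domain listed in vdomains, and each delivery target must be an existing account, since "deliver to maildir" needs a real system user. The three file paths are parameters; the sample files the script creates are constructed for the stand-alone run and are not the post's data.

```shell
#!/bin/sh
# Added example, not part of the original post.  check_vusers VUSERS VDOMAINS PASSWD
# prints one line per problem and returns the number of problems found (0 = clean).
check_vusers() {
    awk -v vdomains="$2" -v passwd="$3" '
    BEGIN {
        # load the accepted domains and the known account names
        while ((getline line < vdomains) > 0)
            if (line !~ /^[ \t]*$/ && line !~ /^[ \t]*#/) domains[line] = 1
        close(vdomains)
        while ((getline line < passwd) > 0) {
            split(line, f, ":")
            users[f[1]] = 1
        }
        close(passwd)
        bad = 0
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }          # blank lines and comments
    {
        if (NF != 2) {
            printf "line %d: expected \"address user\", got: %s\n", NR, $0
            bad++; next
        }
        n = split($1, parts, "@")
        if (n != 2 || parts[1] == "" || parts[2] == "") {
            printf "line %d: %s is not of the form user@domain\n", NR, $1
            bad++; next
        }
        if (!(parts[2] in domains)) {
            printf "line %d: domain %s is not listed in vdomains\n", NR, parts[2]
            bad++
        }
        if (!($2 in users)) {
            printf "line %d: target %s is not a system account\n", NR, $2
            bad++
        }
    }
    END { exit bad }' "$1"
}

# Constructed sample files for a stand-alone run (real use: /etc/mail/vusers,
# /etc/mail/vdomains and /etc/passwd).
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
printf 'carnat.net\ntumfatig.net\n' > "$tmp/vdomains"
printf 'user1:*:1000:32767::/home/user1:/sbin/nologin\n' > "$tmp/passwd"
printf 'user2:*:1001:32767::/home/user2:/sbin/nologin\n' >> "$tmp/passwd"
printf 'postmaster@carnat.net user1\ninfo@tumfatig.net user2\n' > "$tmp/vusers.good"
# three defects: unknown domain, unknown target account, malformed address
printf 'postmaster@carnat.net user1\nbob@example.net user1\nalice@tumfatig.net user3\nnoat user2\n' > "$tmp/vusers.bad"

check_vusers "$tmp/vusers.good" "$tmp/vdomains" "$tmp/passwd" && echo "vusers.good: ok"
check_vusers "$tmp/vusers.bad" "$tmp/vdomains" "$tmp/passwd" || echo "vusers.bad: $? problem(s)"
```

Run it against the real files as root (`check_vusers /etc/mail/vusers /etc/mail/vdomains /etc/passwd`) after editing the tables; a non-zero exit means a mapping that OpenSMTPD would either reject or deliver to a nonexistent account.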
Install SSL certificate
The public certificate used for TLS connections can be installed in the usual SSL directory. The private key was generated years ago with OpenSSL; so far, there doesn’t seem to be any issue with the LibreSSL implementation shipped with this OpenBSD release.
# install -o root -g wheel -m 0644 gandi.crt /etc/ssl/gandi.crt
# install -o root -g wheel -m 0600 gandi.key /etc/ssl/private/gandi.key
To ease upgrades, I like to comment out the default configuration file and include an external one.
# egrep -v '^$|^#' /etc/mail/smtpd.conf
include "/etc/mail/smtpd.conf.local"
I’ve set up a cleartext listener on the loopback interface. The public SMTP listener accepts either plain or TLS connections, while the public submission listener requires both TLS and authentication.
Aliases, virtual domains and virtual users are configured through table references to files.
I only accept incoming mail from the Internet for my virtual domains and users. Only local and authenticated connections can relay to the outside world.
# cat /etc/mail/smtpd.conf.local
# OpenSMTPD configuration
#
pki www.tumfatig.net certificate "/etc/ssl/gandi.crt"
pki www.tumfatig.net key "/etc/ssl/private/gandi.key"

listen on lo0
listen on egress tls pki www.tumfatig.net auth-optional
listen on egress port submission tls-require pki www.tumfatig.net auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias <aliases> deliver to maildir
accept from any for domain <vdomains> virtual <vusers> deliver to maildir
accept from local for any relay
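As an added example (not the post's own tooling), this POSIX sh/awk linter reads a smtpd.conf written in the OpenSMTPD 5.4 dialect used above and flags the three mistakes that would undo the policy the post describes: a port submission listener that does not require TLS (tls-require or smtps) or that carries auth-optional instead of auth, an accept rule that relays "from any" "for any" (an open relay), and a listener naming a pki entry that is never defined. It runs the post's configuration as the good case and a constructed weak configuration as the bad case; the file path is a parameter.

```shell
#!/bin/sh
# Added example, not part of the original post.  lint_smtpd_conf FILE prints one
# line per finding and returns the number of findings (0 = policy intact).
# It understands the OpenSMTPD 5.4 syntax shown in the post, not later dialects.
lint_smtpd_conf() {
    awk '
    /^[ \t]*$/ || /^[ \t]*#/ { next }       # blank lines and comments
    $1 == "pki" { pki[$2] = 1 }             # pki <name> certificate|key ...
    $1 == "listen" {
        is_sub = has_tls = has_auth = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "pki") uses_pki[NR] = $(i + 1)
            if ($i == "port" && $(i + 1) == "submission") is_sub = 1
            if ($i == "tls-require" || $i == "smtps") has_tls = 1
            if ($i == "auth") has_auth = 1   # "auth-optional" does not count
        }
        if (is_sub && !has_tls) { bad++; printf "line %d: submission listener does not require TLS\n", NR }
        if (is_sub && !has_auth) { bad++; printf "line %d: submission listener does not require authentication\n", NR }
    }
    $1 == "accept" {
        from_any = for_any = relay = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && $(i + 1) == "any") from_any = 1
            if ($i == "for" && $(i + 1) == "any") for_any = 1
            if ($i == "relay") relay = 1
        }
        if (relay && for_any && from_any) { bad++; printf "line %d: open relay: %s\n", NR, $0 }
    }
    END {
        for (n in uses_pki)
            if (!(uses_pki[n] in pki)) { bad++; printf "line %d: pki \"%s\" is never defined\n", n, uses_pki[n] }
        exit bad
    }' "$1"
}

# Sample inputs for a stand-alone run.  good.conf is the configuration from the
# post; bad.conf is a constructed weak variant used only to exercise the checks.
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
pki www.tumfatig.net certificate "/etc/ssl/gandi.crt"
pki www.tumfatig.net key "/etc/ssl/private/gandi.key"
listen on lo0
listen on egress tls pki www.tumfatig.net auth-optional
listen on egress port submission tls-require pki www.tumfatig.net auth
table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains
accept for local alias <aliases> deliver to maildir
accept from any for domain <vdomains> virtual <vusers> deliver to maildir
accept from local for any relay
EOF
# constructed: submission with plain "tls" and "auth-optional", an undefined pki
# name, and a relay rule open to anyone
cat > "$tmp/bad.conf" <<'EOF'
pki www.tumfatig.net certificate "/etc/ssl/gandi.crt"
pki www.tumfatig.net key "/etc/ssl/private/gandi.key"
listen on egress port submission tls pki mail.example.org auth-optional
accept from any for any relay
EOF

lint_smtpd_conf "$tmp/good.conf" && echo "good.conf: policy intact"
lint_smtpd_conf "$tmp/bad.conf" || echo "bad.conf: $? finding(s)"
```

The linter is deliberately textual and only knows the rule forms shown here; `smtpd -n` remains the authority on whether the file parses, and this check only asks whether the rules that do parse still say what the post intends.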
The server’s hostname is not the name known on the Internet, which is the one configured in the TLS certificate. To make them match, there’s a tweak to apply via a dedicated configuration file.
# cat /etc/mail/mailname
www.tumfatig.net
OpenSMTPD can now be started and tested.
# rcctl enable smtpd
# /etc/rc.d/smtpd restart
smtpd(ok)
smtpd(ok)
Protect your mail daemon
I like to use spamd to drop the activity of dumb spammers. It requires configuring PF to redirect SMTP connections to spamd and setting an optional whitelist.
# cat /etc/pf.conf
(...)
# rules for spamd(8)
# spamd(8) and spamlogd(8) maintain the whitelist in the <spamd-white> table
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <nospamd_spf> persist file "/etc/mail/nospamd_spf"
pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from <nospamd> to any port smtp
pass in on egress proto tcp from <nospamd_spf> to any port smtp
pass in log on egress proto tcp from <spamd-white> to any port smtp
pass out log on egress proto tcp to any port smtp
# touch /etc/mail/nospamd
# pfctl -f /etc/pf.conf
Finally, spamd and spamlogd can be configured to be launched automatically.
# rcctl enable spamd
# rcctl set spamd flags -G 5:4:864 -h www.tumfatig.net
# rcctl enable spamlogd
# /etc/rc.d/spamd start
# /etc/rc.d/spamlogd start
Read your email via IMAP
I’m using Dovecot to provide IMAP access to emails. As I’m using local users for SMTP submission, those credentials are used to authenticate with Dovecot.
# pkg_add dovecot
# diff /usr/local/share/examples/dovecot/example-config/dovecot.conf \
    /etc/dovecot/dovecot.conf
24c24
< #protocols = imap pop3 lmtp
---
> protocols = imap
# diff /usr/local/share/examples/dovecot/example-config/conf.d/10-ssl.conf \
    /etc/dovecot/conf.d/10-ssl.conf
6c6
< #ssl = yes
---
> ssl = yes
12,13c12,13
< ssl_cert = </etc/ssl/certs/dovecot.pem
< ssl_key = </etc/ssl/private/dovecot.pem
---
> ssl_cert = </etc/ssl/gandi.crt
> ssl_key = </etc/ssl/private/gandi.key
The final step is to install and configure Mutt.
# pkg_add mutt
# vim ~/.muttrc
set spoolfile="imaps://user1:firstname.lastname@example.org/INBOX"
set folder="imaps://www.tumfatig.net/INBOX"
set record="=Sent"
set postponed="=Drafts"
set realname="Joel Carnat"
set from="email@example.com"
set use_from=yes
set use_envelope_from=yes
set edit_headers=yes
This is nearly what I want. The only issue is that SOGo requires users to be referenced in LDAP or SQL. Hence, I can’t use this configuration as-is. Still got to dig into using virtual users/domains in LDAP/SQL with OpenSMTPD. Next time, hopefully.
That’s all folks!