Upgrade to OpenSMTPD 6.4.0


It’s no secret that configuration for OpenSMTPD changed a lot with version 6.4.0. Despite the fact that changes were announced a long time ago and that many configuration examples have popped up, my particular usage wasn’t covered(1). Namely: using OpenSMTPD with Dovecot and Rspamd as chained MTA.

Thanks to gilles@, I quickly ended up with a fully working configuration. But as I didn’t find such an example before migrating, I thought it would be helpful to write about it.

My OpenSMTPD instance accepts email for my local users only. Before the mail is delivered, it is passed through Rspamd, which tags it as spam or ham. Then Rspamd passes the mail to Dovecot, which delivers it in the proper place: Inbox for ham and Junk for spam. The initial 6.0.3 configuration file looked like this:

queue compression
queue encryption key 00000000000000000000000000000000

pki tumfatig.net certificate "/etc/ssl/tumfatig.net.fullchain.pem"
pki tumfatig.net key         "/etc/ssl/private/tumfatig.net.key"

table vdomains { tumfatig.net, carnat.net }
table vusers file:/etc/mail/vusers

listen on lo0
listen on egress                 tls pki tumfatig.net auth-optional
listen on egress port submission tls-require pki tumfatig.net auth

accept from any for domain <vdomains> virtual <vusers> \
  deliver to mda "/usr/local/bin/rspamc --mime \
  --exec \"/usr/local/libexec/dovecot/dovecot-lda \
    -c /etc/dovecot/tumfatig.conf -d %{user.username}\""
accept from local for any relay

Migrating from 6.0.3 to 6.4.0 should have “only” been a matter of splitting directives and creating actions and matches. That nearly worked. Except that when emails were accepted, I got the following kind of error:

2018-10-25T14:00:12.489Z cherie smtpd[44528]: 0000000000000000 mda delivery \
  evpid=ba7a3a789b651c94 from=<> to=<test@tumfatig.net>                     \
  rcpt=<great@tumfatig.net> user=joe delay=0s result=PermFail stat=Error    \
  ("mail.mda: mail.mda: only one command is supported")

If I dropped Rspamd and only used Dovecot, that would work. Gilles@ said “You need to use an MDA wrapper (to chain Rspamd and Dovecot)”. In the man page, one should look for “wrapper” in the action section and at the “mda wrapper” definition.

In the end, here’s what the configuration file looks like:

queue compression
queue encryption 00000000000000000000000000000000

pki tumfatig.net cert "/etc/ssl/tumfatig.net.fullchain.pem"
pki tumfatig.net key  "/etc/ssl/private/tumfatig.net.key"

table vdomains { tumfatig.net, carnat.net }
table vusers file:/etc/mail/vusers

listen on lo0
listen on egress                 tls pki tumfatig.net auth-optional
listen on egress port submission tls-require pki tumfatig.net auth

mda wrapper antispam "/usr/local/bin/rspamc --mime --exec '%{mda}'"

action "deliver" mda "/usr/local/libexec/dovecot/dovecot-lda \
  -c /etc/dovecot/tumfatig.conf -d %{user.username}" \
  virtual <vusers> wrapper antispam
action "relay" relay

match from any   for domain <vdomains> action "deliver"
match from any   for any auth          action "relay"
match from local for any               action "relay"

So far, everything seems to be working. Hope this helps.
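
A small migration check built from the differences between the two configurations above, as an added example that is not part of the original post: it folds backslash continuations and flags the 6.0.3-era directives, including the chained `rspamc --exec` MDA command. The rule list covers only what this post changed, the `chained-mda` pattern is a heuristic, and the names `lint`, `logical_lines` and the rule ids are made up for this example.

```python
import re

# Constructed samples, abridged from the two configurations in the post.
LEGACY = r'''queue encryption key 00000000000000000000000000000000
pki tumfatig.net certificate "/etc/ssl/tumfatig.net.fullchain.pem"
accept from any for domain <vdomains> virtual <vusers> \
  deliver to mda "/usr/local/bin/rspamc --mime \
  --exec \"/usr/local/libexec/dovecot/dovecot-lda \
    -c /etc/dovecot/tumfatig.conf -d %{user.username}\""
accept from local for any relay
'''
MIGRATED = r'''queue encryption 00000000000000000000000000000000
pki tumfatig.net cert "/etc/ssl/tumfatig.net.fullchain.pem"
mda wrapper antispam "/usr/local/bin/rspamc --mime --exec '%{mda}'"
action "deliver" mda "/usr/local/libexec/dovecot/dovecot-lda \
  -c /etc/dovecot/tumfatig.conf -d %{user.username}" \
  virtual <vusers> wrapper antispam
'''

# Checks derived only from the differences between those two files; the last
# one is a heuristic for rspamc --exec placed inside an mda command string.
RULES = [
    ("queue-key", re.compile(r'^queue\s+encryption\s+key\b'), 'drop "key"'),
    ("pki-certificate", re.compile(r'^pki\s+\S+\s+certificate\b'), 'use "cert"'),
    ("accept-rule", re.compile(r'^accept\b'), 'split into action + match'),
    ("chained-mda", re.compile(r'\bmda\s+".*\brspamc\b.*--exec\b'),
     'move rspamc into an "mda wrapper" that runs %{mda}'),
]

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations folded."""
    parts, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        start = start or number
        line = raw.rstrip()
        parts.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(parts)
            parts, start = [], None
    if parts:  # file ended on a dangling continuation
        yield start, " ".join(parts)

def lint(text):
    """Return [(line_number, rule_id, hint)] for 6.0.3-era syntax."""
    return [(number, rule_id, hint)
            for number, line in logical_lines(text) if not line.startswith("#")
            for rule_id, rx, hint in RULES if rx.search(line)]

if __name__ == "__main__":
    for number, rule_id, hint in lint(LEGACY):
        print(f"line {number}: {rule_id}: {hint}")
```

A clean result here only means none of these four patterns matched; `smtpd -n` remains the actual syntax check for the file.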

(1) Maybe I just couldn’t find the existing example… :)