Quick look at OpenSMTPD on OpenBSD 5.1


I want to have a look at a replacement for my Postfix/Dovecot/OpenLDAP mail server using the OpenSMTPD implementation. Not that it doesn't work; in fact I don't get that much mail and everything works like a charm. I just want to see whether I can rely on as many all-inclusive OpenBSD 5.1 daemons as possible.

Setup basic smtpd configuration

First of all, let's tell the SMTP daemon that we want to accept every mail for our tumfatig.net domain. I don't want to mess with the configuration on updates, so I'll keep the basic directives in smtpd.conf and the complex ones in smtpd.conf.local:

  # vi /etc/mail/smtpd.conf
  listen on lo0
  map "aliases" { source db "/etc/mail/aliases.db" }
  include "/etc/mail/smtpd.conf.local"
  
  # vi /etc/mail/smtpd.conf.local
  lan_if = "vic0"
  lan_net = "192.168.0.0/24"
  listen on $lan_if
  accept from all for domain "tumfatig.net" deliver to mbox
  accept from local for all relay
  accept from $lan_net for all relay

Then stop and disable Sendmail:

  # /etc/rc.d/sendmail stop
  # vi /etc/mailer.conf
  sendmail        /usr/sbin/smtpctl
  send-mail       /usr/sbin/smtpctl
  mailq           /usr/sbin/smtpctl
  makemap         /usr/libexec/smtpd/makemap
  newaliases      /usr/libexec/smtpd/makemap
  
  # newaliases
  
  # vi /etc/rc.conf.local
  (...)
  sendmail_flags=NO
  smtpd_flags=""

You can now start OpenSMTPD, either with the rc.d script or in debug mode from the console using `smtpd -d`. From there, you can send e-mail to the outside world, and any mail for the configured domain will be saved locally. Note that, for now, only users known to the system, i.e. listed in /etc/passwd, can receive mail.

Switch to Virtual Domains configuration

I host several domains, either as a primary or as a secondary MX.

In the previous chapter, we saw that smtpd stores mail under the system user. With virtual domains and users, we instead use a single user that stores every mail. That same user will also be used by the POP3/IMAP server to read and manage the mail.

Create the virtual user and set proper permissions on storage:

  # groupadd -g 2000 vmail
  # useradd -m -u 2000 -g vmail -d /home/vmail -s /sbin/nologin vmail
  # mkdir -p /home/vmail/{carnat.net,tumfatig.net}
  # chown vmail:vmail /home/vmail/{carnat.net,tumfatig.net}

Modify OpenSMTPD's configuration to use virtual domains:

  # vi /etc/mail/smtpd.conf.local
  (...)
  map "vdomains" { source db "/etc/mail/vdomains.db" }
  accept for virtual "vdomains" deliver to maildir "/home/vmail/%d/%a/"

Fill in the domain information:

  # vi /etc/mail/vdomains
  tumfatig.net accept
  carnat.net accept
  jca@tumfatig.net vmail
  joel@carnat.net vmail
  
  # makemap /etc/mail/vdomains

Send emails to the defined users and watch the logs to see them delivered. Note that if you add an entry like "@domain user" to the vdomains file, you'll receive mail for any user on that particular domain.

Virtual aliases can be populated with entries like:

  # cat /etc/mail/vdomains
  (...)
  carnat.net              accept
  joel@carnat.net         vmail
  root@carnat.net         joel@carnat.net
  abuse@carnat.net        root@carnat.net
  hostmaster@carnat.net   root@carnat.net
  postmaster@carnat.net   root@carnat.net
  webmaster@carnat.net    root@carnat.net
  (...)

The last 5 entries act as virtual aliases: mail is forwarded to the destination address, and aliases are "recursively rendered".

Configure authenticated relay

Before setting up authentication, one should configure encryption. Either install a certificate from an external provider or configure a self-signed one:

  # mkdir /etc/mail/certs
  # cd /etc/mail/certs
  # openssl genrsa -out openbsd.tumfatig.net.key 4096
  # openssl req -new -x509 -key openbsd.tumfatig.net.key \
    -out openbsd.tumfatig.net.crt -days 3650
  # chmod 0600 openbsd.tumfatig.net.*
  # vi /etc/mail/smtpd.conf.local
  (...)
  listen on $lan_if smtps certificate "openbsd.tumfatig.net" enable auth

To be able to use that SMTP server to relay mail from anywhere, create a map of users allowed to authenticate:

  # touch /etc/mail/secrets
  # chown root:_smtpd /etc/mail/secrets
  # chmod 0640 /etc/mail/secrets
  # echo "openbsd.tumfatig.net jca:secret" > /etc/mail/secrets
  # makemap /etc/mail/secrets
  # vi /etc/mail/smtpd.conf.local
  (...)
  map "secrets" { source db "/etc/mail/secrets.db" }
  accept from all for all relay via localhost smtps auth "secrets"

What else?

There are two or three more features I was looking for that aren't available yet.

Secondary MX

I have a deal with a friend for whom I run a secondary MX. Configuring the secondary MX feature is quite easy:

  # vi /etc/mail/smtpd.conf.local
  (...)
  map "v2mx" { source db "/etc/mail/v2mx.db" }
  accept from all for virtual "v2mx" relay
  
  # vi /etc/mail/v2mx
  more.tld accept
  
  # makemap /etc/mail/v2mx

From there, OpenSMTPD acts as a secondary MX, relaying mail for the configured domains using DNS resolution. The missing feature I need is recipient filtering. Indeed, I know the valid accounts for the domain I relay, and it would be nice to accept mail for valid users and return "450 - Try again later" for invalid ones; 450 rather than "550 - Unknown user" so as not to ease directory harvesting.

Such a feature is in the pipe and should "happen soon". I'll have another look when OBSD 5.2 comes out.
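As an added example that is not part of the original post (nor OpenSMTPD's own code), here is a small resolver that applies the vdomains semantics from the virtual domains section (accept lines, "@domain user" catch-all entries and recursively rendered aliases) and answers recipient lookups with the 450-for-unknown-users policy wished for above. The map content is constructed; the alias-loop entry is there only to show that the resolver stops on it.

```python
from typing import Dict, Tuple

# Constructed sample in the layout of the post's /etc/mail/vdomains file,
# plus a "@domain user" catch-all and a deliberate alias loop.
VDOMAINS = """\
tumfatig.net            accept
carnat.net              accept
jca@tumfatig.net        vmail
joel@carnat.net         vmail
root@carnat.net         joel@carnat.net
abuse@carnat.net        root@carnat.net
postmaster@carnat.net   root@carnat.net
@tumfatig.net           vmail
loop@carnat.net         loop@carnat.net
"""

def parse_vdomains(text: str) -> Tuple[set, Dict[str, str]]:
    """Split the map into the set of accepted domains and a key -> value table."""
    domains, table = set(), {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed lines are ignored
        key, value = parts
        if value == "accept":
            domains.add(key)
        else:
            table[key] = value
    return domains, table

def resolve(rcpt: str, domains: set, table: Dict[str, str], limit: int = 10):
    """Follow aliases to a system user; return (smtp_code, detail).
    250: deliverable, detail is the system user (e.g. vmail).
    450: refused with a temporary error on purpose, so a probe cannot
         tell unknown users apart from a busy server."""
    seen = set()
    cur = rcpt.lower()
    while len(seen) < limit:
        if cur in seen:
            return 450, "alias loop"
        seen.add(cur)
        _local, _, domain = cur.partition("@")
        if domain not in domains:
            return 450, "domain not accepted"
        nxt = table.get(cur) or table.get("@" + domain)  # explicit entry, then catch-all
        if nxt is None:
            return 450, "unknown user"
        if "@" not in nxt:
            return 250, nxt  # a system user: the delivery target
        cur = nxt.lower()
    return 450, "alias chain too long"
```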

LDAP integration

Storing information in a shared LDAP directory is really nice, as you can share authentication (and more) between many pieces of software: the SMTP mailboxes, SMTP authenticated users, IMAP users, and so on.

I'm waiting for LDAP because I already use it, but storage in a database would be OK too.

Anyway, as far as I know, it is not available yet.

Virtual users

The virtual users configuration as I described it here is not "correct". If you only have 1 user per domain, you can get it working. But as soon as you have 2 users on a particular domain, both will have their mail stored in the vmail account I created, which is obviously not what you want.

As I understand it, the only way to deal with users is to create system users in /etc/passwd. They don't have to be able to log in; they just need a home, to store email, and a password, for authenticated SMTP.

Monitoring features

There is a `smtpctl show stats` command that gives you information about what happens on your SMTP daemon. But this is more about what is happening, in terms of sessions and errors, than about mail counters. I was expecting something like pfctl, from which you can get stats such as "received mail", "rejected mail", and so on.

The log file has some information about received and sent mail, but I found it a bit hard to read when it comes to tracing the exact path of an email delivery. It is obviously a matter of unlearning the Postfix way of logging and learning the OpenSMTPD way. So just learn it, child.

Final thoughts

All in all, OpenSMTPD seems ready to deliver email in production. Using it with spamd will obviously make a good relay server, in and out. If you don't mind using system users to manage your email services, OpenSMTPD is ready for that too.

The only missing feature, from my point of view, is options to interface with a remote directory to manage users and domains. You can do without it if you're a UNIX guru or if you have a small number of users but, as far as I'm concerned, OpenSMTPD won't make it into "the Enterprise" until it can get part of its configuration from a remote repository.

Talking about configuration, the syntax is still evolving. I've already been told that '{}' have been dropped in -CURRENT. So expect some more syntax changes, as soon as 5.1-CURRENT.
