Quick look at OpenSMTPD on OpenBSD 5.1
I want to have a look at a replacement for my Postfix/Dovecot/OpenLDAP mail server using the OpenSMTPd implementation. Not that it doesn’t work ; in fact I don’t get that much mail and everything works like a charm. I just want to see if I can use as much all-inclusive OpenBSD 5.1 daemons.
Setup basic smtpd configuration
First of all, let’s tell the SMTP daemon that we want to accept every mail for
our tumfatig.net
domain. I don’t want to mess with configuration on updates
so I’ll be using basic directions in smtpd.conf
and complex one in
smtpd.conf.local
:
# vi /etc/mail/smtpd.conf
listen on lo0
map "aliases" { source db "/etc/mail/aliases.db" }
include "/etc/mail/smtpd.conf.local"
# vi /etc/mail/smtpd.conf.local
lan_if = "vic0"
lan_net = "192.168.0.0/24"
listen on $lan_if
accept from all for domain "tumfatig.net" deliver to mbox
accept from local for all relay
accept from $lan_net for all relay
Then stop and disable Sendmail:
# /etc/rc.d/sendmail stop
# vi /etc/mailer.conf
sendmail /usr/sbin/smtpctl
send-mail /usr/sbin/smtpctl
mailq /usr/sbin/smtpctl
makemap /usr/libexec/smtpd/makemap
newaliases /usr/libexec/smtpd/makemap
# newaliases
# vi /etc/rc.conf.local
(...)
sendmail_flags=NO
smtpd_flags=""
You can now start OpenSMTPd, either with the rc.d
script or in debug mode
from the console, using `smtpd -d
`. From there, you can send e-mail to the
external world and any mail for the configured domain will be saved locally.
Note that only users known to the system, from the etc/passwd
, can receive
mail, yet.
Switch to Virtual Domains configuration
I do host several domains. Either as a primary or secondary MX.
From the previous chapter, we’ve seen that smtpd
stores the mail with the
system user. In a case of virtual domains and users, we use a single users that
will store every mail. That particular user will also be used by the POP3/IMAP
server to read and manage the mail.
Create the virtual user and set proper permissions on storage:
# groupadd -g 2000 vmail
# useradd -m -u 2000 -g vmail -d /home/vmail -s /sbin/nologin vmail
# mkdir -p /home/vmail/{carnat.net,tumfatig.net}
# chown vmail:vmail /home/vmail/{carnat.net,tumfatig.net}
Modify OpenSMTPd’s configuration to use virtual domain:
# vi /etc/mail/smtpd.conf.local
(...)
map "vdomains" { source db "/etc/mail/vdomains.db" }
accept for virtual "vdomains" deliver to maildir "/home/vmail/%d/%a/"
Fill-in the domains information:
# vi /etc/mail/vdomains
tumfatig.net accept
carnat.net accept
jca@tumfatig.net vmail
joel@carnat.net vmail
# makemap /etc/mail/vdomains
Send emails to the defined users and watch the logs to see them delivered. Note
that if you add an entry like “@domain user
” in the vdomain file, you’ll get
mail for any users on that particular domain.
Virtual aliases can be populated with entries like:
# cat /etc/mail/vdomains
(...)
carnat.net accept
joel@carnat.net vmail
root@carnat.net joel@carnat.net
abuse@carnat.net root@carnat.net
hostmaster@carnat.net root@carnat.net
postmaster@carnat.net root@carnat.net
webmaster@carnat.net root@carnat.net
(...)
The 5 last entries will act as virtual aliases, forwarded to the destination email and “recursively rendered”.
Configure authenticated relay
Before setting up authentication, one should configure encryption. Either install the certificate from some external provider or configure a self-signed one:
# mkdir /etc/mail/certs
# cd /etc/mail/certs
# openssl genrsa -out openbsd.tumfatig.net.key 4096
# openssl req -new -x509 -key openbsd.tumfatig.net.key \
-out openbsd.tumfatig.net.crt -days 3650
# chmod 0600 openbsd.tumfatig.net.*
# vi /etc/mail/smtpd.conf.local
(...)
listen on $lan_if smtps certificate "openbsd.tumfatig.net" enable auth
To be able to use that SMTP to relay mail from anywhere, create a map for users to authenticate:
# touch /etc/mail/secrets
# chown root:_smtpd /etc/mail/secrets
# chmod 0640 /etc/mail/secrets
# echo "openbsd.tumfatig.net jca:secret" > /etc/mail/secrets
# makemap /etc/mail/secrets
# vi /etc/mail/smtpd.conf.local
(...)
map "secrets" { source db "/etc/mail/secrets.db" }
accept from all for all relay via localhost smtps auth "secrets"
What else?
There are two or three more features that I was looking for and that aren’t available yet.
Secondary MX
I have a deal with a friend for whom I run a secondary MX. Configuring the secondary MX feature is quite easy:
# vi /etc/mail/smtpd.conf.local
(...)
map "v2mx" { source db "/etc/mail/v2mx.db" }
accept from all for virtual "v2mx" relay
# vi /etc/mail/v2mx
more.tld accept
# makemap /etc/mail/v2mx
From there, OpenSMTPD will act as a secondary MX relaying mail for the configured domains, using DNS resolution. The missing feature I need was recipient filtering. Indeed, I know the valid accounts for the domain I relay. And it would be nice to accept mail for valid users and return “450 - Try again later” for invalid users ; 450 rather than “550 - Unknown user” to not ease directory harvesting.
Such feature is in the pipe and should “happen soon”. I’ll have a look back when OBSD 5.2 comes out.
LDAP integration
Storing information in a shared LDAP directory is really nice as you can share authentication (and more) with many software ; like share the SMTP mailboxes, SMTPs authenticated users, IMAP users, …
I’m waiting for LDAP because I already use it. But storage using a database would be OK too.
Anyway, AFAIK, it is not available yet.
Virtual users
The virtual users configuration as I described it here is not “correct”. If you
only have 1 user per domain, you can manage to have it working. But since you
have 2 users on a particular domain, both will have their mail stored in the
vmail
account I created ; which is obviously not what you want.
As I understood it, the only way to deal with users is to create system users ;
in /etc/passwd
. They don’t have to be able to log in ; they just need a home,
to store email, and a password, for authenticated smtp.
Monitoring features
There is a smtpctl show stats
that will give you information about what
happens on your smtp daemon. But this is more about what is happening, in terms
of session and errors, than about mail counters. I was expecting things like
pfctl from which you can stats “received mail”, “rejected mail”, …
The log file has some information about received and sent mail but I found them a bit hard to read when it comes to tracing the exact path of email delivery. It is obviously a matter of getting unused to the postfix way of logging and learn the OpenSMTPD way. So just learn it child.
Final thoughts
All-in-all, OpenSMTPD seems ready to deliver email in production. Using it with spamd will obvisouly make a good relay server, in and out. If you don’t care using system users to managed your email services, OpenSMTPD is ready too for it.
The only missing feature is, from my point of view, options to interface with a remote directory to manage users and domains. You can deal without it if you’re a UNIX GuRu or if you have a small number of users but, as far as I’m concerned, OpenSMTPD won’t make it in “the Enterprise” until it can get part of it’s configuration from a remote repository.
Talking about configuration, syntax is still evolving. I’ve already been taught that ‘{}’ have been dropped in -CURRENT. So expect some more changes regarding syntax ; and as soon as 5.1-CURRENT.