OpenSMTPD and Dovecot on OpenBSD 5.7

    

Those are my notes about configuring OpenSMTPD 5.4.4 and Dovecot 2.2.15 on OpenBSD 5.7. I’ve setup virtual domains and users. In this simple configuration, the virtual users are matched with local users for mail delivery. SMTP submission is authenticated and passwords for all mail services are stored in usual system files. Of course, mail reception is protected by spamd. Here are the directions.

Register the system users

The available email addresses will be delivered to system users. Add a bunch of them and set the password for SMTP submission and IMAP authentication the usual way.

# useradd -m -u 1000 -g nogroup -s /sbin/nologin user1
# useradd -m -u 1001 -g nogroup -s /sbin/nologin user2 
# passwd user1
# passwd user2

Reference virtual domains and users

Basic email aliases are stored in /etc/mail/aliases. Email addresses for real users and extra aliases are referenced in a dedicated file.

# cat > /etc/mail/vusers
contact@carnat.net user1
contact@tumfatig.net user1
joel@carnat.net user1
jca@tumfatig.net user1

Email domains are stored in a dedicated file. Even though server’s FQDN contains one of the virtual domain, it seems to be required to reference it in the virtual domains file.

# cat > /etc/mail/vdomains
carnat.net
tumfatig.net

Install SSL certificate

Public certificate used in TLS connexion can be installed in the usual SSL directory. The private key was generated years ago with OpenSSL. So far, there doesn’t seem to be any issue with the LibreSSL implementation from this OpenBSD instance.

# install -o root -g wheel -m 0644 gandi.crt /etc/ssl/gandi.crt
# install -o root -g wheel -m 0600 gandi.key /etc/ssl/private/gandi.key

Configure OpenSMTPD

To ease upgrades, I like to comment the default configuration file and include an external one.

# egrep -v '^$|^#' /etc/mail/smtpd.conf 
include "/etc/mail/smtpd.conf.local"

I’ve setup clear connection on loopback. The public SMTP connexion can go unencrypted or can be used via TLS. The public SMTP submission must be encrypted and authenticated to be used.

The configuration for aliases, virtual domains and users are done with file reference.

I only accept public delivery for my virtual domains and users. Only local and authenticated connection can relay to the external world.

# cat /etc/mail/smtpd.conf.local
# OpenSMTPD configuration
#
pki www.tumfatig.net certificate "/etc/ssl/gandi.crt"
pki www.tumfatig.net key "/etc/ssl/private/gandi.key"

listen on lo0
listen on egress tls pki www.tumfatig.net auth-optional
listen on egress port submission tls-require pki www.tumfatig.net auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias  deliver to maildir

accept from any for domain  virtual  deliver to maildir
accept from local for any relay

The server doesn’t have a name that is known from the Internet ; the one configured in the TLS certificate. To have those match, there’s a tweak to apply via a configuration file.

# cat /etc/mail/mailname
www.tumfatig.net

The OpenSMTPD can now be started and tested.

# rcctl enable smtpd
# /etc/rc.d/smtpd restart 
smtpd(ok)
smtpd(ok)

Protect your mail daemon

I like to use spamd to drop dummy spammers activity. It requires configuring PF to redirect SMTP connexions to spamd and setting an optional white-list.

# cat /etc/pf.conf
(...)
# rules for spamd(8)
table  persist
table  persist file "/etc/mail/nospamd"
table  persist file "/etc/mail/nospamd_spf"

pass in on egress proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
pass in on egress proto tcp from  to any port smtp
pass in on egress proto tcp from  to any port smtp
pass in log on egress proto tcp from  to any port smtp
pass out log on egress proto tcp to any port smtp

# touch /etc/mail/nospamd
# pfctl -f /etc/pf.conf

Finally, spamd and spamlogd can be configured to be launched automatically.

# rcctl enable spamd
# rcctl set spamd flags -G 5:4:864 -h www.tumfatig.net
# rcctl enable spamlogd
# /etc/rc.d/spamd start
# /etc/rc.d/spamlogd start

Read your email via IMAP

I’m using Dovecot to provide IMAP access to emails. As I’m using local users for SMTP submission, those credentials are used to authenticate with Dovecot.

# pkg_add dovecot

# diff /usr/local/share/examples/dovecot/example-config/dovecot.conf \
       /etc/dovecot/dovecot.conf
24c24
< #protocols = imap pop3 lmtp
---
> protocols = imap

# diff /usr/local/share/examples/dovecot/example-config/conf.d/10-ssl.conf \
       /etc/dovecot/conf.d/10-ssl.conf
6c6
< #ssl = yes
---
> ssl = yes
12,13c12,13
< ssl_cert =  ssl_cert =  ssl_key =

The final step is to install and configure Mutt.

# pkg_add mutt

# vim ~/.muttrc
set spoolfile="imaps://user1:pass1@www.tumfatig.net/INBOX"
set folder="imaps://www.tumfatig.net/INBOX"
set record="=Sent"
set postponed="=Drafts"

set realname="Joel Carnat"
set from="joel@carnat.net"
set use_from=yes
set use_envelope_from=yes

set edit_headers=yes

This is nearly what I want. The only issue is that SOGo requires LDAP or SQL users reference. Hence, I can’t use this configuration as-is. Still got to dig on using virtual users/domains in LDAP/SQL with OpenSMTPD. Next time, hopefully.

That’s all folks!