The default smtpd.conf file which ships with OpenBSD listens on the loopback interface (lo0), accepts mail from users and daemons on the local machine, and allows that mail to be delivered locally or sent on to remote servers. Some more complex configurations are given below.
This first example is similar to the default configuration, but all outgoing mail is forwarded to a remote SMTP server. A secrets file is needed to specify a username and password. The permissions are set before the credentials are written, so the file is never readable by other users. Each line consists of a label (here bob, which the relay URL below refers to) followed by the username:password pair. Note that typing the credentials on an echo command line may also leave them in the shell's history file, if one is kept:
# touch /etc/mail/secrets
# chmod 640 /etc/mail/secrets
# chown root:_smtpd /etc/mail/secrets
# echo "bob username:password" > /etc/mail/secrets
smtpd.conf would look like this:
table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay host smtp+tls://bob@smtp.example.com \
auth <secrets>
match from local for local action "local_mail"
match from local for any action "outbound"
In this second example, the aim is to permit mail delivery and relaying only for users that can authenticate (using their normal login credentials). An RSA certificate must be provided to prove the server's identity, and the listener is configured with tls so that credentials are not sent in the clear. The mail server listens on all interfaces in the egress group, i.e. those the default routes point to. Mail with a local destination is sent to an external MDA. Note that a match rule with no from clause applies to local senders only, so the last rule (match auth from any) is the only one that permits relaying by remote clients, and only after they have authenticated. First, the RSA certificate is created:
# openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
# openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
-out /etc/ssl/mail.example.com.crt -days 365
# chmod 600 /etc/ssl/mail.example.com.crt
# chmod 600 /etc/ssl/private/mail.example.com.key
In the example above, a self-signed certificate valid for one year was created; clients will have to be told to trust it, or it can be replaced by one issued by a CA (for instance obtained with acme-client(1)). The configuration file would look like this:
pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
table aliases file:/etc/mail/aliases
listen on lo0
listen on egress tls pki mail.example.com auth
action mda_with_aliases mda "/path/to/mda -f -" alias <aliases>
action mda_without_aliases mda "/path/to/mda -f -"
action "outbound" relay
match for local action mda_with_aliases
match from any for domain example.com action mda_without_aliases
match for any action "outbound"
match auth from any for any action "outbound"
For sites that wish to sign messages using DKIM, the following example uses opensmtpd-filter-dkimsign for DKIM signing. Replace <domain> and <selector> with the signing domain and the DNS selector under which the matching public key is published (selector._domainkey.domain). Since the filter process runs as the _dkimsign user, the private key file must be readable by that user. Filters are attached to listeners, so only mail submitted through the socket and lo0 listeners is signed here:
table aliases file:/etc/mail/aliases
filter "dkimsign" proc-exec "filter-dkimsign -d <domain> -s <selector> \
-k /etc/mail/dkim/private.key" user _dkimsign group _dkimsign
listen on socket filter "dkimsign"
listen on lo0 filter "dkimsign"
action "local_mail" mbox alias <aliases>
action "outbound" relay
match for local action "local_mail"
match for any action "outbound"
Alternatively, the opensmtpd-filter-rspamd package may be used to provide integration with rspamd, a third-party daemon which provides multiple antispam features as well as DKIM signing. As well as configuring rspamd itself, it requires use of the proc-exec keyword; the resulting filter is then attached to listeners with the filter keyword, as in the DKIM example above:
filter "rspamd" proc-exec "filter-rspamd"
Sites that accept non-local messages may be able to cut down on the volume of spam received by rejecting forged messages that claim to be from the local domain. The following example uses a list table other-relays (one IP address or network per line in /etc/mail/other-relays) to specify the relays that may legitimately originate mail with the owner's domain as the sender. Rules are evaluated in order and the first match wins, so the reject rule must come before the rule that accepts mail for example.com; the two rules without a from clause only match local senders and therefore do not let remote clients relay.
table aliases file:/etc/mail/aliases
table other-relays file:/etc/mail/other-relays
listen on lo0
listen on egress
action "local_mail" mbox alias <aliases>
action "outbound" relay
match for local action "local_mail"
match for any action "outbound"
match !from src <other-relays> mail-from "@example.com" for any \
reject
match from any for domain example.com action "local_mail"
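To make the first-match semantics concrete, here is an added example (not from the OpenBSD FAQ or from OpenSMTPD) that evaluates the rule set above against a few constructed envelopes, once in the order shown and once with the reject rule moved after the accept rule. It models only the subset of smtpd.conf(5) matching that the example uses; the relay addresses, the set of local names, and the treatment of the enqueuer socket and loopback addresses as "local" are assumptions:

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample data (not from the FAQ): the contents of a hypothetical
# /etc/mail/other-relays list table, and the names smtpd would treat as local.
OTHER_RELAYS = {"198.51.100.7", "198.51.100.8"}
LOCAL_NAMES = {"localhost", "mail.example.com"}
# Assumption: "from local" covers the enqueuer socket and the loopback addresses.
LOCAL_SOURCES = {"socket", "127.0.0.1", "::1"}


@dataclass(frozen=True)
class Envelope:
    src: str        # connecting address, or "socket" for local enqueuing
    mail_from: str  # SMTP MAIL FROM
    rcpt_to: str    # SMTP RCPT TO


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def mailaddr_matches(pattern: str, addr: str) -> bool:
    """'@domain' matches any user at that domain (the mailaddr convention of
    table(5)); anything else is compared as a whole address."""
    if pattern.startswith("@"):
        return domain_of(addr) == pattern[1:].lower()
    return addr.lower() == pattern.lower()


def from_local(e: Envelope) -> bool:
    return e.src in LOCAL_SOURCES


def for_local(e: Envelope) -> bool:
    return domain_of(e.rcpt_to) in LOCAL_NAMES


# A rule is (text as it would appear in smtpd.conf, predicate, action).
Rule = Tuple[str, Callable[[Envelope], bool], str]

# The rule set from the example above. A rule without a "from" clause
# implies "from local", and the first matching rule decides the envelope.
RULESET: List[Rule] = [
    ('match for local action "local_mail"',
     lambda e: from_local(e) and for_local(e), "local_mail"),
    ('match for any action "outbound"',
     from_local, "outbound"),
    ('match !from src <other-relays> mail-from "@example.com" for any reject',
     lambda e: e.src not in OTHER_RELAYS
     and mailaddr_matches("@example.com", e.mail_from), "reject"),
    ('match from any for domain example.com action "local_mail"',
     lambda e: domain_of(e.rcpt_to) == "example.com", "local_mail"),
]

# The same rules with the reject rule placed after the accept rule.
MISORDERED: List[Rule] = [RULESET[0], RULESET[1], RULESET[3], RULESET[2]]


def evaluate(rules: List[Rule], env: Envelope) -> str:
    """Return the action of the first matching rule; smtpd rejects an
    envelope that matches no rule at all."""
    for _text, pred, action in rules:
        if pred(env):
            return action
    return "reject"


# Constructed envelopes covering the cases the rule set is meant to handle.
SAMPLES = {
    "local user sending out": Envelope("socket", "bob@example.com", "carol@other.org"),
    "forged sender from stranger": Envelope("203.0.113.5", "bob@example.com", "alice@example.com"),
    "same sender via listed relay": Envelope("198.51.100.7", "bob@example.com", "alice@example.com"),
    "ordinary inbound mail": Envelope("203.0.113.5", "carol@other.org", "alice@example.com"),
    "open-relay attempt": Envelope("203.0.113.5", "carol@other.org", "dave@other.org"),
}


def decisions(rules: List[Rule]) -> dict:
    """Evaluate every sample envelope against a rule set."""
    return {name: evaluate(rules, env) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:30} as written: {evaluate(RULESET, env):10} "
              f"reject last: {evaluate(MISORDERED, env)}")
```

Run with python3. With the rules in the order given above, the forged envelope is rejected and the open-relay attempt matches no rule and is refused; with the reject rule moved last, the forged envelope is accepted for local delivery, which is the mistake the ordering avoids.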