OpenSMTPD

Posted on Fri 02 October 2015 in english

Several months ago I converted my mail server from Postfix to OpenBSD's OpenSMTPD. If you want to know the basics, I suggest you read William Orr's article first.

Related articles

In the last couple of weeks it has become trendy to blog about OpenSMTPD:

Dovecot

We need an MDA, for which I've chosen Dovecot. As it's not installed by default on OpenBSD (whereas OpenSMTPD is), let's install it:

# pkg_add dovecot

Dovecot has the problem that it needs more open file descriptors than a normal daemon on OpenBSD is allowed. If you don't raise the limits, its startup will fail. Therefore configure an explicit login class 'dovecot' in /etc/login.conf:

dovecot:\
        :ignorenologin:\
        :openfiles-cur=1024:\
        :openfiles-max=2048:\
        :tc=default:

To make sure that the database is in sync with the plain file, run cap_mkdb /etc/login.conf after you've changed the file. (Thanks to the original article I figured out how to start Dovecot.)
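As an added example (not from the original post), here is a small Python parser for the login.conf(5) record format that follows tc= inheritance and reports the effective open-file limits of a class, so you can verify the dovecot class before running cap_mkdb; the sample file and the function names are my own.

```python
# Added example (not from the post): parse a BSD login.conf(5) file, follow tc=
# inheritance and check a class's effective open-file limits. Sample is constructed.
import re

SAMPLE_LOGIN_CONF = """\
default:\\
        :openfiles-cur=512:\\
        :openfiles-max=1024:\\
        :datasize-cur=512M:

dovecot:\\
        :ignorenologin:\\
        :openfiles-cur=1024:\\
        :openfiles-max=2048:\\
        :tc=default:
"""

def parse_login_conf(text):
    """Return {class_name: {cap: value}}; boolean caps map to True."""
    classes = {}
    # Join backslash-continued lines so each class is one logical record.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, _, caps = line.partition(":")
        entry = {}
        for cap in filter(None, (c.strip() for c in caps.split(":"))):
            key, eq, value = cap.partition("=")
            entry[key] = value if eq else True
        for name in names.split("|"):          # "name|alias:" records
            classes[name.strip()] = entry
    return classes

def effective_caps(classes, name, _seen=None):
    """Resolve tc= inheritance; a class's own caps override its parent's."""
    _seen = set() if _seen is None else _seen
    if name not in classes or name in _seen:   # unknown class or tc= loop
        return {}
    _seen.add(name)
    own = dict(classes[name])
    parent = own.pop("tc", None)
    merged = effective_caps(classes, parent, _seen) if parent else {}
    merged.update(own)
    return merged

def openfiles_limits(text, login_class="dovecot", minimum=1024):
    """Return (cur, max, ok); ok is True when both limits reach `minimum`."""
    caps = effective_caps(parse_login_conf(text), login_class)
    cur, mx = int(caps.get("openfiles-cur", 0)), int(caps.get("openfiles-max", 0))
    return cur, mx, cur >= minimum and mx >= minimum
```

Run it against a copy of your real /etc/login.conf to confirm the limits Dovecot will actually get after the tc=default merge.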

/etc/dovecot/dovecot.conf: allow imap and lmtp, the local transport that puts mails into the user's maildir:

protocols = imap lmtp
listen = *

/etc/dovecot/conf.d/10-auth.conf: disable plaintext authentication, which stays allowed over SSL/TLS:

disable_plaintext_auth = yes
auth_mechanisms = plain

/etc/dovecot/conf.d/10-mail.conf: we want maildir to store our mails instead of that nasty, old mbox format:

mail_location = maildir:/home/%u/Maildir

For more possibilities have a look at the config file - it's well commented.

/etc/dovecot/conf.d/10-ssl.conf: configure the SSL certs. If you have created your own certs, change the location here:

ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_prefer_server_ciphers = yes

I've changed the SSL cipher settings according to the tips from the BetterCrypto project.
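As an added example (not from the post or from Dovecot), a Python lint over a Dovecot "key = value" file that checks the auth and TLS settings discussed above: plaintext auth off, ssl on, SSLv2/SSLv3 disabled, the weak cipher classes excluded, server cipher order enforced, and any misspelled setting name reported. The sample config and the set of known keys are constructed for this example.

```python
# Added example (not from the post): lint a Dovecot "key = value" config for the
# TLS and auth settings used above. The sample is constructed; the policy is mine.
import re

# Mirrors the post's 10-auth.conf and 10-ssl.conf, with one deliberate typo
# (auth_mechanism instead of Dovecot's auth_mechanisms) for the lint to catch.
SAMPLE_DOVECOT_CONF = """\
disable_plaintext_auth = yes
auth_mechanism = plain
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:!aNULL:!MD5:!RC4:!3DES
ssl_prefer_server_ciphers = yes
"""

KNOWN_KEYS = {"disable_plaintext_auth", "auth_mechanisms", "ssl", "ssl_cert",
              "ssl_key", "ssl_protocols", "ssl_cipher_list",
              "ssl_prefer_server_ciphers", "protocols", "listen"}

def parse_dovecot_conf(text):
    """Return {key: value} for top-level 'key = value' lines (sections ignored)."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def lint_dovecot_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_dovecot_conf(text)
    findings = [f"unknown setting {k!r} (typo?)" for k in conf if k not in KNOWN_KEYS]
    if conf.get("disable_plaintext_auth") != "yes":
        findings.append("plaintext auth allowed without TLS")
    if conf.get("ssl") not in ("yes", "required"):
        findings.append("ssl is not enabled")
    protos = conf.get("ssl_protocols", "").split()
    for legacy in ("!SSLv2", "!SSLv3"):
        if legacy not in protos:
            findings.append(f"ssl_protocols does not disable {legacy[1:]}")
    ciphers = conf.get("ssl_cipher_list", "").split(":")
    for weak in ("!aNULL", "!MD5", "!RC4", "!3DES"):
        if weak not in ciphers:
            findings.append(f"ssl_cipher_list does not exclude {weak[1:]}")
    if conf.get("ssl_prefer_server_ciphers") != "yes":
        findings.append("server cipher order not enforced")
    return findings
```

Newer Dovecot releases replaced ssl_protocols with ssl_min_protocol, so extend KNOWN_KEYS and the protocol check if you run the lint against a current install.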

To get OpenSMTPD and Dovecot starting automatically at boot add the following lines to your /etc/rc.conf.local:

smtpd_flags=""
pkg_scripts=dovecot

As Dovecot isn't part of base, you have to add it via pkg_scripts (see 'man 8 rc.conf' for details).

OpenSMTPD

/etc/mail/smtpd.conf looks like this:

pki mail.pascalschmid.de certificate '/etc/ssl/dovecot/mail.pascalschmid.de.crt'
pki mail.pascalschmid.de key '/etc/ssl/dovecot/mail.pascalschmid.de.key'

table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table vusers  file:/etc/mail/virtusertable
table secrets passwd:/etc/mail/secrets

listen on lo0
listen on re0 port 25 tls pki mail.pascalschmid.de
listen on re0 port 587 tls-require pki mail.pascalschmid.de auth <secrets> hostname mail.pascalschmid.de

accept from any for domain <domains> virtual <vusers> deliver to maildir
accept for local alias <aliases> deliver to maildir
accept from local for any relay

What does it do? First we name the SSL key and certificate file, then we tell OpenSMTPD which files contain the users, domains and passwords it should accept. The third block configures the network interfaces and ports the daemon should listen on. We'll change the last block later, so I won't explain it here... For more information on the possible values for your smtpd.conf see the official man page or the articles mentioned above.

To see which accept rule will be applied, see OpenSMTPD's GitHub wiki.
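As an added example (not from the post or from OpenSMTPD), a Python check over the "listen on" lines of an smtpd.conf that parses each listener and flags any one offering auth without tls-require or smtps, which is what keeps the credentials behind <secrets> off the wire in cleartext; the config sample, host names and function names are constructed.

```python
# Added example (not from the post): parse the "listen on" lines of an OpenSMTPD
# smtpd.conf and flag listeners that offer auth without making TLS mandatory.
import shlex

# Constructed sample: the post's three listeners plus one deliberately weak one.
SAMPLE_SMTPD_CONF = """\
pki mail.example.org certificate '/etc/ssl/mail.example.org.crt'
table secrets passwd:/etc/mail/secrets
listen on lo0
listen on re0 port 25 tls pki mail.example.org
listen on re0 port 587 tls-require pki mail.example.org auth <secrets> hostname mail.example.org
listen on re0 port 2525 tls auth <secrets>
"""

def parse_listeners(text):
    """Return one dict per 'listen on' line: interface, port, tls mode, auth."""
    listeners = []
    for line in text.splitlines():
        words = shlex.split(line.split("#", 1)[0])
        if words[:2] != ["listen", "on"]:
            continue
        entry = {"interface": words[2], "port": "25", "tls": None, "auth": False}
        i = 3
        while i < len(words):
            w = words[i]
            if w in ("port", "pki", "hostname"):   # keywords taking a value
                entry[w] = words[i + 1]
                i += 2
            elif w in ("tls", "tls-require", "smtps"):
                entry["tls"] = w
                i += 1
            elif w == "auth":
                entry["auth"] = True
                i += 1
                if i < len(words) and words[i].startswith("<"):  # <table>
                    entry["auth_table"] = words[i].strip("<>")
                    i += 1
            else:
                i += 1   # keyword this checker does not model
        listeners.append(entry)
    return listeners

def lint_listeners(text):
    """Findings for listeners where credentials could travel in cleartext."""
    findings = []
    for l in parse_listeners(text):
        if l["auth"] and l["tls"] not in ("tls-require", "smtps"):
            findings.append(f"{l['interface']}:{l['port']} offers auth "
                            "without mandatory TLS")
    return findings
```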

To start the services run:

# /etc/rc.d/smtpd start
# /etc/rc.d/dovecot start

Sieve

If you want to filter your mails into (sub-)folders before they reach your mail client, install Sieve:

# pkg_add dovecot-pigeonhole

You get some more config files in /etc/dovecot/conf.d. To enable Sieve, update your dovecot.conf:

protocols = imap lmtp sieve

In /etc/dovecot/conf.d/20-lmtp.conf:

mail_plugins = $mail_plugins sieve

At this point your Sieve config is correct, but it still isn't working. That is because OpenSMTPD writes the mail files itself - not Dovecot. You have to hand local delivery over to Dovecot via LMTP - see: Your MTA is not using Dovecot LDA or LMTP.

To do this, change the accept rules to:

accept from local for local alias <aliases> deliver to lmtp "/var/dovecot/lmtp"
accept from local for local deliver to lmtp "/var/dovecot/lmtp"
accept from any for domain <domains> virtual <vusers> deliver to lmtp "/var/dovecot/lmtp"

We've changed the rules from "deliver to maildir" to "deliver to lmtp "/var/dovecot/lmtp"", so Dovecot takes care of our fresh mails.

I noticed these error lines in my log:

Jan  6 19:13:44 server dovecot: lmtp(21421, guybrush): Error: User guybrush doesn't have home dir set, disabling duplicate database
Jan  6 19:13:44 server dovecot: lmtp(21421, guybrush): Error: b7v0BdglrFStUwAAFfhiyA: sieve: sieve script file path ~/.dovecot.sieve is relative to home directory, but home directory is not available.

Set the correct value in /etc/dovecot/conf.d/10-mail.conf:

mail_home = /var/vmail/%d/%n