Using OpenBSD’s OpenSMTPd for Email
As many readers may be aware, the venerable Sendmail has been the default mail daemon in OpenBSD for years, largely because it was the only reasonable BSD-licensed mail server around. Personally, I have never trusted Sendmail enough to use it on any of my hosts, despite the fact that it has been audited by the OpenBSD team. It has a Byzantine configuration which I could never figure out, and, perhaps more importantly, a terrible security record, owing at least partly to its monolithic single-process design: a bug in the code that talks to the network is a bug in a process that also holds root. So I've always used either Qmail or, more recently, Postfix. Both Qmail and Postfix have a multi-process design with clean points of separation and privilege, so a compromise of the network-facing process does not by itself hand the attacker root. This approach greatly reduces the attack surface for privilege escalation.
Qmail, Postfix
Qmail has a very strange license which keeps it out of even the OpenBSD ports tree. Postfix is not BSD-licensed, and so cannot be included in the base system. This means that running Postfix is a little extra work, since you have to deal with installing and upgrading packages.
Wouldn't it be nice if there was a modern, simple, secure SMTP daemon in base? Now there is. New in OpenBSD 4.6 is OpenSMTPd, the latest secure SMTP daemon on the block.
Turning on OpenSMTPd
Sendmail is still the default MTA in base, so you must follow these steps to enable OpenSMTPd on your system:
smtpd is not enabled by default. In order to use it as the system mailer, first ensure the mail queue is empty (check with mailq; anything still queued when you switch daemons would be stranded in sendmail's queue), then stop sendmail(8):
# pkill sendmail
Modify the current mailwrapper(8) settings by editing /etc/mailer.conf:
sendmail /usr/sbin/smtpctl
send-mail /usr/sbin/smtpctl
mailq /usr/sbin/smtpctl
makemap /usr/libexec/smtpd/makemap
newaliases /usr/libexec/smtpd/makemap
Rebuild the aliases database (with mailer.conf updated, newaliases now runs smtpd's own makemap, so /etc/mail/aliases.db ends up in the format smtpd expects) and enable the daemon:
# newaliases
# echo "sendmail_flags=NO" >> /etc/rc.conf.local
# echo "smtpd_flags=" >> /etc/rc.conf.local
# smtpd
Note that while debugging your setup, you might find running smtpd in verbose foreground mode via `smtpd -dv` useful.
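The same switchover as a script, added here as an example rather than taken from the post or from OpenBSD: it makes the queue check explicit and makes the rc.conf.local edit idempotent (the bare `echo >>` above appends a duplicate line every time it is re-run). ROOT is an assumed prefix so the file-editing helpers can be exercised in a scratch directory; the assumption that sendmail keeps one qf* control file per queued message under /var/spool/mqueue is mine. On a real OpenBSD 4.6 host you would run it as root with ROOT unset and the --apply flag.

```shell
#!/bin/sh
# Added example, not from the original post: switch from sendmail to smtpd.
# ROOT (assumed helper variable) prefixes every path so the file edits can be
# tried in a scratch directory; leave it unset on a real host.

sendmail_queue_is_empty() {
    # Assumption: sendmail keeps a qf* control file per queued message in
    # /var/spool/mqueue.  Returns 0 (true) when no such file exists.
    set -- "${ROOT:-}/var/spool/mqueue"/qf*
    [ ! -e "$1" ]
}

write_mailer_conf() {
    # Point every mailwrapper(8) name at the smtpd binaries, as in the post.
    cat > "${ROOT:-}/etc/mailer.conf" <<'EOF'
sendmail /usr/sbin/smtpctl
send-mail /usr/sbin/smtpctl
mailq /usr/sbin/smtpctl
makemap /usr/libexec/smtpd/makemap
newaliases /usr/libexec/smtpd/makemap
EOF
}

set_rc_flag() {
    # Usage: set_rc_flag NAME VALUE.  Appends NAME=VALUE to rc.conf.local
    # unless NAME is already set there, so running this twice is harmless.
    f="${ROOT:-}/etc/rc.conf.local"
    touch "$f"
    grep -q "^$1=" "$f" && return 0
    printf '%s=%s\n' "$1" "$2" >> "$f"
}

switch_to_smtpd() {
    if ! sendmail_queue_is_empty; then
        echo "sendmail queue is not empty; let it drain (sendmail -q) first" >&2
        return 1
    fi
    pkill sendmail || true          # already stopped is fine
    write_mailer_conf
    set_rc_flag sendmail_flags NO
    set_rc_flag smtpd_flags ""
    newaliases                      # now runs smtpd's makemap via mailwrapper
    smtpd
}

if [ "${1:-}" = "--apply" ]; then
    switch_to_smtpd
fi
```

Because `set_rc_flag` looks for an existing `NAME=` line before appending, the script can be re-run after a failed attempt without leaving two `sendmail_flags` lines in rc.conf.local, where the last one would silently win.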
OpenSMTPd configuration
I'm very impressed at how simple and clean the OpenSMTPd configuration is. Check out the smtpd.conf(5) manual page for the grammar. There are some more docs and example configs at Calomel.org.
It still took me a little while to figure out a few things, so I thought I’d post my configurations to help others.
Using OpenSMTPd as a Backup MX
I’ve been using Postfix as a backup MX for unworkable.org. I decided to try OpenSMTPd in this role instead.
listen on lo0
listen on bnx0
map "aliases" { source db "/etc/mail/aliases.db" }
accept from all for local deliver to mbox
accept for all relay
accept from all for domain "unworkable.org" relay
The configuration is pretty straightforward once you are aware that the default 'from' is 'local'; that is why it is necessary to add `accept from all` to accept mail from the outside world. Note the asymmetry this gives you: `accept for all relay` (implicitly from local) lets local clients send anywhere, while `accept from all for domain "unworkable.org" relay` only takes mail from outside that is addressed to the domain. The one combination to avoid is `accept from all for all relay`, which would make the host an open relay.
Relaying mail to another SMTP server for delivery (nullmailer) with SSL
I use Mutt as my MUA. Mutt assumes you have a local MTA to deliver mail, which used to mean running something like nullmailer or msmtp alongside it. Until now. My ISP (sonic.net) doesn't let me use port 25, so I have to relay to their SMTP server to send mail:
listen on lo0
map aliases { source db "/etc/mail/aliases.db" }
map secrets { source db "/etc/mail/secrets.db" }
accept for local deliver to maildir
accept for all relay via smtp.sonic.net ssl enable auth
The /etc/mail/secrets.db file is generated with makemap from the plaintext map /etc/mail/secrets. That file holds your username and password in the clear, so keep it, and the .db built from it, readable by root only; check out the smtpd.conf manual page for the exact line format.
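Two sanity checks for the two configurations above (the backup MX and the authenticated relay), added here as an example and not code from the post or from the OpenSMTPd project. `check_open_relay` parses the 4.6-era `accept [from ...] for ... relay|deliver` rules the post uses and flags the one combination that opens the host to everyone; because `from` defaults to local, `accept for all relay` is correctly left alone. `check_secrets_perms` refuses a plaintext secrets file that anyone but its owner can read. The three sample configs are constructed here for the demonstration, and the secrets line used in the test is illustrative only, not the format smtpd.conf(5) specifies.

```shell
#!/bin/sh
# Added example, not from the original post or OpenSMTPd: lint a 4.6-style
# smtpd.conf for open-relay rules and check the secrets file's permissions.

check_open_relay() {
    # $1: path to smtpd.conf.  Returns 0 if clean, 1 if any accept rule is
    # "from all" and "for all" and relays (the open-relay combination).
    awk '
        $1 == "accept" {
            src = "local"; dst = ""; act = ""     # "from" defaults to local
            for (i = 1; i <= NF; i++) {
                if ($i == "from")    src = $(i + 1)
                if ($i == "for")     dst = $(i + 1)
                if ($i == "relay")   act = "relay"
                if ($i == "deliver") act = "deliver"
            }
            if (src == "all" && dst == "all" && act == "relay") {
                printf "open relay rule at line %d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

check_secrets_perms() {
    # $1: plaintext secrets file.  Returns 0 only for mode 0600 or 0400;
    # the mode string is read from ls -l so this works on BSD and Linux.
    mode=$(ls -l "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1 has mode $mode; it must be readable by its owner only" >&2
           return 1 ;;
    esac
}

write_sample_configs() {
    # Constructed samples written into directory $1: the two configs from
    # the post plus a deliberately broken open-relay variant.
    cat > "$1/backup-mx.conf" <<'EOF'
listen on lo0
listen on bnx0
map "aliases" { source db "/etc/mail/aliases.db" }
accept from all for local deliver to mbox
accept for all relay
accept from all for domain "unworkable.org" relay
EOF
    cat > "$1/relay-auth.conf" <<'EOF'
listen on lo0
map aliases { source db "/etc/mail/aliases.db" }
map secrets { source db "/etc/mail/secrets.db" }
accept for local deliver to maildir
accept for all relay via smtp.sonic.net ssl enable auth
EOF
    cat > "$1/open-relay.conf" <<'EOF'
listen on lo0
listen on bnx0
accept from all for local deliver to mbox
accept from all for all relay
EOF
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_sample_configs "$d"
    for c in backup-mx relay-auth open-relay; do
        check_open_relay "$d/$c.conf" && echo "$c.conf: ok"
    done
    rm -rf "$d"
fi
```

Run it with `--demo` to see the first two configs pass and the third one reported; on a live host, point `check_open_relay` at /etc/mail/smtpd.conf and `check_secrets_perms` at /etc/mail/secrets before restarting smtpd.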
Hello,
Thanks for the post, it helped me understand the basics of how OpenSMTPd works (even if the man pages are already very explicit).
I've just got a little question about your sentence:
“My ISP (sonic.net) doesn’t let me use port 25, so I have to relay to their SMTP server to send mail”
In my case, it is exactly the converse: I can't use anything other than port 25. It seems that OpenSMTPd cannot be configured to use no crypto. Am I right?