OpenSMTPD Installation and Configuration Guide

Author

Reads 6.7K

Various tangled wires connected to system near black metal cases in server room
Credit: pexels.com, Various tangled wires connected to system near black metal cases in server room

OpenSMTPD is a free and open-source mail transfer agent (MTA) that's gaining popularity due to its simplicity and security features. It's a great alternative to other popular MTAs.

To get started with OpenSMTPD, you'll first need to install it on your system. On most Linux distributions, you can do this by running the command `sudo apt-get install opensmtpd`.

Once installed, you can configure OpenSMTPD using its configuration file, usually located at `/etc/smtpd.conf`. This file contains various options and settings that control the behavior of the MTA.

OpenSMTPD uses a simple and intuitive configuration syntax, making it easy to set up and manage.

Installation

To install OpenSMTPD, you can use a container image available at the repo's packages page.

You'll also need to install dependencies, which include pkgconf or pkg-config, libevent, and libressl or OpenSSL. If you're not building from a release tarball, you'll also need autoconf, automake, bison or byacc, and libtool.

Some distributions have different packages for the same library, so be sure to use the -dev or -devel package, such as libevent-dev or libevent-devel, if you're going to build OpenSMTPD yourself.

Install Via Container

Colorful cargo containers on ship near pier
Credit: pexels.com, Colorful cargo containers on ship near pier

If you're looking for an efficient way to install a system, consider using a container. Container images are available at the repo's packages page for easy access.

You can find the necessary container images on the repo's packages page, which makes the installation process smoother.

Install Dependencies

To install OpenSMTPD, you'll first need to get its dependencies in order. This includes pkgconf or pkg-config, libevent, and libressl or OpenSSL.

These dependencies are the building blocks of OpenSMTPD, and they're used to create the framework for the mail server.

You'll also need autoconf, automake, bison or byacc, and libtool if you're building from the git repository or a release tarball. This is because these tools are required for the build process.

The good news is that OpenSMTPD expects the latest versions of all dependencies by default, so you don't need to worry about updating them.

Just remember to use the -dev or -devel package for each library, such as libevent-dev or libevent-devel, if you're building OpenSMTPD yourself. This ensures you get the correct dependencies for your system.

Here are the dependencies you'll need to install:

  • pkgconf or pkg-config
  • libevent
  • libressl or OpenSSL
  • autoconf
  • automake
  • bison or byacc
  • libtool

Install

Detailed view of Ethernet and VGA ports on a server highlighting connectivity features.
Credit: pexels.com, Detailed view of Ethernet and VGA ports on a server highlighting connectivity features.

To install OpenSMTPd, you can choose to install it via a container image available at the repo's packages page.

You'll also need to install dependencies, which include pkgconf or pkg-config, libevent, and libressl or OpenSSL.

Here are the specific dependencies you'll need to install:

  • pkgconf or pkg-config
  • libevent
  • libressl or OpenSSL

Additionally, if you're not building from a release tarball, you'll also need to install autoconf, automake, bison or byacc, and libtool.

By default, OpenSMTPd expects the latest versions of all dependencies, unless otherwise noted.

Some distributions may have different packages for the same library, so be sure to use the -dev or -devel package when building OpenSMTPd yourself.

User Management

User management is a crucial aspect of OpenSMTPD. To operate, OpenSMTPD requires at least one user, by default _smtpd.

Using two users instead of one will increase security by a large factor. This is because having two users, by default _smtpd and _smtpq, provides an added layer of protection.

The default users are _smtpd and _smtpq. If you want to use the default users, you're good to go.

However, if you want to override the default users, you can use the configure script's options: --with-user-smtpd, --with-user-queue, and --with-group-queue.

It's worth noting that using two users instead of one will increase security, so it's a good idea to stick with the default users.

Mail Server Configuration

Credit: youtube.com, OpenSMTPD - FLOSS Weekly 543

To configure your OpenSMTPD mail server, you'll need to generate a self-signed certificate. This involves creating a private key with 600 permissions, as any other permission will likely prevent smtpd from starting.

Make sure to export the required variables, then use them to generate the certificate, which should be set to an absurdly high number of years.

Once you have your key and certificate, configure smtpd.conf to specify the location of these files, and set the server to listen on both the loopback device and the virtual network device, requiring TLS.

Simple Maildir Configuration

To set up a simple Maildir configuration, start by ensuring local mail is working by starting smtpd.service. This will allow cron mails to function properly.

The default configuration of OpenSMTPD is to do local retrieval and delivery of mail to Maildir, and also relay outgoing mail. See smtpd.conf(5) for more information.

You can also configure OpenSMTPD to send local email locally, without going through a relay, by adding two lines to /etc/smtpd/smtpd.conf. These lines will send local emails locally and use a relay to send emails outside of localhost.

For another approach, see: Comparison of Mail Servers

Credit: youtube.com, Mail Server Setup

Here are the two lines you need to add:

  • send local email locally, without going through a relay (useful for cron & at mail notifications)
  • use a relay to send a mail outside of localhost

Replace smtp.example.net with your ISP mail server, or another server of your choice. You can also invoke procmail to send all local emails through a relay.

To deliver incoming mail to each user using the Maildir format, add the following lines to your /etc/mail/smtpd.conf file:

The last few lines deliver all of the incoming mail to each user using the Maildir format. I also use expansion mapping, so mail directed to the root user is directed to me, i.e. joseph.

Here's a more detailed example of the configuration:

  • The server will listen on both the loopback device and the virtual network device, though it will require TLS.
  • I don’t want to set the verify option because I don’t want to require a valid certificate from a certificate authority or manage my own.

This configuration will allow you to send and receive emails using the Maildir format.

Prepare DNS Records

To prepare DNS records for DKIM, create a TXT record with the domain name selector._domainkey.domainname, for example, selector1._domainkey.mydomain.example.

DKIM uses two different keys, Ed25519 and RSA, which require separate DNS records. The Ed25519 key uses selector1._domainkey.domain.example, while the RSA key uses selector2._domainkey.domain.example.

You'll need to update your DNS records using these values.

Configure DkimSign

Credit: youtube.com, Mail server DNS records - setup and configuration explained

To enable DKIM signing on your mail server, you need to define the filters in /etc/smtpd/smtpd.conf.

You'll also need to add the filter chain to all listen directives.

Replace mydomain.example with your actual domain name in the configuration.

Make sure to use the correct selector names, which should match your DNS records.

Use selector1 and selector2 as examples, but replace them with your actual _domainkey selectors.

Security

OpenSMTPD's security features are designed to protect your system from unauthorized access. It uses a combination of authentication and authorization mechanisms to ensure that only legitimate mail servers can connect to your system.

The software has a built-in feature called "listen" which allows you to specify which network interfaces and addresses OpenSMTPD should listen on, and which ones it should not. This provides an additional layer of security by limiting the exposure of your system to potential attacks.

By default, OpenSMTPD does not allow anonymous connections, which helps to prevent spam and other malicious activities.

Dkim

Credit: youtube.com, How DKIM SPF & DMARC Work to Prevent Email Spoofing

DKIM is a great way to add an extra layer of security to your email communications.

To use DKIM, you'll need to install opensmtpd-filter-dkimsign, which supports both RSA and Ed25519 keys.

It's worth noting that while RFC 8463 requires verifiers to support Ed25519, not all of them do, so it's a good idea to use both Ed25519 and RSA keys.

Create a directory for storing the keys, and then use OpenSSL to generate private keys.

Change the file permissions so that filter-dkimsign can access the keys, which runs with the smtpd user and group permissions.

Port Authentication

Port authentication is a crucial step in ensuring the security of your email communications. You can connect to the submission port using the openssl s_client command.

To connect via port 465 (implicit TLS), use the command: $ openssl s_client -host mx.domain.example -port 465. This command will establish a secure connection to the email server.

When using port 587 (STARTTLS), you'll need to specify the -starttls smtp option: $ openssl s_client -host mx.domain.example -port 587 -starttls smtp.

Once connected, you'll need to enter the EHLO command followed by your hostname, and then the AUTH PLAIN command. This will prompt the server to respond with a 334 response, which will include a base64 string that you'll need to paste in.

A unique perspective: Email Migration

Fetch Certificates

Credit: youtube.com, SSL Certificate Explained

To fetch a valid TLS certificate, you'll need to use Let's Encrypt's certbot. This will get us certificates and keys in /usr/local/etc/letsencrypt/live/mail.example.com/.

Certbot will use the HTTP-01 challenge, so make sure port 80 on the host system's IP forwards to your mail server jail. If you've followed the guide so far, you already have set this up in your host's /etc/pf.conf.

You'll need to apply proper permissions to the certificates and keys, otherwise OpenSMTPd will refuse to start. This means the files in /usr/local/etc/letsencrypt/live/mail.example.com/ require specific permissions.

A different take: Courier Mail Server

Debugging and Testing

If you're having problems with mail delivery, try stopping the smtpd.service and launching the daemon manually with the "do not daemonize" and "verbose output" options. Then watch the console for errors.

Console debugging is a great way to troubleshoot issues, and it's surprisingly simple. Just stop the smtpd.service and launch the daemon manually.

You'll see error messages on the console that will give you a clear idea of what's going on. This is especially helpful when you're trying to figure out why mail delivery is failing.

To test your mail server, send a test mail and look for the "Message accepted for delivery" message. You should also see a corresponding log entry in your mail server logs.

If this caught your attention, see: Message Transfer Agent

Console Debugging

Credit: youtube.com, How to Use a Debugger - Debugger Tutorial

Debugging and testing are crucial steps in the development process. They help identify and fix errors, ensuring your system or application runs smoothly.

To debug mail delivery issues, try stopping the smtpd.service and launching the daemon manually with specific options. This can be a game-changer in troubleshooting problems.

Stopping the smtpd.service can be done to isolate the issue. By stopping the service, you can prevent it from interfering with other processes.

Launching the daemon manually with the "do not daemonize" and "verbose output" options can provide valuable insights. This allows you to see exactly what's happening and where the error is occurring.

Watching the console for errors is essential when debugging. Pay attention to any messages or warnings that may indicate the source of the problem.

Send Test Mail

Sending a test mail is a great way to verify that your mail server is working correctly. You'll see a message like "250 2.0.0 cce6fb89 Message accepted for delivery" when it's successful.

Credit: youtube.com, How Mailtrap Email Testing Works - Getting Started Guide

To send a test mail, simply use your mail server's functionality and check your mail server logs for the result. You should see a message similar to "Message accepted for delivery".

It's also a good idea to test sending an email with invalid credentials to ensure that your mail server handles this scenario correctly. This will give you peace of mind knowing that your mail server is secure.

Once you've sent a test mail, you can check your mail server logs to see the result. This will help you troubleshoot any issues that may arise in the future.

Requirements and Setup

OpenSMTPD is a free and open-source mail transfer agent that's relatively easy to set up. To get started, you'll need to install it on your system.

You can install OpenSMTPD on most Unix-like systems, including FreeBSD, NetBSD, and Linux. The installation process is straightforward and can be completed using the package manager or by compiling the source code.

To configure OpenSMTPD, you'll need to edit the configuration file located at /etc/mail/smtpd.conf. This file contains all the necessary settings for the mail server, including the IP addresses that OpenSMTPD will listen on and the authentication mechanisms it will use.

Setup Historical Interface

Computer server in data center room
Credit: pexels.com, Computer server in data center room

To accommodate systems that require historical interfaces, the smtpctl utility can operate in compatibility mode if called with the historical name.

On mailwrapper-enabled systems, you'll need to edit /etc/mailer.conf and add specific lines to achieve this. The exact lines to add aren't specified, but it's implied that this is the preferred method.

Systems that don't provide mailwrapper require a different approach, where you need to set the appropriate symbolic links. Unfortunately, the OpenSMTPD project leaves this up to the package maintainers to handle.

You'll need to check with your package maintainers to see how they've set up the links for their packages. This can be a bit of a challenge, but it's a necessary step for some systems.

Requirements

To set up a mail server, you'll need a freshly installed FreeBSD 13.0-RELEASE. Although it's recommended, it will probably work with newer versions as well.

Make sure to host your mail server on a server or cloud provider, as hosting at home can lead to IP reputation issues. This can cause problems for your mail server.

You'll also need to ensure that the IP address you use is not blacklisted, which can block emails from being sent.

Prepare Host & Jail

Computer server in data center room
Credit: pexels.com, Computer server in data center room

To prepare the host system and jail, you need to split up your services into different jails for easier maintenance. This involves setting up jails using ezjail and creating an internal network for the jails.

Create a jail for the mail server, using the FQDN for your mail server as the jail hostname. You'll also need to adjust the /etc/pf.conf on the host system to forward mail traffic and HTTP for the Let's Encrypt HTTP challenge.

Make sure to replace the IP and outbound network device in the pf.conf file with your own settings - for example, I used vtnet0. Restart pf to ensure proper network connectivity from within the jail.

Don't forget to disable sendmail on both the host system and in the jail, as it binds to ports needed for mail setup. Add the necessary records to /etc/rc.conf to disable sendmail on the host system.

Patricia Dach

Junior Copy Editor

Patricia Dach is a meticulous and detail-oriented Copy Editor with a passion for refining written content. With a keen eye for grammar and syntax, she ensures that articles are polished and error-free. Her expertise spans a range of topics, from technology to lifestyle, and she is well-versed in various style guides.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.