OpenSMTPD makes mail server configuration easy


Mail Delivery

A line in smtpd.conf allows email to leave the separate MTA for :

accept from local for any relay

From now on, OpenSMTPD relays email via the mail server responsible for the respective receiving domain. However, if you do not have a fixed IP address, you will probably not like this mechanism: Most email recipients use blacklists to block senders with dynamic IPs. The best case scenario is that the email ends up in the recipient's spam folder.

A mail server hosted by your provider can offer a solution – an SMTP smart host, as Sendmail calls it, which can also be accomplished easily using OpenSMTPD:

accept from local for any relay via secure+auth:// auth <authtable>

Placeholders can of course also be used here. Another table follows the same pattern for using SMTP Auth to authenticate against the server:

provider Username:Password

The provider is the placeholder in the accept rule. The Username and Password follow in plain text [3], which is unfortunate from a security perspective: Administrators should choose passwords that they do not use anywhere else for authenticating against the relay server. You will also want to design the configuration file rights so that as few people as necessary can read them.

On the LAN

If your mail server has to serve a large number of clients, you will typically want to release all local IPs for external sending. This can be accomplished either using tables, as before [3], or directly:

accept from source for any relay

Relaying can also be varied on the basis of the sender address if multiple email addresses need to be managed via the local server. Placeholders can of course be used here. In Listing 4, would thus send all email messages whose sender addresses contain via the server. However, you will want to restrict the source IP field to avoid creating a partially open relay.

Listing 4

Relaying with Multiple Addresses

accept from source sender '' for any relay via tls+auth://
accept from source sender '' for any relay via tls+auth://

A Modicum of Protection

OpenSMTPD aims to provide more security than its competitors. One action designed to achieve this is encrypting the email queue on the disk:

queue encryption key [Key]

OpenSSL generates the required 16-byte key with:

openssl rand -hex 16

Of course, a plain text key in a configuration file that can be read by root is not the ideal solution security-wise. Any attacker who has escalated their privileges to root can read it. However, the key makes random sniffing by curious users more difficult and provides protection if the file permissions are not set up correctly. The queue can also be compressed using

queue compression

which also adds to the level of security provided by encryption security – as long as the key is protected. Entering

max-message-size 20M

then helps with email that is too large.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus