/ OpenBSD

OpenSMTPD under OpenBSD with SSL/VirtualUsers/Dovecot

This article is the translation of my previous paper in French.

During the 2013 AsiaBSDCon, the team of OpenBSD presented its mail solution named OpenSMTPD.
Developped by the OpenBSD team, we find the so much appreciated philosophy of its developpers : security, simplicity / clarity and advanced features.


Security :

The daemon runs unprivileged and within a chroot : /var/empty including SSL management, automatic disconnection of hanging clients, incoming connexions limitations, etc.

Simplicity :

The configuration syntax used is Packet Filter like and « user-friendly ». You'll see for yourself soon.

Advanced features :

  • Management of many mail transport protocols :
  • mbox
  • maildir
  • mda
  • lmtp (we're gonna test it !)
  • statistics via smtpctl
  • management of virtual users
  • SQL management
  • scheduler
  • relay
  • etc.

Ok let's go !

Basic configuration :

OpenSMTPD is installed by default, we can immediately start with a simple configuration.

# vi /etc/mail/smtpd.conf 

listen on lo0 
listen on em0 

table aliases file:/etc/mail/aliases 

accept from any for domain "cagedmonster.net" alias <aliases> deliver to mbox 
accept for local alias <aliases> deliver to mbox 

accept from local for any relay

We listen on our interfaces, we specify the path of our aliases file so we can manage redirections.
Mails will be delivered for the domain cagedmonster.net to mbox (the local users mailbox), same for the aliases.
Finally, we accept to relay local mails exclusively.

We can now enable smtpd at system startup and start the daemon.

# rcctl enable smtpd && rcctl start smtpd

Advanced configuration including TLS :

You can use SSL with :

  1. A self-signed certificate (which will not be trusted).
  2. A certificate generated by a trusted authority. LetsEncrypt uses Certbot to generated your certificate. You can check this page for further informations.

Let's focus on the first.

Generation of the certificate :

# openssl genrsa -out /etc/ssl/private/server.key 

Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)

# openssl req -new -x509 -key /etc/ssl/private/server.key -out /etc/ssl/server.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []:FR
State or Province Name (full name) []:SomeWhere
Locality Name (eg, city) []:Deauville
Organization Name (eg, company) []:CagedMonster
Organizational Unit Name (eg, section) []:CGM
Common Name (eg, fully qualified host name) []:mail.cagedmonster.net
Email Address []:lina@cagedmonster.net

We fix the permissions :

# chmod 600 /etc/ssl/server.crt && chmod 600 /etc/ssl/private/server.key

We edit the config file :

# vi /etc/mail/smtpd.conf 

pki mail.cagedmonster.net certificate "/etc/ssl/server.crt"
pki mail.cagedmonster.net key "/etc/ssl/private/server.key"

listen on lo0 
listen on em0 port 25 tls pki mail.cagedmonster.net

table aliases file:/etc/mail/aliases 

accept from any for domain "cagedmonster.net" alias <aliases> deliver to mbox 
accept for local alias <aliases> deliver to mbox 

accept from local for any relay 

# rcctl restart smtpd

We have a mail server with SSL, it's time to configure our IMAP server, Dovecot, and manage the creation of virtual users.

Dovecot setup, and creation of Virtual Users :

We will use the package system of OpenBSD, so please check the configuration of your /etc/pkg.conf file.

Installation :

# pkg_add dovecot

Enable the service at system startup :

# rcctl enable dovecot

Setup the Virtual Users structure :

# useradd -g =uid -c "Virtual Users" -d /var/virtmail -s /sbin/nologin virtmail 
# mkdir /var/virtmail 
# chown virtmail:virtmail /var/virtmail

Adding the passwd table for smtpd :

# pkg_add opensmtpd-extras

Modification of the OpenSMTPD configuration :

# vi /etc/mail/smtpd.conf 

pki mail.cagedmonster.net certificate "/etc/ssl/server.crt" 
pki mail.cagedmonster.net key "/etc/ssl/private/server.key" 

table aliases file:/etc/mail/aliases 
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals

listen on lo0 listen on em0 port 25 tls pki mail.cagedmonster.net 
listen on em0 port 587 tls-require pki mail.cagedmonster.net auth <passwd>

accept from local for local alias <aliases> deliver to lmtp "/var/dovecot/lmtp" rcpt-to
accept from any for domain "cagedmonster.net" virtual <virtuals> deliver to lmtp "/var/dovecot/lmtp" rcpt-to
accept from local for any relay

Here, we declare the files used for our Virtual Accounts, we include SSL, and we configure mails delivery via the Dovecot lmtp socket.

Let's see what our files look like :

# vi /etc/mail/aliases

    virtmail: /dev/null 
    www: lina 
    webmaster: lina 
    root: lina 
    abuse: lina 
    lina: lina@cagedmonster.net

# vi /etc/mail/passwd

We'll create our user lina@cagedmonster.net and set its password.

# smtpctl encrypt my-personnal-password 

An example for a 10GB quota :


# vi /etc/mail/virtuals

lina@cagedmonster.net          virtmail

Dovecot Configuration:


# vi /etc/dovecot/conf.d/10-ssl.conf 
ssl_cert = </etc/ssl/server.crt 
ssl_key = </etc/ssl/private/server.key


# vi /etc/dovecot/dovecot.conf 

protocols = lmtp imap 

passdb { 
        args = scheme=blf-crypt /etc/mail/passwd 
        driver = passwd-file 
       userdb { 
               args = uid=virtmail 
               driver = static 


# vi /etc/dovecot/conf.d/10-mail.conf

mail_location = mbox:/var/virtmail/%d/%n


Make sure that the value of openfiles-cur in /etc/login.conf is equal or superior of 1000 !

# vi /etc/login.conf
daemon:\ :openfiles-cur=1000:\ 

# cap_mkdb /etc/login.conf

Sarting Dovecot :

# rcctl start dovecot

Need help ?



« I know everyone I've been everywhere I know everything Because I'm everybody » Ether - Nothingface

Read More