(:redirect opensmtpd.configure:)

Note: This old page is kept for historical purposes. Please consult the [new guide](/opensmtpd/configure) for an up-to-date version.

Here is how I set up my independent mail server. It is based on the old (now deleted) [OpenSMTPd FAQ](https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/opensmtpd/faq/Attic/example1.html?rev=1.14).

## Install

Make sure to install opensmtpd-extras:

```
$ doas pkg_add opensmtpd-extras
```

## Configuration

In my /etc/mail/smtpd.conf (the `<table>` references are the tables defined in the `table` lines):

```
# PKI for TLS
pki mail.ircnow.org cert "/etc/ssl/ircnow.org.fullchain.pem"
pki mail.ircnow.org key "/etc/ssl/private/ircnow.org.key"

# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
table hosts file:/etc/mail/hosts
table spammers file:/etc/mail/spammers

# Blocks junk mail
filter check_rdns phase connect match !rdns junk
filter check_fcrdns phase connect match !fcrdns junk
filter check_spammers phase connect match src <spammers> junk

# listener addresses
ipv4 = "192.168.1.1"
ipv6 = "2001:db8::"

# listeners
listen on lo0 mask-src
listen on lo0 port 10028 tag DKIM mask-src
listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org

action "lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

# If mail is for any of our domains, pass it to dovecot
match from any for domain <domains> action "lmtp"
# If mail is tagged with DKIM, relay it out
match tag DKIM for any action "relay"
# If mail comes from known good hosts or has been authenticated, relay it to dkimproxy_out
match from src <hosts> for any action "relay_dkim"
match auth from any for any action "relay_dkim"
```

A single user vmail will receive mail for all virtual users:

```
$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
```

The /etc/passwd file will contain a line similar to this:

```
vmail:*:1000:1000:Virtual Mail:/var/vmail:/sbin/nologin
```

/var/vmail is used to store virtual users' maildir folders. It will be managed by dovecot, which receives mail via LMTP.

## Adding users

At the bottom of /etc/mail/aliases, add these lines:

```
vmail: /dev/null
root: admin@ircnow.org
jrmu: jrmu@ircnow.org
username: username@ircnow.org
```

Add one line for each user.

Create a new file /etc/mail/virtuals and add these lines:

```
admin@ircnow.org vmail
jrmu@ircnow.org vmail
username@ircnow.org vmail
```

A whitelist of known good senders goes into /etc/mail/hosts:

```
localhost
192.168.1.1
2001:db8::
```

For /etc/mail/spammers, create a blank file.

The mail sender's hostname goes in /etc/mail/mailname:

```
mail.ircnow.org
```

The list of domains you send mail for goes in /etc/mail/domains:

```
ircnow.org
mail.ircnow.org
```

In /etc/mail/passwd, we have a list of colon-separated user credentials:

```
admin@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G
jrmu@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G
username@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G
```

**WARNING**: Some special characters like $, when used in passwords, will cause issues with opensmtpd. To be safe, you may want to use alphanumeric characters only for your password.

Make sure to set the proper permissions:

```
$ doas chown -R _smtpd:_dovecot /etc/mail/
$ doas chmod o-rx /etc/mail/
```

## Spammers

In /etc/mail/spammers, we have IP addresses separated by newlines. Note that a filter only runs on listeners that name it in their `filter { ... }` list, so `check_spammers` has to be added there next to `check_rdns` and `check_fcrdns` for the table to be enforced.
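The per-user bookkeeping above touches three tables in lockstep (aliases, virtuals, passwd) and the page warns about `$` in passwords. Here is an added shell example, not code from the original page, that appends one virtual user to those tables in the exact formats shown, refuses to proceed past the warned-about characters, and can be re-run without duplicating lines. `MAIL_DIR`, the function names and the demo values are assumptions of this example; the hash argument is whatever `smtpctl encrypt` printed (the example does not compute it).

```shell
#!/bin/sh
# Added example, not part of the original page: append one virtual mailbox user
# to the /etc/mail/aliases, /etc/mail/virtuals and /etc/mail/passwd tables in
# the formats shown above. MAIL_DIR, the function names and the constructed demo
# values are assumptions of this example; HASH is the output of `smtpctl encrypt`.

MAIL_DIR="${MAIL_DIR:-/etc/mail}"

# password_is_safe PASSWORD
# Returns 0 for a non-empty, purely alphanumeric password, 1 otherwise
# ($ and similar metacharacters are the ones the page says cause trouble).
password_is_safe() {
    case "$1" in
        '')              return 1 ;;
        *[!A-Za-z0-9]*)  return 1 ;;
        *)               return 0 ;;
    esac
}

# add_vmail_user USER DOMAIN HASH
# Appends USER@DOMAIN to the three tables, skipping any table that already
# carries it so the function is safe to re-run. Creates missing table files.
add_vmail_user() {
    user="$1" domain="$2" hash="$3"
    addr="${user}@${domain}"
    for t in aliases virtuals passwd; do
        [ -e "$MAIL_DIR/$t" ] || : > "$MAIL_DIR/$t"
    done
    # aliases: local name -> virtual address
    grep -q "^${user}: " "$MAIL_DIR/aliases" || \
        printf '%s: %s\n' "$user" "$addr" >> "$MAIL_DIR/aliases"
    # virtuals: virtual address -> the single vmail system user
    grep -q "^${addr} " "$MAIL_DIR/virtuals" || \
        printf '%s vmail\n' "$addr" >> "$MAIL_DIR/virtuals"
    # passwd: address:hash, six empty fields, then the 1G quota used on the page
    grep -q "^${addr}:" "$MAIL_DIR/passwd" || \
        printf '%s:%s::::::userdb_quota_rule=*:storage=1G\n' "$addr" "$hash" \
            >> "$MAIL_DIR/passwd"
}

# count_user_entries USER DOMAIN
# Prints how many of the three tables carry the address (3 when complete).
count_user_entries() {
    addr="${1}@${2}"
    n=0
    grep -q "^${1}: " "$MAIL_DIR/aliases" 2>/dev/null && n=$((n + 1))
    grep -q "^${addr} " "$MAIL_DIR/virtuals" 2>/dev/null && n=$((n + 1))
    grep -q "^${addr}:" "$MAIL_DIR/passwd" 2>/dev/null && n=$((n + 1))
    echo "$n"
}

# Demo against a constructed temporary directory, so it never touches /etc/mail.
if [ -z "${NO_DEMO:-}" ]; then
    MAIL_DIR=$(mktemp -d)
    add_vmail_user alice example.org 'CONSTRUCTED-HASH-FROM-smtpctl-encrypt'
    echo "alice is present in $(count_user_entries alice example.org) of 3 tables"
    password_is_safe 'pa$$word' || echo 'rejected: password contains $'
    rm -rf "$MAIL_DIR"
fi
```

Run it as root with `MAIL_DIR=/etc/mail NO_DEMO=1` and then re-apply the `chown`/`chmod` step above, since files created by the script inherit the caller's umask rather than the `_smtpd:_dovecot` ownership the page expects.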
## IMAP and POP3 via dovecot; mail signing via dkimproxy

Take a look at the sample [dovecot](/openbsd/dovecot) setup for IMAP and POP3, and the sample [dkimproxy](/dkimproxy) setup for mail signing.

There are some additional steps for how to add a new user here:

Based on: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/opensmtpd/faq/Attic/example1.html?rev=1.14

To get hashes:

```
$ smtpctl encrypt
```

## Troubleshooting

Sometimes OpenSMTPD may end up in an inconsistent state. This can happen due to a misconfiguration. One symptom is this error:

```
smtpd[]: pony express: smtpd: socket: Too many open files
```

To fix this, you can delete all the temporary files inside OpenSMTPD. **WARNING**: this will delete any messages in the queue:

```
$ doas rcctl stop smtpd
$ doas rm -r /var/spool/smtpd/queue/*
$ doas rm -r /var/spool/smtpd/offline/*
```

At times, opensmtpd may be unable to connect because outgoing packets are being filtered. For example, suppose you are trying to send a letter to yahoo, but you get errors similar to the following, showing a connection timeout:

```
smtpd[]: smtp-out: Enabling route [] <-> 67.195.204.77 (mtaproxy1.free.mail.vip.bf1.yahoo.com)
smtpd[]: smtp-out: Enabling route [] <-> 67.195.228.106 (mtaproxy2.free.mail.vip.gq1.yahoo.com)
smtpd[]: mta error reason=Connection timeout
smtpd[]: smtp-out: Disabling route [] <-> 104.47.55.33 (104.47.55.33) for 15s
```

An easy way to test if your packets are being filtered is:

```
$ dig -t mx yahoo.com
;; ANSWER SECTION:
yahoo.com.              395     IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              395     IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              395     IN      MX      1 mta7.am0.yahoodns.net.
$ nc mta5.am0.yahoodns.net 25
```

If you get no response, then outgoing packets to port 25 are being blocked (often due to firewalls by your VPS provider to block spam). If mail is working, you should see a 220 reply:

```
$ nc mta5.am0.yahoodns.net 25
220 mtaproxy511.free.mail.ne1.yahoo.com ESMTP ready
```

It is also possible that TLS is being dropped by the firewall.
You can test using openssl:

```
$ openssl s_client -starttls smtp -connect mta5.am0.yahoodns.net:25
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.am0.yahoodns.net
...
250 STARTTLS
```

You should see the entire SSL cert plus a 250 STARTTLS reply. If the response hangs at any point (e.g., it returns CONNECTED(00000003) and nothing else), then TLS on port 25 is being filtered.

If you see this warning message in /var/log/maillog:

```
Dec  6 03:44:17 smtpd[]: info: OpenSMTPD 6.7.0 starting
Dec  6 03:44:17 smtpd[]: pony express: smtpd: socket: Too many open files
Dec  6 03:44:17 smtpd[]: warn: lost child: pony express exited abnormally
```

This is due to having too many IP addresses that opensmtpd tries to bind to. This happens when you have a rule that says `listen on egress`:

```
listen on egress port 25 tls pki fruit.ircnow.org mask-src filter { check_rdns check_fcrdns }
listen on egress port 587 tls-require pki fruit.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns }
```

These two lines mean that opensmtpd will listen on **all** available IP addresses, including the hundreds of IPv6 addresses you may have in /etc/hostname.vio0 and `ifconfig vio0`. To fix this, you must specify the IP addresses you want to listen on:

```
# listener addresses
ipv4 = "192.168.1.1"
ipv6 = "2001:db8::"
...
# listeners
listen on lo0 mask-src
listen on lo0 port 10028 tag DKIM mask-src
listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
```

### Open Mail Relay

If all your email is being marked as spam, check `/var/log/maillog`. If you see a message like the following:

```
Jan  8 11:00:29 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fa from= to= rcpt=<-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h2s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"
```

Then your server is being exploited as an [open mail relay](/openbsd/mailopenproxy). Please follow the guide to fix it.
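The troubleshooting section above describes three distinct maillog signatures (the "Too many open files" crash, the outbound "Connection timeout", and the 451 4.7.650 reputation rate-limit that points at an open relay) plus the `listen on egress` misconfiguration behind the first one. The following added shell example, not code from the original page, turns those into a quick triage script: it greps a log file for each signature and checks smtpd.conf for `egress` listeners. The function names, the keyword labels and the constructed sample log and config in the demo are assumptions of this example; on a real host the inputs are /var/log/maillog and /etc/mail/smtpd.conf.

```shell
#!/bin/sh
# Added example, not part of the original page: classify the maillog symptoms
# described in the troubleshooting section and flag `listen on egress` in
# smtpd.conf. Function names, labels and the constructed demo inputs are
# assumptions of this example.

# diagnose_maillog LOGFILE
# Prints one keyword per symptom found, in fixed order:
#   fd-exhaustion     "Too many open files": clear the queue as described above,
#                     or the daemon is binding to too many addresses (egress)
#   outbound-timeout  "mta error reason=Connection timeout": outbound port 25 is
#                     probably filtered upstream; probe with nc / openssl s_client
#   reputation-limit  "451 4.7.650 ... rate limited due to IP reputation": check
#                     whether the host is being used as an open relay
diagnose_maillog() {
    grep -q 'Too many open files' "$1" && echo fd-exhaustion
    grep -q 'mta error reason=Connection timeout' "$1" && echo outbound-timeout
    grep -q '451 4\.7\.650' "$1" && echo reputation-limit
    return 0
}

# check_listeners CONF
# Returns 1 (printing the offending lines with line numbers) when any listener
# binds to `egress` instead of explicit addresses; returns 0 otherwise.
check_listeners() {
    if grep -n '^[[:space:]]*listen on egress' "$1"; then
        return 1
    fi
    return 0
}

# Demo on constructed input (sample lines for the demo, not real logs).
if [ -z "${NO_DEMO:-}" ]; then
    tmp=$(mktemp -d)
    cat > "$tmp/maillog" <<'EOF'
Dec  6 03:44:17 smtpd[]: info: OpenSMTPD 6.7.0 starting
Dec  6 03:44:17 smtpd[]: pony express: smtpd: socket: Too many open files
Dec  6 03:44:17 smtpd[]: warn: lost child: pony express exited abnormally
EOF
    cat > "$tmp/smtpd.conf" <<'EOF'
listen on lo0 mask-src
listen on egress port 25 tls pki mail.example.org mask-src
EOF
    echo "symptoms: $(diagnose_maillog "$tmp/maillog" | tr '\n' ' ')"
    check_listeners "$tmp/smtpd.conf" || \
        echo "smtpd.conf binds to egress; list explicit addresses instead"
    rm -rf "$tmp"
fi
```

On a live host, run `NO_DEMO=1 sh triage.sh` after sourcing the functions, or call `diagnose_maillog /var/log/maillog` and `check_listeners /etc/mail/smtpd.conf` directly; the keywords map one-to-one onto the remedies in the section above, so the script only tells you which paragraph to follow.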