Part 1 : OpenSMTPD #3

Closed
wesley974 opened this Issue May 28, 2018 · 26 comments

5 participants
@wesley974
Contributor

wesley974 commented May 28, 2018

Let's start to configure OpenSMTPD!

Contributor

wesley974 commented May 28, 2018

Reading the OpenSMTPD FAQ, we need to create a system user named vmail to handle multiple domains.

Contributor

mhekeler commented May 28, 2018

Should we create some code?
Here on github? Fork and create pull request?

Contributor

wesley974 commented May 29, 2018

We can discuss together and share here the following:

  • prerequisites
  • requirements
  • all the steps to configure OpenSMTPD
  • make some tests
  • write a script

And then suggest a pull request.

Contributor

mhekeler commented May 29, 2018

Because we configure the virtual users in /etc/mail/passwd we need to create only one single system user: vmail.
All virtual deliveries occur under the same user: vmail.
This user doesn't log in, so we give him /sbin/nologin as login shell.

So we have to create it like in the FAQ:
# useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail

I would check for existence first and only run useradd if it does not exist:
# getent passwd vmail || useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail

Contributor

mhekeler commented May 29, 2018

I think that newly created files should not be accessible by others, so maybe we need to give the vmail user a umask of 007.
So it makes sense to create a login class for the vmail user in /etc/login.conf:

# loginclass for vmail
#
vmail:\
        :umask=007:\
        ...

But before creating a login class it's better to check if it already exists:
getcap -f /etc/login.conf vmail

and create the user with useradd's -L flag:
# getent passwd vmail || useradd -L vmail -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail

Contributor

mhekeler commented May 29, 2018

But before creating a login class it's better to check if it already exists:

But wait... maybe someone uses a hashed database, and then we need to rehash /etc/login.conf with # cap_mkdb /etc/login.conf after creation of the new login class.
So we need to check first if a hashed database exists: if [ -r /etc/login.conf.db ]; then ....
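
Putting the three checks discussed above together (does the user exist, does the login class exist, does login.conf.db need rehashing), as an added shell example that is not code from this thread or from the project. The login.conf path and the class name are parameters so the login.conf part can be tried against a scratch copy; `getcap`, `useradd -L` and `cap_mkdb` are the OpenBSD tools named above, and `:tc=default:` is the usual way an OpenBSD login class inherits the default class settings.

```shell
#!/bin/sh
# Added example (not from the thread or the project): idempotent provisioning
# of the vmail account and its login class.  Only useradd/getcap/cap_mkdb are
# OpenBSD-specific; the login.conf handling works on any POSIX sh.

# Does login.conf $1 already define class $2?  On OpenBSD ask getcap(1) as in
# the thread; elsewhere fall back to matching the stanza's first line.
loginclass_exists() {
    if [ "$(uname -s)" = OpenBSD ]; then
        getcap -f "$1" "$2" >/dev/null 2>&1
    else
        grep -q "^$2:" "$1"
    fi
}

# Append a class with umask 007 to $1 unless $2 is already defined there.
# Returns 0 when the file was changed, 1 when nothing had to be done.
ensure_loginclass() {
    if loginclass_exists "$1" "$2"; then
        return 1
    fi
    printf '\n# loginclass for %s\n%s:\\\n\t:umask=007:\\\n\t:tc=default:\n' "$2" "$2" >>"$1"
    return 0
}

# If login.conf has been compiled into a .db, the database must be rebuilt
# after editing; otherwise the new class is never seen by login/useradd.
rehash_loginconf() {
    if [ -r "$1.db" ]; then
        cap_mkdb "$1"
    fi
}

# Create the vmail system user only if it does not exist yet (OpenBSD useradd
# syntax as in the OpenSMTPD FAQ; -L binds the account to the login class).
# Returns 1 when the user was already present.
ensure_vmail_user() {
    getent passwd vmail >/dev/null 2>&1 && return 1
    useradd -L vmail -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
}

# How many times class $2 is defined in $1; a correct run never exceeds 1.
loginclass_count() {
    grep -c "^$2:" "$1"
}

# Only touch the real system when explicitly asked: ./vmail-setup.sh apply
if [ "${1:-}" = apply ]; then
    ensure_loginclass /etc/login.conf vmail && rehash_loginconf /etc/login.conf
    ensure_vmail_user || echo "vmail already exists, nothing to do"
fi
```

The umask of 007 in the class means every mailbox or Maildir created under /var/vmail is unreadable by accounts outside the vmail group, and /sbin/nologin keeps the account from being used interactively. Running the script twice is safe because each step checks before it changes anything, which is what a deploy script that may be re-run per module needs.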

Contributor

wesley974 commented May 29, 2018

Regarding the prerequisites, you'll need:

  • at least a registered domain name with these DNS records set: MX, SPF, DMARC, CAA and DKIM

Contributor

wesley974 commented May 30, 2018

The requirements:

  • A vmail user to handle the virtual domains and users
  • Install the package opensmtpd-extras to be able to authenticate virtual users with a passwd file
  • Configuration file for OpenSMTPD: /etc/mail/smtpd.conf
  • Let's Encrypt certificate for SSL/TLS
  • Manage the aliases table using the file: /etc/mail/aliases
  • Manage the domains table using the file: /etc/mail/domains
  • Manage the passwd table using the file: /etc/mail/passwd
  • Manage the virtuals table using the file: /etc/mail/virtuals
  • Manage the blacklist table using the file: /etc/mail/blacklist

Let's configure all of this, make some tests, and finally write a script named opensmtpd located in a folder scripts; the configuration file will go into a folder named conf.

Contributor

mhekeler commented May 30, 2018

at least a registered domain name with these DNS records set: MX, SPF, DMARC, CAA and DKIM

For a mail server an MX and an A record are needed:
MX -> FQDN
A -> maps the name to an IP

For proper SMTP one should additionally set up a PTR record.

SPF, DMARC, CAA and DKIM records are optional (nice to have).

aminb commented May 30, 2018

While MX and A records are the bare minimum for a mailserver, I'd say PTR, SPF, and DKIM are very much essential these days if you want to have reliable delivery to insert big corp name mail users.

Contributor

wesley974 commented May 30, 2018

Clearly you need all of these DNS records.

Contributor

mhekeler commented May 31, 2018

I wouldn't argue against setting all of them for a real world mail server.
I wanted to document that SPF, DMARC, DKIM and PTR are not required to act as a mail server.
But definitely we need them :-/
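
The split the thread arrives at, MX and A to act as a mail server at all versus PTR, SPF, DKIM, DMARC and CAA for reliable delivery, as an added checker script that is not from the thread or the project. The record list is constructed for the example so it runs offline; `collect_records` shows how the same list would be gathered for a real domain with dig(1), and the DKIM selector name is an assumption since it depends on the signing setup.

```shell
#!/bin/sh
# Added example (not from the thread or the project): classify a mail
# domain's DNS records into the required and the recommended set.

# Constructed sample of what collect_records would print for a domain with
# MX, A, SPF and DMARC in place but no PTR, DKIM or CAA record.
SAMPLE_RECORDS='MX 10 mail.example.org.
A 192.0.2.25
TXT "v=spf1 mx -all"
TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.org"'

REQUIRED="MX A"                      # without these it is not a mail server
RECOMMENDED="PTR SPF DKIM DMARC CAA" # without these big providers drop or junk mail

# Gather "TYPE value" lines for live domain $1 with dig(1); $2 is the DKIM
# selector (assumed).  Not exercised offline, shown for completeness.
collect_records() {
    dig +short MX "$1"  | sed 's/^/MX /'
    dig +short A "$1"   | sed 's/^/A /'
    dig +short TXT "$1" | sed 's/^/TXT /'
    dig +short TXT "_dmarc.$1" | sed 's/^/TXT /'
    dig +short TXT "$2._domainkey.$1" | sed 's/^/TXT /'
    dig +short CAA "$1" | sed 's/^/CAA /'
    for ip in $(dig +short A "$1"); do dig +short -x "$ip" | sed 's/^/PTR /'; done
}

# Normalise record lines ($1) to the kind names used above: TXT records are
# recognised as SPF, DMARC or DKIM by their version tag, other TXT is ignored.
record_kinds() {
    printf '%s\n' "$1" | while read -r type value; do
        case "$type $value" in
            'TXT "v=spf1'*)   echo SPF ;;
            'TXT "v=DMARC1'*) echo DMARC ;;
            'TXT "v=DKIM1'*)  echo DKIM ;;
            'TXT '*)          ;;
            *)                echo "$type" ;;
        esac
    done | sort -u
}

# Print, space separated, the kinds listed in $2 that record list $1 lacks.
missing_kinds() {
    found=$(record_kinds "$1")
    out=""
    for kind in $2; do
        printf '%s\n' "$found" | grep -qx "$kind" || out="$out $kind"
    done
    printf '%s\n' "${out# }"
}

missing_required()    { missing_kinds "$1" "$REQUIRED"; }
missing_recommended() { missing_kinds "$1" "$RECOMMENDED"; }

# Exit 0 only when the required set is complete; report the rest as warnings.
check_mail_dns() {
    req=$(missing_required "$1")
    rec=$(missing_recommended "$1")
    [ -n "$rec" ] && echo "warning: delivery to large providers is unreliable without: $rec" >&2
    if [ -n "$req" ]; then
        echo "error: cannot act as a mail server without: $req" >&2
        return 1
    fi
    return 0
}

# Usage: ./maildns-check.sh example.org [dkim-selector]; no argument checks the sample.
if [ -n "${1:-}" ]; then
    check_mail_dns "$(collect_records "$1" "${2:-default}")"
else
    check_mail_dns "$SAMPLE_RECORDS"
fi
```

Run against the constructed sample the script exits 0 with a warning naming PTR, DKIM and CAA, which is exactly the state the thread describes as "a working mail server that nobody big will accept mail from". A deploy script can call `check_mail_dns` before configuring OpenSMTPD and stop on the error case.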

Contributor

wesley974 commented May 31, 2018

You need to be familiar with these terms:

| Name    | Description                                                       | Port (tcp) |
|---------|-------------------------------------------------------------------|------------|
| SMTP    | Simple Mail Transfer Protocol                                     | 25         |
| SMTP    | Mail Submission port                                              | 587        |
| MTA     | Mail Transfer Agent (OpenSMTPD)                                   |            |
| MUA     | Mail User Agent (Outlook, Thunderbird ...)                        |            |
| MDA     | Mail Delivery Agent (Dovecot)                                     |            |
| Mbox    | mail storage format                                               |            |
| Maildir | mail storage format                                               |            |
| POP3    | mail access protocol (Post Office Protocol)                       | 110        |
| POP3S   | mail access protocol (Post Office Protocol over SSL/TLS)          | 995        |
| IMAP    | mail access protocol (Internet Mail Access Protocol)              | 143        |
| IMAPS   | mail access protocol (Internet Mail Access Protocol over SSL/TLS) | 993        |

Contributor

wesley974 commented May 31, 2018

The main script will be named deploy.
./bin/deploy without parameters will install all the box.
In case of maintenance, it will be possible to reinstall each module like:

./bin/deploy opensmtpd
./bin/deploy letsencrypt
./bin/deploy dovecot
...

with an option -d for debug:

./bin/deploy -d
./bin/deploy -d opensmtpd

Contributor

wesley974 commented Jun 1, 2018

I just pushed bin/deploy and lib/opensmtpd; work in progress.
Just run ./bin/deploy or ./bin/deploy -d

Contributor

wesley974 commented Jun 5, 2018

Installer is now ready.


#!/bin/ksh

# exit immediately if a command exits with a non-zero status
set -e

# set OpenBSD version supported without the dot
readonly VER=63

# handle errors
err()
{
  echo "${1}" >&2 && return "${2:-1}"
}

# install all libraries (opensmtpd, dovecot ...)
install_all()
{
  for i in ./lib/* ; do
    . "$i"
    "${i#*/*/}"_lib
  done
}

usage()
{
  err "Usage: ${0##*/} [-d] [library]"
}

# you need 'root' user for this script!
(($(id -u) != 0)) && err "${0##*/}: need root privileges"

# are you using the good release ?
(($(uname -r | tr -d .) != VER)) && err "${0##*/}: this release is not supported"

# the syntax
while getopts :d opt; do
  case ${opt} in
# Debug mode when -d is present
  d) set -x && readonly DEBUG=1;;
  *) usage;;
  esac
done

# we remove an option
shift $((OPTIND - 1))

# only one library allowed, or empty library
(($# > 1)) && usage

# if no library mentioned we install all, otherwise, we just install the library present in $1
if [[ -z $1 ]]; then
  install_all
else
  # does this library exist ?
  [[ ! -f ./lib/$1 ]] && err "${0##*/}: this library doesn't exist"
  # install the unique library
  . ./lib/$1
  $1_lib
fi

You can use it like this: ./bin/deploy [-d] [library]

Let's focus now on the OpenSMTPD part!

stevelord commented Jun 11, 2018

Is there a specific reason for linking python 2.7 to python instead of python 3 in lib/opensmtpd? Also, is this a requirement for OpenSMTPd, or would this be better served elsewhere? (Just thinking about avoiding the presence of magic)

Contributor

wesley974 commented Jun 11, 2018

I added the linking just for best practice.

stevelord commented Jun 12, 2018

If it's not used it might be better to leave it out. You don't know if someone's going to run python 2 or python 3 only scripts and get compatibility issues.

If a particular python is used we could specify python 3 in the shebang line.

Contributor

wesley974 commented Jun 13, 2018

We are going to start at the beginning.
A first simple configuration of smtpd.conf to handle local mail:

# Tables
table aliases file:/etc/mail/aliases

# Accept only internal mail
listen on lo0 hostname localhost

# Deliver to local mbox
accept for local alias <aliases> deliver to mbox

# Accept to send anywhere
accept from local for any relay

To test :

# Send to local and check you get it
mail -s test01 root
hello
.
mail
# You'll receive this message; root has a .forward* (if you have added a user at installation)
# Send to external address
mail -s test02 your_email_address
hello
.

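The same local delivery test as a non-interactive script, added here and not part of the post or the project: it checks the configuration with `smtpd -n`, sends through mail(1) exactly as above, then polls the recipient's mbox for the subject with a timeout instead of relying on a person opening mail(1), which is what a deploy script needs. The mbox location /var/mail/<user> and the 15 second timeout are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the project): automated version of
# the "send to root and check you get it" test.

# Return 0 as soon as a "Subject: <subject>" header line appears in mbox $1,
# 1 if it has not shown up after $3 seconds (default 10).  A missing or
# unreadable mbox simply counts as "not delivered yet".
wait_for_subject() {
    mbox=$1
    subject=$2
    remaining=${3:-10}
    while [ "$remaining" -gt 0 ]; do
        if [ -r "$mbox" ] && grep -qx "Subject: $subject" "$mbox"; then
            return 0
        fi
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}

# Check that smtpd.conf parses, send one message to local user $1 with a
# unique subject $2, and confirm it landed in the user's mbox.
local_delivery_test() {
    smtpd -n || return 1
    printf 'hello\n' | mail -s "$2" "$1"
    wait_for_subject "/var/mail/$1" "$2" 15
}

# Usage: ./localmail-test.sh run [user]; the subject carries the PID so
# repeated runs never match a previous message.
if [ "${1:-}" = run ]; then
    local_delivery_test "${2:-root}" "test01-$$"
fi
```

A unique subject per run matters because `grep` on an mbox sees every message ever delivered, so a stale test01 from yesterday would otherwise make a broken setup look healthy.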
Contributor

wesley974 commented Jun 13, 2018

Do you think we need that?

queue compression
         Enable transparent compression of envelopes and messages.  The
         only supported algorithm at the moment is gzip.  Envelopes and
         messages may be inspected using the smtpctl(8) or gzcat(1)
         utilities.

queue encryption [key key]
         Enable transparent encryption of envelopes and messages.  key
         must be a 16-byte random key in hexadecimal representation.  It
         can be obtained using the openssl(1) utility as follow:
             $ openssl rand -hex 16

deksar commented Jun 13, 2018

Compression&encryption always good to use, imho. Safety (y)

Contributor

mhekeler commented Jun 13, 2018

Although I basically agree with @deksar, I would say that in this situation we don't need to encrypt the queue.
Encrypting (and also compression) will add an extra layer of complexity (but of course also an extra layer of security).
I won't argue against encryption here, but I am not sure if encrypting the queue is a benefit ?!?

stevelord commented Jun 13, 2018

If it works, let's use queue compression and encryption, but if it interferes with debugging problems, perhaps look to add that when we know the complete setup is working?

Contributor

wesley974 commented Jun 13, 2018

I think final user will be able to add this (queue compression & encryption) manually.
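
For the user who does add the queue options by hand, the part to get right is the key. As an added example (not code from the thread or the project), a small script that takes the key from `openssl rand -hex 16` as the manual excerpt says, rejects anything that is not 16 bytes of hex, renders the two queue lines, and refuses to write them into a smtpd.conf that group or others can read, because the key sits in that file in clear text. The configuration file path is whatever the caller passes; nothing here is OpenSMTPD's own code.

```shell
#!/bin/sh
# Added example (not from the thread or the project): generate, validate and
# install the queue encryption key described in smtpd.conf(5).

# A valid key is exactly 32 hex digits (16 bytes).  Checking here means a
# typo is caught now rather than when smtpd refuses to start.
is_valid_queue_key() {
    printf '%s\n' "$1" | grep -Eqx '[0-9a-fA-F]{32}'
}

# Print the two smtpd.conf lines for compression plus encryption with key $1.
render_queue_options() {
    is_valid_queue_key "$1" || return 1
    printf 'queue compression\nqueue encryption key %s\n' "$1"
}

# Fresh key from openssl(1), exactly as the manual suggests.
new_queue_key() {
    openssl rand -hex 16
}

# Return 0 if file $1 is readable by its group or by others.
# find(1) with -perm -mode is POSIX, unlike the OS-specific stat(1) flags.
readable_by_others() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Append the queue options with key $2 to config file $1, but only if the
# file is private: the key is stored in clear text, so a world-readable
# smtpd.conf would hand it to every local account.
install_queue_options() {
    if readable_by_others "$1"; then
        echo "$1 is readable by group or others; fix its permissions first" >&2
        return 1
    fi
    render_queue_options "$2" >>"$1"
}

# Usage: ./queue-key.sh generate /etc/mail/smtpd.conf
if [ "${1:-}" = generate ]; then
    key=$(new_queue_key) && install_queue_options "${2:-/etc/mail/smtpd.conf}" "$key"
fi
```

Worth keeping in mind for the "is it a benefit" question raised above: because the key lives in smtpd.conf on the same host, queue encryption protects spooled mail against offline reads of the disk or a backup copy, not against someone who already has root on the running server.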

Contributor

wesley974 commented Jun 13, 2018

Some useful commands:

# Check your smtpd.conf
smtpd -n

# Get the stats
doas smtpctl show stats

# View the queue
doas smtpctl show queue # or mailq

# Get details on a specific message in the queue
doas smtpctl show message 025a5c7b6cc771cc

# Force the queue distribution
doas smtpctl schedule all

# Remove all messages in the queue
doas smtpctl remove all

@wesley974 wesley974 closed this Jul 5, 2018
