OpenSMTPD

1- doas pkg_add opensmtpd-extras opensmtpd-filter-dkimsign dovecot
2- doas nano /etc/mail/smtpd.conf
Put in the following configuration:

# PKI for TLS
pki domain-name cert "/etc/ssl/domain-name.fullchain.pem"
pki domain-name key "/etc/ssl/private/domain-name.key"


# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
table hosts file:/etc/mail/hosts
table users file:/etc/mail/users

# Dealing with spam
# Mark mail as junk when the connecting host has no reverse DNS (rdns)
# or no forward-confirmed reverse DNS (fcrdns)
filter check_rdns phase connect match !rdns junk
filter check_fcrdns phase connect match !fcrdns junk
# Sign outgoing mail with DKIM
filter "dkimsign" proc-exec "filter-dkimsign -d almajd.host.ircnow.org -s mail -k /etc/mail/dkim/private.key" user _smtpd group _smtpd


# macros
ipv4 = "38.87.162.30"
ipv6 = "2602:fccf:1:1030::"
check = "pki domain-name mask-src filter { check_rdns check_fcrdns } hostname domain-name"
authcheck = "pki domain-name auth <passwd> mask-src senders <users> filter { check_rdns check_fcrdns dkimsign } hostname domain-name"


# listeners
listen on socket filter "dkimsign"
listen on lo0 filter "dkimsign"
listen on $ipv4 port 25 tls $check
listen on $ipv6 port 25 tls $check
listen on $ipv4 port 465 tls-require $authcheck
listen on $ipv6 port 465 tls-require $authcheck
listen on $ipv4 port 587 tls-require $authcheck
listen on $ipv6 port 587 tls-require $authcheck


# rules
action "lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "relay" relay

match from any for domain <domains> action "lmtp"
match from src <hosts> for any action "relay"
match auth from any for any action "relay"

3- doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
4- doas nano /etc/mail/aliases
Add these lines:
vmail: /dev/null
root: admin@domain-name
almajd: almajd@domain-name
support: support@domain-name

5- You'll also need to create one line for each user in /etc/mail/users:
doas nano /etc/mail/users
admin@domain-name: admin@domain-name
almajd@domain-name: almajd@domain-name
support@domain-name: support@domain-name

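6- A whitelist of known good senders goes into /etc/mail/hosts. Hosts listed here match the rule 'match from src <hosts> for any action "relay"' above, so they can relay to any destination without authenticating: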
doas nano /etc/mail/hosts
127.0.0.1
::1
38.87.162.30
2602:fccf:1:1030::

7- In /etc/mail/mailname, put in the name you want to use for your mail server:
doas nano /etc/mail/mailname
almajd.host.ircnow.org

8- doas nano /etc/mail/domains
domain-name
mail.domain-name

9- doas nano /etc/mail/passwd

admin@domain-name:<encrypted password>::::::userdb_quota_rule=*:storage=1G
almajd@domain-name:<encrypted password>::::::userdb_quota_rule=*:storage=1G
support@domain-name:<encrypted password>::::::userdb_quota_rule=*:storage=1G

The second field is the password hash. To generate a hash, you can run encrypt:
$ encrypt
Type your password, then press enter. Type ctrl+d to quit.

10- File Permissions:
doas chown -R _smtpd:_dovecot /etc/mail/
doas chmod o-rx /etc/mail/

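11- doas nano /etc/mail/virtuals
admin@domain-name vmail
almajd@domain-name vmail
support@domain-name vmail

The following command is not a configuration step. It uploads the contents of the file to the paste service at paste.ircnow.org, for example to share it when asking for help:
doas cat /etc/mail/virtuals | nc paste.ircnow.org 7777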

12- doas nano /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/domain-name.fullchain.pem
ssl_key = </etc/ssl/private/domain-name.key

13- doas chmod go-rx /etc/ssl/private/domain-name.key
14- doas acme-client -Fv domain-name
15- doas ln -s /etc/ssl/domain-name.fullchain.pem /etc/ssl/domain-name:443.crt
doas ln -s /etc/ssl/private/domain-name.key /etc/ssl/private/domain-name:443.key
16- doas rcctl restart smtpd

<jrmu> run it in debug mode
<jrmu> $ doas smtpd -d
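
Steps 5, 9 and 11 list the same accounts in three separate tables (/etc/mail/users, /etc/mail/passwd and /etc/mail/virtuals), so a mismatch between them is easy to miss. The script below is an added example, not part of the original notes: it compares the first field of each table case-insensitively and reports accounts that are missing from one of them. The function names and the script name are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Cross-checks the per-account
# tables written in steps 5, 9 and 11. Usage (script name is hypothetical):
#   doas sh check_tables.sh /etc/mail/passwd /etc/mail/users /etc/mail/virtuals
LC_ALL=C; export LC_ALL

# Print the lower-cased key (text before the first ':' or blank) of each
# entry in table file $1, skipping comments and empty lines.
table_keys() {
    awk '{ sub(/^[ \t]+/, "") }
         /^#/ || /^$/ { next }
         { sub(/[: \t].*$/, ""); print tolower($0) }' "$1" | sort -u
}

# Print the keys that are in table $1 but not in table $2.
missing_from() {
    _d=$(mktemp -d) || return 2
    table_keys "$1" > "$_d/ref"
    table_keys "$2" > "$_d/chk"
    comm -23 "$_d/ref" "$_d/chk"
    rm -rf "$_d"
}

# $1 = passwd table, $2 = users (senders) table, $3 = virtuals table.
# Returns 1 if any account is missing from one of the tables.
check_tables() {
    _rc=0
    for _a in $(missing_from "$1" "$2"); do
        echo "$_a: has a password but no senders entry in $2"; _rc=1
    done
    for _a in $(missing_from "$1" "$3"); do
        echo "$_a: has a password but no delivery mapping in $3"; _rc=1
    done
    # Alias lines that point at another address are listed here too.
    for _a in $(missing_from "$3" "$1"); do
        echo "$_a: mapped for delivery but has no entry in $1"; _rc=1
    done
    return $_rc
}

# Run only when called with the three table paths.
if [ "$#" -eq 3 ]; then
    check_tables "$@"
fi
```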