Date:
Wed Feb 1 05:00:29 2023 UTC
Message:
Daily backup
01
2023-01-22
jrmu
version=pmwiki-2.2.130 ordered=1 urlencoded=1
agent=w3m/0.5.3+git20190105
author=jrmu
charset=UTF-8
csum=
ctime=1597284304
host=125.224.16.135
name=Openbsd.Opensmtpd
rev=27
targets=Opensmtpd.Configure,Openbsd.Dovecot,Openbsd.Dkimproxy,Openbsd.Mailopenproxy
text=(:redirect opensmtpd.configure:)
Note: This old page is kept for historical purposes. Please consult the [[opensmtpd/configure|new guide]] for an up-to-date version.

Here is how I set up my independent mail server. It is based on the old (now deleted) [[https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/opensmtpd/faq/Attic/example1.html?rev=1.14|OpenSMTPD FAQ]].

!! Install

Make sure to install opensmtpd-extras; it provides the passwd table backend that the authenticated listeners below use:

[@
$ doas pkg_add opensmtpd-extras
@]

!! Configuration

In my /etc/mail/smtpd.conf (192.168.1.1 and 2001:db8:: are placeholders; put in the addresses your mail server really has):

[@
# PKI for TLS
pki mail.ircnow.org cert "/etc/ssl/ircnow.org.fullchain.pem"
pki mail.ircnow.org key "/etc/ssl/private/ircnow.org.key"

# tables setup
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
table hosts file:/etc/mail/hosts
table spammers file:/etc/mail/spammers

# Blocks junk mail
filter check_rdns phase connect match !rdns junk
filter check_fcrdns phase connect match !fcrdns junk
filter check_spammers phase connect match src <spammers> junk

# addresses to listen on
ipv4 = "192.168.1.1"
ipv6 = "2001:db8::"

# listeners
listen on lo0 mask-src
listen on lo0 port 10028 tag DKIM mask-src
listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org

action "lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

# If mail is for any of our domains, pass it to dovecot
match from any for domain <domains> action "lmtp"

# If mail is tagged with DKIM, relay it out
match tag DKIM for any action "relay"

# If mail comes from known good hosts or has been authenticated, relay it to dkimproxy_out
match from src <hosts> for any action "relay_dkim"
match auth from any for any action "relay_dkim"
@]

Two of the declarations above are not wired in anywhere: no listener names the check_spammers filter, and no action references the aliases table (address-to-user mapping is done by the virtuals table through @@rcpt-to virtual <virtuals>@@). For the spammers blocklist to take effect, add check_spammers to the filter list of the port 25 listeners, i.e. @@filter { check_rdns check_fcrdns check_spammers }@@.

Port 25 accepts mail from anyone, with opportunistic TLS and no authentication; port 587 is the submission port and requires both TLS (@@tls-require@@) and a valid login from the passwd table before the last match rule will relay. The lo0 listener on port 10028 is tagged DKIM so that mail coming back from dkimproxy is relayed out directly. That listener has no authentication, so keep it bound to the loopback interface only.

A single user vmail will receive mail for all virtual users:

[@
$ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail
@]

The /etc/passwd file will contain a line similar to this:

[@
vmail:*:1000:1000:Virtual Mail:/var/vmail:/sbin/nologin
@]

/var/vmail stores the virtual users' maildir folders. It is managed by dovecot, which receives mail from smtpd via LMTP.

!! Adding users

At the bottom of /etc/mail/aliases, add these lines:

[@
vmail: /dev/null
root: admin@ircnow.org
jrmu: jrmu@ircnow.org
username: username@ircnow.org
@]

Add one line for each user.

Create a new file /etc/mail/virtuals and add these lines, one per mailbox; every address maps to the single vmail system user:

[@
admin@ircnow.org vmail
jrmu@ircnow.org vmail
username@ircnow.org vmail
@]

A whitelist of known good senders goes into /etc/mail/hosts. Any connection from one of these addresses may relay mail to any destination without authenticating, so list only hosts you control:

[@
localhost
192.168.1.1
2001:db8::
@]

For /etc/mail/spammers, create a blank file.

The mail server's own hostname goes in /etc/mail/mailname:

[@
mail.ircnow.org
@]

The list of domains you accept mail for goes in /etc/mail/domains:

[@
ircnow.org
mail.ircnow.org
@]

In /etc/mail/passwd, we have a list of colon-separated user credentials. The second field is the bcrypt hash produced by @@smtpctl encrypt@@ (see below), one per user; the trailing fields are Dovecot passwd-file extra fields (here a quota rule), so the same file can serve as the Dovecot password database:

[@
admin@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G
jrmu@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G
username@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G
@]

'''WARNING''': Some special characters like $ have caused trouble in passwords here. A common cause is the shell expanding @@$name@@ when the password is given on the command line, so rather than weakening the password by restricting it to alphanumeric characters, run @@smtpctl encrypt@@ with no argument and type the password at its prompt, or single-quote it. The hash that ends up in the file starts with $2b$ and is stored without problems.

Make sure to set the proper permissions, so that other users on the system cannot read the credential file:

[@
$ doas chown -R _smtpd:_dovecot /etc/mail/
$ doas chmod o-rx /etc/mail/
@]

This makes the unprivileged _smtpd account the owner of everything under /etc/mail/, including smtpd.conf itself. A tighter arrangement is to keep root as the owner and grant read access through a group that contains both _smtpd and _dovecot; then a compromised daemon cannot rewrite its own configuration or the credential table.

!! Spammers

/etc/mail/spammers holds blocked IP addresses, one per line. The check_spammers filter only consults it once the filter is attached to a listener (see Configuration above).

!! IMAP and POP3 via dovecot; mail signing via dkimproxy

Take a look at the sample [[openbsd.dovecot|dovecot]] setup for IMAP and POP3, and the sample [[dkimproxy|dkimproxy]] setup for mail signing.

To add a new user, generate the password hash for /etc/mail/passwd with smtpctl (it reads the password from standard input when given no argument):

[@
$ smtpctl encrypt
@]

Then add the user's lines to /etc/mail/passwd, /etc/mail/virtuals and /etc/mail/aliases as shown under Adding users. This procedure follows the old OpenSMTPD FAQ: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/opensmtpd/faq/Attic/example1.html?rev=1.14

!! Troubleshooting

Sometimes OpenSMTPD ends up in an inconsistent state, usually after a misconfiguration. One symptom is this error:

[@
smtpd[]: pony express: smtpd: socket: Too many open files
@]

Before touching the queue, check whether the cause is a @@listen on egress@@ rule (see further down, which explains the usual reason for this message). If the queue itself is the problem, you can delete OpenSMTPD's spool. '''WARNING''': this discards every message still waiting in the queue:

[@
$ doas rcctl stop smtpd
$ doas rm -r /var/spool/smtpd/queue/*
$ doas rm -r /var/spool/smtpd/offline/*
@]

At times, opensmtpd may be unable to connect because outgoing packets are being filtered. For example, suppose you are trying to send a message to yahoo but get errors like the following, showing a connection timeout:

[@
smtpd[]: smtp-out: Enabling route [] <-> 67.195.204.77 (mtaproxy1.free.mail.vip.bf1.yahoo.com)
smtpd[]: smtp-out: Enabling route [] <-> 67.195.228.106 (mtaproxy2.free.mail.vip.gq1.yahoo.com)
smtpd[]: mta error reason=Connection timeout
smtpd[]: smtp-out: Disabling route [] <-> 104.47.55.33 (104.47.55.33) for 15s
@]

An easy way to test whether your packets are being filtered:

[@
$ dig -t mx yahoo.com
;; ANSWER SECTION:
yahoo.com. 395 IN MX 1 mta6.am0.yahoodns.net.
yahoo.com. 395 IN MX 1 mta5.am0.yahoodns.net.
yahoo.com. 395 IN MX 1 mta7.am0.yahoodns.net.
$ nc mta5.am0.yahoodns.net 25
@]

If you get no response, outgoing packets to port 25 are being blocked (often by your VPS provider's firewall, as an anti-spam measure). If mail is working, you should see a 220 reply:

[@
$ nc mta5.am0.yahoodns.net 25
220 mtaproxy511.free.mail.ne1.yahoo.com ESMTP ready
@]

It is also possible that the firewall drops TLS. You can test using openssl:

[@
$ openssl s_client -starttls smtp -connect mta5.am0.yahoodns.net:25
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.am0.yahoodns.net
...
250 STARTTLS
@]

You should see the entire certificate chain plus the 250 STARTTLS reply. If the response hangs at any point (e.g. it returns CONNECTED(00000003) and nothing else), then TLS on port 25 is being filtered.

If you see this warning in /var/log/maillog:

[@
Dec 6 03:44:17 smtpd[]: info: OpenSMTPD 6.7.0 starting
Dec 6 03:44:17 smtpd[]: pony express: smtpd: socket: Too many open files
Dec 6 03:44:17 smtpd[]: warn: lost child: pony express exited abnormally
@]

the cause is usually too many IP addresses that opensmtpd tries to bind to. This happens when you have a rule that says @@listen on egress@@:

[@
listen on egress port 25 tls pki fruit.ircnow.org mask-src filter { check_rdns check_fcrdns }
listen on egress port 587 tls-require pki fruit.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns }
@]

These two lines make opensmtpd listen on '''all''' addresses of the egress interface group, including the hundreds of IPv6 addresses you may have in /etc/hostname.vio0 and in @@ifconfig vio0@@, each of which needs its own socket. To fix this, specify the IP addresses you want to listen on:

[@
# addresses to listen on
ipv4 = "192.168.1.1"
ipv6 = "2001:db8::"

...

# listeners
listen on lo0 mask-src
listen on lo0 port 10028 tag DKIM mask-src
listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
@]

!!! Open Mail Relay

If all your email is being marked as spam, check @@/var/log/maillog@@. If you see a message like the following:

[@
Jan 8 11:00:29 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fa from=<spammer@example.com> to=<victim@example.com> rcpt=<-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h2s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"
@]

then your server is probably being exploited as an [[openbsd/mailopenproxy|open mail relay]]: the envelope sender (from=) is an address in a domain you do not own, and the receiving server has rate-limited your IP for its reputation. Follow that guide to fix it. The other common cause of the same symptom is a stolen password being used on the port 587 submission listener, so check the smtp authentication lines in the same log before assuming the relay rules are at fault.
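Two of the statements in the smtpd.conf above are declared but never wired in: no listener names check_spammers and no action references <aliases>. A quick way to catch that class of mistake, together with the @@listen on egress@@ and open-relay pitfalls discussed under Troubleshooting, is a small lint over the config. The script below is an added example, not code from this page or from the OpenSMTPD project; it understands only the statement forms this page uses (table, filter, action, listen, match), flags tables and filters nothing references, @@listen on egress@@, a submission listener without tls-require and auth, and a match rule that relays from any to any without auth or a tag restriction. The sample it runs on is the page's own configuration with the pki lines left out.

```python
"""Lint an OpenSMTPD smtpd.conf for declarations that are never used and for
listener/match rules that weaken it. Added example for this page, not code from
the page or from OpenSMTPD; it understands only the statement forms used here."""
import re

# The page's smtpd.conf, embedded as sample input (pki lines left out).
PAGE_CONF = """
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd passwd:/etc/mail/passwd
table virtuals file:/etc/mail/virtuals
table hosts file:/etc/mail/hosts
table spammers file:/etc/mail/spammers

filter check_rdns phase connect match !rdns junk
filter check_fcrdns phase connect match !fcrdns junk
filter check_spammers phase connect match src <spammers> junk

ipv4 = "192.168.1.1"
ipv6 = "2001:db8::"

listen on lo0 mask-src
listen on lo0 port 10028 tag DKIM mask-src
listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org
listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth <passwd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org

action "lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027

match from any for domain <domains> action "lmtp"
match tag DKIM for any action "relay"
match from src <hosts> for any action "relay_dkim"
match auth from any for any action "relay_dkim"
"""


def parse(conf):
    """Group statements by leading keyword; comments and blank lines are dropped."""
    out = {"table": {}, "filter": {}, "action": {}, "listen": [], "match": []}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        words = line.split()
        if not words:
            continue
        if words[0] in ("table", "filter", "action"):
            out[words[0]][words[1].strip('"')] = line
        elif words[0] in ("listen", "match"):
            out[words[0]].append(line)
    return out


def lint(conf):
    """Return a sorted list of findings for one smtpd.conf text."""
    s = parse(conf)
    findings = []

    # A table is only live if some listen/match/filter/action statement names it as <name>.
    users = s["listen"] + s["match"] + list(s["filter"].values()) + list(s["action"].values())
    for name in s["table"]:
        if not any(f"<{name}>" in line for line in users):
            findings.append(f"unused table: {name}")

    # A filter only runs when a listener attaches it: "filter name" or "filter { a b }".
    attached = set()
    for line in s["listen"]:
        m = re.search(r"\bfilter\s+(?:\{([^}]*)\}|(\S+))", line)
        if m:
            attached.update((m.group(1) or m.group(2)).split())
    for name in s["filter"]:
        if name not in attached:
            findings.append(f"unused filter: {name}")

    for line in s["listen"]:
        if re.search(r"\blisten\s+on\s+egress\b", line):
            findings.append(f"listen on egress binds every address in the group: {line}")
        if re.search(r"\bport\s+587\b", line) and not ("tls-require" in line and " auth " in line):
            findings.append(f"submission listener without tls-require and auth: {line}")

    for line in s["match"]:
        words = line.split()
        m = re.search(r'action\s+"?([^"\s]+)"?', line)
        target = s["action"].get(m.group(1), "") if m else ""
        relays = re.match(r'action\s+"[^"]+"\s+relay\b', target) is not None
        # Relaying "from any for any" with no auth and no tag restriction is an open relay.
        if relays and "from any" in line and "for any" in line and not ({"auth", "tag"} & set(words)):
            findings.append(f"open relay: {line}")

    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(PAGE_CONF):
        print(finding)
```

Run against the page's configuration it reports exactly the two dead declarations (check_spammers and aliases); change the last match rule to @@match from any for any action "relay"@@ and it reports an open relay, which is the mistake the Open Mail Relay section above is about.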
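To tell an open relay (or a stolen account) apart from ordinary reputation trouble, the useful signal in those @@mta delivery@@ lines is who the envelope senders are: if mail leaves this host from addresses in domains you do not own, someone else is sending through it. The following script is an added example, not code from this page or from OpenSMTPD. It parses @@mta delivery@@ lines in the format quoted above and reports foreign senders and receiver rejections; the log lines it contains are constructed samples (the 10.0.0.x, 192.168.0.x and example.* names are placeholders), and the local domain list is the one from /etc/mail/domains above.

```python
"""Triage OpenSMTPD 'mta delivery' log lines for relay abuse. Added example for
this page, not code from the page or from OpenSMTPD. The log lines below are
constructed samples in the format shown above; addresses and hosts are placeholders."""
import re
from collections import Counter

# /etc/mail/domains from this page: mail from any other sender domain is not ours.
LOCAL_DOMAINS = {"ircnow.org", "mail.ircnow.org"}

SAMPLE_LOG = """\
Jan  8 10:58:01 smtpd[39035]: 1a2b3c4d5e6f7a8b mta delivery evpid=0102030405060708 from=<jrmu@ircnow.org> to=<friend@example.net> rcpt=<-> source="192.168.0.1" relay="10.0.0.2 (mx.example.net)" delay=2s result="Ok" stat="250 2.0.0 Ok: queued"
Jan  8 11:00:29 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fa from=<spammer@example.com> to=<victim@example.com> rcpt=<-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h2s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"
Jan  8 11:00:30 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fb from=<spammer@example.com> to=<victim2@example.com> rcpt=<-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h3s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"
Jan  8 11:01:02 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fc from=<promo@example.org> to=<someone@example.net> rcpt=<-> source="192.168.0.1" relay="10.0.0.2 (mx.example.net)" delay=15h59m result="PermFail" stat="550 5.7.1 Service unavailable; client [192.168.0.1] blocked"
Jan  8 11:02:11 smtpd[39035]: 1a2b3c4d5e6f7a8b smtp connected address=203.0.113.5 host=<unknown>
"""

DELIVERY_RE = re.compile(
    r'mta delivery .*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>'
    r'.*?result="(?P<result>[^"]*)" stat="(?P<stat>[^"]*)"'
)
# Phrases receivers use when they refuse or throttle us because of our IP's reputation.
REPUTATION_HINTS = ("reputation", "rate limited", "blocked", "blacklist", "spam")


def parse_deliveries(log_text):
    """Yield a dict per outbound 'mta delivery' line; every other line is skipped."""
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            yield m.groupdict()


def triage(log_text, local_domains=LOCAL_DOMAINS):
    """Summarise who is sending mail out through this host and how receivers reacted.

    Outbound mail whose envelope sender is not in one of our domains is the
    signature of relay abuse, whether through an open relay or a stolen account."""
    by_sender, foreign = Counter(), Counter()
    reputation_failures = 0
    for d in parse_deliveries(log_text):
        sender = d["sender"].lower()
        by_sender[sender] += 1
        if sender.rpartition("@")[2] not in local_domains:
            foreign[sender] += 1
        if d["result"] != "Ok" and any(h in d["stat"].lower() for h in REPUTATION_HINTS):
            reputation_failures += 1
    return {
        "deliveries": sum(by_sender.values()),
        "by_sender": dict(by_sender),
        "foreign_senders": dict(foreign),  # non-empty means someone else relays through us
        "reputation_failures": reputation_failures,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real host, feed it @@/var/log/maillog@@; a non-empty foreign_senders list is the thing to chase, and the source= field of those lines (not extracted here) tells you whether they arrived on port 25 without authentication or on port 587 with someone's password.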
time=1624414910
author:1624414910=jrmu
diff:1624414910:1622985096:=1d0%0a%3c (:redirect opensmtpd.configure:)%0a
host:1624414910=125.224.16.135
author:1622985096=jrmu
diff:1622985096:1612797363:=1,2d0%0a%3c Note: This old page is kept for historical purposes. Please consult the [[opensmtpd/configure|new guide]] for an up-to-date version.%0a%3c %0a249c247%0a%3c Then your server is being exploited as an [[openbsd/mailopenproxy|open mail relay]]! Please follow the guide to fix it.%0a---%0a> Then your server is being exploited as an [[openbsd/mailopenproxy|open mail relay]]! Please follow the guide to fix it.%0a\ No newline at end of file%0a
host:1622985096=38.81.163.143
author:1612797363=jrmu
diff:1612797363:1611800546:=131c131%0a%3c $ doas chown -R _smtpd:_dovecot /etc/mail/%0a---%0a> $ doas chown -R root:_dovecot /etc/mail/%0a
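Review bot: The `<` line hands the unprivileged _smtpd account ownership of everything under /etc/mail/, so the smtpd processes (or anyone who compromises them) can rewrite smtpd.conf, the aliases and virtuals tables and the credential file they authenticate against; the `>` line's root:_dovecot was the safer owner. If the change was made because _smtpd could not read the passwd table, grant that read through a group containing both _smtpd and _dovecot, as the earlier `chown -R root:vmail /etc/mail/` revision on this page did, or limit the chown to /etc/mail/passwd rather than the whole directory.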
host:1612797363=198.251.81.119
author:1611800546=jrmu
diff:1611800546:1611800108:=131c131,133%0a%3c $ doas chown -R root:_dovecot /etc/mail/%0a---%0a> $ doas usermod -G vmail _smtpd%0a> $ doas usermod -G vmail _dovecot%0a> $ doas chown -R root:vmail /etc/mail/%0a
host:1611800546=125.231.24.226
author:1611800108=jrmu
diff:1611800108:1611582833:=131,133c131,134%0a%3c $ doas usermod -G vmail _smtpd%0a%3c $ doas usermod -G vmail _dovecot%0a%3c $ doas chown -R root:vmail /etc/mail/%0a---%0a> $ doas groupadd mail%0a> $ doas usermod -G mail _smtpd%0a> $ doas usermod -G mail _dovecot%0a> $ doas chown -R root:mail /etc/mail/%0a
host:1611800108=125.231.24.226
author:1611582833=jrmu
diff:1611582833:1611582526:=134,135c134,137%0a%3c $ doas chown -R root:mail /etc/mail/%0a%3c $ doas chmod o-rx /etc/mail/%0a---%0a> $ doas chown :mail /etc/mail/passwd%0a> $ doas chmod o-rx /etc/mail/passwd%0a> $ ls -lha /etc/mail/passwd%0a> -rw-r----- 1 root mail 737B Oct 20 16:16 passwd%0a
host:1611582833=125.231.20.163
author:1611582526=jrmu
diff:1611582526:1611496108:=131,134c131,133%0a%3c $ doas groupadd mail%0a%3c $ doas usermod -G mail _smtpd%0a%3c $ doas usermod -G mail _dovecot%0a%3c $ doas chown :mail /etc/mail/passwd%0a---%0a> $ doas usermod -G daemon _smtpd%0a> $ doas usermod -G daemon _dovecot%0a> $ doas chown :daemon /etc/mail/passwd%0a137c136%0a%3c -rw-r----- 1 root mail 737B Oct 20 16:16 passwd%0a---%0a> -rw-r----- 1 root daemon 737B Oct 20 16:16 passwd%0a
host:1611582526=125.231.20.163
author:1611496108=jrmu
diff:1611496108:1610204226:=131,132d130%0a%3c $ doas usermod -G daemon _smtpd%0a%3c $ doas usermod -G daemon _dovecot%0a
host:1611496108=125.231.20.163
author:1610204226=jrmu
diff:1610204226:1609937630:=241,249c241%0a%3c @]%0a%3c %0a%3c !!! Open Mail Relay%0a%3c %0a%3c If all your email is being marked as spam, check @@/var/log/maillog@@ . If you see a message like the following:%0a%3c %0a%3c Jan 8 11:00:29 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fa from=%3cspammer@example.com> to=%3cvictim@example.com> rcpt=%3c-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h2s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"%0a%3c %0a%3c Then your server is being exploited as an [[openbsd/mailopenproxy|open mail relay]]! Please follow the guide to fix it.%0a\ No newline at end of file%0a---%0a> @]%0a\ No newline at end of file%0a
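Review bot: The added Open Mail Relay section infers an open relay from a single 451 4.7.650 rate-limit line, but that reply only says the receiving server distrusts the sending IP; the stronger evidence in the quoted line is from=<spammer@example.com>, an envelope sender outside the domains this server hosts, and the same symptom results from a stolen password used on the authenticated port 587 listener. Suggest telling the reader to look at the from= and source= fields and at the smtp authentication lines in maillog before concluding the relay rules are at fault.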
host:1610204226=125.224.19.86
author:1609937630=jrmu
diff:1609937630:1609861461:=131d130%0a%3c $ doas chown :daemon /etc/mail/passwd%0a134c133%0a%3c -rw-r----- 1 root daemon 737B Oct 20 16:16 passwd%0a---%0a> -rw-r----- 1 root wheel 737B Oct 20 16:16 passwd%0a
host:1609937630=125.231.63.134
author:1609861461=jrmu
diff:1609861461:1607872077:=127,134d126%0a%3c %0a%3c Make sure to set the proper permissions:%0a%3c %0a%3c [@%0a%3c $ doas chmod o-rx /etc/mail/passwd%0a%3c $ ls -lha /etc/mail/passwd%0a%3c -rw-r----- 1 root wheel 737B Oct 20 16:16 passwd%0a%3c @]%0a
host:1609861461=125.231.63.134
author:1607872077=miniontoby
csum:1607872077=dkimproxy link fixed
diff:1607872077:1607438471:=134c134%0a%3c Take a look at the sample [[openbsd.dovecot|dovecot]] setup for IMAP and POP3, and the sample [[dkimproxy|dkimproxy]] setup for mail signing.%0a---%0a> Take a look at the sample [[openbsd.dovecot|dovecot]] setup for IMAP and POP3, and the sample [[openbsd:mail:dkimproxy|dkimproxy]] setup for mail signing.%0a
host:1607872077=145.132.146.30
author:1607438471=jrmu
diff:1607438471:1607249640:=216c216%0a%3c These two lines mean that opensmtpd will listen to '''all''' available ip address, including the hundreds of IPv6 addresses you may have in /etc/hostname.vio0 and @@ifconfig vio0@@. To fix this, you must specify the IP addresses you want to listen to:%0a---%0a> These two lines mean that opensmtpd will listen to '''all''' available ip address, including the hundreds of IPv6 addresses you may have in /etc/hostname.vio0 and @@ifconfig vio0@@@. To fix this, you must specify the IP addresses you want to listen to:%0a
host:1607438471=198.251.81.119
author:1607249640=jrmu
diff:1607249640:1606197330:=201,232c201%0a%3c You should see the entire SSL cert plus 250 STARTTLS reply. If you see the response hang at any point (eg, it returns CONNECTED(00000003) and nothing else), then TLS on port 25 is being filtered.%0a%3c %0a%3c If you see this warning message in /var/log/maillog:%0a%3c %0a%3c [@%0a%3c Dec 6 03:44:17 smtpd[]: info: OpenSMTPD 6.7.0 starting %0a%3c Dec 6 03:44:17 smtpd[]: pony express: smtpd: socket: Too many open files %0a%3c Dec 6 03:44:17 smtpd[]: warn: lost child: pony express exited abnormally %0a%3c @]%0a%3c %0a%3c This is due to having too many IP addresses that opensmtpd tries to bind to. This happens when you have a rule that says @@listen on egress@@:%0a%3c %0a%3c listen on egress port 25 tls pki fruit.ircnow.org mask-src filter { check_rdns check_fcrdns }%0a%3c listen on egress port 587 tls-require pki fruit.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns }%0a%3c %0a%3c These two lines mean that opensmtpd will listen to '''all''' available ip address, including the hundreds of IPv6 addresses you may have in /etc/hostname.vio0 and @@ifconfig vio0@@@. 
To fix this, you must specify the IP addresses you want to listen to:%0a%3c %0a%3c [@%0a%3c # listeners%0a%3c ipv4 = "192.168.1.1"%0a%3c ipv6 = "2001:db8::"%0a%3c %0a%3c ...%0a%3c %0a%3c # listeners%0a%3c listen on lo0 mask-src%0a%3c listen on lo0 port 10028 tag DKIM mask-src%0a%3c listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c @]%0a\ No newline at end of file%0a---%0a> You should see the entire SSL cert plus 250 STARTTLS reply. If you see the response hang at any point (eg, it returns CONNECTED(00000003) and nothing else), then TLS on port 25 is being filtered.%0a\ No newline at end of file%0a
host:1607249640=38.81.163.7
author:1606197330=jrmu
diff:1606197330:1603804474:=40,41c40,41%0a%3c listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a---%0a> listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src { check_rdns check_fcrdns } hostname ircnow.org%0a> listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src { check_rdns check_fcrdns } hostname ircnow.org%0a
host:1606197330=198.251.81.119
author:1603804474=jrmu
diff:1603804474:1602945139:=34,37d33%0a%3c ipv4 = "192.168.1.1"%0a%3c ipv6 = "2001:db8::"%0a%3c %0a%3c # listeners%0a40,43c36,37%0a%3c listen on $ipv4 port 25 tls pki mail.ircnow.org mask-src { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv6 port 25 tls pki mail.ircnow.org mask-src { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv4 port 587 tls-require pki mail.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c listen on $ipv6 port 587 tls-require pki mail.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a---%0a> listen on egress port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns check_spammers } hostname ircnow.org%0a> listen on egress port 587 tls-require pki mail.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a
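Review bot: The `<` listener lines drop check_spammers from the port 25 filter list while `table spammers` and `filter check_spammers` stay defined, so from this revision on the /etc/mail/spammers blocklist is declared but never applied; either add check_spammers back to the port 25 listeners or remove the dead table and filter. The new port 25 lines also lose the `filter` keyword in front of `{ check_rdns check_fcrdns }`, which is not valid listen syntax (the 1606197330 revision puts it back).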
host:1603804474=125.231.28.105
author:1602945139=jrmu
diff:1602945139:1602330906:=119,120d118%0a%3c %0a%3c '''WARNING''': Some special characters like $, when used in passwords, will cause issue with opensmtpd. To be safe, you may want to use alphanumeric characters only for your password.%0a
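Review bot: The added warning steers readers toward alphanumeric-only passwords, which lowers entropy for no gain; the stored value on this page already starts with `$2b$`, so `$` is not a problem in the credential file itself, and the usual place it bites is the shell expanding `$word` when the plaintext is passed as a command-line argument. Suggest replacing the advice with: run `smtpctl encrypt` with no argument and type the password at the prompt, or single-quote it.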
host:1602945139=125.231.17.204
author:1602330906=jrmu
diff:1602330906:1599709894:=150,193c150%0a%3c @]%0a%3c %0a%3c At times, opensmtpd may be unable to connect because outgoing packets are being filtered. For example, suppose you are trying to send a letter to yahoo, but you get errors similar to following, showing a connection timeout:%0a%3c %0a%3c [@%0a%3c smtpd[]: smtp-out: Enabling route [] %3c-> 67.195.204.77 (mtaproxy1.free.mail.vip.bf1.yahoo.com)%0a%3c smtpd[]: smtp-out: Enabling route [] %3c-> 67.195.228.106 (mtaproxy2.free.mail.vip.gq1.yahoo.com)%0a%3c smtpd[]: mta error reason=Connection timeout%0a%3c smtpd[]: smtp-out: Disabling route [] %3c-> 104.47.55.33 (104.47.55.33) for 15s%0a%3c @]%0a%3c %0a%3c An easy way to test if your packets are being filtered is:%0a%3c %0a%3c [@%0a%3c $ dig -t mx yahoo.com%0a%3c ;; ANSWER SECTION:%0a%3c yahoo.com. 395 IN MX 1 mta6.am0.yahoodns.net.%0a%3c yahoo.com. 395 IN MX 1 mta5.am0.yahoodns.net.%0a%3c yahoo.com. 395 IN MX 1 mta7.am0.yahoodns.net.%0a%3c $ nc mta5.am0.yahoodns.net 25%0a%3c @]%0a%3c %0a%3c If you get no response, then outgoing packets to port 25 are being blocked (often due to firewalls by your VPS provider to block spam). If mail is working, you should see a 220 reply:%0a%3c %0a%3c [@%0a%3c $ nc mta5.am0.yahoodns.net 25%0a%3c 220 mtaproxy511.free.mail.ne1.yahoo.com ESMTP ready%0a%3c @]%0a%3c %0a%3c It is also possible that TLS is being dropped by the firewall. You can test using openssl:%0a%3c %0a%3c [@%0a%3c $ openssl s_client -starttls smtp -connect mta5.am0.yahoodns.net:25%0a%3c CONNECTED(00000003)%0a%3c depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA%0a%3c verify return:1%0a%3c depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA%0a%3c verify return:1%0a%3c depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.am0.yahoodns.net%0a%3c ...%0a%3c 250 STARTTLS%0a%3c @]%0a%3c %0a%3c You should see the entire SSL cert plus 250 STARTTLS reply. 
If you see the response hang at any point (eg, it returns CONNECTED(00000003) and nothing else), then TLS on port 25 is being filtered.%0a\ No newline at end of file%0a---%0a> @]%0a\ No newline at end of file%0a
host:1602330906=38.81.163.143
author:1599709894=locustlord
diff:1599709894:1599709481:=26d25%0a%3c table spammers file:/etc/mail/spammers%0a
host:1599709894=70.69.142.62
author:1599709481=locustlord
diff:1599709481:1598939135:=95,96d94%0a%3c %0a%3c For /etc/mail/spammers, create a blank file.%0a
host:1599709481=70.69.142.62
author:1598939135=jrmu
diff:1598939135:1598765301:=133,146d132%0a%3c @]%0a%3c %0a%3c !! Troubleshooting%0a%3c %0a%3c Sometimes OpenSMTPD may end up in an inconsistent state. This can happen due to a misconfiguration. One symptom is you see this error:%0a%3c %0a%3c smtpd[]: pony express: smtpd: socket: Too many open files%0a%3c %0a%3c To fix this, you can delete all the temporary files inside OpenSMTPD. '''WARNING''': this will delete any messages in the queue:%0a%3c %0a%3c [@%0a%3c $ doas rcctl stop smtpd%0a%3c $ doas rm -r /var/spool/smtpd/queue/*%0a%3c $ doas rm -r /var/spool/smtpd/offline/*%0a
host:1598939135=38.81.163.143
author:1598765301=jrmu
diff:1598765301:1598218302:=123,133c123%0a%3c Take a look at the sample [[openbsd.dovecot|dovecot]] setup for IMAP and POP3, and the sample [[openbsd:mail:dkimproxy|dkimproxy]] setup for mail signing.%0a%3c %0a%3c There are some additional steps for how to add a new user here:%0a%3c %0a%3c Based on: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/opensmtpd/faq/Attic/example1.html?rev=1.14%0a%3c %0a%3c To get hashes:%0a%3c %0a%3c [@%0a%3c $ smtpctl encrypt%0a%3c @]%0a\ No newline at end of file%0a---%0a> Take a look at the sample [[openbsd.dovecot|dovecot]] setup for IMAP and POP3, and the sample [[openbsd:mail:dkimproxy|dkimproxy]] setup for mail signing.%0a\ No newline at end of file%0a
host:1598765301=38.81.163.143
author:1598218302=gry
csum:1598218302=added heading
diff:1598218302:1598174119:=3,4c3,4%0a%3c !! Install%0a%3c %0a---%0a> !! Install and configuration%0a> %0a10,11d9%0a%3c %0a%3c !! Configuration%0a
host:1598218302=203.129.25.247
author:1598174119=gry
csum:1598174119=added headings
diff:1598174119:1598079727:=3,4d2%0a%3c !! Install and configuration%0a%3c %0a65,66d62%0a%3c !! Adding users%0a%3c %0a115,116d110%0a%3c !! Spammers%0a%3c %0a119,121c113%0a%3c !! IMAP and POP3 via dovecot; mail signing via dkimproxy%0a%3c %0a%3c Take a look at the sample [[openbsd.dovecot|dovecot]] setup for IMAP and POP3, and the sample [[openbsd:mail:dkimproxy|dkimproxy]] setup for mail signing.%0a\ No newline at end of file%0a---%0a> Take a look at the sample [[openbsd:mail:dovecot|dovecot]] setup for IMAP and POP3, and the sample [[openbsd:mail:dkimproxy|dkimproxy]] setup for mail signing.%0a\ No newline at end of file%0a
host:1598174119=203.129.25.247
author:1598079727=jrmu
diff:1598079727:1597915784:=110,111d109%0a%3c %0a%3c In /etc/mail/spammers, we have IP addresses separated by newlines.%0a
host:1598079727=38.81.163.143
author:1597915784=gry
csum:1597915784=format
diff:1597915784:1597284304:=5c5%0a%3c [@%0a---%0a> %3ccode>%0a7,8c7,8%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a11c11%0a%3c [@%0a---%0a> %3ccode>%0a47,48c47,48%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a51c51%0a%3c [@%0a---%0a> %3ccode>%0a53,54c53,54%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a57c57%0a%3c [@%0a---%0a> %3ccode>%0a59,60c59,60%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a65c65%0a%3c [@%0a---%0a> %3ccode>%0a70,71c70,71%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a76c76%0a%3c [@%0a---%0a> %3ccode>%0a80,81c80,81%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a84c84%0a%3c [@%0a---%0a> %3ccode>%0a88,89c88,89%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a92c92%0a%3c [@%0a---%0a> %3ccode>%0a94,95c94,95%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a98c98%0a%3c [@%0a---%0a> %3ccode>%0a101,102c101,102%0a%3c @]%0a%3c %0a---%0a> %3c/code>%0a> %0a105c105%0a%3c [@%0a---%0a> %3ccode>%0a109c109%0a%3c @]%0a---%0a> %3c/code>%0a
host:1597915784=203.129.25.247
author:1597284304=jrmu
diff:1597284304:1597284304:=1,111d0%0a%3c Here is how I set up my independent mail server. It is based on the old (now deleted) [[https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/www/opensmtpd/faq/Attic/example1.html?rev=1.14|OpenSMTPd FAQ]].%0a%3c %0a%3c Make sure to install opensmtpd-extras:%0a%3c %0a%3c %3ccode>%0a%3c $ doas pkg_add opensmtpd-extras%0a%3c %3c/code>%0a%3c %0a%3c In my /etc/mail/smtpd.conf:%0a%3c %0a%3c %3ccode>%0a%3c # PKI for TLS%0a%3c pki mail.ircnow.org cert "/etc/ssl/ircnow.org.fullchain.pem"%0a%3c pki mail.ircnow.org key "/etc/ssl/private/ircnow.org.key"%0a%3c %0a%3c # tables setup%0a%3c table aliases file:/etc/mail/aliases%0a%3c table domains file:/etc/mail/domains%0a%3c table passwd passwd:/etc/mail/passwd%0a%3c table virtuals file:/etc/mail/virtuals%0a%3c table hosts file:/etc/mail/hosts%0a%3c %0a%3c # Blocks junk mail%0a%3c filter check_rdns phase connect match !rdns junk%0a%3c filter check_fcrdns phase connect match !fcrdns junk%0a%3c filter check_spammers phase connect match src %3cspammers> junk%0a%3c %0a%3c # listeners%0a%3c listen on lo0 mask-src%0a%3c listen on lo0 port 10028 tag DKIM mask-src%0a%3c listen on egress port 25 tls pki mail.ircnow.org mask-src filter { check_rdns check_fcrdns check_spammers } hostname ircnow.org%0a%3c listen on egress port 587 tls-require pki mail.ircnow.org auth %3cpasswd> mask-src filter { check_rdns check_fcrdns } hostname ircnow.org%0a%3c %0a%3c action "lmtp" lmtp "/var/dovecot/lmtp" rcpt-to virtual %3cvirtuals>%0a%3c action "relay" relay%0a%3c action "relay_dkim" relay host smtp://127.0.0.1:10027%0a%3c %0a%3c # If mail is for any of our domains, pass it to dovecot%0a%3c match from any for domain %3cdomains> action "lmtp"%0a%3c %0a%3c # If mail is tagged with DKIM, relay it out%0a%3c match tag DKIM for any action "relay"%0a%3c %0a%3c # If mail comes from known good hosts or has been authenticated, relay it to dkimproxy_out%0a%3c match from src %3chosts> for any action "relay_dkim"%0a%3c match 
auth from any for any action "relay_dkim"%0a%3c %3c/code>%0a%3c %0a%3c A single user vmail will receive mail for all virtual users:%0a%3c %0a%3c %3ccode>%0a%3c $ doas useradd -m -g =uid -c "Virtual Mail" -d /var/vmail -s /sbin/nologin vmail%0a%3c %3c/code>%0a%3c %0a%3c The /etc/passwd file will contain a line similar to this:%0a%3c %0a%3c %3ccode>%0a%3c vmail:*:1000:1000:Virtual Mail:/var/vmail:/sbin/nologin%0a%3c %3c/code>%0a%3c %0a%3c /var/vmail is used to store virtual users' maildir folders. It will be managed by dovecot, which receives mail via LMTP.%0a%3c %0a%3c At the bottom of /etc/mail/aliases, add these lines:%0a%3c %0a%3c %3ccode>%0a%3c vmail: /dev/null%0a%3c root: admin@ircnow.org%0a%3c jrmu: jrmu@ircnow.org%0a%3c username: username@ircnow.org%0a%3c %3c/code>%0a%3c %0a%3c Add one line for each user.%0a%3c %0a%3c Create a new file /etc/mail/virtuals and add these lines:%0a%3c %0a%3c %3ccode>%0a%3c admin@ircnow.org vmail%0a%3c jrmu@ircnow.org vmail%0a%3c username@ircnow.org vmail%0a%3c %3c/code>%0a%3c %0a%3c A whitelist of known good senders goes into /etc/mail/hosts:%0a%3c %0a%3c %3ccode>%0a%3c localhost%0a%3c 192.168.1.1%0a%3c 2001:db8::%0a%3c %3c/code>%0a%3c %0a%3c The mail sender's hostname goes in /etc/mail/mailname:%0a%3c %0a%3c %3ccode>%0a%3c mail.ircnow.org%0a%3c %3c/code>%0a%3c %0a%3c The list of domains you send mail for go in /etc/mail/domains:%0a%3c %0a%3c %3ccode>%0a%3c ircnow.org%0a%3c mail.ircnow.org%0a%3c %3c/code>%0a%3c %0a%3c In /etc/mail/passwd, we have a list of colon-separated user credentials:%0a%3c %0a%3c %3ccode>%0a%3c admin@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G%0a%3c jrmu@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G%0a%3c username@ircnow.org:$2b$10$h5itbhzs73T4jsHAj9YX6Tf63yRatAquGBxoCX67wyekhCH4ZqioD6lKh::::::userdb_quota_rule=*:storage=1G%0a%3c %3c/code>%0a%3c %0a%3c Take a look at the 
sample [[openbsd:mail:dovecot|dovecot]] setup for IMAP and POP3, and the sample [[openbsd:mail:dkimproxy|dkimproxy]] setup for mail signing.%0a\ No newline at end of file%0a
host:1597284304=38.81.163.143