SMTPD.CONF(5)                 File Formats Manual                SMTPD.CONF(5)

NAME
     smtpd.conf - Simple Mail Transfer Protocol daemon configuration file

DESCRIPTION
     smtpd.conf is the configuration file for the mail daemon smtpd(8).

     The current line can be extended over multiple lines using a backslash
     ('\'). Comments can be put anywhere in the file using a hash mark ('#'),
     and extend to the end of the current line. Care should be taken when
     commenting out multi-line text: the comment is effective until the end
     of the entire block.

     Argument names not beginning with a letter, digit, or underscore must be
     quoted. Arguments containing whitespace should be surrounded by double
     quotes (").

     Macros can be defined that will later be expanded in context. Macro
     names must start with a letter, digit, or underscore, and may contain
     any of those characters. Macro names may not be reserved words (for
     example listen, accept, port). Macros are not expanded inside quotes.

     For example:

           lan_addr = "192.168.0.1"
           listen on $lan_addr
           listen on $lan_addr tls auth

     Additional configuration files can be included with the include keyword,
     for example:

           include "/etc/opensmtpd/smtpd.conf.local"

     The syntax of smtpd.conf is described below.

     accept | reject
           smtpd(8) accepts and rejects messages based on information
           gathered during the SMTP session.

           For each message processed by the daemon, the rules are evaluated
           in sequential order, from first to last. The first matching rule
           decides what action is taken. If no rule matches the message, the
           default action is to reject the message. An exclamation mark may
           be specified to perform a reverse match.

           Following the accept/reject decision comes the matching of
           optional session related properties:

           [!] authenticated
                 If specified, the rule will only be matched if the client
                 session was authenticated, either by requesting
                 authentication over the network or because the message was
                 submitted over the local enqueuer.

           tagged [!] tag
                 If specified, the rule will only be matched if the client
                 session was tagged with tag.

           After that the client's IP address rule is specified:

           from any
                 Make the rule match regardless of the IP of the connecting
                 client.

           from [!] local
                 The rule matches only locally originating connections. This
                 is the default, and may be omitted.

           from [!] source <table>
                 The rule matches if the connection is made from a client
                 whose address is declared in the table table.

           In addition, finer access control may be achieved on the sender if
           desired:

           sender [!] <senders>
                 If specified, the rule will only be matched if the sender
                 email address is found in the table senders. The table may
                 contain complete email addresses or apply to an entire
                 domain if prefixed with '@'.

           Next comes the selection based on the domain the message is sent
           to:

           for any [alias <aliases>]
                 Make the rule match regardless of the domain it is sent to.
                 If specified, the table aliases is used for looking up
                 alternative destinations for all addresses.

           for any virtual <vmap>
                 Make the rule match regardless of the domain it is sent to.
                 The vmap table will be used as the virtual domain mapping.

           for [!] domain domain [alias <aliases>]
                 This rule applies to mail destined for the specified domain.
                 This parameter supports the '*' wildcard, so that a single
                 rule for all sub-domains can be used, for example:

                       accept for domain "*.example.com" deliver to mbox

                 If specified, the table aliases is used for looking up
                 alternative destinations for addresses in this domain.

           for [!] domain <domains> [alias <aliases>]
                 This rule applies to mail destined to domains which are part
                 of the table domains.

                 If specified, the table aliases is used for looking up
                 alternative destinations for addresses in these domains.

           for [!] domain domain virtual <users>
                 This rule applies to mail destined for the specified virtual
                 domain. This parameter supports the '*' wildcard, so that a
                 single rule for all sub-domains can be used, for example:

                       accept for domain "*.example.com" \
                             virtual <users> deliver to mbox

                 The table users holds a key-value mapping of virtual to
                 system users. For an example of how to configure the users
                 table, see table(5).

           for [!] domain <domains> virtual <users>
                 This rule applies to mail destined for the virtual domains
                 specified in the table domains.

                 The table users holds a key-value mapping of virtual to
                 system users. For an example of how to configure the users
                 table, see table(5).

           for [!] local [alias <aliases>]
                 This rule applies to mail destined to "localhost" and to the
                 default server name (the FILES entry for
                 /etc/opensmtpd/mailname details how the server name is
                 determined). This is the default, and may be omitted.

                 If specified, the table aliases is used for looking up
                 alternative destinations for addresses in these domains.

           for [!] local virtual <vmap>
                 This rule applies to mail destined to "localhost" and to the
                 default server name. The vmap table will be used as the
                 virtual domain mapping.

           Further access control may be achieved on specific recipients if
           desired:

           recipient [!] <recipients>
                 If specified, the rule will only be matched if the recipient
                 email address is found in the table recipients. The table
                 may contain complete email addresses or apply to an entire
                 domain if prefixed with '@'.

           If the method of delivery is local, a user database may be
           specified to override the system database:

           [userbase <table>]
                 Look up users in the table table instead of performing
                 system lookups using the getpwnam(3) function.

           You can also accept mail just to have it forwarded elsewhere:

           forward-only
                 Mail is accepted for local recipients ONLY if it is
                 redirected to an external address via an alias or a
                 ~/.forward file.

                 Example:

                       accept for domain opensmtpd.org forward-only

           Finally, the method of delivery is specified:

           deliver to lmtp [host:port | socket] [rcpt-to] [as user]
                 Mail is delivered to host:port, or to the UNIX socket, over
                 LMTP with the privileges of the specified user.

                 Optionally, rcpt-to might be specified to use the recipient
                 email address (after expansion) instead of the local user in
                 the LMTP session as RCPT TO.

           deliver to maildir [path]
                 Mail is added to a maildir. Its location, path, may contain
                 format specifiers that are expanded before use (see FORMAT
                 SPECIFIERS). If path is not provided, then ~/Maildir is
                 assumed.

           deliver to mbox
                 Mail is delivered to the local user's system mailbox in
                 /var/mail.

           deliver to mda program [as user]
                 Mail is piped to the specified program, which is run with
                 the privileges of the specified user or the user the message
                 is destined to. This parameter may use conversion specifiers
                 that are expanded before use (see FORMAT SPECIFIERS).

           relay [backup [mx]] [as address] [source <source>]
                 [hostname name] [hostnames <names>] [pki pkiname]
                 [tls [verify]]
                 Mail is relayed. The routing decision is based on the DNS
                 system.

                 If the backup parameter is specified, the current server
                 will act as a backup server for the target domain. Accepted
                 mails are only relayed through servers with a lower
                 preference value in the MX record for the domain than the
                 one specified in mx. If mx is not specified, the default
                 server name will be assumed.

                 If the as parameter is specified, smtpd(8) will rewrite the
                 sender advertised in the SMTP session. address may be a
                 user, a domain prefixed with '@', or an email address,
                 causing smtpd(8) to rewrite the user-part, the domain-part,
                 or the entire address, respectively.

                 If the source parameter is specified, smtpd(8) will
                 explicitly bind to an address found in the table referenced
                 by source when connecting to the relay. If the table
                 contains more than one address, they are picked in turn each
                 time a new connection is opened.

                 By default, when connecting to a remote server, smtpd(8)
                 advertises its default server name. A hostname parameter
                 may be specified to advertise the alternate hostname name.
                 If the source parameter is used, the hostnames parameter may
                 be specified to advertise a hostname based on the source
                 address. Table names contains a mapping of IP addresses to
                 hostnames and smtpd(8) will automatically select the name
                 that matches its source address when connected to the remote
                 server. The hostname and hostnames parameters are mutually
                 exclusive.

                 When relaying, STARTTLS is always attempted if available on
                 the remote host, and smtpd(8) will try to present a
                 certificate matching the outgoing hostname if one is
                 registered in the pki. If pki is specified, the certificate
                 registered for pkiname is used instead.

                 If tls is specified, smtpd(8) will refuse to relay unless
                 the remote host provides STARTTLS. If tls verify is
                 specified, smtpd(8) will refuse to relay unless the remote
                 host provides STARTTLS and the certificate it presented has
                 been verified.

                 Note that the tls and tls verify options should only be used
                 in private networks as they will prevent proper relaying on
                 the Internet.

           relay via host [auth <auth>] [as address] [source <source>]
                 [hostname name] [hostnames <names>] [pki pkiname] [verify]
                 Mail is relayed through the specified host expressed as a
                 URL. For example:

                       smtp://mx1.example.org        # use SMTP
                       smtp://mx1.example.org:4321   # use SMTP with port 4321
                       lmtp://localhost:2026         # use LMTP with port 2026

                 The communication channel may be secured using one of the
                 secure schemas. For example:

                       tls://mx1.example.org         # use TLS
                       smtps://mx1.example.org       # use SMTPS
                       secure://mx1.example.org      # try SMTPS and fall
                                                     # back to TLS

                 In addition, credentials for authenticated relaying may be
                 provided when using a secure schema. For example:

                       tls+auth://label@mx.example.org     # over TLS
                       smtps+auth://label@mx.example.org   # over SMTPS
                       secure+auth://label@mx.example.org  # over either
                                                           # SMTPS or TLS

                 If a pki entry exists for the outgoing hostname, or one is
                 provided with pkiname, the associated certificate will be
                 sent to the remote server.

                 If an SMTPAUTH session with host is desired, the auth
                 parameter is used to specify the auth table that holds the
                 credentials. Credentials will be looked up using the label
                 provided in the URL.

                 If the as parameter is specified, smtpd(8) will rewrite the
                 sender advertised in the SMTP session. address may be a
                 user, a domain prefixed with '@', or an email address,
                 causing smtpd(8) to rewrite the user-part, the domain-part,
                 or the entire address, respectively.

                 If the source parameter is specified, smtpd(8) will
                 explicitly bind to an address found in the table referenced
                 by <source> when connecting to the relay. If the table
                 contains more than one address, they are picked in turn each
                 time a new connection is opened.

                 By default, when connecting to a remote server, smtpd(8)
                 advertises its default server name. A hostname parameter
                 may be specified to advertise the alternate hostname name.
                 If the source parameter is used, the hostnames parameter may
                 be specified to advertise a hostname based on the source
                 address. Table names contains a mapping of IP addresses to
                 hostnames and smtpd(8) will automatically select the name
                 that matches its source address when connected to the remote
                 server. The hostname and hostnames parameters are mutually
                 exclusive.

                 If verify is specified, smtpd(8) will refuse to relay unless
                 the remote host provides STARTTLS and the certificate it
                 presented has been verified. The relay URL must specify TLS
                 for this option to be valid.

           Additional per-rule adjustments are available:

           expire n{s | m | h | d}
                 Specify how long a message that matched this rule can stay
                 in the queue.

           bounce-warn n{s | m | h | d} [, ...]
                 Specify the delays for which temporary failure reports must
                 be generated when messages are stuck in the queue. For
                 example:

                       bounce-warn 1h, 6h, 2d

                 will generate a failure report when an envelope is in the
                 queue for more than one hour, six hours and two days. The
                 default is 4h.

     ca hostname certificate cafile
           Associate a custom CA certificate located in cafile with hostname.

     ciphers cipher-list
           Specify an alternate list of ciphers to use when establishing TLS
           sessions. It is highly recommended to avoid making use of this
           option unless there is a good understanding of the implications.

           When not specified, only ciphers considered safe are chosen.

     expire n{s | m | h | d}
           Specify how long a message can stay in the queue. The default
           value is 4d. For example:

                 expire 4d    # expire after 4 days
                 expire 10h   # expire after 10 hours

     limit session {max-rcpt | max-mails} num
           Instruct smtpd(8) to accept a maximum number of recipients or
           emails at once in the receiving queue. Defaults are 100 for
           max-mails and 1000 for max-rcpt.

     limit mta [for domain domain] family
           Instruct smtpd(8) to only use the specified address family for
           outgoing connections. Accepted values are inet4 and inet6. If a
           domain is specified, the restriction only applies when connecting
           to MXs for this domain.

     limit scheduler max-inflight num
           Suspend the scheduling of envelopes for deliver/relay until the
           number of inflight envelopes falls below num. Changing the
           default value might degrade performance.

     listen on interface [family] [port port]
           [tls | tls-require | tls-require verify | smtps] [pki pkiname]
           [ca caname] [auth | auth-optional [<authtable>]] [tag tag]
           [hostname hostname] [hostnames <names>]
           [senders <users> [masquerade]] [mask-source] [received-auth]
           [no-dsn]
           Specify an interface and optional port to listen on for incoming
           connections. An interface group, an IP address or a domain name
           may be used in place of interface. The family parameter can be
           used to listen only on a specific address family. Accepted values
           are inet4 and inet6.

           Secured connections are provided either using STARTTLS (tls), by
           default on port 25, or SMTPS (smtps), by default on port 465.
           tls-require may be used to force clients to establish a secure
           connection before being allowed to start an SMTP transaction.

           If tls-require verify is specified, the client must provide a
           valid certificate to be able to establish an SMTP session.

           Host certificates may be used for these connections, and must be
           previously declared using the pki directive. If pki is specified,
           a certificate matching pkiname is searched for. Moreover, a
           previously declared ca directive may be specified to use a custom
           CA certificate.

           If the auth parameter is used, then a client may only start an
           SMTP transaction after a successful authentication. Any remote
           sender that passed SMTPAUTH is treated as if it was the server's
           local user that was sending the mail. This means that filter
           rules using from local will be matched. If auth-optional is
           specified, then SMTPAUTH is not required to establish an SMTP
           transaction. This is only useful to let a listener accept
           incoming mail from untrusted senders and outgoing mail from
           authenticated users in situations where it is not possible to
           listen on the submission port.

           Both auth and auth-optional accept an optional table as a
           parameter. When provided, credentials are looked up in this
           table. The credentials format is described in table(5).

           If the tag parameter is used, then clients connecting to the
           listener will be tagged tag.

           If the hostname parameter is used, then it will be used in the
           greeting banner instead of the default server name.

           The hostnames parameter overrides the server name for specific
           addresses. Table names contains a mapping of IP addresses to
           hostnames and smtpd(8) will use the hostname that matches the
           address on which the connection arrives if it is found in the
           mapping.

           If the senders parameter is used, then smtpd(8) will look up a
           mapping of username to email addresses to see whether the
           authenticated user is allowed to submit mail as the sender that
           was provided in the SMTP session. In addition, if the masquerade
           option is provided, the From header will be rewritten to match
           the sender provided in the SMTP session.

           If the mask-source parameter is used, then the listener will skip
           the from part when prepending the "Received" header.

           If the received-auth parameter is used, the "Received" header
           will display if the session was authenticated and by which local
           user.

           If the no-dsn parameter is used, the DSN (Delivery Status
           Notification) extension will not be enabled.

     listen on socket [mask-source]
           Modify behaviour for the listener which handles messages submitted
           through the local enqueuer, such as the mail(1) utility. Clients
           connecting in this manner are tagged with the "local" tag.

           Parameters available are:

           mask-source
                 Skip the from part when prepending the "Received" header.

     max-message-size n
           Specify a maximum message size of n bytes. The argument may
           contain a multiplier, as documented in scan_scaled(3). The
           default maximum message size is 35MB if none is specified.

     pki hostname certificate certfile
           Associate the certificate located in certfile with hostname.

           If a fallback certificate or SNI is wanted, the '*' wildcard may
           be used as hostname.

           A certificate chain may be created by appending one or many
           certificates, including a Certificate Authority certificate, to
           certfile.

           Creation of certificates is documented in starttls(8).

     pki hostname key keyfile
           Associate the key located in keyfile with hostname.

     pki hostname dhe params
           Specify the DHE parameters to use for DHE cipher suites with
           hostname. Valid parameter values are none, legacy and auto. For
           legacy a fixed key length of 1024 bits is used, whereas for auto
           the key length is determined automatically. The default is none,
           which disables DHE cipher suites.

     queue compression
           Enable transparent compression of envelopes and messages. The
           only supported algorithm at the moment is gzip. Envelopes and
           messages may be inspected using the smtpctl(8) or gzcat(1)
           utilities.

     queue encryption [key key]
           Enable transparent encryption of envelopes and messages. key must
           be a 16-byte random key in hexadecimal representation. It can be
           obtained using the openssl(1) utility as follows:

                 $ openssl rand -hex 16

           If the key parameter is not specified, it is read with getpass(3)
           at startup. If key is stdin, then it is read from the standard
           input at startup.

           The only supported algorithm is AES-256 in GCM mode. Envelopes
           and messages may be inspected using the smtpctl(8) utility.

           Queue encryption can be used with queue compression and will
           always perform compression before encryption.

     subaddressing-delimiter delimiter
           Redefine the subaddressing delimiter from the default '+' to
           delimiter.

           Any printable character valid in an email address is allowed,
           except spaces and '@'.

           The first character in the user-part of an email address that
           matches delimiter is considered to be the subaddressing
           delimiter.

     table name [type:]config
           Tables are used to provide additional configuration information
           for smtpd(8) in the form of lists or key-value mappings. The
           format of the entries depends on what the table is used for.
           Refer to table(5) for the exhaustive documentation.

           The table is identified using table name name; the name itself is
           arbitrarily chosen.

           type specifies the table backend, and should be one of the
           following:

           db      Information is stored in a file created using makemap(8).

           file    Information is stored in a plain text file using the same
                   format as used to generate makemap(8) mappings. This is
                   the default.

           config specifies a configuration file for the table data. It must
           be an absolute path to a file for the "file" and "db" table
           types.

     table name {value [, ...]}
           Tables containing a list of static values may be declared using
           an inlined notation.

           The table is identified using table name name; the name itself is
           arbitrarily chosen.

           The table must contain at least one value and may declare many
           values as a list of comma-separated strings.

     table name {key=value [, ...]}
           Tables containing static key-value mappings may be declared using
           an inlined notation.

           The table is identified using table name name; the name itself is
           arbitrarily chosen.

           The table must contain at least one key-value mapping and may
           declare many mappings as a list of comma-separated key=value
           descriptions.

FORMAT SPECIFIERS
     Some configuration directives support expansion of their parameters at
     runtime. Such directives (for example deliver to maildir, deliver to
     mda) may use format specifiers which will be expanded before delivery
     or relaying. The following formats are currently supported:

           %{sender}             sender email address
           %{sender.user}        user part of the sender email address
           %{sender.domain}      domain part of the sender email address
           %{rcpt}               recipient email address
           %{rcpt.user}          user part of the recipient email address
           %{rcpt.domain}        domain part of the recipient email address
           %{dest}               recipient email address after expansion
           %{dest.user}          user part after expansion
           %{dest.domain}        domain part after expansion
           %{user.username}      local user
           %{user.directory}     home directory of the local user

     Expansion formats also support partial expansion using the optional
     bracket notations with substring offset. For example, with recipient
     domain "example.org":

           %{rcpt.domain[0]}         expands to "e"
           %{rcpt.domain[1]}         expands to "x"
           %{rcpt.domain[8:]}        expands to "org"
           %{rcpt.domain[-3:]}       expands to "org"
           %{rcpt.domain[0:6]}       expands to "example"
           %{rcpt.domain[0:-4]}      expands to "example"

     In addition, modifiers may be applied to the token. For example, with
     recipient "User+Tag@Example.org":

           %{rcpt:lowercase}         expands to "user+tag@example.org"
           %{rcpt:uppercase}         expands to "USER+TAG@EXAMPLE.ORG"
           %{rcpt:strip}             expands to "User@Example.org"
           %{rcpt:lowercase|strip}   expands to "user@example.org"

     For security concerns, expanded values are sanitized and potentially
     dangerous characters are replaced with ':'. In situations where they
     are desirable, the "raw" modifier may be applied. For example, with
     recipient "user+t?g@example.org":

           %{rcpt}                   expands to "user+t:g@example.org"
           %{rcpt:raw}               expands to "user+t?g@example.org"
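
     The expansion rules above (substring brackets, modifiers, and the ':'
     sanitizing that raw disables) carried out in code, as an added example
     that is not part of this manual or of OpenSMTPD. The inclusive index
     arithmetic is inferred from the six bracket examples, and the set of
     characters the sanitizer keeps is an assumption chosen to reproduce the
     "user+t?g@example.org" example.

```python
import re

# One token: %{name[begin:end]:mod|mod}; bracket part and modifiers are optional.
_TOKEN = re.compile(r"%\{(?P<name>[a-z.]+)"
                    r"(?P<sub>\[(?P<beg>-?\d*)(?P<colon>:?)(?P<end>-?\d*)\])?"
                    r"(?::(?P<mods>[a-z|]+))?\}")

# Assumption: the page only says "potentially dangerous characters are replaced
# with ':'".  This set keeps what its examples keep ('+', '@', '.') and replaces
# everything else, such as the '?' in user+t?g@example.org.
_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.@+/")


def context(sender, rcpt, dest, username, directory):
    """Values for every specifier listed on the page, derived from one envelope."""
    ctx = {"sender": sender, "rcpt": rcpt, "dest": dest,
           "user.username": username, "user.directory": directory}
    for key in ("sender", "rcpt", "dest"):
        ctx[key + ".user"], _, ctx[key + ".domain"] = ctx[key].partition("@")
    return ctx


def _substring(value, beg, colon, end):
    """Bracket notation as inferred from the page's six examples: both indices
    are inclusive, a negative begin counts from the end (len+beg) and a negative
    end maps to len+end-1, so [0:6] and [0:-4] both give 'example' from
    'example.org'."""
    n = len(value)
    b = int(beg) if beg else 0
    b = b + n if b < 0 else b
    if not colon:                        # [i]: a single character
        e = b
    elif end:
        e = int(end)
        e = e + n - 1 if e < 0 else e
    else:                                # [i:]: through the last character
        e = n - 1
    if b < 0 or e >= n or b > e:
        raise ValueError("substring out of range for %r" % value)
    return value[b:e + 1]


def _modify(value, mod, delimiter):
    if mod == "lowercase":
        return value.lower()
    if mod == "uppercase":
        return value.upper()
    if mod == "strip":                   # drop the subaddress: User+Tag@x -> User@x
        user, at, domain = value.partition("@")
        return user.partition(delimiter)[0] + at + domain
    if mod == "raw":                     # no-op here; expand() skips sanitize()
        return value
    raise ValueError("unknown modifier %r" % mod)


def sanitize(value):
    """Replace every character outside _SAFE with ':'."""
    return "".join(c if c in _SAFE else ":" for c in value)


def expand(template, ctx, delimiter="+"):
    """Expand every %{...} token in template from ctx.  delimiter is the
    subaddressing delimiter ('+' unless redefined with subaddressing-delimiter)
    that strip honours.  Combining a bracket with modifiers is accepted here
    although the page shows them separately (assumption)."""
    def one(m):
        value = ctx[m.group("name")]                  # KeyError: unknown token
        if m.group("sub") is not None:
            value = _substring(value, m.group("beg"), m.group("colon"), m.group("end"))
        mods = m.group("mods").split("|") if m.group("mods") else []
        for mod in mods:
            value = _modify(value, mod, delimiter)
        return value if "raw" in mods else sanitize(value)
    return _TOKEN.sub(one, template)


# Constructed envelope and the kind of path a "deliver to maildir" rule builds.
ENVELOPE = context("bob@example.net", "User+Tag@Example.org", "User+Tag@Example.org",
                   "user", "/home/user")
MAILDIR = expand("/var/vmail/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}/Maildir",
                 ENVELOPE)
```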

FILES
     /etc/opensmtpd/smtpd.conf
           Default smtpd(8) configuration file.

     /etc/opensmtpd/mailname
           If this file exists, the first line is used as the server name.
           Otherwise, the server name is derived from the local hostname
           returned by gethostname(3), either directly if it is a fully
           qualified domain name, or by retrieving the associated canonical
           name through getaddrinfo(3).

     /var/spool/smtpd/
           Spool directories for mail during processing.

EXAMPLES
     The default smtpd.conf file listens on the loopback network interface
     (lo0), and allows for mail from users and daemons on the local machine,
     as well as permitting email to remote servers. Some more complex
     configurations are given below.

     This first example is the same as the default configuration, but all
     outgoing mail is forwarded to a remote SMTP server. A secrets file is
     needed to specify a username and password:

           # touch /etc/opensmtpd/secrets
           # chmod 640 /etc/opensmtpd/secrets
           # chown root:_smtpd /etc/opensmtpd/secrets
           # echo "label username:password" > /etc/opensmtpd/secrets

     smtpd.conf would look like this:

           table aliases file:/etc/opensmtpd/aliases
           table secrets file:/etc/opensmtpd/secrets
           listen on lo0
           accept for local alias <aliases> deliver to mbox
           accept for any relay via tls+auth://label@smtp.example.com \
                 auth <secrets>

     In this second example, the aim is to permit mail relaying for any user
     that can authenticate using their normal login credentials. An RSA
     certificate must be provided to prove the server's identity. The mail
     server listens on all interfaces the default route(s) point to. Mail
     with a local destination should be sent to an external mda. First, the
     RSA certificate is created:

           # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
           # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
                 -out /etc/ssl/mail.example.com.crt -days 365
           # chmod 600 /etc/ssl/mail.example.com.crt
           # chmod 600 /etc/ssl/private/mail.example.com.key

     In the example above, a certificate valid for one year was created.
     The configuration file would look like this:

           pki mail.example.com certificate "/etc/ssl/mail.example.com.crt"
           pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
           table aliases file:/etc/opensmtpd/aliases
           listen on lo0
           listen on egress tls pki mail.example.com auth
           accept for local alias <aliases> deliver to mda "/path/to/mda -f -"
           accept from any for domain example.com \
                 deliver to mda "/path/to/mda -f -"
           accept for any relay

     For sites that wish to sign messages using DKIM, the dkimproxy package
     may be used as a filter. The following example is the same as the
     default configuration, but all outgoing mail is passed to dkimproxy_out
     on port 10027 for signing. The signed messages are received on port
     10028 and tagged for relaying.

           table aliases file:/etc/opensmtpd/aliases
           listen on lo0
           listen on lo0 port 10028 tag DKIM
           accept for local alias <aliases> deliver to mbox
           accept tagged DKIM for any relay
           accept from local for any relay via smtp://127.0.0.1:10027

     Sites that accept non-local messages may be able to cut down on the
     volume of spam received by rejecting forged messages that claim to be
     from the local domain. The table other-relays can be used to specify
     the IP addresses of relays that may legitimately originate mail with
     your domain as the sender.

           table aliases file:/etc/opensmtpd/aliases
           table other-relays file:/etc/opensmtpd/other-relays
           listen on lo0
           listen on egress
           accept for local alias <aliases> deliver to mbox
           accept from local for any relay
           reject from ! source <other-relays> sender "@example.com" for any
           accept from any for domain example.com \
                 alias <aliases> deliver to mbox
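
     The evaluation order described under accept | reject (rules tried first
     to last, the first match decides, '!' reverses a match, from local and
     for local are the defaults, and a message matching no rule is rejected),
     applied to the anti-forgery ruleset above. This is an added example, not
     OpenSMTPD code: it parses only the from, sender and for parts of the rule
     grammar, treats a bare word after sender as a one-entry table, and fills
     the other-relays table with a constructed address block because the file
     the real configuration loads is not on this page.

```python
import fnmatch
import ipaddress
import shlex
from dataclasses import dataclass, field

@dataclass
class Session:
    sender: str
    rcpt: str
    src_ip: str = ""       # connecting client address (constructed test data)
    local: bool = False    # local enqueuer, or SMTPAUTH, which the page treats as local

@dataclass
class Rule:
    decision: str                              # "accept" or "reject"
    conds: list = field(default_factory=list)  # (kind, negated, argument)
    action: str = ""                           # alias/deliver/relay part, kept verbatim

def _bang(tok, i):  # consume the optional '!' reverse-match marker at position i
    return (True, i + 1) if i < len(tok) and tok[i] == "!" else (False, i)

def _table(spec, tables):
    """'<name>' is a declared table; a bare word is a one-entry inline table (assumption)."""
    return tables[spec[1:-1]] if spec[:1] == "<" and spec[-1:] == ">" else {spec}

def parse_rule(line, tables):
    """Parse the match part of one rule; whatever follows it is the action."""
    tok = shlex.split(line, comments=True)     # honours quotes and '#' comments
    rule, i = Rule(tok[0]), 1
    while i < len(tok):
        kw, i = tok[i], i + 1
        if kw == "sender":
            neg, i = _bang(tok, i)
            rule.conds.append(("sender", neg, _table(tok[i], tables))); i += 1
        elif kw in ("from", "for"):
            neg, i = _bang(tok, i)
            what, i = tok[i], i + 1
            if what in ("source", "domain"):   # operand is a table or a literal
                rule.conds.append((kw + "_table", neg, _table(tok[i], tables))); i += 1
            else:                              # any | local
                rule.conds.append((kw + "_" + what, neg, None))
        else:                                  # alias, deliver to, relay, ...
            rule.action = " ".join(tok[i - 1:])
            break
    for side in ("from", "for"):               # 'local' is the documented default
        if not any(c[0].startswith(side + "_") for c in rule.conds):
            rule.conds.append((side + "_local", False, None))
    return rule

def parse_rules(text, tables):
    """Join backslash continuations and parse the accept/reject lines."""
    return [parse_rule(l, tables) for l in text.replace("\\\n", " ").splitlines()
            if l.split(None, 1)[:1] in (["accept"], ["reject"])]

def _holds(kind, arg, s, server_name):
    """Does one (un-negated) condition hold for session s?"""
    rcpt_domain = s.rcpt.rpartition("@")[2].lower()
    if kind in ("from_any", "for_any"):
        return True
    if kind == "from_local":
        return s.local
    if kind == "from_table":                   # entries: addresses or CIDR blocks
        return not s.local and any(ipaddress.ip_address(s.src_ip)
                                   in ipaddress.ip_network(e, strict=False) for e in arg)
    if kind == "sender":                       # complete address, or "@domain"
        low = {e.lower() for e in arg}
        return s.sender.lower() in low or "@" + s.sender.rpartition("@")[2].lower() in low
    if kind == "for_local":
        return rcpt_domain in ("localhost", server_name.lower())
    if kind == "for_table":                    # '*' wildcard as documented
        return any(fnmatch.fnmatchcase(rcpt_domain, e.lower()) for e in arg)
    raise ValueError(kind)

def evaluate(rules, s, server_name="mail.example.com"):
    """First matching rule as (index, rule); (None, None) is the implicit reject."""
    for idx, rule in enumerate(rules):
        if all(_holds(k, a, s, server_name) != neg for k, neg, a in rule.conds):
            return idx, rule
    return None, None

# The page's anti-forgery ruleset; the table contents are constructed stand-ins.
TABLES = {"aliases": set(), "other-relays": {"203.0.113.0/24"}}
CONFIG = """\
accept for local alias <aliases> deliver to mbox
accept from local for any relay
reject from ! source <other-relays> sender "@example.com" for any
accept from any for domain example.com \\
    alias <aliases> deliver to mbox
"""
```

     A connection from outside the other-relays block that claims an
     @example.com sender stops at the reject rule, while the same sender
     from inside the block falls through to the final accept.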

SEE ALSO
     mailer.conf(5), table(5), makemap(8), smtpd(8)

HISTORY
     smtpd(8) first appeared in OpenBSD 4.6.

                                July 11 2017                     SMTPD.CONF(5)