SMTPD.CONF(5)                 File Formats Manual                SMTPD.CONF(5)

NAME
       smtpd.conf - Simple Mail Transfer Protocol daemon configuration file

DESCRIPTION
       smtpd.conf is the configuration file for the mail daemon smtpd(8).

       When mail arrives, each ``RCPT TO:'' command generates a mail envelope.
       If an envelope matches any of a pre-designated set of criteria (using
       the match directive), the message is accepted for delivery.  A copy of
       the message, as well as its associated envelopes, is saved in the mail
       queue and later dispatched according to an associated set of actions
       (using the action directive).  If an envelope does not match any
       options, it is rejected.  The match rules are evaluated sequentially,
       with the first match winning.

       The format of the configuration file is fairly flexible.  The current
       line can be extended over multiple lines using a backslash (`\').
       Comments can be put anywhere in the file using a hash mark (`#'), and
       extend to the end of the current line.  Care should be taken when
       commenting out multi-line text: the comment is effective until the end
       of the entire block.  Argument names not beginning with a letter,
       digit, or underscore, as well as reserved words (such as listen, match,
       and port), must be quoted.  Arguments containing whitespace should be
       surrounded by double quotes (").

       Macros can be defined that are later expanded in context.  Macro names
       must start with a letter, digit, or underscore, and may contain any of
       those characters, but may not be reserved words.  Macros are not
       expanded inside quotes.  For example:
           lan_addr = "192.168.0.1"
           listen on $lan_addr
           listen on $lan_addr tls auth

       The syntax of smtpd.conf is described below.

       action name method [options]
             When the queue runner processes an envelope from the mail queue,
             it carries out the action name, selected by the match ... action
             directive when the message was received.  The action directive
             provides configuration data for delivery attempts.  Required
             lookups are performed at the time of each delivery attempt.
             Consequently, changing an action directive or the files it
             references and restarting the smtpd(8) daemon causes the changes
             to take effect for subsequent delivery attempts for the
             respective dispatcher name, even for messages that were already
             stuck in the queue prior to the configuration changes.

             The delivery method parameter may be one of the following:

             expand-only
                     Only accept the message if a delivery method was
                     specified in an aliases or .forward file.

             forward-only
                     Only accept the message if the recipient results in a
                     remote address after the processing of aliases or forward
                     file.

             lmtp destination [rcpt-to]
                     Deliver the message to an LMTP server at destination.
                     The location may be expressed as host:port or as a UNIX
                     socket.

                     Optionally, rcpt-to might be specified to use the
                     recipient email address (after expansion) instead of the
                     local user in the LMTP session as RCPT TO.

             maildir [pathname [junk]]
                     Deliver the message to the maildir in pathname if
                     specified, or by default to ~/Maildir.

                     The pathname may contain format specifiers that are
                     expanded before use (see FORMAT SPECIFIERS).

                     If the junk argument is provided, the message will be
                     moved to the Junk folder if it contains a positive X-Spam
                     header.

             mbox    Deliver the message to the user's mbox with
                     mail.local(8).

             mda command
                     Delegate the delivery to a command that receives the
                     message on its standard input.

                     The command may contain format specifiers that are
                     expanded before use (see FORMAT SPECIFIERS).

             relay   Relay the message to another SMTP server.

             The local delivery methods support additional options:

             alias <table>
                     Use the mapping table for aliases(5) expansion.

             ttl n{s | m | h | d}
                     Specify how long a message may remain in the queue.

             user username
                     Specify the username for performing the delivery, to be
                     looked up with getpwnam(3).

                     This is used for virtual hosting where a single username
                     is in charge of handling delivery for all virtual users.

                     This option is not usable with the mbox delivery method.

             userbase <table>
                     Use the mapping table for user lookups instead of the
                     getpwnam(3) function.

                     The userbase does not apply for the user option.

             virtual <table>
                     Use the mapping table for virtual expansion.  The
                     aliasing table format is described in table(5).

             wrapper name
                     Use the wrapper specified in mda wrapper.

             The relay delivery methods also support additional options:

             backup  Operate as a backup mail exchanger delivering messages to
                     any mail exchanger with higher priority.

             backup mx name
                     Operate as a backup mail exchanger delivering messages to
                     any mail exchanger with higher priority than mail
                     exchanger identified as name.

             helo heloname
                     Advertise heloname as the hostname to other mail
                     exchangers during the HELO phase.

             helo-src <table>
                     Use the mapping table to look up a hostname matching the
                     source address, to advertise during the HELO phase.

             host relay-url
                     Do not perform MX lookups but relay messages to the relay
                     host described by relay-url.  The format for relay-url is
                     [proto://[label@]]host[:port].  The following protocols
                     are available:

                     smtp     Normal SMTP session with opportunistic STARTTLS
                              (the default).

                     smtp+tls
                              Normal SMTP session with mandatory STARTTLS.

                     smtp+notls
                              Plain text SMTP session without TLS.

                     lmtp     LMTP session.  port is required.

                     smtps    SMTP session with forced TLS on connection,
                              default port is 465.

                     Unless noted, port defaults to 25.

                     The label corresponds to an entry in a credentials table,
                     as documented in table(5).  It is used with the
                     ``smtp+tls'' and ``smtps'' protocols for authentication.
                     Server certificates for those protocols are verified by
                     default.

             srs     When relaying a mail resulting from a forward, use the
                     Sender Rewriting Scheme to rewrite sender address.

             tls [no-verify]
                     Require TLS to be used when relaying, using mandatory
                     STARTTLS by default.  When used with a smarthost, the
                     protocol must not be ``smtp+notls://''.  If no-verify is
                     specified, do not require a valid certificate.

             auth <table>
                     Use the mapping table for connecting to relay-url using
                     credentials.  This option is usable only with the host
                     option.  The credential table format is described in
                     table(5).

             mail-from mailaddr
                     Use mailaddr as the MAIL FROM address within the SMTP
                     transaction.

             src address | <address>
                     Use the string or list table address for the source IP
                     address.  If the list contains more than one address, all
                     of them are used in such a way that traffic is routed as
                     efficiently as possible.

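       The following fragment is an added example and is not part of the
       original manual page.  It declares the kinds of dispatchers described
       above: Maildir delivery with alias expansion, virtual hosting under a
       single system user, direct MX relay with SRS, a smarthost reached
       through a relay-url with a credential label, and a backup MX.  All
       hostnames, file paths, table names and the ``smarthost'' label are
       assumptions; %{dest.domain} and %{dest.user} are format specifiers
       documented under FORMAT SPECIFIERS.

```conf
# Added example, not part of the original manual page: one local, one
# virtual and three relay dispatchers.  Hostnames, paths, table names and
# the "smarthost" credential label are assumptions.
table aliases   file:/etc/mail/aliases
table vdomains  file:/etc/mail/vdomains    # "alice@example.org  vmail"
table secrets   file:/etc/mail/secrets     # "smarthost  user:password"

# Local users: Maildir delivery after aliases(5) expansion; a message
# carrying a positive X-Spam header goes to the Junk folder instead.
action "local_users" maildir "~/Maildir" junk alias <aliases>

# Virtual hosting: every virtual user is delivered as the single system
# user "vmail"; the recipient is resolved through the virtual table.
# %{dest.domain} and %{dest.user} are format specifiers (FORMAT SPECIFIERS).
action "virtual_users" maildir "/var/vmail/%{dest.domain}/%{dest.user}" \
    virtual <vdomains> user vmail

# Direct delivery via MX lookup with a fixed HELO name; mail that results
# from a forward has its sender rewritten with the Sender Rewriting Scheme.
action "outbound" relay helo mail.example.org srs

# Smarthost: no MX lookup, mandatory STARTTLS with the server certificate
# verified (the default for smtp+tls); the "smarthost" label selects the
# entry in <secrets> used to authenticate.
action "smarthost" relay host smtp+tls://smarthost@smtp.isp.example:587 \
    auth <secrets>

# Secondary MX: hand messages to any exchanger with higher priority than
# mx1.example.org once it is reachable again.
action "backup_mx" relay backup mx mx1.example.org
```

       Because lookups are performed at delivery time, editing any of the
       three tables and restarting smtpd(8) also affects messages that were
       already queued for these dispatchers.
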
       bounce warn-interval delay [, delay ...]
             Send warning messages to the envelope sender when temporary
             delivery failures cause a message to remain on the queue for
             longer than delay.  Each delay parameter consists of a positive
             decimal integer and a unit s, m, h, or d.  At most four delay
             parameters can be specified.  The default is ``bounce
             warn-interval 4h'', sending a single warning after four hours.

       ca caname cert cafile
             Associate the Certificate Authority (CA) certificate file cafile
             with host caname, and use that file as the CA certificate for
             that host.  caname is the server's name, derived from the default
             hostname or set using either /etc/opensmtpd/mailname or using the
             hostname directive.

       filter chain-name chain {filter-name [, ...]}
             Register a chain of filters named chain-name and consisting of
             the filters listed from filter-name.  Filters part of a filter
             chain are executed in order of declaration for each phase that
             they are registered for.  A filter chain may be used in place of
             a filter for any directive but filter chains themselves.

       filter filter-name phase phase-name match conditions disconnect message
             Register builtin filter filter-name matching conditions to
             disconnect session with message.  Phase and matching conditions
             are documented in a specific section, see BUILTIN FILTERING.

       filter filter-name phase phase-name match conditions junk
             Register builtin filter filter-name matching conditions to mark a
             session or a transaction as junk.  Phase and matching conditions
             are documented in a specific section, see BUILTIN FILTERING.

       filter filter-name phase phase-name match conditions reject message
             Register builtin filter filter-name matching conditions to reject
             session with message.  Phase and matching conditions are
             documented in a specific section, see BUILTIN FILTERING.

       filter filter-name phase phase-name match conditions report message
             Register builtin filter filter-name matching conditions to report
             on session with message and proceed with the transaction.  Phase
             and matching conditions are documented in a specific section, see
             BUILTIN FILTERING.

       filter filter-name phase phase-name match conditions rewrite value
             Register builtin filter filter-name matching conditions to
             rewrite phase parameter with new value.  Phase and matching
             conditions are documented in a specific section, see BUILTIN
             FILTERING.

       filter filter-name proc proc-name
             Register ``proc'' filter filter-name backed by the proc-name
             process.

       filter filter-name proc-exec command
             Register and execute ``proc'' filter filter-name from command.
             If command starts with a slash it is executed with an absolute
             path, else it will be run from ``/usr/local/libexec/smtpd/''.

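       The following fragment is an added example and is not part of the
       original manual page.  It combines two builtin filters, one external
       process shared through a proc directive, and a filter chain attached
       to a listener.  The filter and proc names, the external command and
       the phase and condition keywords (connect, rdns, fcrdns, which are
       documented under BUILTIN FILTERING rather than on this page) are
       assumptions.

```conf
# Added example, not part of the original manual page.  Filter and proc
# names, the external filter command and the phase/condition keywords
# (documented in BUILTIN FILTERING, not reproduced here) are assumptions.

# Builtin filters bound to the "connect" phase: a client without reverse
# DNS is disconnected at once; one whose reverse DNS does not resolve back
# to its address (no FCrDNS) is let in, but its session is marked as junk.
filter "check_rdns"   phase connect match !rdns   disconnect "550 no rDNS"
filter "check_fcrdns" phase connect match !fcrdns junk

# One external process registered with proc and used by the filter
# "spamcheck".  The command does not start with a slash, so it is run
# from /usr/local/libexec/smtpd/.
proc "rspamd" "filter-rspamd"
filter "spamcheck" proc "rspamd"

# Chain: the filters run in order of declaration, each for the phases it
# registered.  The chain is attached to a listener exactly like a filter.
filter "inbound" chain { "check_rdns", "check_fcrdns", "spamcheck" }

listen on egress port 25 filter "inbound"
```

       Ordering inside the chain matters: the cheap builtin checks run first,
       so a client with no reverse DNS is disconnected before the external
       process is ever consulted.
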
       include "pathname"
             Replace this directive with the content of the additional
             configuration file at the absolute pathname.

       listen on interface [family] [options]
             Listen on the interface for incoming connections, using the same
             syntax as for ifconfig(8).  The interface parameter may also be
             an interface group, an IP address, or a domain name.  Listening
             can optionally be restricted to a specific address family, which
             can be either inet4 or inet6.

             The options are as follows:

             auth [<authtable>]
                     Support SMTPAUTH: clients may only start SMTP
                     transactions after successful authentication.  Users are
                     authenticated against either their own normal login
                     credentials or a credentials table authtable, the format
                     of which is described in table(5).

             auth-optional [<authtable>]
                     Support SMTPAUTH optionally: clients need not
                     authenticate, but may do so.  This allows a listen on
                     directive to both accept incoming mail from untrusted
                     senders and permit outgoing mail from authenticated users
                     (using match auth).  It can be used in situations where
                     it is not possible to listen on a separate port (usually
                     the submission port, 587) for users to authenticate.

             ca caname
                     For secure connections, use the CA certificate associated
                     with caname (declared in a ca directive) as the CA
                     certificate when verifying client certificates.

             filter name
                     Apply filter name on connections handled by this
                     listener.

             hostname hostname
                     Use hostname in the greeting banner instead of the
                     default server name.

             hostnames <names>
                     Override the server name for specific addresses.  The
                     names table contains a mapping of IP addresses to
                     hostnames.  If the address on which the connection
                     arrives appears in the mapping, the associated hostname
                     is used.

             mask-src
                     Omit the from part when prepending ``Received'' headers.

             no-dsn  Disable the DSN (Delivery Status Notification) extension.

             pki pkiname
                     For secure connections, use the certificate associated
                     with pkiname (declared in a pki directive) to prove a
                     mail server's identity.

             port [port]
                     Listen on the given port instead of the default port 25.

             proxy-v2
                     Support the PROXYv2 protocol, rewriting the source
                     address of the session to the client address received
                     from the proxy.

             received-auth
                     In ``Received'' headers, report whether the session was
                     authenticated and by which local user.

             senders <users> [masquerade]
                     Look up the authenticated user in the users mapping table
                     to find the email addresses that user is allowed to
                     submit mail as.  In addition, if the masquerade option is
                     provided, the From header is rewritten to match the
                     sender provided in the SMTP session.

             smtps   Support SMTPS, by default on port 465.  Mutually
                     exclusive with tls.

             tag tag
                     Clients connecting to the listener are tagged with the
                     given tag.

             tls     Support STARTTLS, by default on port 25.  Mutually
                     exclusive with smtps.

             tls-require [verify]
                     Like tls, but force clients to establish a secure
                     connection before being allowed to start an SMTP
                     transaction.  With the verify option, clients must also
                     provide a valid certificate to establish an SMTP session.

       listen on socket [mask-src]
             Listen for incoming SMTP connections on the Unix domain socket
             /var/run/smtpd.sock.  This is done by default, even if the
             directive is absent.  If the mask-src option is specified,
             printing of the HELO name, hostname, and IP address of the
             originating host is suppressed in Received: header lines.

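       The following fragment is an added example and is not part of the
       original manual page.  It shows the usual split between a public MX
       listener and authenticated submission listeners, together with the pki
       declarations (including the `*' fallback) those listeners refer to.
       The server name, certificate paths, interface group and table names
       are assumptions.

```conf
# Added example, not part of the original manual page.  The server name,
# certificate paths, interface group and table names are assumptions.
pki mail.example.org cert "/etc/ssl/mail.example.org.crt"   # leaf + chain
pki mail.example.org key  "/etc/ssl/private/mail.example.org.key"
pki mail.example.org dhe  auto
pki "*" cert "/etc/ssl/fallback.crt"        # used when SNI matches no pkiname
pki "*" key  "/etc/ssl/private/fallback.key"

table creds   file:/etc/mail/creds          # user -> password hash
table senders file:/etc/mail/senders        # user -> addresses allowed as sender

# Public MX on port 25: STARTTLS offered, no SMTPAUTH, and the client's
# address withheld from the Received header.
listen on egress port 25 tls pki mail.example.org mask-src tag "mx"

# Submission on 587: TLS must be established before any transaction,
# authentication is mandatory, the authenticated user may only use the
# sender addresses listed for it and the From header is rewritten to
# match; received-auth records who authenticated.
listen on egress port 587 tls-require pki mail.example.org \
    auth <creds> senders <senders> masquerade received-auth tag "submission"

# Implicit TLS on the default SMTPS port 465 (cannot be combined with tls).
listen on egress smtps pki mail.example.org auth <creds> tag "submission"

# Loopback without TLS, and the default Unix socket for the local enqueuer.
listen on lo0
listen on socket mask-src
```

       Keeping auth off the port 25 listener means credentials are only ever
       presented on listeners where tls-require or smtps guarantees they are
       sent over an encrypted channel; the tags let the match rules treat
       the two kinds of session differently.
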
       match options action name
             If at least one mail envelope matches the options of one match
             action directive, receive the incoming message, put a copy into
             each matching envelope, and atomically save the envelopes to the
             mail spool for later processing by the respective dispatcher
             name.

             The following matching options are supported and can all be
             negated:

             [!] for any
                     Specify that session may address any destination.

             [!] for local
                     Specify that session may address any local domain.  This
                     is the default, and may be omitted.

             [!] for domain domain | <domain>
                     Specify that session may address the string or list table
                     domain.

             [!] for domain regex domain | <domain>
                     Specify that session may address the regex or regex table
                     domain.

             [!] from any
                     Specify that session may originate from any source.

             [!] from local
                     Specify that session may only originate from a local IP
                     address, or from the local enqueuer.  This is the
                     default, and may be omitted.

             [!] from rdns
                     Specify that session may only originate from an IP
                     address that resolves to a reverse DNS.

             [!] from rdns hostname | <hostname>
                     Specify that session may only originate from an IP
                     address that resolves to a reverse DNS matching string or
                     list string hostname.

             [!] from rdns regex hostname | <hostname>
                     Specify that session may only originate from an IP
                     address that resolves to a reverse DNS matching regex or
                     list regex hostname.

             [!] from socket
                     Specify that session may only originate from the local
                     enqueuer.

             [!] from src address | <address>
                     Specify that session may only originate from string or
                     list table address which can be a specific address or a
                     subnet expressed in CIDR-notation.

             [!] from src regex address | <address>
                     Specify that session may only originate from regex or
                     regex table address which can be a specific address or a
                     subnet expressed in CIDR-notation.

             In addition, the following transaction options are supported:

             [!] auth
                     Matches transactions which have been authenticated.

             [!] helo helo-name | <helo-name>
                     Specify that session's HELO / EHLO should match the
                     string or list table helo-name.

             [!] helo regex helo-name | <helo-name>
                     Specify that session's HELO / EHLO should match the regex
                     or regex table helo-name.

             [!] mail-from sender | <sender>
                     Specify that transaction's MAIL FROM should match the
                     string or list table sender.

             [!] mail-from regex sender | <sender>
                     Specify that transaction's MAIL FROM should match the
                     regex or regex table sender.

             [!] rcpt-to recipient | <recipient>
                     Specify that transaction's RCPT TO should match the
                     string or list table recipient.

             [!] rcpt-to regex recipient | <recipient>
                     Specify that transaction's RCPT TO should match the regex
                     or regex table recipient.

             [!] tag tag
                     Matches transactions tagged with the given tag.

             [!] tag regex tag
                     Matches transactions tagged with the given tag regex.

             [!] tls
                     Specify that transaction should take place in a TLS
                     channel.

       match options reject
             Reject the incoming message during the SMTP dialogue.  The same
             options are supported as for the match action directive.

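       The following rule set is an added example and is not part of the
       original manual page.  It illustrates first-match evaluation: an
       explicit reject, the inbound rules for the host's own domains, and
       the outbound rules restricted to authenticated or trusted sources,
       with the implicit rejection of everything else.  The domains, the
       subnet, the tag and the action names are assumptions, and the actions
       ``local_users'' and ``outbound'' are assumed to be declared by earlier
       action directives.

```conf
# Added example, not part of the original manual page.  The domains,
# subnet, tag and action names are assumptions; "local_users" and
# "outbound" are assumed to be declared by earlier action directives.
table domains file:/etc/mail/domains    # domains this host is final MX for
table blocked file:/etc/mail/blocked    # envelope senders to refuse

# Rules are evaluated in order and the first match wins, so explicit
# rejections and the most specific rules come first; an envelope that
# matches no rule at all is rejected.

# Refuse listed envelope senders during the SMTP dialogue, whatever the
# destination.
match from any mail-from <blocked> reject

# Inbound: anyone may deliver to our own domains; local processes may
# deliver to local users.
match from any for domain <domains> action "local_users"
match from local for local action "local_users"

# Outbound: only authenticated sessions on the submission listener, hosts
# on the trusted subnet, and the local enqueuer may relay anywhere.
match tag "submission" auth from any for any action "outbound"
match from src 10.0.0.0/8 for any action "outbound"
match from local for any action "outbound"

# Anything else, e.g. an unauthenticated client on port 25 naming a
# foreign recipient, matches nothing and is rejected.
```

       Swapping the order of the reject rule and the ``for domain'' rule
       would let blocked senders reach local mailboxes, since the envelope
       would already have matched the earlier accept rule.
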
       mda wrapper name command
             Associate command with the mail delivery agent wrapper named
             name.  When a local delivery specifies a wrapper, the command
             associated with the wrapper will be executed instead.  The
             command may contain format specifiers (see FORMAT SPECIFIERS).

       mta max-deferred number
             When delivery to a given host is suspended due to temporary
             failures, cache at most number envelopes for that host such that
             they can be delivered as soon as another delivery succeeds to
             that host.  The default is 100.

       pki pkiname cert certfile
             Associate certificate file certfile with host pkiname, and use
             that file to prove the identity of the mail server to clients.
             pkiname is the server's name, derived from the default hostname
             or set using either /etc/opensmtpd/mailname or using the hostname
             directive.  If a fallback certificate or SNI is wanted, the `*'
             wildcard may be used as pkiname.

             A certificate chain may be created by appending one or many
             certificates, including a Certificate Authority certificate, to
             certfile.  The creation of certificates is documented in
             starttls(8).

       pki pkiname key keyfile
             Associate the key located in keyfile with host pkiname.

       pki pkiname dhe params
             Specify the DHE parameters to use for DHE cipher suites with host
             pkiname.  Valid parameter values are none, legacy, and auto.  For
             legacy, a fixed key length of 1024 bits is used, whereas for
             auto, the key length is determined automatically.  The default
             is none, which disables DHE cipher suites.

       proc proc-name command
             Register an external process named proc-name from command.  Such
             processes may be used to share the same instance between
             multiple filters.  If command starts with a slash it is executed
             with an absolute path, else it will be run from
             ``/usr/local/libexec/smtpd/''.

       queue compression
             Store queue files in a compressed format.  This may be useful to
             save disk space.

       queue encryption [key]
             Encrypt queue files with EVP_aes_256_gcm(3).  If no key is
             specified, it is read with getpass(3).  If the string stdin or a
             single dash (`-') is given instead of a key, the key is read from
             the standard input.

       queue ttl delay
             Set the default expiration time for temporarily undeliverable
             messages, given as a positive decimal integer followed by a unit
             s, m, h, or d.  The default is four days (4d).

       smtp ciphers control
             Set the control string for SSL_CTX_set_cipher_list(3).  The
             default is ``HIGH:!aNULL:!MD5''.

       smtp limit max-mails count
             Limit the number of messages to count for each session.  The
             default is 100.

       smtp limit max-rcpt count
             Limit the number of recipients to count for each transaction.
             The default is 1000.

       smtp max-message-size size
             Reject messages larger than size, given as a positive number of
             bytes or as a string to be parsed with scan_scaled(3).  The
             default is
797                   Qq 35M.
798
799             smtp sub-addr-delim character
800                   When resolving the local part of a local email address, ignore the ASCII
801                   character
802                   and all characters following it.
803                   The default is
804                   Ql +.
805
806             srs key secret
807                   Set the secret key to use for SRS,
808                   the Sender Rewriting Scheme.
809
810             srs key backup secret
811                   Set a backup secret key to use as a fallback for SRS.
812                   This can be used to implement SRS key rotation.
813
814             srs ttl delay
815                   Set the time-to-live delay for SRS envelopes.
816                   After this delay,
817                   a bounce reply to the SRS address will be discarded to limit risks of forged addresses.
818                   The default is four days
819                   (4d.)
820
821             table name [type:] pathname
822                   Tables provide additional configuration information for
823                   smtpd(8)
824                   in the form of lists or key-value mappings.
825                   The format of the entries depends on what the table is used for.
826                   Refer to
827                   table(5)
828                   for the exhaustive documentation.
829
830            Each table is identified by an arbitrary, unique
831            name.
832
833            If the
834            type
835            is
836            db,
837            information is stored in a file created with
838            makemap(8);
839            if it is
840            file
841            or omitted, information is stored in a plain text file
842            using the format described in
843            table(5).
844            The
845            pathname
846            to the file must be absolute.
847
848             table name {value [, ...]}
849                   Instead of using a separate file, declare a list table
850                   containing the given static
851                   value s.
852                   The table must contain at least one value and may declare multiple values as a
853                   comma-separated (whitespace optional) list.
854
855             table name {key=value [, ...]}
856                   Instead of using a separate file, declare a mapping table
857                   containing the given static
858                   key -value
859                   pairs.
860                   The table must contain at least one key-value pair and may declare
861                   multiple pairs as a comma-separated (whitespace optional) list.
862
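       The value syntaxes used by the directives above (delays such as 4d for
       queue ttl and srs ttl, sizes such as 35M for smtp max-message-size, and
       the counts for smtp limit), parsed in Python as an added example that is
       not part of this manual and not OpenSMTPD code.  It assumes a
       simplified scan_scaled(3)-style suffix table (K, M, G, T with 1024
       multipliers), applies the defaults stated above when a directive is
       absent, and works on a few constructed directive lines.

```python
"""Parse the delay and size values used by queue ttl, srs ttl and
smtp max-message-size, and collect the smtp limit counts, applying the
defaults stated in smtpd.conf(5) when a directive is absent.
Added example, not OpenSMTPD code."""
import re

# Delay units named in the manual: seconds, minutes, hours, days.
_DELAY_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Assumed, simplified scan_scaled(3)-style suffixes with 1024 multipliers.
_SIZE_UNITS = {"": 1, "B": 1, "K": 1024, "M": 1024 ** 2,
               "G": 1024 ** 3, "T": 1024 ** 4}


def parse_delay(text):
    """Return seconds for '<positive decimal integer><s|m|h|d>'."""
    m = re.fullmatch(r"([0-9]+)([smhd])", text.strip())
    if m is None:
        raise ValueError(f"bad delay {text!r}: expected e.g. 4d, 12h, 30m")
    n = int(m.group(1))
    if n <= 0:
        raise ValueError(f"bad delay {text!r}: must be positive")
    return n * _DELAY_UNITS[m.group(2)]


def parse_size(text):
    """Return bytes for a plain positive integer or an integer with a
    K/M/G/T suffix (case-insensitive, as scan_scaled(3) accepts)."""
    m = re.fullmatch(r"([0-9]+)([bBkKmMgGtT]?)", text.strip())
    if m is None:
        raise ValueError(f"bad size {text!r}: expected e.g. 35M or 1048576")
    n = int(m.group(1))
    if n <= 0:
        raise ValueError(f"bad size {text!r}: must be positive")
    return n * _SIZE_UNITS[m.group(2).upper()]


def parse_limits(lines):
    """Read the size/time/count directives from smtpd.conf lines and return
    them in seconds, bytes and counts, with the manual's defaults filled in."""
    limits = {
        "queue ttl": parse_delay("4d"),
        "srs ttl": parse_delay("4d"),
        "smtp max-message-size": parse_size("35M"),
        "smtp limit max-mails": 100,
        "smtp limit max-rcpt": 1000,
    }
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # a comment runs to end of line
        if not line:
            continue
        words = line.split()
        key, value = " ".join(words[:-1]), words[-1]
        if key in ("queue ttl", "srs ttl"):
            limits[key] = parse_delay(value)
        elif key == "smtp max-message-size":
            limits[key] = parse_size(value)
        elif key in ("smtp limit max-mails", "smtp limit max-rcpt"):
            count = int(value)
            if count <= 0:
                raise ValueError(f"{key}: count must be positive")
            limits[key] = count
        # any other directive is outside this example and is skipped
    return limits


# Constructed sample lines, not taken from a real configuration.
SAMPLE = [
    "queue ttl 2d            # give up on a message after two days",
    "smtp max-message-size 10M",
    "smtp limit max-rcpt 50",
]

if __name__ == "__main__":
    for key, value in parse_limits(SAMPLE).items():
        print(f"{key}: {value}")
```

       Rejecting zero, unknown units and bare numbers for delays mirrors the
       manual's "positive decimal integer followed by a unit" wording; a
       setting that silently parsed as 0 would expire queued mail immediately.
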
BUILTIN FILTERING
       In a regular workflow, smtpd(8) may accept or reject a message based
       only on the content of envelopes.  Its decisions are about the handling
       of the message, not about the handling of an active session.

       Filtering extends the decision making process by allowing smtpd(8) to
       stop at each phase of an SMTP session, check that conditions are met,
       then decide if a session is allowed to move forward.

       With filtering, a session may be interrupted at any phase before an
       envelope is complete.  A message may also be rejected after being
       submitted, regardless of whether the envelope was accepted or not.

       The following phases are currently supported:

            connect      upon connection, before a banner is displayed
            helo         after the HELO command is submitted
            ehlo         after the EHLO command is submitted
            mail-from    after the MAIL FROM command is submitted
            rcpt-to      after the RCPT TO command is submitted
            data         after the DATA command is submitted
            commit       after the message is fully submitted

       At each phase, multiple criteria may be checked:

            fcrdns                forward-confirmed reverse DNS is valid
            rdns                  session has a reverse DNS
            rdns <table>          session has a reverse DNS in table
            src <table>           source address is in table
            helo <table>          helo name is in table
            mail-from <table>     sender address is in table
            rcpt-to <table>       recipient address is in table

       All criteria from previous phases are available to subsequent phases,
       so while the helo criterion is not available before the helo or ehlo
       phase, the fcrdns criterion is available in all phases.

       Criteria may all be negated by prefixing them with an exclamation
       mark:

            ! fcrdns              forward-confirmed reverse DNS is invalid

       Any criterion using a table may indicate that the table holds regular
       expressions by prefixing the table name with the keyword regex:

            helo regex <table>    helo name matches a regex in table

       Finally, four decisions may be taken:

            disconnect message    the session is disconnected with message
            junk                  the session or transaction is junked
            reject message        the command is rejected with message
            rewrite value         the command parameter is rewritten with
                                  value

       Decisions that involve a message require that the message be RFC
       valid, meaning that it must start with either a 4xx or a 5xx status
       code.  Decisions can be taken at any phase, however junking can only
       happen before a message is committed.

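       The phase, criteria and decision model described above, as an added
       Python example that is not part of this manual, not OpenSMTPD code and
       not the smtpd.conf filter syntax: rules and sessions are this example's
       own dictionaries, a criterion is accepted only from the phase at which
       the manual says it becomes known, negation and regex tables are applied
       as described, and the two constraints at the end of the section (a 4xx
       or 5xx reply code for disconnect and reject, no junking at commit) are
       enforced when a rule is built.  The rule set and sessions are
       constructed for illustration.

```python
"""Model of the built-in filtering decision process: which criteria are
known at which phase, negation, regex tables and the four decisions.
Added example, not OpenSMTPD code; the rule and session structures are
this example's own and are not the smtpd.conf filter syntax."""
import re

PHASES = ["connect", "helo", "ehlo", "mail-from", "rcpt-to", "data", "commit"]

# Phase at which each criterion is first known; criteria from earlier phases
# stay available in every later phase.
CRITERION_PHASE = {
    "fcrdns": "connect", "rdns": "connect", "src": "connect",
    "helo": "helo", "mail-from": "mail-from", "rcpt-to": "rcpt-to",
}
DECISIONS = ("disconnect", "junk", "reject", "rewrite")


def rule(phase, criterion, decision, negate=False, table=None, regex=False):
    """Build one rule and enforce the constraints stated in the manual."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    if criterion not in CRITERION_PHASE:
        raise ValueError(f"unknown criterion {criterion!r}")
    if PHASES.index(phase) < PHASES.index(CRITERION_PHASE[criterion]):
        raise ValueError(f"{criterion} is not available at phase {phase}")
    if criterion not in ("fcrdns", "rdns") and table is None:
        raise ValueError(f"{criterion} needs a table")
    kind = decision[0]
    if kind not in DECISIONS:
        raise ValueError(f"unknown decision {kind!r}")
    # disconnect/reject carry an SMTP reply that must start with 4xx or 5xx
    # (the manual's "RFC valid"; only the status code is checked here).
    if kind in ("disconnect", "reject") and not re.fullmatch(
            r"[45][0-9]{2}( .*)?", decision[1]):
        raise ValueError("message must start with a 4xx or 5xx status code")
    if kind == "junk" and phase == "commit":
        raise ValueError("junking is only possible before the message is committed")
    return {"phase": phase, "criterion": criterion, "negate": negate,
            "table": table, "regex": regex, "decision": decision}


def criterion_holds(r, session):
    """Evaluate a rule's criterion against the facts observed so far.
    `session` maps criterion names to values: fcrdns is a bool, rdns is the
    reverse name or None, src/helo/mail-from/rcpt-to are strings."""
    name = r["criterion"]
    value = session.get(name)
    if name == "fcrdns":
        hit = bool(value)
    elif r["table"] is None:            # bare rdns: any reverse name at all
        hit = value is not None
    elif value is None:
        hit = False
    elif r["regex"]:                    # table holds regular expressions
        hit = any(re.search(pat, value) for pat in r["table"])
    else:                               # table holds literal entries
        hit = value in r["table"]
    return (not hit) if r["negate"] else hit


def decide(rules, session, phase):
    """Return the decision of the first rule for `phase` whose criterion
    holds, or None when the session may move on to the next phase."""
    for r in rules:
        if r["phase"] == phase and criterion_holds(r, session):
            return r["decision"]
    return None


# Constructed rule set, not taken from a real deployment.
RULES = [
    rule("connect", "fcrdns", ("disconnect", "550 no forward-confirmed rDNS"),
         negate=True),
    rule("helo", "helo", ("reject", "550 HELO must be a hostname"),
         table=[r"^\[?[0-9]+(\.[0-9]+){3}\]?$"], regex=True),
    rule("rcpt-to", "rcpt-to", ("junk",), table=["spamtrap@example.org"]),
]

if __name__ == "__main__":
    # Constructed session: facts accumulate as the phases advance.
    session = {"fcrdns": True, "rdns": "mx.example.net", "src": "192.0.2.10"}
    print(decide(RULES, session, "connect"))   # None: session moves on
    session["helo"] = "[192.0.2.10]"
    print(decide(RULES, session, "helo"))      # ('reject', '550 HELO must be a hostname')
```

       Building the availability check into rule() is the point of the model:
       a rule that consults helo at the connect phase, a junk decision at
       commit, or a 2xx reply on a reject are all configuration mistakes that
       are cheaper to catch when the rules are loaded than in production.
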
FORMAT SPECIFIERS
       Some configuration directives support expansion of their parameters at
       runtime.  Such directives (for example action maildir, action mda) may
       use format specifiers which are expanded before delivery or relaying.
       The following formats are currently supported:

            %{sender}           sender email address, may be empty string
            %{sender.user}      user part of the sender email address, may be
                                empty
            %{sender.domain}    domain part of the sender email address, may
                                be empty
            %{rcpt}             recipient email address
            %{rcpt.user}        user part of the recipient email address
            %{rcpt.domain}      domain part of the recipient email address
            %{dest}             recipient email address after expansion
            %{dest.user}        user part after expansion
            %{dest.domain}      domain part after expansion
            %{user.username}    local user
            %{user.directory}   home directory of the local user
            %{mbox.from}        name used in mbox From separator lines
            %{mda}              mda command, only available for mda wrappers

       Expansion formats also support partial expansion using the optional
       bracket notation with substring offsets.  For example, with recipient
       domain ``example.org'':

            %{rcpt.domain[0]}       expands to ``e''
            %{rcpt.domain[1]}       expands to ``x''
            %{rcpt.domain[8:]}      expands to ``org''
            %{rcpt.domain[-3:]}     expands to ``org''
            %{rcpt.domain[0:6]}     expands to ``example''
            %{rcpt.domain[0:-4]}    expands to ``example''

       In addition, modifiers may be applied to the token.  For example, with
       recipient ``User+Tag@Example.org'':

            %{rcpt:lowercase}         expands to ``user+tag@example.org''
            %{rcpt:uppercase}         expands to ``USER+TAG@EXAMPLE.ORG''
            %{rcpt:strip}             expands to ``User@Example.org''
            %{rcpt:lowercase|strip}   expands to ``user@example.org''

       For security reasons, expanded values are sanitized and potentially
       dangerous characters are replaced with `:'.  In situations where they
       are desirable, the ``raw'' modifier may be applied.  For example, with
       recipient ``user+t?g@example.org'':

            %{rcpt}         expands to ``user+t:g@example.org''
            %{rcpt:raw}     expands to ``user+t?g@example.org''
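
       The expansion rules above, carried through on constructed values as an
       added Python example that is not part of this manual and is not
       OpenSMTPD's own expander.  Three points are this example's assumptions
       rather than statements of the manual: modifiers are applied first, then
       offsets, then sanitization; a non-negative end offset is inclusive and a
       negative one is exclusive, which is inferred from the [0:6] and [0:-4]
       examples both yielding ``example''; and the sanitizer's allow-list of
       characters is this example's own choice, since the manual names only
       the replacement character.

```python
"""Expansion of %{token[offsets]:modifiers} format specifiers on constructed
sender/recipient values.  Added example, not OpenSMTPD code."""
import re

# %{token[start:end]:mod1|mod2}; offsets and modifiers are optional.
_SPEC = re.compile(
    r"%\{([a-z.]+)(?:\[(-?[0-9]+)?(:)?(-?[0-9]+)?\])?(?::([a-z|]+))?\}")

# Assumed allow-list for the sanitizer; anything else becomes ':' unless the
# raw modifier is used.  The manual names only the replacement character.
_UNSAFE = re.compile(r"[^A-Za-z0-9@._+=/-]")


def _lookup(name, env):
    """Resolve a token against the constructed envelope `env`; the .user and
    .domain sub-tokens are derived by splitting the address at '@'."""
    if name in env:
        return env[name]
    base, _, part = name.partition(".")
    if part in ("user", "domain") and base in env:
        user, _, domain = env[base].partition("@")
        return user if part == "user" else domain
    raise KeyError(f"unknown format token {name!r}")


def _substring(value, start, colon, end):
    """Apply the [n] / [start:end] notation.  Inferred from the manual's
    examples: a non-negative end is inclusive, a negative end counts from the
    end of the string and is exclusive.  Out-of-range offsets are an error."""
    n = len(value)
    if start is None and colon is None and end is None:
        return value
    if colon is None:                       # [n]: a single character
        i = int(start)
        if not -n <= i < n:
            raise ValueError(f"index {i} outside {value!r}")
        return value[i]
    b = int(start) if start is not None else 0
    if b < 0:
        b += n
    if end is None:
        e = n
    else:
        e = int(end)
        e = e + n if e < 0 else e + 1
    if not 0 <= b < e <= n:
        raise ValueError(f"offsets [{start}:{end}] outside {value!r}")
    return value[b:e]


def _strip(value, delim):
    """Remove the sub-address: everything from `delim` up to the '@', or to
    the end when the value has no domain part (e.g. rcpt.user)."""
    local, at, domain = value.partition("@")
    return local.split(delim, 1)[0] + at + domain


def expand(template, env, delim="+"):
    """Expand every %{...} specifier in `template` from the values in `env`.
    `delim` mirrors the smtp sub-addr-delim setting (default '+')."""
    def repl(m):
        name, start, colon, end, mods = m.groups()
        value = _lookup(name, env)
        raw = False
        for mod in (mods.split("|") if mods else []):
            if mod == "lowercase":
                value = value.lower()
            elif mod == "uppercase":
                value = value.upper()
            elif mod == "strip":
                value = _strip(value, delim)
            elif mod == "raw":
                raw = True
            else:
                raise ValueError(f"unknown modifier {mod!r}")
        value = _substring(value, start, colon, end)
        # Sanitize last (assumed ordering) so that offsets and modifiers
        # cannot reintroduce characters the allow-list rejects.
        return value if raw else _UNSAFE.sub(":", value)
    return _SPEC.sub(repl, template)


if __name__ == "__main__":
    # Constructed envelope; a maildir-style path built from it shows why the
    # lowercase and strip modifiers matter before a value reaches a path.
    env = {"rcpt": "User+Tag@Example.org", "user.directory": "/home/bob"}
    print(expand("%{user.directory}/Maildir/%{rcpt.user:lowercase|strip}", env))
```
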

FILES
            /etc/opensmtpd/smtpd.conf
                  Default smtpd(8) configuration file.

            /etc/opensmtpd/mailname
                  If this file exists, the first line is used as the server
                  name.  Otherwise, the server name is derived from the local
                  hostname returned by gethostname(3), either directly if it
                  is a fully qualified domain name, or by retrieving the
                  associated canonical name through getaddrinfo(3).

            /var/run/smtpd.sock
                  Unix domain socket for incoming SMTP connections.

            /var/spool/smtpd/
                  Spool directories for mail during processing.

EXAMPLES
       The default smtpd.conf file which ships with OpenBSD listens on the
       loopback network interface (lo0) and allows for mail from users and
       daemons on the local machine, as well as permitting email to remote
       servers.  Some more complex configurations are given below.

       This first example is the same as the default configuration, but all
       outgoing mail is forwarded to a remote SMTP server.  A secrets file is
       needed to specify a username and password:
           # touch /etc/opensmtpd/secrets
           # chmod 640 /etc/opensmtpd/secrets
           # chown root:_smtpd /etc/opensmtpd/secrets
           # echo "bob username:password" > /etc/opensmtpd/secrets

       smtpd.conf would look like this:
           table aliases file:/etc/opensmtpd/aliases
           table secrets file:/etc/opensmtpd/secrets
           listen on lo0
           action "local_mail" mbox alias <aliases>
           action "outbound" relay host smtp+tls://bob@smtp.example.com \
                auth <secrets>
           match for local action "local_mail"
           match for any action "outbound"

       In this second example, the aim is to permit mail delivery and
       relaying only for users that can authenticate (using their normal
       login credentials).  An RSA certificate must be provided to prove the
       server's identity.  The mail server listens on all interfaces the
       default routes point to.  Mail with a local destination is sent to an
       external MDA.  First, the RSA certificate is created:
           # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
           # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
                -out /etc/ssl/mail.example.com.crt -days 365
           # chmod 600 /etc/ssl/mail.example.com.crt
           # chmod 600 /etc/ssl/private/mail.example.com.key

       In the example above, a certificate valid for one year was created.
       The configuration file would look like this:
           pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
           pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
           table aliases file:/etc/opensmtpd/aliases
           listen on lo0
           listen on egress tls pki mail.example.com auth
           action mda_with_aliases mda "/path/to/mda -f -" alias <aliases>
           action mda_without_aliases mda "/path/to/mda -f -"
           action "outbound" relay
           match for local action mda_with_aliases
           match from any for domain example.com action mda_without_aliases
           match for any action "outbound"
           match auth from any for any action "outbound"

       For sites that wish to sign messages using DKIM, the dkimproxy package
       may be used as a filter.  The following example is the same as the
       default configuration, but all outgoing mail is passed to dkimproxy_out
       on port 10027 for signing.  The signed messages are received on port
       10028 and tagged for relaying.
           table aliases file:/etc/opensmtpd/aliases
           listen on lo0
           listen on lo0 port 10028 tag DKIM
           action "local_mail" mbox alias <aliases>
           action "outbound" relay
           action "relay_dkim" relay host smtp://127.0.0.1:10027
           match for local action "local_mail"
           match tag DKIM for any action "outbound"
           match for any action "relay_dkim"

       Sites that accept non-local messages may be able to cut down on the
       volume of spam received by rejecting forged messages that claim to be
       from the local domain.  The following example uses a list table
       other-relays to specify the IP addresses of relays that may
       legitimately originate mail with the owner's domain as the sender.
           table aliases file:/etc/opensmtpd/aliases
           table other-relays file:/etc/opensmtpd/other-relays
           listen on lo0
           listen on egress
           action "local_mail" mbox alias <aliases>
           action "outbound" relay
           match for local action "local_mail"
           match for any action "outbound"
           match !from src <other-relays> mail-from "@example.com" for any \
                 reject
           match from any for domain example.com action "local_mail"

SEE ALSO
       mailer.conf(5), table(5), makemap(8), smtpd(8)

HISTORY
       smtpd(8) first appeared in OpenBSD 4.6.



                       $Mdocdate: September 20 2019 $           SMTPD.CONF(5)