SMTPD.CONF(5)                 File Formats Manual                SMTPD.CONF(5)

NAME
    smtpd.conf - Simple Mail Transfer Protocol daemon configuration file

DESCRIPTION
    smtpd.conf is the configuration file for the mail daemon smtpd(8).

    When mail arrives, each ``RCPT TO:'' command generates a mail envelope.
    If an envelope matches any of a pre-designated set of criteria (using
    the match directive), the message is accepted for delivery. A copy of
    the message, as well as its associated envelopes, is saved in the mail
    queue and later dispatched according to an associated set of actions
    (using the action directive). If an envelope does not match any
    options, it is rejected. The match rules are evaluated sequentially,
    with the first match winning.

    The format of the configuration file is fairly flexible. The current
    line can be extended over multiple lines using a backslash ('\').
    Comments can be put anywhere in the file using a hash mark ('#'), and
    extend to the end of the current line. Care should be taken when
    commenting out multi-line text: the comment is effective until the end
    of the entire block. Argument names not beginning with a letter, digit,
    or underscore, as well as reserved words (such as listen, match, and
    port), must be quoted. Arguments containing whitespace should be
    surrounded by double quotes ('"').

    Macros can be defined that are later expanded in context. Macro names
    must start with a letter, digit, or underscore, and may contain any of
    those characters, but may not be reserved words. Macros are not
    expanded inside quotes. For example:

        lan_addr = "192.168.0.1"
        listen on $lan_addr
        listen on $lan_addr tls auth

    The syntax of smtpd.conf is described below.

    action name method [options]
        When the queue runner processes an envelope from the mail queue,
        it carries out the action name, selected by the match ... action
        directive when the message was received. The action directive
        provides configuration data for delivery attempts. Required
        lookups are performed at the time of each delivery attempt.
        Consequently, changing an action directive or the files it
        references and restarting the smtpd(8) daemon causes the changes
        to take effect for subsequent delivery attempts for the
        respective dispatcher name, even for messages that were already
        stuck in the queue prior to the configuration changes.

        The delivery method parameter may be one of the following:

        expand-only
            Only accept the message if a delivery method was specified in
            an aliases or .forward file.

        forward-only
            Only accept the message if the recipient results in a remote
            address after the processing of aliases or forward file.

        lmtp destination [rcpt-to]
            Deliver the message to an LMTP server at destination. The
            location may be expressed as host:port or as a UNIX socket.

            Optionally, rcpt-to might be specified to use the recipient
            email address (after expansion) instead of the local user in
            the LMTP session as RCPT TO.

        maildir [pathname [junk]]
            Deliver the message to the maildir in pathname if specified,
            or by default to ~/Maildir.

            The pathname may contain format specifiers that are expanded
            before use (see FORMAT SPECIFIERS).

            If the junk argument is provided, the message will be moved
            to the Junk folder if it contains a positive X-Spam header.
            This folder will be created under pathname if it does not yet
            exist.

        mbox
            Deliver the message to the user's mbox with mail.local(8).

        mda command
            Delegate the delivery to a command that receives the message
            on its standard input.

            The command may contain format specifiers that are expanded
            before use (see FORMAT SPECIFIERS).

        relay
            Relay the message to another SMTP server.

        The local delivery methods support additional options:

        alias <table>
            Use the mapping table for aliases(5) expansion.

        ttl n{s | m | h | d}
            Specify how long a message may remain in the queue.

        user username
            Specify the username for performing the delivery, to be
            looked up with getpwnam(3).

            This is used for virtual hosting where a single username is
            in charge of handling delivery for all virtual users.

            This option is not usable with the mbox delivery method.

        userbase <table>
            Use the mapping table for user lookups instead of the
            getpwnam(3) function.

            The userbase does not apply for the user option.

        virtual <table>
            Use the mapping table for virtual expansion. The aliasing
            table format is described in table(5).

        wrapper name
            Use the wrapper specified in mda wrapper.

        The relay delivery method also supports additional options:

        backup
            Operate as a backup mail exchanger delivering messages to any
            mail exchanger with higher priority.

        backup mx name
            Operate as a backup mail exchanger delivering messages to any
            mail exchanger with higher priority than the mail exchanger
            identified as name.

        helo heloname
            Advertise heloname as the hostname to other mail exchangers
            during the HELO phase.

        helo-src <table>
            Use the mapping table to look up a hostname matching the
            source address, to advertise during the HELO phase.

        domain <domains>
            Do not perform MX lookups but look up the destination domain
            in domains and use the matching relay url as relay host.

        host relay-url
            Do not perform MX lookups but relay messages to the relay
            host described by relay-url. The format for relay-url is
            [proto://[label@]]host[:port]. The following protocols are
            available:

            smtp        Normal SMTP session with opportunistic STARTTLS
                        (the default).

            smtp+tls    Normal SMTP session with mandatory STARTTLS.

            smtp+notls  Plain text SMTP session without TLS.

            lmtp        LMTP session. port is required.

            smtps       SMTP session with forced TLS on connection,
                        default port is 465.

            Unless noted, port defaults to 25.

            The label corresponds to an entry in a credentials table, as
            documented in table(5). It is used with the ``smtp+tls'' and
            ``smtps'' protocols for authentication. Server certificates
            for those protocols are verified by default.
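
            The relay-url grammar and the per-protocol defaults just listed
            (25 unless noted, 465 for smtps, a mandatory port for lmtp) are
            easy to get wrong in a hand-written configuration. The following
            parser is an added example and not code from smtpd(8): the
            RelayUrl type, parse_relay_url(), is_valid_relay_url() and the
            table of defaults are this example's own, written to reflect the
            text above.

```python
"""Parse the relay-url form [proto://[label@]]host[:port] accepted by the
``host'' relay option and apply the defaults documented above.  Added
example, not smtpd(8) code: RelayUrl, parse_relay_url and the table of
protocol defaults are this example's own."""
from dataclasses import dataclass
from typing import Optional

# Default port per protocol as documented: smtps defaults to 465, lmtp has
# no default (an explicit port is required), everything else defaults to 25.
DEFAULT_PORT = {"smtp": 25, "smtp+tls": 25, "smtp+notls": 25,
                "smtps": 465, "lmtp": None}
# Protocols that use the label for authentication; their server
# certificates are verified by default.
TLS_AUTH_PROTOCOLS = {"smtp+tls", "smtps"}


@dataclass(frozen=True)
class RelayUrl:
    proto: str
    label: Optional[str]
    host: str
    port: int

    @property
    def uses_credentials(self) -> bool:
        """True when a label is present on a protocol that authenticates."""
        return self.label is not None and self.proto in TLS_AUTH_PROTOCOLS

    @property
    def verifies_server_cert(self) -> bool:
        return self.proto in TLS_AUTH_PROTOCOLS


def parse_relay_url(url: str) -> RelayUrl:
    """Split a relay-url into protocol, label, host and port.

    Raises ValueError for an unknown protocol, an empty label or host,
    a malformed port, or an lmtp url without an explicit port."""
    proto, rest = "smtp", url
    if "://" in url:
        proto, rest = url.split("://", 1)
    if proto not in DEFAULT_PORT:
        raise ValueError(f"unknown relay protocol: {proto!r}")

    label = None
    if "@" in rest:
        label, rest = rest.rsplit("@", 1)
        if not label:
            raise ValueError("empty label before '@'")

    host, port = rest, DEFAULT_PORT[proto]
    if ":" in rest:
        host, port_text = rest.rsplit(":", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"invalid port: {port_text!r}")
        port = int(port_text)
    if not host:
        raise ValueError("missing relay host")
    if port is None:
        raise ValueError("lmtp relay-url requires an explicit port")
    return RelayUrl(proto, label, host, port)


def is_valid_relay_url(url: str) -> bool:
    """Convenience wrapper for configuration checks."""
    try:
        parse_relay_url(url)
        return True
    except ValueError:
        return False
```

            A bare hostname parses as smtp on port 25; a label on a plain
            smtp url is kept but does not count as credentials, matching
            the statement that the label is used with smtp+tls and smtps.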
248
249 pki pkiname
250 For secure connections,
251 use the certificate associated with
252 pkiname
253 (declared in a
254 pki
255 directive)
256 to prove the client's identity to the remote mail server.
257
258 srs When relaying a mail resulting from a forward,
259 use the Sender Rewriting Scheme to rewrite sender address.
260
261 tls [no-verify]
262 Require TLS to be used when relaying, using mandatory STARTTLS by default.
263 When used with a smarthost, the protocol must not be
264 ``smtp+notls://''.
265 If
266 no-verify
267 is specified, do not require a valid certificate.
268
269 auth Pf < table >
270 Use the mapping
271 table
272 for connecting to
273 relay-url
274 using credentials.
275 This option is usable only with
276 host
277 option.
278 The credential table format is described in
279 table(5).
280
281 mail-from mailaddr
282 Use
283 mailaddr
284 as the MAIL FROM address within the SMTP transaction.
285
286 src sourceaddr | Pf < sourceaddr >
287 Use the string or list table
288 sourceaddr
289 for the source IP address,
290 which is useful on machines with multiple interfaces.
291 If the list contains more than one address, all of them are used
292 in such a way that traffic is routed as efficiently as possible.
293
294 admd authservid
295 The Administrative Management Domain this mailserver belongs to.
296 The authservid will be forwarded to filters using it to identify or mark
297 authentication-results headers.
298 If omitted it defaults to the server name.
299
    bounce warn-interval delay [, delay ...]
        Send warning messages to the envelope sender when temporary
        delivery failures cause a message to remain on the queue for
        longer than delay. Each delay parameter consists of a positive
        decimal integer and a unit s, m, h, or d. At most four delay
        parameters can be specified. The default is ``bounce
        warn-interval 4h'', sending a single warning after four hours.

    ca caname cert cafile
        Associate the Certificate Authority (CA) certificate file cafile
        with host caname, and use that file as the CA certificate for
        that host. caname is the server's name, derived from the default
        hostname or set using either /etc/opensmtpd/mailname or the
        hostname directive.

    filter chain-name chain {filter-name [, ...]}
        Register a chain of filters chain-name, consisting of the filters
        listed from filter-name. Filters that are part of a filter chain
        are executed in order of declaration for each phase that they are
        registered for. A filter chain may be used in place of a filter
        for any directive but filter chains themselves.

    filter filter-name phase phase-name match conditions decision
        Register a filter filter-name. A decision about what to do with
        the mail is taken at phase phase-name when matching conditions.
        Phases, matching conditions, and decisions are described in MAIL
        FILTERING, below.

    filter filter-name proc proc-name
        Register ``proc'' filter filter-name backed by the proc-name
        process.

    filter filter-name proc-exec command
        Register and execute ``proc'' filter filter-name from command.
        If command starts with a slash it is executed with an absolute
        path, else it will be run from ``/usr/libexec/opensmtpd''.

    include "pathname"
        Replace this directive with the content of the additional
        configuration file at the absolute pathname.

    listen on interface [family] [options]
        Listen on the interface for incoming connections, using the same
        syntax as for ifconfig(8). The interface parameter may also be an
        interface group, an IP address, or a domain name. Listening can
        optionally be restricted to a specific address family, which can
        be either inet4 or inet6.

        The options are as follows:

        auth [<authtable>]
            Support SMTPAUTH: clients may only start SMTP transactions
            after successful authentication. Users are authenticated
            against either their own normal login credentials or a
            credentials table authtable, the format of which is described
            in table(5).

        auth-optional [<authtable>]
            Support SMTPAUTH optionally: clients need not authenticate,
            but may do so. This allows a listen on directive to both
            accept incoming mail from untrusted senders and permit
            outgoing mail from authenticated users (using match auth).
            It can be used in situations where it is not possible to
            listen on a separate port (usually the submission port, 587)
            for users to authenticate.

        ca caname
            For secure connections, use the CA certificate associated
            with caname (declared in a ca directive) as the CA
            certificate when verifying client certificates.

        filter name
            Apply filter name on connections handled by this listener.

        hostname hostname
            Use hostname in the greeting banner instead of the default
            server name.

        hostnames <names>
            Override the server name for specific addresses. The names
            table contains a mapping of IP addresses to hostnames. If the
            address on which the connection arrives appears in the
            mapping, the associated hostname is used.

        mask-src
            Omit the from part when prepending ``Received'' headers.

        no-dsn
            Disable the DSN (Delivery Status Notification) extension.

        pki pkiname
            For secure connections, use the certificate associated with
            pkiname (declared in a pki directive) to prove a mail
            server's identity.

        port [port]
            Listen on the given port instead of the default port 25.

        proxy-v2
            Support the PROXYv2 protocol, rewriting the source address
            received from the proxy appropriately.

        received-auth
            In ``Received'' headers, report whether the session was
            authenticated and by which local user.

        senders <users> [masquerade]
            Look up the authenticated user in the users mapping table to
            find the email addresses that user is allowed to submit mail
            as. In addition, if the masquerade option is provided, the
            From header is rewritten to match the sender provided in the
            SMTP session.

        smtps
            Support SMTPS, by default on port 465. Mutually exclusive
            with tls.

        tag tag
            Clients connecting to the listener are tagged with the given
            tag.

        tls
            Support STARTTLS, by default on port 25. Mutually exclusive
            with smtps.

        tls-require [verify]
            Like tls, but force clients to establish a secure connection
            before being allowed to start an SMTP transaction. With the
            verify option, clients must also provide a valid certificate
            to establish an SMTP session.

    listen on socket [options]
        Listen for incoming SMTP connections on the Unix domain socket
        /var/run/smtpd.sock. This is done by default, even if the
        directive is absent.

        The options are as follows:

        filter name
            Apply filter name on connections handled by this listener.

        mask-src
            Omit the from part when prepending ``Received'' headers.

        tag tag
            Clients connecting to the listener are tagged with the given
            tag.

    match options action name
        If at least one mail envelope matches the options of one match
        action directive, receive the incoming message, put a copy into
        each matching envelope, and atomically save the envelopes to the
        mail spool for later processing by the respective dispatcher
        name.

        The following matching options are supported and can all be
        negated:

        [!] for any
            Specify that the session may address any destination.

        [!] for local
            Specify that the session may address any local domain. This
            is the default, and may be omitted.

        [!] for domain domain | <domain>
            Specify that the session may address the string or list
            table domain.

        [!] for domain regex domain | <domain>
            Specify that the session may address the regex or regex
            table domain.

        [!] for rcpt-to recipient | <recipient>
            Specify that the session may address the string or list
            table recipient.

        [!] for rcpt-to regex recipient | <recipient>
            Specify that the session may address the regex or regex
            table recipient.

        [!] from any
            Specify that the session may originate from any source.

        [!] from auth
            Specify that the session may originate from any
            authenticated user, no matter the source IP address.

        [!] from auth user | <user>
            Specify that the session may originate from the
            authenticated user or user list user, no matter the source
            IP address.

        [!] from auth regex user | <user>
            Specify that the session may originate from an authenticated
            user matching the regex or regex list user, no matter the
            source IP address.

        [!] from local
            Specify that the session may only originate from a local IP
            address, or from the local enqueuer. This is the default,
            and may be omitted.

        [!] from mail-from sender | <sender>
            Specify that the session may originate from the sender or
            sender list sender, no matter the source IP address.

        [!] from mail-from regex sender | <sender>
            Specify that the session may originate from a sender
            matching the regex or regex list sender, no matter the
            source IP address.

        [!] from rdns
            Specify that the session may only originate from an IP
            address that resolves to a reverse DNS.

        [!] from rdns hostname | <hostname>
            Specify that the session may only originate from an IP
            address that resolves to a reverse DNS matching the string
            or list table hostname.

        [!] from rdns regex hostname | <hostname>
            Specify that the session may only originate from an IP
            address that resolves to a reverse DNS matching the regex or
            regex list hostname.

        [!] from socket
            Specify that the session may only originate from the local
            enqueuer.

        [!] from src address | <address>
            Specify that the session may only originate from the string
            or list table address, which can be a specific address or a
            subnet expressed in CIDR notation.

        [!] from src regex address | <address>
            Specify that the session may only originate from an address
            matching the regex or regex table address, which can be a
            specific address or a subnet expressed in CIDR notation.

        In addition, the following transaction options are supported:

        [!] auth
            Matches transactions which have been authenticated.

        [!] auth username | <username>
            Matches transactions which have been authenticated for the
            user or user list username.

        [!] auth regex username | <username>
            Matches transactions which have been authenticated for a
            user matching the regex or regex list username.

        [!] helo helo-name | <helo-name>
            Specify that the session's HELO / EHLO should match the
            string or list table helo-name.

        [!] helo regex helo-name | <helo-name>
            Specify that the session's HELO / EHLO should match the
            regex or regex table helo-name.

        [!] mail-from sender | <sender>
            Specify that the transaction's MAIL FROM should match the
            string or list table sender.

        [!] mail-from regex sender | <sender>
            Specify that the transaction's MAIL FROM should match the
            regex or regex table sender.

        [!] rcpt-to recipient | <recipient>
            Specify that the transaction's RCPT TO should match the
            string or list table recipient.

        [!] rcpt-to regex recipient | <recipient>
            Specify that the transaction's RCPT TO should match the
            regex or regex table recipient.

        [!] tag tag
            Matches transactions tagged with the given tag.

        [!] tag regex tag
            Matches transactions tagged with a tag matching the given
            regex.

        [!] tls
            Specify that the transaction should take place in a TLS
            channel.

    match options reject
        Reject the incoming message during the SMTP dialogue. The same
        options are supported as for the match action directive.

    mda wrapper name command
        Associate command with the mail delivery agent wrapper named
        name. When a local delivery specifies a wrapper, the command
        associated with the wrapper will be executed instead. The command
        may contain format specifiers (see FORMAT SPECIFIERS).

    mta max-deferred number
        When delivery to a given host is suspended due to temporary
        failures, cache at most number envelopes for that host such that
        they can be delivered as soon as another delivery succeeds to
        that host. The default is 100.

    pki pkiname cert certfile
        Associate certificate file certfile with host pkiname, and use
        that file to prove the identity of the mail server to clients.
        pkiname is the server's name, derived from the default hostname
        or set using either /etc/opensmtpd/mailname or the hostname
        directive. If a fallback certificate or SNI is wanted, the '*'
        wildcard may be used as pkiname.

        A certificate chain may be created by appending one or many
        certificates, including a Certificate Authority certificate, to
        certfile. The creation of certificates is documented in
        starttls(8).

    pki pkiname key keyfile
        Associate the key located in keyfile with host pkiname.

    pki pkiname dhe params
        Specify the DHE parameters to use for DHE cipher suites with host
        pkiname. Valid parameter values are none, legacy, and auto. For
        legacy, a fixed key length of 1024 bits is used, whereas for
        auto, the key length is determined automatically. The default is
        none, which disables DHE cipher suites.

    proc proc-name command
        Register an external process named proc-name from command. Such
        processes may be used to share the same instance between multiple
        filters. If command starts with a slash it is executed with an
        absolute path, else it will be run from
        ``/usr/libexec/opensmtpd''.

    queue compression
        Store queue files in a compressed format. This may be useful to
        save disk space.

    queue encryption [key]
        Encrypt queue files with EVP_aes_256_gcm(3). If no key is
        specified, it is read with getpass(3). If the string stdin or a
        single dash ('-') is given instead of a key, the key is read from
        the standard input.

    queue ttl delay
        Set the default expiration time for temporarily undeliverable
        messages, given as a positive decimal integer followed by a unit
        s, m, h, or d. The default is four days (4d).

    smtp ciphers control
        Set the control string for SSL_CTX_set_cipher_list(3). The
        default is ``HIGH:!aNULL:!MD5''.

    smtp limit max-mails count
        Limit the number of messages to count for each session. The
        default is 100.

    smtp limit max-rcpt count
        Limit the number of recipients to count for each transaction.
        The default is 1000.

    smtp max-message-size size
        Reject messages larger than size, given as a positive number of
        bytes or as a string to be parsed with scan_scaled(3). The
        default is ``35M''.

    smtp sub-addr-delim character
        When resolving the local part of a local email address, ignore
        the ASCII character and all characters following it. The default
        is '+'.

    srs key secret
        Set the secret key to use for SRS, the Sender Rewriting Scheme.

    srs key backup secret
        Set a backup secret key to use as a fallback for SRS. This can be
        used to implement SRS key rotation.

    srs ttl delay
        Set the time-to-live delay for SRS envelopes. After this delay, a
        bounce reply to the SRS address will be discarded to limit the
        risk of forged addresses. The default is four days (4d).

    table name [type:] pathname
        Tables provide additional configuration information for smtpd(8)
        in the form of lists or key-value mappings. The format of the
        entries depends on what the table is used for. Refer to table(5)
        for the exhaustive documentation.

        Each table is identified by an arbitrary, unique name.

        If the type is db, information is stored in a file created with
        makemap(8); if it is file or omitted, information is stored in a
        plain text file using the format described in table(5). The
        pathname to the file must be absolute.

    table name {value [, ...]}
        Instead of using a separate file, declare a list table
        containing the given static values. The table must contain at
        least one value and may declare multiple values as a
        comma-separated (whitespace optional) list.

    table name {key=value [, ...]}
        Instead of using a separate file, declare a mapping table
        containing the given static key-value pairs. The table must
        contain at least one key-value pair and may declare multiple
        pairs as a comma-separated (whitespace optional) list.

MAIL FILTERING
    In a regular workflow, smtpd(8) may accept or reject a message based
    only on the content of envelopes. Its decisions are about the
    handling of the message, not about the handling of an active session.

    Filtering extends the decision making process by allowing smtpd(8) to
    stop at each phase of an SMTP session, check that conditions are met,
    then decide if a session is allowed to move forward.

    With filtering, a session may be interrupted at any phase before an
    envelope is complete. A message may also be rejected after being
    submitted, regardless of whether the envelope was accepted or not.

    The following phases are currently supported:

    connect      upon connection, before a banner is displayed
    helo         after the HELO command is submitted
    ehlo         after the EHLO command is submitted
    mail-from    after the MAIL FROM command is submitted
    rcpt-to      after the RCPT TO command is submitted
    data         after the DATA command is submitted
    commit       after the message is fully submitted

    At each phase, various conditions may be matched. The fcrdns, rdns,
    and src data are available in all phases, but other data must have
    been already submitted before they are available.

    fcrdns              forward-confirmed reverse DNS is valid
    rdns                session has a reverse DNS
    rdns <table>        session has a reverse DNS in table
    src <table>         source address is in table
    helo <table>        helo name is in table
    auth                session is authenticated
    auth <table>        session username is in table
    mail-from <table>   sender address is in table
    rcpt-to <table>     recipient address is in table

    These conditions may all be negated by prefixing them with an
    exclamation mark:

    !fcrdns             forward-confirmed reverse DNS is invalid

    Any condition using a table may indicate that the table holds
    regexes by prefixing the table name with the keyword regex.

    helo regex <table>  helo name matches a regex in table

    Finally, a number of decisions may be taken:

    bypass               the session or transaction bypasses filters
    disconnect message   the session is disconnected with message
    junk                 the session or transaction is junked, i.e., an
                         'X-Spam: yes' header is added to any messages
    reject message       the command is rejected with message
    rewrite value        the command parameter is rewritten with value

    Decisions that involve a message require that the message be RFC
    valid, meaning that it must start with either a 4xx or 5xx status
    code. Decisions can be taken at any phase, though junking can only
    happen before a message is committed.

FORMAT SPECIFIERS
    Some configuration directives support expansion of their parameters at
    runtime. Such directives (for example action maildir, action mda) may
    use format specifiers which are expanded before delivery or relaying.
    The following formats are currently supported:

    %{sender}           sender email address, may be empty string
    %{sender.user}      user part of the sender email address, may be
                        empty
    %{sender.domain}    domain part of the sender email address, may be
                        empty
    %{rcpt}             recipient email address
    %{rcpt.user}        user part of the recipient email address
    %{rcpt.domain}      domain part of the recipient email address
    %{dest}             recipient email address after expansion
    %{dest.user}        user part after expansion
    %{dest.domain}      domain part after expansion
    %{user.username}    local user
    %{user.directory}   home directory of the local user
    %{mbox.from}        name used in mbox From separator lines
    %{mda}              mda command, only available for mda wrappers

    Expansion formats also support partial expansion using the optional
    bracket notations with substring offset. For example, with recipient
    domain ``example.org'':

    %{rcpt.domain[0]}       expands to ``e''
    %{rcpt.domain[1]}       expands to ``x''
    %{rcpt.domain[8:]}      expands to ``org''
    %{rcpt.domain[-3:]}     expands to ``org''
    %{rcpt.domain[0:6]}     expands to ``example''
    %{rcpt.domain[0:-4]}    expands to ``example''

    In addition, modifiers may be applied to the token. For example, with
    recipient ``User+Tag@Example.org'':

    %{rcpt:lowercase}         expands to ``user+tag@example.org''
    %{rcpt:uppercase}         expands to ``USER+TAG@EXAMPLE.ORG''
    %{rcpt:strip}             expands to ``User@Example.org''
    %{rcpt:lowercase|strip}   expands to ``user@example.org''

    For security concerns, expanded values are sanitized and potentially
    dangerous characters are replaced with ':'. In situations where they
    are desirable, the ``raw'' modifier may be applied. For example, with
    recipient ``user+t?g@example.org'':

    %{rcpt}        expands to ``user+t:g@example.org''
    %{rcpt:raw}    expands to ``user+t?g@example.org''

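    Because expanded values end up in maildir paths and mda command lines,
    the substring, modifier and sanitisation rules above decide what an
    attacker-controlled recipient address can turn into. The following
    expander is an added example and not smtpd(8)'s own code: it
    reproduces the results shown in the examples above, but the exact
    offset semantics (inclusive when non-negative, Python-slice-like when
    the end offset is negative) and the set of characters that survive
    sanitisation are inferred from those examples rather than taken from
    the smtpd source, and envelope_tokens() builds its token table from
    constructed sample data.

```python
"""Expand the %{token[offsets]:modifiers} format specifiers documented above,
reproducing the substring, modifier and sanitisation results shown in the
examples.  Added example, not smtpd(8) code: the offset semantics and the
set of characters that survive sanitisation are inferred from the page's
examples, not taken from the smtpd source, and envelope_tokens() builds a
token table from constructed sample data."""
import re

# %{token}, %{token[sub]}, %{token:mods} and %{token[sub]:mods}
SPEC_RE = re.compile(
    r"%\{(?P<tok>[a-z.]+)(?:\[(?P<sub>[^\]]*)\])?(?::(?P<mods>[a-z|]+))?\}")

# Assumption: besides ASCII letters and digits, only these characters are
# left untouched by sanitisation (the page shows '+', '@' and '.' surviving
# and '?' being replaced); everything else becomes ':'.
SAFE_CHARS = set("@._-+")
SUB_ADDR_DELIM = "+"   # default of ``smtp sub-addr-delim''


def substring(value: str, spec: str) -> str:
    """Apply a [n] or [beg:end] offset.  Inferred from the examples: offsets
    are inclusive when non-negative, while a negative end counts back from
    the end like a Python slice ([0:6] and [0:-4] both give "example")."""
    if ":" not in spec:
        i = int(spec)
        return value[i:i + 1] if i >= 0 else value[i:][:1]
    beg_s, end_s = spec.split(":", 1)
    beg = int(beg_s) if beg_s else 0
    if not end_s:
        return value[beg:]
    end = int(end_s)
    return value[beg:end + 1] if end >= 0 else value[beg:end]


def apply_modifiers(value: str, mods: str) -> tuple[str, bool]:
    """Apply '|'-separated modifiers in order; returns (value, raw)."""
    raw = False
    for mod in filter(None, mods.split("|")):
        if mod == "lowercase":
            value = value.lower()
        elif mod == "uppercase":
            value = value.upper()
        elif mod == "strip":
            # drop the sub-address: everything from the delimiter to the '@'
            user, at, domain = value.partition("@")
            value = user.split(SUB_ADDR_DELIM, 1)[0] + at + domain
        elif mod == "raw":
            raw = True
        else:
            raise ValueError(f"unknown modifier: {mod!r}")
    return value, raw


def sanitize(value: str) -> str:
    """Replace every character outside the allow-list with ':'."""
    return "".join(c if (c.isascii() and c.isalnum()) or c in SAFE_CHARS
                   else ":" for c in value)


def envelope_tokens(sender: str, rcpt: str, dest: str,
                    username: str, home: str) -> dict[str, str]:
    """Token table for one envelope (constructed sample data in the tests)."""
    tokens = {"sender": sender, "rcpt": rcpt, "dest": dest,
              "user.username": username, "user.directory": home}
    for name in ("sender", "rcpt", "dest"):
        user, _, domain = tokens[name].partition("@")
        tokens[name + ".user"], tokens[name + ".domain"] = user, domain
    return tokens


def expand(fmt: str, tokens: dict[str, str]) -> str:
    """Expand every specifier in fmt; values are sanitised unless 'raw'."""
    def repl(m: re.Match) -> str:
        tok = m.group("tok")
        if tok not in tokens:
            raise ValueError(f"unknown format token: {tok!r}")
        value = tokens[tok]
        if m.group("sub") is not None:
            value = substring(value, m.group("sub"))
        value, raw = apply_modifiers(value, m.group("mods") or "")
        return value if raw else sanitize(value)
    return SPEC_RE.sub(repl, fmt)
```

    Note that sanitisation applies to the expanded value only, never to
    the literal parts of the format string, so a path template such as
    "/home/vmail/%{rcpt.domain:lowercase}/%{rcpt.user:lowercase|strip}/"
    keeps its slashes while any slash inside the address is replaced.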
FILES
    /etc/opensmtpd/smtpd.conf
        Default smtpd(8) configuration file.

    /etc/opensmtpd/mailname
        If this file exists, the first line is used as the server name.
        Otherwise, the server name is derived from the local hostname
        returned by gethostname(3), either directly if it is a fully
        qualified domain name, or by retrieving the associated canonical
        name through getaddrinfo(3).

    /var/run/smtpd.sock
        Unix domain socket for incoming SMTP connections.

    /var/spool/smtpd/
        Spool directories for mail during processing.

EXAMPLES
    The default smtpd.conf file which ships with OpenBSD listens on the
    loopback network interface (lo0) and allows for mail from users and
    daemons on the local machine, as well as permitting email to remote
    servers. Some more complex configurations are given below.

    This first example is the same as the default configuration, but all
    outgoing mail is forwarded to a remote SMTP server. A secrets file is
    needed to specify a username and password:

        # touch /etc/opensmtpd/secrets
        # chmod 640 /etc/opensmtpd/secrets
        # chown root:_smtpd /etc/opensmtpd/secrets
        # echo "bob username:password" > /etc/opensmtpd/secrets

    smtpd.conf would look like this:

        table aliases file:/etc/opensmtpd/aliases
        table secrets file:/etc/opensmtpd/secrets
        listen on lo0
        action "local_mail" mbox alias <aliases>
        action "outbound" relay host smtp+tls://bob@smtp.example.com \
            auth <secrets>
        match from local for local action "local_mail"
        match from local for any action "outbound"

    In this second example, the aim is to permit mail delivery and
    relaying only for users that can authenticate (using their normal
    login credentials). An RSA certificate must be provided to prove the
    server's identity. The mail server listens on all interfaces the
    default routes point to. Mail with a local destination is sent to an
    external MDA. First, the RSA certificate is created:

        # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
        # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
            -out /etc/ssl/mail.example.com.crt -days 365
        # chmod 600 /etc/ssl/mail.example.com.crt
        # chmod 600 /etc/ssl/private/mail.example.com.key

    In the example above, a certificate valid for one year was created.
    The configuration file would look like this:

        pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
        pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
        table aliases file:/etc/opensmtpd/aliases
        listen on lo0
        listen on egress tls pki mail.example.com auth
        action mda_with_aliases mda "/path/to/mda -f -" alias <aliases>
        action mda_without_aliases mda "/path/to/mda -f -"
        action "outbound" relay
        match for local action mda_with_aliases
        match from any for domain example.com action mda_without_aliases
        match for any action "outbound"
        match auth from any for any action "outbound"

    For sites that wish to sign messages using DKIM, the following
    example uses opensmtpd-filter-dkimsign for DKIM signing:

        table aliases file:/etc/opensmtpd/aliases
        filter "dkimsign" proc-exec "filter-dkimsign -d <domain> -s <selector> \
            -k /etc/opensmtpd/dkim/private.key" user _dkimsign group _dkimsign
        listen on socket filter "dkimsign"
        listen on lo0 filter "dkimsign"
        action "local_mail" mbox alias <aliases>
        action "outbound" relay
        match for local action "local_mail"
        match for any action "outbound"

    Alternatively, the opensmtpd-filter-rspamd package may be used to
    provide integration with rspamd, a third-party daemon which provides
    multiple antispam features as well as DKIM signing. As well as
    configuring rspamd itself, it requires use of the proc-exec keyword:

        filter "rspamd" proc-exec "filter-rspamd"

    Sites that accept non-local messages may be able to cut down on the
    volume of spam received by rejecting forged messages that claim to be
    from the local domain. The following example uses a list table
    other-relays to specify the IP addresses of relays that may
    legitimately originate mail with the owner's domain as the sender.

        table aliases file:/etc/opensmtpd/aliases
        table other-relays file:/etc/opensmtpd/other-relays
        listen on lo0
        listen on egress
        action "local_mail" mbox alias <aliases>
        action "outbound" relay
        match for local action "local_mail"
        match for any action "outbound"
        match !from src <other-relays> mail-from "@example.com" for any \
            reject
        match from any for domain example.com action "local_mail"

SEE ALSO
    mailer.conf(5), table(5), makemap(8), smtpd(8)

HISTORY
    smtpd(8) first appeared in OpenBSD 4.6.

                              September 23, 2020                  SMTPD.CONF(5)