SMTPD.CONF(5)                 File Formats Manual                SMTPD.CONF(5)

NAME

       smtpd.conf - Simple Mail Transfer Protocol daemon configuration file

DESCRIPTION

       smtpd.conf is the configuration file for the mail daemon smtpd(8).

       When mail arrives, each ``RCPT TO:'' command generates a mail
       envelope.  If an envelope matches any of a pre-designated set of
       criteria (using the match directive), the message is accepted for
       delivery.  A copy of the message, as well as its associated
       envelopes, is saved in the mail queue and later dispatched according
       to an associated set of actions (using the action directive).  If an
       envelope does not match any options, it is rejected.  The match rules
       are evaluated sequentially, with the first match winning.

       The format of the configuration file is fairly flexible.  The current
       line can be extended over multiple lines using a backslash ('\').
       Comments can be put anywhere in the file using a hash mark ('#') and
       extend to the end of the current line.  Care should be taken when
       commenting out multi-line text: the comment is effective until the
       end of the entire block.  Argument names not beginning with a letter,
       digit, or underscore, as well as reserved words (such as listen,
       match, and port), must be quoted.  Arguments containing whitespace
       should be surrounded by double quotes (").

       Macros can be defined that are later expanded in context.  Macro names
       must start with a letter, digit, or underscore, and may contain any of
       those characters, but may not be reserved words.  Macros are not
       expanded inside quotes.  For example:

           lan_addr = "192.168.0.1"
           listen on $lan_addr
           listen on $lan_addr tls auth

       The syntax of smtpd.conf is described below.

     action name method [options]
             When the queue runner processes an envelope from the mail queue,
             it carries out the action name, selected by the match ... action
             directive when the message was received.  The action directive
             provides configuration data for delivery attempts.  Required
             lookups are performed at the time of each delivery attempt.
             Consequently, changing an action directive or the files it
             references and restarting the smtpd(8) daemon causes the changes
             to take effect for subsequent delivery attempts for the
             respective dispatcher name, even for messages that were already
             stuck in the queue prior to the configuration changes.

             The delivery method parameter may be one of the following:

             expand-only
                     Only accept the message if a delivery method was
                     specified in an aliases or .forward file.

             forward-only
                     Only accept the message if the recipient results in a
                     remote address after the processing of aliases or the
                     forward file.

             lmtp destination [rcpt-to]
                     Deliver the message to an LMTP server at destination.
                     The location may be expressed as host:port or as a UNIX
                     socket.

                     Optionally, rcpt-to might be specified to use the
                     recipient email address (after expansion) instead of the
                     local user in the LMTP session as RCPT TO.

             maildir [pathname [junk]]
                     Deliver the message to the maildir in pathname if
                     specified, or by default to ~/Maildir.

                     The pathname may contain format specifiers that are
                     expanded before use (see FORMAT SPECIFIERS).

                     If the junk argument is provided, the message will be
                     moved to the Junk folder if it contains a positive X-Spam
                     header.  This folder will be created under pathname if
                     it does not yet exist.

             mbox    Deliver the message to the user's mbox with mail.local(8).

             mda command
                     Delegate the delivery to a command that receives the
                     message on its standard input.

                     The command may contain format specifiers that are
                     expanded before use (see FORMAT SPECIFIERS).

             relay   Relay the message to another SMTP server.

             The local delivery methods support additional options:

             alias <table>
                     Use the mapping table for aliases(5) expansion.

             ttl n{s | m | h | d}
                     Specify how long a message may remain in the queue.

             user username
                     Specify the username for performing the delivery, to be
                     looked up with getpwnam(3).

                     This is used for virtual hosting where a single username
                     is in charge of handling delivery for all virtual users.

                     This option is not usable with the mbox delivery method.

             userbase <table>
                     Use the mapping table for user lookups instead of the
                     getpwnam(3) function.

                     The userbase does not apply for the user option.

             virtual <table>
                     Use the mapping table for virtual expansion.  The
                     aliasing table format is described in table(5).

             wrapper name
                     Use the wrapper specified in mda wrapper.

             The relay delivery methods also support additional options:

             backup  Operate as a backup mail exchanger delivering messages to
                     any mail exchanger with higher priority.

             backup mx name
                     Operate as a backup mail exchanger delivering messages to
                     any mail exchanger with higher priority than the mail
                     exchanger identified as name.

             helo heloname
                     Advertise heloname as the hostname to other mail
                     exchangers during the HELO phase.

             helo-src <table>
                     Use the mapping table to look up a hostname matching the
                     source address, to advertise during the HELO phase.

             domain <domains>
                     Do not perform MX lookups but look up the destination
                     domain in domains and use the matching relay url as the
                     relay host.

             host relay-url
                     Do not perform MX lookups but relay messages to the relay
                     host described by relay-url.  The format for relay-url
                     is [proto://[label@]]host[:port].  The following
                     protocols are available:

                     smtp    Normal SMTP session with opportunistic STARTTLS
                             (the default).

                     smtp+tls
                             Normal SMTP session with mandatory STARTTLS.

                     smtp+notls
                             Plain text SMTP session without TLS.

                     lmtp    LMTP session.  port is required.

                     smtps   SMTP session with forced TLS on connection,
                             default port is 465.

                     Unless noted, port defaults to 25.

                     The label corresponds to an entry in a credentials
                     table, as documented in table(5).  It is used with the
                     ``smtp+tls'' and ``smtps'' protocols for authentication.
                     Server certificates for those protocols are verified by
                     default.

             pki pkiname
                     For secure connections, use the certificate associated
                     with pkiname (declared in a pki directive) to prove the
                     client's identity to the remote mail server.

             srs     When relaying a mail resulting from a forward, use the
                     Sender Rewriting Scheme to rewrite the sender address.

             tls [no-verify]
                     Require TLS to be used when relaying, using mandatory
                     STARTTLS by default.  When used with a smarthost, the
                     protocol must not be ``smtp+notls://''.  If no-verify is
                     specified, do not require a valid certificate.

             auth <table>
                     Use the mapping table for connecting to relay-url using
                     credentials.  This option is usable only with the host
                     option.  The credential table format is described in
                     table(5).

             mail-from mailaddr
                     Use mailaddr as the MAIL FROM address within the SMTP
                     transaction.

             src sourceaddr | <sourceaddr>
                     Use the string or list table sourceaddr for the source IP
                     address, which is useful on machines with multiple
                     interfaces.  If the list contains more than one address,
                     all of them are used in such a way that traffic is routed
                     as efficiently as possible.

     admd authservid
             The Administrative Management Domain this mail server belongs to.
             The authservid will be forwarded to filters using it to identify
             or mark authentication-results headers.  If omitted it defaults
             to the server name.

     bounce warn-interval delay [, delay ...]
             Send warning messages to the envelope sender when temporary
             delivery failures cause a message to remain on the queue for
             longer than delay.  Each delay parameter consists of a positive
             decimal integer and a unit s, m, h, or d.  At most four delay
             parameters can be specified.  The default is "bounce
             warn-interval 4h", sending a single warning after four hours.

     ca caname cert cafile
             Associate the Certificate Authority (CA) certificate file cafile
             with host caname, and use that file as the CA certificate for
             that host.  caname is the server's name, derived from the default
             hostname or set using either /etc/opensmtpd/mailname or the
             hostname directive.

     filter chain-name chain {filter-name [, ...]}
             Register a chain of filters chain-name, consisting of the filters
             listed from filter-name.  Filters that are part of a filter chain
             are executed in order of declaration for each phase that they are
             registered for.  A filter chain may be used in place of a filter
             for any directive but filter chains themselves.

     filter filter-name phase phase-name match conditions decision
             Register a filter filter-name.  A decision about what to do with
             the mail is taken at phase phase-name when matching conditions.
             Phases, matching conditions, and decisions are described in MAIL
             FILTERING, below.

     filter filter-name proc proc-name
             Register "proc" filter filter-name backed by the proc-name
             process.

     filter filter-name proc-exec command
             Register and execute "proc" filter filter-name from command.  If
             command starts with a slash it is executed with an absolute path,
             else it will be run from ``/usr/libexec/opensmtpd''.

     include "pathname"
             Replace this directive with the content of the additional
             configuration file at the absolute pathname.

     listen on interface [family] [options]
             Listen on the interface for incoming connections, using the same
             syntax as for ifconfig(8).  The interface parameter may also be
             an interface group, an IP address, or a domain name.  Listening
             can optionally be restricted to a specific address family, which
             can be either inet4 or inet6.

             The options are as follows:

             auth [<authtable>]
                     Support SMTPAUTH: clients may only start SMTP
                     transactions after successful authentication.  Users are
                     authenticated against either their own normal login
                     credentials or a credentials table authtable, the format
                     of which is described in table(5).

             auth-optional [<authtable>]
                     Support SMTPAUTH optionally: clients need not
                     authenticate, but may do so.  This allows a listen on
                     directive to both accept incoming mail from untrusted
                     senders and permit outgoing mail from authenticated users
                     (using match auth).  It can be used in situations where
                     it is not possible to listen on a separate port (usually
                     the submission port, 587) for users to authenticate.

             ca caname
                     For secure connections, use the CA certificate associated
                     with caname (declared in a ca directive) as the CA
                     certificate when verifying client certificates.

             filter name
                     Apply filter name on connections handled by this
                     listener.

             hostname hostname
                     Use hostname in the greeting banner instead of the
                     default server name.

             hostnames <names>
                     Override the server name for specific addresses.  The
                     names table contains a mapping of IP addresses to
                     hostnames.  If the address on which the connection
                     arrives appears in the mapping, the associated hostname
                     is used.

             mask-src
                     Omit the from part when prepending ``Received'' headers.

             no-dsn  Disable the DSN (Delivery Status Notification)
                     extension.

             pki pkiname
                     For secure connections, use the certificate associated
                     with pkiname (declared in a pki directive) to prove a
                     mail server's identity.

             port [port]
                     Listen on the given port instead of the default port 25.

             proxy-v2
                     Support the PROXYv2 protocol, rewriting the source
                     address received from the proxy appropriately.

             received-auth
                     In ``Received'' headers, report whether the session was
                     authenticated and by which local user.

             senders <users> [masquerade]
                     Look up the authenticated user in the users mapping table
                     to find the email addresses that user is allowed to
                     submit mail as.  In addition, if the masquerade option is
                     provided, the From header is rewritten to match the
                     sender provided in the SMTP session.

             smtps   Support SMTPS, by default on port 465.  Mutually
                     exclusive with tls.

             tag tag
                     Clients connecting to the listener are tagged with the
                     given tag.

             tls     Support STARTTLS, by default on port 25.  Mutually
                     exclusive with smtps.

             tls-require [verify]
                     Like tls, but force clients to establish a secure
                     connection before being allowed to start an SMTP
                     transaction.  With the verify option, clients must also
                     provide a valid certificate to establish an SMTP session.

     listen on socket [options]
             Listen for incoming SMTP connections on the Unix domain socket
             /var/run/smtpd.sock.  This is done by default, even if the
             directive is absent.

             The options are as follows:

             filter name
                     Apply filter name on connections handled by this
                     listener.

             mask-src
                     Omit the from part when prepending ``Received'' headers.

             tag tag
                     Clients connecting to the listener are tagged with the
                     given tag.

     match options action name
             If at least one mail envelope matches the options of one match
             action directive, receive the incoming message, put a copy into
             each matching envelope, and atomically save the envelopes to the
             mail spool for later processing by the respective dispatcher
             name.

             The following matching options are supported and can all be
             negated:

             [!] for any
                     Specify that session may address any destination.

             [!] for local
                     Specify that session may address any local domain.  This
                     is the default, and may be omitted.

             [!] for domain domain | <domain>
                     Specify that session may address the string or list table
                     domain.

             [!] for domain regex domain | <domain>
                     Specify that session may address the regex or regex table
                     domain.

             [!] for rcpt-to recipient | <recipient>
                     Specify that session may address the string or list table
                     recipient.

             [!] for rcpt-to regex recipient | <recipient>
                     Specify that session may address the regex or regex table
                     recipient.

             [!] from any
                     Specify that session may originate from any source.

             [!] from auth
                     Specify that session may originate from any authenticated
                     user, no matter the source IP address.

             [!] from auth user | <user>
                     Specify that session may originate from authenticated
                     user or user list user, no matter the source IP address.

             [!] from auth regex user | <user>
                     Specify that session may originate from authenticated
                     regex or regex list user, no matter the source IP
                     address.

             [!] from local
                     Specify that session may only originate from a local IP
                     address, or from the local enqueuer.  This is the
                     default, and may be omitted.

             [!] from mail-from sender | <sender>
                     Specify that session may originate from sender or sender
                     list sender, no matter the source IP address.

             [!] from mail-from regex sender | <sender>
                     Specify that session may originate from regex or regex
                     list sender, no matter the source IP address.

             [!] from rdns
                     Specify that session may only originate from an IP
                     address that resolves to a reverse DNS.

             [!] from rdns hostname | <hostname>
                     Specify that session may only originate from an IP
                     address that resolves to a reverse DNS matching string
                     or list string hostname.

             [!] from rdns regex hostname | <hostname>
                     Specify that session may only originate from an IP
                     address that resolves to a reverse DNS matching regex or
                     list regex hostname.

             [!] from socket
                     Specify that session may only originate from the local
                     enqueuer.

             [!] from src address | <address>
                     Specify that session may only originate from string or
                     list table address, which can be a specific address or a
                     subnet expressed in CIDR notation.

             [!] from src regex address | <address>
                     Specify that session may only originate from regex or
                     regex table address, which can be a specific address or
                     a subnet expressed in CIDR notation.

             In addition, the following transaction options are supported:

             [!] auth
                     Matches transactions which have been authenticated.

             [!] auth username | <username>
                     Matches transactions which have been authenticated for
                     user or user list username.

             [!] auth regex username | <username>
                     Matches transactions which have been authenticated for
                     regex or regex list username.

             [!] helo helo-name | <helo-name>
                     Specify that the session's HELO / EHLO should match the
                     string or list table helo-name.

             [!] helo regex helo-name | <helo-name>
                     Specify that the session's HELO / EHLO should match the
                     regex or regex table helo-name.

             [!] mail-from sender | <sender>
                     Specify that the transaction's MAIL FROM should match the
                     string or list table sender.

             [!] mail-from regex sender | <sender>
                     Specify that the transaction's MAIL FROM should match the
                     regex or regex table sender.

             [!] rcpt-to recipient | <recipient>
                     Specify that the transaction's RCPT TO should match the
                     string or list table recipient.

             [!] rcpt-to regex recipient | <recipient>
                     Specify that the transaction's RCPT TO should match the
                     regex or regex table recipient.

             [!] tag tag
                     Matches transactions tagged with the given tag.

             [!] tag regex tag
                     Matches transactions tagged with the given tag regex.

             [!] tls
                     Specify that the transaction should take place in a TLS
                     channel.

     match options reject
             Reject the incoming message during the SMTP dialogue.  The same
             options are supported as for the match action directive.

            mda wrapper name command
                  Associate command with the mail delivery agent wrapper
                  named name.  When a local delivery specifies a wrapper, the
                  command associated with the wrapper will be executed
                  instead.  The command may contain format specifiers (see
                  FORMAT SPECIFIERS).

            mta max-deferred number
                  When delivery to a given host is suspended due to temporary
                  failures, cache at most number envelopes for that host such
                  that they can be delivered as soon as another delivery
                  succeeds to that host.  The default is 100.

            pki pkiname cert certfile
                  Associate certificate file certfile with host pkiname, and
                  use that file to prove the identity of the mail server to
                  clients.  pkiname is the server's name, derived from the
                  default hostname or set using either
                  /etc/opensmtpd/mailname or the hostname directive.  If a
                  fallback certificate or SNI is wanted, the `*' wildcard may
                  be used as pkiname.

                  A certificate chain may be created by appending one or many
                  certificates, including a Certificate Authority
                  certificate, to certfile.  The creation of certificates is
                  documented in starttls(8).

            pki pkiname key keyfile
                  Associate the key located in keyfile with host pkiname.

            pki pkiname dhe params
                  Specify the DHE parameters to use for DHE cipher suites
                  with host pkiname.  Valid parameter values are none,
                  legacy, and auto.  For legacy, a fixed key length of 1024
                  bits is used, whereas for auto, the key length is
                  determined automatically.  The default is none, which
                  disables DHE cipher suites.

            proc proc-name command
                  Register an external process named proc-name from command.
                  Such processes may be used to share the same instance
                  between multiple filters.  If command starts with a slash
                  it is executed with an absolute path, else it will be run
                  from ``/usr/libexec/opensmtpd''.

            queue compression
                  Store queue files in a compressed format.  This may be
                  useful to save disk space.

            queue encryption [key]
                  Encrypt queue files with EVP_aes_256_gcm(3).  If no key is
                  specified, it is read with getpass(3).  If the string stdin
                  or a single dash (`-') is given instead of a key, the key
                  is read from the standard input.

            queue ttl delay
                  Set the default expiration time for temporarily
                  undeliverable messages, given as a positive decimal integer
                  followed by a unit s, m, h, or d.  The default is four days
                  (4d).

            smtp ciphers control
                  Set the control string for SSL_CTX_set_cipher_list(3).  The
                  default is ``HIGH:!aNULL:!MD5''.

            smtp limit max-mails count
                  Limit the number of messages to count for each session.
                  The default is 100.

            smtp limit max-rcpt count
                  Limit the number of recipients to count for each
                  transaction.  The default is 1000.

            smtp max-message-size size
                  Reject messages larger than size, given as a positive
                  number of bytes or as a string to be parsed with
                  scan_scaled(3).  The default is ``35M''.

            smtp sub-addr-delim character
                  When resolving the local part of a local email address,
                  ignore the ASCII character and all characters following
                  it.  The default is `+'.

            srs key secret
                  Set the secret key to use for SRS, the Sender Rewriting
                  Scheme.

            srs key backup secret
                  Set a backup secret key to use as a fallback for SRS.  This
                  can be used to implement SRS key rotation.

            srs ttl delay
                  Set the time-to-live delay for SRS envelopes.  After this
                  delay, a bounce reply to the SRS address will be discarded
                  to limit the risk of forged addresses.  The default is four
                  days (4d).

            table name [type:] pathname
                  Tables provide additional configuration information for
                  smtpd(8) in the form of lists or key-value mappings.  The
                  format of the entries depends on what the table is used
                  for.  Refer to table(5) for the exhaustive documentation.

                  Each table is identified by an arbitrary, unique name.

                  If the type is db, information is stored in a file created
                  with makemap(8); if it is file or omitted, information is
                  stored in a plain text file using the format described in
                  table(5).  The pathname to the file must be absolute.

            table name {value [, ...]}
                  Instead of using a separate file, declare a list table
                  containing the given static values.  The table must
                  contain at least one value and may declare multiple values
                  as a comma-separated (whitespace optional) list.

            table name {key=value [, ...]}
                  Instead of using a separate file, declare a mapping table
                  containing the given static key-value pairs.  The table
                  must contain at least one key-value pair and may declare
                  multiple pairs as a comma-separated (whitespace optional)
                  list.

MAIL FILTERING
       In a regular workflow, smtpd(8) may accept or reject a message based
       only on the content of envelopes.  Its decisions are about the handling
       of the message, not about the handling of an active session.

       Filtering extends the decision making process by allowing smtpd(8) to
       stop at each phase of an SMTP session, check that conditions are met,
       then decide if a session is allowed to move forward.

       With filtering, a session may be interrupted at any phase before an
       envelope is complete.  A message may also be rejected after being
       submitted, regardless of whether the envelope was accepted or not.

       The following phases are currently supported:

            connect      upon connection, before a banner is displayed
            helo         after HELO command is submitted
            ehlo         after EHLO command is submitted
            mail-from    after MAIL FROM command is submitted
            rcpt-to      after RCPT TO command is submitted
            data         after DATA command is submitted
            commit       after message is fully submitted

       At each phase, various conditions may be matched.  The fcrdns, rdns,
       and src data are available in all phases, but other data must have been
       already submitted before they are available.

            fcrdns              forward-confirmed reverse DNS is valid
            rdns                session has a reverse DNS
            rdns <table>        session has a reverse DNS in table
            src <table>         source address is in table
            helo <table>        helo name is in table
            auth                session is authenticated
            auth <table>        session username is in table
            mail-from <table>   sender address is in table
            rcpt-to <table>     recipient address is in table

       These conditions may all be negated by prefixing them with an
       exclamation mark:

            !fcrdns             forward-confirmed reverse DNS is invalid

       Any condition using a table may indicate that the table holds regexes
       by prefixing the table name with the keyword regex:

            helo regex <table>  helo name matches a regex in table

       Finally, a number of decisions may be taken:

            bypass               the session or transaction bypasses filters
            disconnect message   the session is disconnected with message
            junk                 the session or transaction is junked, i.e.,
                                 an ``X-Spam: yes'' header is added to any
                                 messages
            reject message       the command is rejected with message
            rewrite value        the command parameter is rewritten with value

       Decisions that involve a message require that the message be RFC
       valid, meaning that it should start with either a 4xx or a 5xx status
       code.  Decisions can be taken at any phase, though junking can only
       happen before a message is committed.

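       The following is an added example, not smtpd's code: a small Python
       model of the phase-based evaluation described above, run over
       constructed tables, rules and sessions.  The phase from which auth is
       usable, the CIDR handling of src table entries, the table names and
       the rule set are assumptions of the model.

```python
import re
from ipaddress import ip_address, ip_network

PHASES = ["connect", "helo", "ehlo", "mail-from", "rcpt-to", "data", "commit"]
# Index of the earliest phase at which a condition's data exists: fcrdns, rdns
# and src from "connect" on, the rest once submitted (auth: an assumption).
AVAILABLE_FROM = {"fcrdns": 0, "rdns": 0, "src": 0, "helo": 1, "auth": 3,
                  "mail-from": 3, "rcpt-to": 4}

TRUSTED_SRC = ["192.0.2.0/24", "203.0.113.7"]           # constructed src table
BAD_HELO = [r"^\[?\d+\.\d+\.\d+\.\d+\]?$", r"\.local$"]  # constructed regex table

# Rules: (phase, negated, condition, table, regex, decision); first match decides.
RULES = [
    ("connect", False, "src", TRUSTED_SRC, False, ("bypass", None)),
    ("connect", True, "fcrdns", None, False, ("junk", None)),
    ("helo", False, "helo", BAD_HELO, True, ("reject", "550 invalid HELO name")),
    ("rcpt-to", True, "auth", None, False, ("reject", "530 authentication required")),
]

def check_condition(name, session, phase, table=None, regex=False):
    """One builtin condition at `phase`; None if its data is not submitted yet."""
    if PHASES.index(phase) < AVAILABLE_FROM[name]:
        return None
    value = session.get(name)
    if table is None:                  # fcrdns, rdns or auth without a table
        return bool(value)
    if value is None:
        return False
    if name == "src":                  # entries may be hosts or CIDR blocks
        return any(ip_address(value) in ip_network(e, strict=False) for e in table)
    if regex:                          # table holds regexes (regex keyword)
        return any(re.search(p, value) for p in table)
    return value in table

def validate_decision(decision, phase):
    """reject/disconnect need an RFC-valid 4xx or 5xx reply; junk only before commit."""
    kind, msg = decision
    if kind in ("reject", "disconnect") and not re.match(r"[45]\d\d ", msg or ""):
        raise ValueError(f"{kind} needs a 4xx/5xx reply, got {msg!r}")
    if kind == "junk" and phase == "commit":
        raise ValueError("junk cannot be decided at commit")

def run_session(rules, session):
    """Walk the phases; junk only marks the session, the rest end filtering."""
    junked = False
    for phase in PHASES:
        for _, negated, name, table, regex, decision in [r for r in rules if r[0] == phase]:
            result = check_condition(name, session, phase, table, regex)
            if result is None or result == negated:    # '!' flips the outcome
                continue
            validate_decision(decision, phase)
            if decision[0] == "junk":
                junked = True
            else:
                return junked, phase, decision
            break                                       # one decision per phase
    return junked, "commit", None

# Constructed sessions: forged HELO without FCrDNS, a trusted relay, a user.
SPAMMER = {"src": "198.51.100.9", "fcrdns": False, "helo": "[198.51.100.9]"}
RELAY = {"src": "192.0.2.10", "fcrdns": True, "helo": "relay.example.org"}
USER = {"src": "203.0.113.99", "fcrdns": True, "helo": "mail.example.net",
        "auth": "alice"}
```

       run_session(RULES, SPAMMER) junks the session at connect and rejects
       it at helo; the relay bypasses at connect; the authenticated user
       reaches commit with no decision.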
FORMAT SPECIFIERS
       Some configuration directives support expansion of their parameters at
       runtime.  Such directives (for example action maildir, action mda) may
       use format specifiers which are expanded before delivery or relaying.
       The following formats are currently supported:

            %{sender}           sender email address, may be empty string
            %{sender.user}      user part of the sender email address, may be
                                empty
            %{sender.domain}    domain part of the sender email address, may
                                be empty
            %{rcpt}             recipient email address
            %{rcpt.user}        user part of the recipient email address
            %{rcpt.domain}      domain part of the recipient email address
            %{dest}             recipient email address after expansion
            %{dest.user}        user part after expansion
            %{dest.domain}      domain part after expansion
            %{user.username}    local user
            %{user.directory}   home directory of the local user
            %{mbox.from}        name used in mbox From separator lines
            %{mda}              mda command, only available for mda wrappers

       Expansion formats also support partial expansion using the optional
       bracket notation with substring offsets.  For example, with recipient
       domain ``example.org'':

            %{rcpt.domain[0]}     expands to ``e''
            %{rcpt.domain[1]}     expands to ``x''
            %{rcpt.domain[8:]}    expands to ``org''
            %{rcpt.domain[-3:]}   expands to ``org''
            %{rcpt.domain[0:6]}   expands to ``example''
            %{rcpt.domain[0:-4]}  expands to ``example''

       In addition, modifiers may be applied to the token.  For example, with
       recipient ``User+Tag@Example.org'':

            %{rcpt:lowercase}        expands to ``user+tag@example.org''
            %{rcpt:uppercase}        expands to ``USER+TAG@EXAMPLE.ORG''
            %{rcpt:strip}            expands to ``User@Example.org''
            %{rcpt:lowercase|strip}  expands to ``user@example.org''

       For security concerns, expanded values are sanitized and potentially
       dangerous characters are replaced with `:'.  In situations where they
       are desirable, the ``raw'' modifier may be applied.  For example, with
       recipient ``user+t?g@example.org'':

            %{rcpt}      expands to ``user+t:g@example.org''
            %{rcpt:raw}  expands to ``user+t?g@example.org''
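
       The following is an added example, not smtpd's implementation: a
       Python expansion of the format specifiers, bracket offsets and
       modifiers documented above, checked against the page's own examples.
       The sanitizer's character set and the exact substring semantics are
       inferred from those examples and are assumptions, as is the envelope
       constructed at the end.

```python
import re

# Characters replaced with ':' unless raw is given.  The manual only says
# "potentially dangerous"; this set is an assumption matching its "t?g" example.
UNSAFE = set("!#$%&'*?^`{|}~\"\\;<>() \t\n")
# %{name}, %{name[a]}, %{name[a:b]}, %{name:mod|mod}, or bracket plus modifiers.
TOKEN = re.compile(r"%\{([a-z.]+)(?:\[(-?\d*)(:?)(-?\d*)\])?(?::([a-z|]+))?\}")

def envelope_values(envelope):
    """Token table from a constructed envelope dict; addresses get .user/.domain."""
    values = {}
    for key in ("sender", "rcpt", "dest"):
        addr = envelope.get(key, "")               # sender may be empty
        user, _, domain = addr.partition("@")
        values.update({key: addr, key + ".user": user, key + ".domain": domain})
    for key in ("user.username", "user.directory", "mbox.from", "mda"):
        if key in envelope:
            values[key] = envelope[key]
    return values

def substring(value, beg, colon, end):
    """Bracket notation as the manual's examples show it: [n] one character, [a:]
    from a on, [a:b] with b inclusive if non-negative, counted from the end if
    negative (inferred from the examples on the page, not from smtpd's source)."""
    b = int(beg) if beg else 0
    if not colon:
        return value[b:][:1]
    if end == "":
        return value[b:]
    e = int(end)
    return value[b:e + 1] if e >= 0 else value[b:e]

def strip_subaddr(addr, delim):
    """strip modifier: drop delim (smtp sub-addr-delim, '+') and what follows."""
    user, at, domain = addr.partition("@")
    return user.split(delim, 1)[0] + at + domain

def expand(fmt, envelope, delim="+"):
    """Expand every %{...} token in fmt against the envelope."""
    values = envelope_values(envelope)
    def repl(m):
        name, beg, colon, end, mods = m.groups()
        out, raw = values[name], False             # KeyError on unknown tokens
        if beg is not None:                        # bracket notation present
            out = substring(out, beg, colon, end)
        for mod in (mods.split("|") if mods else []):
            if mod == "lowercase":
                out = out.lower()
            elif mod == "uppercase":
                out = out.upper()
            elif mod == "strip":
                out = strip_subaddr(out, delim)
            elif mod == "raw":
                raw = True
            else:
                raise ValueError(f"unknown modifier {mod!r}")
        if not raw:                                # sanitize unless raw was asked
            out = "".join(":" if c in UNSAFE else c for c in out)
        return out
    return TOKEN.sub(repl, fmt)

# Constructed envelope, e.g. for "%{user.directory}/Maildir/%{rcpt:lowercase|strip}".
ENVELOPE = {"sender": "alice@example.net", "rcpt": "User+Tag@Example.org",
            "dest": "user@example.org", "user.username": "user",
            "user.directory": "/home/user"}
```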

FILES
            /etc/opensmtpd/smtpd.conf
                  Default smtpd(8) configuration file.

            /etc/opensmtpd/mailname
                  If this file exists, the first line is used as the server
                  name.  Otherwise, the server name is derived from the local
                  hostname returned by gethostname(3), either directly if it
                  is a fully qualified domain name, or by retrieving the
                  associated canonical name through getaddrinfo(3).

            /var/run/smtpd.sock
                  Unix domain socket for incoming SMTP connections.

            /var/spool/smtpd/
                  Spool directories for mail during processing.

EXAMPLES
       The default smtpd.conf file which ships with OpenBSD listens on the
       loopback network interface (lo0) and allows for mail from users and
       daemons on the local machine, as well as permitting email to remote
       servers.  Some more complex configurations are given below.

       This first example is the same as the default configuration, but all
       outgoing mail is forwarded to a remote SMTP server.  A secrets file is
       needed to specify a username and password:

           # touch /etc/opensmtpd/secrets
           # chmod 640 /etc/opensmtpd/secrets
           # chown root:_smtpd /etc/opensmtpd/secrets
           # echo "bob username:password" > /etc/opensmtpd/secrets

       smtpd.conf would look like this:

           table aliases file:/etc/opensmtpd/aliases
           table secrets file:/etc/opensmtpd/secrets
           listen on lo0
           action "local_mail" mbox alias <aliases>
           action "outbound" relay host smtp+tls://bob@smtp.example.com \
                auth <secrets>
           match from local for local action "local_mail"
           match from local for any action "outbound"

       In this second example, the aim is to permit mail delivery and
       relaying only for users that can authenticate (using their normal
       login credentials).  An RSA certificate must be provided to prove the
       server's identity.  The mail server listens on all interfaces the
       default routes point to.  Mail with a local destination is sent to an
       external MDA.  First, the RSA certificate is created:

           # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
           # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
                -out /etc/ssl/mail.example.com.crt -days 365
           # chmod 600 /etc/ssl/mail.example.com.crt
           # chmod 600 /etc/ssl/private/mail.example.com.key

       In the example above, a certificate valid for one year was created.
       The configuration file would look like this:

           pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
           pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
           table aliases file:/etc/opensmtpd/aliases
           listen on lo0
           listen on egress tls pki mail.example.com auth
           action mda_with_aliases mda "/path/to/mda -f -" alias <aliases>
           action mda_without_aliases mda "/path/to/mda -f -"
           action "outbound" relay
           match for local action mda_with_aliases
           match from any for domain example.com action mda_without_aliases
           match for any action "outbound"
           match auth from any for any action "outbound"

       For sites that wish to sign messages using DKIM, the following example
       uses opensmtpd-filter-dkimsign for DKIM signing:

           table aliases file:/etc/opensmtpd/aliases
           filter "dkimsign" proc-exec "filter-dkimsign -d <domain> -s <selector> \
                -k /etc/opensmtpd/dkim/private.key" user _dkimsign group _dkimsign
           listen on socket filter "dkimsign"
           listen on lo0 filter "dkimsign"
           action "local_mail" mbox alias <aliases>
           action "outbound" relay
           match for local action "local_mail"
           match for any action "outbound"

       Alternatively, the opensmtpd-filter-rspamd package may be used to
       provide integration with rspamd, a third-party daemon which provides
       multiple antispam features as well as DKIM signing.  As well as
       configuring rspamd itself, it requires use of the proc-exec keyword:

           filter "rspamd" proc-exec "filter-rspamd"

       Sites that accept non-local messages may be able to cut down on the
       volume of spam received by rejecting forged messages that claim to be
       from the local domain.  The following example uses a list table
       other-relays to specify the IP addresses of relays that may
       legitimately originate mail with the owner's domain as the sender.

           table aliases file:/etc/opensmtpd/aliases
           table other-relays file:/etc/opensmtpd/other-relays
           listen on lo0
           listen on egress
           action "local_mail" mbox alias <aliases>
           action "outbound" relay
           match for local action "local_mail"
           match for any action "outbound"
           match !from src <other-relays> mail-from "@example.com" for any \
                 reject
           match from any for domain example.com action "local_mail"

SEE ALSO
       mailer.conf(5), table(5), makemap(8), smtpd(8)

HISTORY
       smtpd(8) first appeared in OpenBSD 4.6.



                       $Mdocdate: September 23 2020 $           SMTPD.CONF(5)