Description
How do you configure your OpenBSD machine to send mail from the terminal/console through an SMTP server that requires authentication?
Introduction
OpenSMTPD is a free implementation of the SMTP protocol, as defined in RFC 5321, with some additional standard extensions. It allows machines to exchange mail.
Information:
- Website: https://www.opensmtpd.org
- Version: 6.4.0 → 6.7
- OS: OpenBSD 6.4 → 7.3
Effectively tested with Gandi, with the association L’autre.net, and finally on my own MX.
Installation
Since OpenBSD 6.4, the new version of OpenSMTPD is in the base system.
To start the service: # rcctl start smtpd
A small clarification on files:
- the config file is: /etc/mail/smtpd.conf
- the logfile is: /var/log/maillog
Configuration
To send email through an SMTP server that requires authentication, such as Gandi, you first need to create a secrets file with the right permissions on your system, then set up the config file.
The manpage shows us an example:
File secrets
Create the needed secrets file: # touch /etc/mail/secrets
Set secure permissions:
# chmod 640 /etc/mail/secrets
# chown root:_smtpd /etc/mail/secrets
Now, write this information into it:
identifiant username:password
Do not write this text literally; replace:
- identifiant: your chosen id, which will be used later in your config file (e.g. perso).
- username: usually, your email.
- password: the password for your email identification.
You can name the secrets file as you want, and put it elsewhere on your system.
It’s better to put rights 0400 on this secrets file.
Even if the service can access your secrets file with your personal rights, as $USER:$USER, it’s better to set the right group, _smtpd.
File smtpd.conf
Now, we modify the config file /etc/mail/smtpd.conf.
# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets
queue compression
# To accept external mail, replace with: listen on all
#
## added in 6.7
listen on socket
listen on lo0
action "local_mail" mbox alias <aliases>
# Relay through the authenticated SMTP server; the label before "@" is the key looked up in <secrets>
action "outbound" relay host smtp+tls://identifiant@server auth <secrets> mail-from "@your-domain.tld"
# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local_mail"
### 6.6 syntax
#match for local action "local_mail"
#match for any action "outbound"
### 6.7 syntax
match from local for local action "local_mail"
match from local for any action "outbound"
Explanations
So compared to the original version, we added:
- the line table secrets: it loads the secrets file; use your own filename here.
- the line action "outbound": it defines the action needed to send emails to the SMTP server.
  - NOTE about identifiant@server:
    - you have to replace the string identifiant with the id you created (as written above: perso).
    - you also have to replace server with the name of the SMTP server.
  - the string smtp+tls is the protocol used to connect to the SMTP server. The other protocols are:
    - lmtp: to connect on an LMTP session.
    - smtp: to attempt a connection with a STARTTLS session, if possible.
    - smtp+tls: to force the connection on a STARTTLS session.
    - smtp+notls: to use a plain text SMTP session without TLS.
    - smtps: to force the connection via TLS; default port: 465
    - with no specified protocol, the connection will be done on the default port: 25.
  - the string auth: to specify the secrets table.
  - the string mail-from: to specify the domain name to use.
- the line match … action "outbound": this is the rule that triggers the action to send the emails.
Changes on 6.7
OpenBSD 6.7 makes minor syntax changes:
- addition of listen on socket (smtpd.conf(5)#listen2)
- modification of match actions for the local queue manager (smtpd.conf(5)#match):
match from local for local action "local_mail"
match from local for any action "outbound"
Changes on 6.6
The syntax of the action names has changed slightly between versions 6.4 and 6.6:
- local becomes local_mail
- relay becomes outbound
Aliases
About the aliases system:
It is worth managing the alias of the root account, or even that of your main user…
Edit the file /etc/mail/aliases, with admin rights.
At the end of the file, set root to your desired email address.
Do the same for your system user. ;)
And do not forget to rebuild the aliases database, with the command newaliases!
Usage
Before restarting the OpenSMTPD service, we need to test the config file:
# smtpd -n
If the result is: configuration OK, that’s all, folks!
Otherwise, re-edit the file, starting at the first line indicated!
Now, restart the service:
# rcctl restart smtpd
smtpd(ok)
smtpd(ok)
The log will display messages such as:
Apr 3 07:17:05 sh1 smtpd[68810]: info: OpenSMTPD 7.0.0 starting
Also, think about using the controller smtpctl… see the manpage smtpctl(8).
Send
So:
echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" email
- or,
echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" root
In all cases, the log will display messages, for instance:
Apr 3 07:20:20 sh1 smtpd[56183]: 2cda1df4efff97f2 mta connecting address=smtp+tls://89.234.141.148:587 host=mail2.automario.eu
Apr 3 07:20:20 sh1 smtpd[56183]: 2cda1df4efff97f2 mta connected
Apr 3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr 3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta cert-check result="valid" fingerprint="SHA256:17af91bcb27a530cc278cd8be90551593bee38ebaf6ade68053a508b14a8f817"
Apr 3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta delivery evpid=4138560f4bd626cf from=<***@huc.fr.eu.org> to=<***@stephane-huc.net> rcpt=<-> source="46.23.90.29" relay="89.234.141.148 (mail2.automario.eu)" delay=1s result="Ok" stat="250 2.0.0 eb1a48cf Message accepted for delivery"
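The log lines above carry what is needed to confirm that a relayed message went over TLS to a server whose certificate was checked as valid. As an added example (not part of the original page), the script below groups mta lines by session id and flags every delivery whose session lacks a tls line or a cert-check result="valid" line; audit_mta_tls is a hypothetical helper and the sample log is constructed.

```sh
#!/bin/sh
# Added example (not from the original page): flag relayed deliveries whose
# mta session did not log both TLS and cert-check result="valid".
audit_mta_tls() {
    awk '
    # Layout: Mon DD HH:MM:SS host smtpd[pid]: <session> mta <event> ...
    $7 != "mta"        { next }
    $8 == "tls"        { tls[$6] = 1 }
    $8 == "cert-check" && /result="valid"/ { cert[$6] = 1 }
    $8 == "delivery" {
        if (tls[$6] && cert[$6]) next
        rcpt = "to=?"
        for (i = 9; i <= NF; i++) if ($i ~ /^to=/) rcpt = $i
        printf "%s %s: %s\n", $6, rcpt, (tls[$6] ? "no valid cert-check" : "no TLS")
        bad++
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample log in the format shown above (hosts and ids are made up).
log=$(mktemp)
cat > "$log" <<'EOF'
Apr 3 07:20:20 sh1 smtpd[56183]: aaaa000000000001 mta connecting address=smtp+tls://192.0.2.10:587 host=mx.example.org
Apr 3 07:20:21 sh1 smtpd[56183]: aaaa000000000001 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr 3 07:20:21 sh1 smtpd[56183]: aaaa000000000001 mta cert-check result="valid" fingerprint="SHA256:<constructed>"
Apr 3 07:20:21 sh1 smtpd[56183]: aaaa000000000001 mta delivery evpid=0000000000000001 from=<a@example.org> to=<b@example.net> result="Ok"
Apr 3 07:25:02 sh1 smtpd[56183]: bbbb000000000002 mta connecting address=smtp://192.0.2.11:25 host=mx2.example.org
Apr 3 07:25:03 sh1 smtpd[56183]: bbbb000000000002 mta delivery evpid=0000000000000002 from=<a@example.org> to=<c@example.net> result="Ok"
Apr 3 07:30:10 sh1 smtpd[56183]: cccc000000000003 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr 3 07:30:11 sh1 smtpd[56183]: cccc000000000003 mta delivery evpid=0000000000000003 from=<a@example.org> to=<d@example.net> result="Ok"
EOF
audit_mta_tls "$log" || echo "flagged deliveries: $?"
```

On a real system, pass /var/log/maillog as the argument; the exit status is the number of flagged deliveries.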
Errors
See below the possible common errors:
Error: authentication failed
Check again the username, password and id written in your secrets file!
Error: Cannot parse smarthost
This message means the SMTP service can’t make sense of the string identifiant@server in your action rule.
Check your entries:
- your table secrets line needs to match the right secrets filename!
- your identifiant username:password line in your secrets file.
- have you correctly replaced the string identifiant in the config file?
- also, for the string server: make sure the SMTP server name exists!
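The checks listed above, together with the file permissions from the secrets section, can be automated before restarting the service. This is an added example, not from the original page or from OpenSMTPD: lint_relay is a hypothetical helper, the sample files are constructed, and it assumes unindented action and match lines and action names without spaces.

```sh
#!/bin/sh
# Added example (not from the original page). lint_relay CONF SECRETS prints
# one finding per line and returns the number of findings (0 = clean).
lint_relay() {
    conf=$1 secrets=$2 n=0
    # 1. The secrets file must give no access to "other" (640 or 0400 above).
    [ "$(ls -ld "$secrets" | cut -c8-10)" = "---" ] ||
        { echo "secrets: accessible to other users"; n=$((n + 1)); }
    # 2. For each authenticated relay, check the label and the scheme.
    for url in $(sed -n 's/^action .* relay host \([^ ]*\) .*auth .*/\1/p' "$conf"); do
        scheme=${url%%://*} rest=${url#*://} label=
        case $rest in *@*) label=${rest%%@*} ;; esac
        awk -v l="$label" 'l != "" && $1 == l { found = 1 } END { exit !found }' "$secrets" ||
            { echo "relay: label '$label' has no entry in secrets"; n=$((n + 1)); }
        case $scheme in
            smtp+tls|smtps) ;;  # the two schemes the page says force TLS
            *) echo "relay: auth with '$scheme' does not force TLS"; n=$((n + 1)) ;;
        esac
    done
    # 3. Every action named by a match rule must be defined.
    for name in $(sed -n 's/^match .* action "\([^"]*\)".*/\1/p' "$conf"); do
        grep -q "^action \"$name\" " "$conf" ||
            { echo "match: action \"$name\" is not defined"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample reproducing three mistakes; all names are placeholders.
d=$(mktemp -d)
echo 'pro user@example.org:placeholder-password' > "$d/secrets"
chmod 640 "$d/secrets"
cat > "$d/smtpd.conf" <<'EOF'
table secrets file:/etc/mail/secrets
action "local_mail" mbox alias <aliases>
action "unbound" relay host smtp://perso@smtp.example.org auth <secrets>
match from local for local action "local_mail"
match from local for any action "outbound"
EOF
lint_relay "$d/smtpd.conf" "$d/secrets" || echo "findings: $?"
```

The sample reports a label missing from the secrets file, a relay scheme that does not force TLS, and a match rule naming an undefined action. The ownership check (root:_smtpd) is left out of this example.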
Error: Sender address rejected: Domain not found
This message means the SMTP service can’t match the desired domain name.
Tip: use the mail-from parameter in your action rule to target the right domain name, as:
mail-from "@your-domain.tld"
Do not forget the @ symbol.
Documentation
The SMTP protocol is defined by RFC 5321: