OpenBSD: configure smtpd.conf to authenticate an email client (v6.4 and later)


Description

How do you configure an OpenBSD machine to send mail from the terminal through an SMTP server that requires authentication?

Introduction

OpenSMTPD is a free implementation of the SMTP protocol as defined in RFC 5321, with some additional standard extensions. It lets machines exchange mail.

Information:

Tested successfully with Gandi and with the association L’autre.net.

Installation

The OpenBSD 6.4 base system ships the new OpenSMTPD release, 6.4.0.

To start the service: # rcctl start smtpd

A small clarification on files:

  • the config file is: /etc/mail/smtpd.conf.
  • the logfile is: /var/log/maillog.

Configuration

Sending mail through an SMTP server that requires authentication, such as Gandi’s, takes two steps: first create a secrets file with the right permissions on your system, then point the configuration file at it.

The smtpd.conf(5) manpage gives an example of both.

File secrets

Create the needed secret file: # touch /etc/mail/secrets

Set restrictive permissions:

Code: sh

# chmod 640 /etc/mail/secrets
# chown root:_smtpd /etc/mail/secrets

Now write the credentials into it, one entry per line:
identifiant username:password
Do not write this line literally; replace each field:

  • identifiant: a label of your choosing, used later in the configuration file to refer to these credentials.
  • username: usually your email address.
  • password: the password for that mail account.

The file holds the password in clear text, which is why it must stay readable only by root and the _smtpd group (mode 640, as set above).
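As an added example (not from the original article or from OpenSMTPD), here is a pre-flight check in sh for the secrets file, to run before restarting smtpd: it refuses a file that is missing, world-readable, empty, still carrying the article’s placeholders, or containing a line that does not follow label user:password. It assumes whitespace separates the label from user:password (so a password containing whitespace is rejected) and reads the mode from ls -l so it behaves the same on OpenBSD and Linux; ownership is left to the chown above.

```shell
#!/bin/sh
# Pre-flight check for an OpenSMTPD credentials table (/etc/mail/secrets).
# Added example for this article; not code from the article or from OpenSMTPD.
# Assumptions: one "label user:password" entry per line, fields separated by
# whitespace (a password containing whitespace is therefore rejected), blank
# lines and '#' comments ignored; the mode is read from ls -l, which prints
# the same columns on OpenBSD and Linux. Ownership (root:_smtpd) is left to chown.

# check_secrets FILE -> 0 if the file is safe to hand to smtpd, 1 otherwise;
# every problem found is printed on stderr.
check_secrets() {
    f=$1 rc=0 n=0 entries=0
    if [ ! -f "$f" ]; then
        echo "$f: no such file" >&2
        return 1
    fi
    # The file holds a plaintext password: column 8 of ls -l is the
    # "other: read" bit, which must be off (chmod 640 root:_smtpd).
    if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
        echo "$f: world-readable; run: chmod 640 $f" >&2
        rc=1
    fi
    set -f                                    # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line                          # $1 = label, $2 = user:password
        if [ $# -ne 2 ]; then
            echo "$f:$n: expected 'label user:password'" >&2
            rc=1; continue
        fi
        label=$1 cred=$2
        case $cred in
            *:*) ;;
            *) echo "$f:$n: credential must be user:password" >&2; rc=1; continue ;;
        esac
        if [ -z "${cred%%:*}" ] || [ -z "${cred#*:}" ]; then
            echo "$f:$n: empty user or password" >&2
            rc=1
        fi
        case "$label $cred" in                # placeholders copied verbatim
            identifiant*|*' username:password')
                echo "$f:$n: replace the placeholders with your own values" >&2
                rc=1 ;;
        esac
        entries=$((entries + 1))
    done < "$f"
    set +f
    if [ "$entries" -eq 0 ]; then
        echo "$f: no credentials found" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh check_secrets.sh /etc/mail/secrets
if [ $# -gt 0 ]; then
    check_secrets "$1"
fi
```

Run it as root against /etc/mail/secrets; a non-zero exit with a message on stderr means the file needs fixing before smtpd is restarted.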

File smtpd.conf

Now, we modify the config file /etc/mail/smtpd.conf.

File: /etc/mail/smtpd.conf

#	$OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

queue compression

# To accept external mail, replace with: listen on all
#
## added in 6.7
listen on socket

listen on lo0

action "local_mail" mbox alias <aliases>
action "unbound" relay host smtp+tls://identifiant@serveur auth <secrets> mail-from "@your-domain.tld"

# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local"
### 6.6 syntax
#match for local action "local_mail"
#match for any action "unbound"
### 6.7 syntax (the action name must match the action defined above)
match from local for local action "local_mail"
match from local for any action "unbound"

Explanations

Compared with the stock file, we added:

  • the line table secrets: it declares the secrets file; use the filename you actually created.
  • the line action "unbound": it defines the action that relays mail to the SMTP server.
    • about identifiant@serveur:
      • replace identifiant with the label you wrote in the secrets file;
      • replace serveur with the hostname of the SMTP server.
    • smtp+tls is the protocol used to reach the SMTP server. The other choices are:
      • lmtp: open an LMTP session.
      • smtp: try a STARTTLS session if the server offers one.
      • smtp+tls: require a STARTTLS session.
      • smtp+notls: plain-text SMTP without TLS.
      • smtps: TLS from the start of the connection, default port 465.
      • when no protocol is given, the connection is made on the default port, 25.
      When authenticating, use smtp+tls or smtps: the password travels inside the SMTP session, so the session must be encrypted before AUTH is sent. The log line "Server certificate verification succeeded" (see below) confirms the relay presented a valid certificate.
    • auth: names the table holding the credentials.
    • mail-from: rewrites the envelope sender; with the "@domain" form only the domain part is replaced, so the relay sees a sender in a domain it accepts.
    • the line match … action "unbound": the rule that triggers the relay action for outgoing mail.
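The one configuration mistake that is easy to make here is a match rule that names one action while the action line defines another, leaving smtpd with nothing to relay through. As an added example (not part of the article or of OpenSMTPD, whose own configtest is smtpd -n and remains the authoritative check), this sh/awk lint reports every match rule whose action is not defined and every <table> reference with no matching table line, before the live daemon is restarted.

```shell
#!/bin/sh
# Lint for the name references in /etc/mail/smtpd.conf. Added example for
# this article; not code from the article or from OpenSMTPD (whose own
# configtest is "smtpd -n"). Assumption: the 6.4+ syntax shown above, with
# one rule per line and action names in double quotes.

# lint_smtpd_conf FILE -> 0 when every match rule names a defined action and
# every <table> reference names a defined table; 1 (with a report on stdout)
# otherwise.
lint_smtpd_conf() {
    awk '
    { sub(/#.*/, "") }                                   # drop comments
    /^[[:space:]]*table[[:space:]]+/ { tables[$2] = 1 }  # table NAME file:...
    /^[[:space:]]*action[[:space:]]+"/ {                 # action "NAME" ...
        s = $0
        sub(/^[[:space:]]*action[[:space:]]+"/, "", s); sub(/".*/, "", s)
        actions[s] = 1
    }
    /^[[:space:]]*match[[:space:]]/ && /action[[:space:]]+"/ {   # match ... action "NAME"
        s = $0
        sub(/.*action[[:space:]]+"/, "", s); sub(/".*/, "", s)
        refs[s] = FNR
    }
    {                                                    # every <table> reference
        s = $0
        while (match(s, /<[^>]+>/)) {
            trefs[substr(s, RSTART + 1, RLENGTH - 2)] = FNR
            s = substr(s, RSTART + RLENGTH)
        }
    }
    END {
        bad = 0
        for (a in refs)
            if (!(a in actions)) {
                printf "%s:%d: match rule uses undefined action \"%s\"\n", FILENAME, refs[a], a
                bad = 1
            }
        for (t in trefs)
            if (!(t in tables)) {
                printf "%s:%d: undefined table <%s>\n", FILENAME, trefs[t], t
                bad = 1
            }
        exit bad
    }' "$1"
}

# Usage: sh lint_smtpd_conf.sh /etc/mail/smtpd.conf
if [ $# -gt 0 ]; then
    lint_smtpd_conf "$1"
fi
```

The lint deliberately checks names only; syntax errors inside a rule are left to smtpd -n, which parses the file with the real grammar.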

Changes in 6.7

OpenBSD 6.7 makes minor syntax changes:

  • a listen on socket line is added (see listen in smtpd.conf(5));
  • the match rules for mail from the local queue change form (see match in smtpd.conf(5)). The stock file now reads:
    match from local for local action "local_mail"
    match from local for any action "outbound"
    In this article the relay action is named "unbound" rather than "outbound", so the second rule must say action "unbound" here: a match rule that names an action which is not defined is a configuration error.

Changes in 6.6

The action names changed slightly between 6.4 and 6.6:

  • local becomes local_mail
  • relay becomes unbound (outbound in the stock file; the name itself is free, what matters is that the action line and the match rule use the same one)

aliases

About the aliases system:

It is worth redirecting the mail of the root account, and of your main user, to a real mailbox.

Edit /etc/mail/aliases as root. At the end of the file, set root to the email address that should receive its mail, and do the same for your system user.

Do not forget to rebuild the aliases database afterwards with the newaliases command.

Usage

Now restart the service:

Code: sh

# rcctl restart smtpd
smtpd(ok)
smtpd(ok)

The log shows a line such as:
Nov 3 20:43:54 ptb-aw13zou smtpd[35308]: info: OpenSMTPD 6.4.0 starting

Send

Then send a test message:

  • echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" address, where address is the recipient’s email address;
  • or, to go through the root alias set above: echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" root

In either case, the log shows lines such as these (addresses masked with ***):

File: /var/log/maillog

Nov 3 19:22:34 *** smtpd[37263]: 062ec369dcc6160f mta connecting address=smtp+tls://217.70.178.9:25 host=mail.gandi.net
Nov 3 19:22:34 *** smtpd[37263]: 062ec369dcc6160f mta connected
Nov 3 19:22:34 *** smtpd[37263]: 062ec369dcc6160f mta starttls ciphers=version=TLSv1.2, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
Nov 3 19:22:35 *** smtpd[37263]: smtp-out: Server certificate verification succeeded on session 062ec369dcc6160f
Nov 3 20:49:48 *** smtpd[94764]: 2020e211382c500d mta delivery evpid=a30c319b18ad8967 from=<***@stephane-huc.net> to=<***@stephane-huc.net> rcpt=<-> source="192.168.***.***" relay="217.70.178.9 (mail.gandi.net)" delay=6m41s result="Ok" stat="250 2.0.0 Ok: queued as 91BD31C0003"
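What you want to see in the log for every delivery is a TLS handshake and a verified server certificate before the password goes out. As an added example (not from the article or from OpenSMTPD), this sh/awk audit groups maillog lines by session id and prints, for each session that reached "mta delivery", the protocol, whether TLS was negotiated and whether the certificate verified, exiting non-zero if any delivery lacked either. It assumes the line formats shown above; matching a "mta tls ciphers=" line and a "verification failed" line as well is an assumption about other OpenSMTPD versions.

```shell
#!/bin/sh
# Audit of /var/log/maillog relay sessions. Added example for this article;
# not code from the article or from OpenSMTPD. It keys every line on the
# session id that follows "smtpd[pid]:" and reports, for each session that
# reached "mta delivery", which protocol was used, whether TLS was negotiated
# and whether the server certificate verified. The "succeeded" line format
# is the one shown above; matching "mta tls ciphers=" and "verification
# failed" as well is an assumption about other OpenSMTPD versions.

# audit_maillog FILE -> prints one line per delivered session and returns 1
# if any delivery went out without TLS or without a verified certificate.
audit_maillog() {
    awk '
    # Session id: the token right after the "smtpd[pid]:" field.
    function sid(   i) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^smtpd\[[0-9]+\]:$/) return $(i + 1)
        return ""
    }
    /mta connecting address=/ {
        s = sid(); p = $0
        sub(/.*address=/, "", p); sub(/:.*/, "", p)   # smtp+tls://host:25 -> smtp+tls
        proto[s] = p
    }
    /mta (starttls|tls) ciphers=/ { tls[sid()] = 1 }
    /Server certificate verification succeeded on session/ { verified[$NF] = 1 }
    /Server certificate verification failed on session/    { verified[$NF] = 0 }
    /mta delivery / {
        s = sid(); r = $0
        sub(/.*result="/, "", r); sub(/".*/, "", r)   # result="Ok" -> Ok
        result[s] = r
    }
    END {
        bad = 0
        for (s in result) {
            t = (s in tls) ? "yes" : "no"
            v = ((s in verified) && verified[s]) ? "yes" : "no"
            printf "%s proto=%s tls=%s verified=%s result=%s\n", s, proto[s], t, v, result[s]
            if (t == "no" || v == "no") bad = 1
        }
        exit bad
    }' "$1"
}

# Usage: sh audit_maillog.sh /var/log/maillog
if [ $# -gt 0 ]; then
    audit_maillog "$1"
fi
```

A session reported with tls=no or verified=no is worth investigating before the next message goes out: it means the relay action, or the server behind it, is not providing the protection the smtp+tls URL was meant to enforce.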

Errors

Below are the most common errors:

Error: authentication failed

Check the label, username and password you wrote in the secrets file.

Error: Cannot parse smarthost

This message means smtpd cannot make sense of the identifiant@serveur string in your action rule.

Check your entries:

  • the table secrets line must point at the secrets file you actually created;
  • the secrets file must contain a line of the form identifiant username:password;
  • the identifiant in the configuration file must be replaced by the label from the secrets file;
  • the serveur part must be a resolvable hostname for the SMTP server.

Error: Sender address rejected: Domain not found

This message means the SMTP server cannot resolve the domain of the sender address, for example because the envelope sender still carries the local hostname.

The fix: use the mail-from parameter in your action rule to rewrite the sender domain to one the server accepts, as:
mail-from "@votre-domaine.tld"
Do not forget the @ symbol.

Documentation

The SMTP protocol is defined by RFC 5321, available in HTML, PDF and TXT from the IETF and from the RFC Editor.

Manpages

smtpd.conf(5)