Puffy image/svg+xml Puffy 2019-06-14 Stéphane HUC OpenBSD Team Inkscape Puffy OpenBSD https://www.openbsd.org/art4.html English "Puffy", it's a symbol of OpenBSD

OpenBSD: configure smtpd.conf to auth email client (≥ v6.4)

Article published the ; modified the
5 minutes to read

This article has 1047 words.
RAW source of the article:
Commit version: fce98db


How to config your machine to send mail by terminal/console, on OpenBSD, on SMTP server with a required authentication?


OpenSMTPD is a free implementation of the SMTP protocol, as defined in RFC 5321 , with some additional standard extensions. It allows the machines to exchange mail.


Effectively tested with Gandi, and the association L’autre.net, and finally on my “owners” MX.


Since OpenBSD 6.4, inton the base system, we have the new version of OpenSMTPD.

To start the service: # rcctl start smtpd

A small clarification on files:

  • the config file is: /etc/mail/smtpd.conf.
  • the logfile is: /var/log/maillog.


To send an email at one SMTP server require an authentication, as Gandi, it’s necessary to first create a secret file with the good rights on your system, and to set the config file.

The manpage show us on example:

File secrets

Create the needed secret file: # touch /etc/mail/secrets

Put the secured rights:

# chmod 640 /etc/mail/secrets
# chown root:_smtpd /etc/mail/secrets

Now, it’s necessary to write those informations: identifiant username:password Do Not Write TEXTUALLY this information , replace with:

  • identifiant: your choosed id — this will use later on your config file. (e.g.: as perso)
  • username: usually, your email.
  • password: the password for your email identification.

File smtpd.conf

Now, we modify the config file /etc/mail/smtpd.conf.

#	$OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

queue compression

# To accept external mail, replace with: listen on all
## add on 6.7
listen on socket

listen on lo0

action "local_mail" mbox alias <aliases>
action "unbound" relay host smtp+tls://identifiant@server auth <secrets> mail-from "@your-domain.tld"

# Uncomment the following to accept external mail for domain "example.org"
# match from any for domain "example.org" action "local"
### 6.6 writings
#match for local action "local_mail"
#match for any action "unbound"
### 6.7 writings
match from local for local action "local_mail"
match from local for any action "outbound"


So compared to the original version, we added:

  • the line table secrets: it call the secrets file — write your custom filename.
  • the line action unbound: to define the necessary action to send emails to the SMTP server.
    • NOTE about identifiant@serveur:
      • you have to replace the string identifiant by your created. (as wroted above: perso).
      • and too, to replace the serveur by the name of SMTP server.
    • the string smtp+tls is the used protocol to connect at the SMTP server. others protocols are:
      • lmtp: to connect on a LMTP session.
      • smtp: to attempt a connection with a STARTTLS session, if possible.
      • smtp+tls: to force the connection on a STARTTLS session.
      • smtp+notls: to use a plain text SMTP session without TLS.
      • smtps: to force the connexion via TLSdefault port: 465
      • with no specified protocol, the connection will be done on the default port: 25.
    • the string auth: to specify the secret table.
    • the string mail-from: to specify the domain name to use.
    • the line match … action "relay": this is the action that will be triggered to send the emails.

Changes on 6.7

OpenBSD 6.7 makes minor syntax changes:

  • add listen on socket smtpd.conf(5)#listen2
  • modification of match actions for the local queue manager smtpd.conf(5)#match : match from local for local action "local_mail" match from local for any action "outbound"

Changes on 6.6

The syntax of the action names has changed slightly between versions 6.4 and 6.6:

  • local becomes local_mail
  • relay becomes unbound


About aliases system:

It is interesting to manage the related alias root account or even that of your main user…

Edit the file /etc/mail/aliases, with rights admin. At the end of file, modify root with your desired address email. Do the same for your system user. ;)

And, do not forget to reload the aliases base, with the command newaliases!



Now, restart the service:

# rcctl restart smtpd

The log will display messages, as-is: Apr 3 07:17:05 sh1 smtpd[68810]: info: OpenSMTPD 7.0.0 starting

Too, think to use the controller smtpctl… see the manpage smtpctl.8.



  • echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" email
  • or, echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" root

For all cases, the log will display messages, as instance:

Apr  3 07:20:20 sh1 smtpd[56183]: 2cda1df4efff97f2 mta connecting address=smtp+tls:// host=mail2.automario.eu
Apr  3 07:20:20 sh1 smtpd[56183]: 2cda1df4efff97f2 mta connected
Apr  3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr  3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta cert-check result="valid" fingerprint="SHA256:17af91bcb27a530cc278cd8be90551593bee38ebaf6ade68053a508b14a8f817"
Apr  3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta delivery evpid=4138560f4bd626cf from=<***@huc.fr.eu.org> to=<***@stephane-huc.net> rcpt=<-> source="" relay=" (mail2.automario.eu)" delay=1s result="Ok" stat="250 2.0.0 eb1a48cf Message accepted for delivery"


See, below, the possible commons errors:

Error: authentication failed

Check again your username, password id wrote on your secret file !

Error: Cannot parse smarthost

This message means the SMTP service can’t figure out the strings identifiant@serveur on your action rule.

Check your entries:

  • your string table secrets need to match with the good secret filename!
  • your strings identifiant username:password in your secret file.
  • have you replace correctly the string identifiant on the config file?
  • too, for the string serveur: make sure the SMTP server name exists!

Error: Sender address rejected: Domain not found

This message means the SMTP service can’t match with the desired domain name.

The tips: use the param mail-from in your action rule, to target the good domain name, as: mail-from "@votre-domaine.tld" Do Not forget the symbol @.


The SMTP protocol is define by RFC 5321 :

RFC 5321

IETF Tools
RFC Editor


Others informations