SMTPD.CONF(5) | File Formats Manual | SMTPD.CONF(5) |
smtpd.conf
—
Simple Mail Transfer Protocol daemon configuration
file
smtpd.conf
is the configuration file for
the mail daemon smtpd(8).
When mail arrives, each “RCPT TO:” command generates
a mail envelope. If an envelope matches any of a pre-designated set of
criteria (using the match
directive), the message is
accepted for delivery. A copy of the message, as well as its associated
envelopes, is saved in the mail queue and later dispatched according to an
associated set of actions (using the action
directive). If an envelope does not match any options, it is rejected. The
match rules are evaluated sequentially, with the first match winning.
The format of the configuration file is fairly flexible. The
current line can be extended over multiple lines using a backslash
(‘\’). Comments can be put anywhere in the file using a hash
mark (‘#’), and extend to the end of the current line. Care
should be taken when commenting out multi-line text: the comment is
effective until the end of the entire block. Argument names not beginning
with a letter, digit, or underscore, as well as reserved words (such as
listen
, match
, and
port
), must be quoted. Arguments containing
whitespace should be surrounded by double quotes (").
Macros can be defined that are later expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters, but may not be reserved words. Macros are not expanded inside quotes. For example:
lan_addr = "192.168.0.1" listen on $lan_addr listen on $lan_addr tls auth
The syntax of smtpd.conf
is described
below.
action
name method [options]action
name,
selected by the match
...
action
directive when the message was received.
The action
directive provides configuration data
for delivery attempts. Required lookups are performed at the time of each
delivery attempt. Consequently, changing an action
directive or the files it references and restarting the
smtpd(8) daemon causes the
changes to take effect for subsequent delivery attempts for the respective
dispatcher name, even for messages that were already
stuck in the queue prior to the configuration changes.
The delivery method parameter may be one of the following:
expand-only
forward-only
lmtp
destination [rcpt-to]Optionally, rcpt-to might be specified to use the recipient email address (after expansion) instead of the local user in the LMTP session as RCPT TO.
maildir
[pathname [junk
]]The pathname may contain format specifiers that are expanded before use (see FORMAT SPECIFIERS).
If the junk
argument is provided,
the message will be moved to the Junk folder if it contains a
positive X-Spam header.
mbox
mda
commandThe command may contain format specifiers that are expanded before use (see FORMAT SPECIFIERS).
relay
The local delivery methods support additional options:
alias
<table>ttl
n{s
|m
|h
|d
}user
usernameThis is used for virtual hosting where a single username is in charge of handling delivery for all virtual users.
This option is not usable with the
mbox
delivery method.
userbase
<table>The userbase
does not apply for
the user
option.
virtual
<table>wrapper
namemda wrapper
.The relay delivery methods also support additional options:
backup
backup
mx
namehelo
helonamehelo-src
<table>host
relay-urlThe label corresponds to an entry in a credentials table, as documented in table(5). It is used with the “smtp+tls” and “smtps” protocols for authentication. Server certificates for those protocols are verified by default.
tls
[no-verify]auth
<table>host
option. The credential
table format is described in
table(5).mail-from
mailaddrsrc
address |
<address>bounce
warn-interval
delay [,
delay ...]s
, m
,
h
, or d
. At most four
delay parameters can be specified. The default is
"bounce
warn-interval
4h", sending a single warning after four
hours.ca
caname cert
cafilehostname
directive.include
"pathname"listen
on
interface [family]
[options]inet4
or inet6
.
The options are as follows:
auth
[<authtable>]auth-optional
[<authtable>]listen on
directive to both
accept incoming mail from untrusted senders and permit outgoing mail
from authenticated users (using match auth
).
It can be used in situations where it is not possible to listen on a
separate port (usually the submission port, 587) for users to
authenticate.ca
canameca
directive) as the CA certificate when verifying client
certificates.hostname
hostnamehostnames
<names>mask-src
no-dsn
pki
pkinamepki
directive) to prove a mail server's
identity.port
[port]received-auth
senders
<users>
[masquerade
]masquerade
option is provided, the From header is rewritten to match the sender
provided in the SMTP session.smtps
tls
.tag
tagtls
smtps
.tls-require
[verify
]tls
, but force clients to establish a
secure connection before being allowed to start an SMTP transaction.
With the verify
option, clients must also
provide a valid certificate to establish an SMTP session.listen
on
socket
[mask-src
]mask-src
option
is specified, printing of the HELO name, hostname, and IP address of the
originating host is suppressed in Received: header lines.match
options action
namematch
action
directive, receive the incoming message, put a copy into each matching
envelope, and atomically save the envelopes to the mail spool for later
processing by the respective dispatcher name.
The following matching options are supported and can all be negated:
!
] for any
!
] for local
!
] for domain
domain | <domain>!
] from any
!
] from local
!
] from socket
!
] from src
address |
<address>In addition, the following transaction options:
!
] auth
!
] helo
helo-name |
<helo-name>!
] mail-from
sender | <sender>!
] rcpt-to
recipient |
<recipient>!
] tag
tag!
] tls
match
options reject
match
action
directive.mda
wrapper
name commandmta
max-deferred
numberpki
pkiname cert
certfilehostname
directive. If a fallback certificate or
SNI is wanted, the ‘*’ wildcard may be used as
pkiname.
A certificate chain may be created by appending one or many certificates, including a Certificate Authority certificate, to certfile. The creation of certificates is documented in starttls(8).
pki
pkiname key
keyfilepki
pkiname dhe
paramsnone
, legacy
, and
auto
. For legacy
, a fixed
key length of 1024 bits is used, whereas for auto
,
the key length is determined automatically. The default is
none
, which disables DHE cipher suites.queue
compression
queue
encryption
[key]stdin
or a single dash
(‘-
’) is given instead of a
key, the key is read from the standard input.queue
ttl
delays
, m
,
h
, or d
. The default is
four days (4d).smtp
ciphers
controlsmtp
max-message-size
sizesmtp
sub-addr-delim
character+
’.table
name
[type:]pathnameEach table is identified by an arbitrary, unique name.
If the type is
db
, information is stored in a file created with
makemap(8); if it is
file
or omitted, information is stored in a
plain text file using the format described in
table(5). The
pathname to the file must be absolute.
table
name {value [,
...]}table
name
{key=value [,
...]}Some configuration directives support expansion of their
parameters at runtime. Such directives (for example
action
maildir
,
action
mda
) may use format
specifiers which are expanded before delivery or relaying. The following
formats are currently supported:
%{sender} | sender email address, may be empty string |
%{sender.user} | user part of the sender email address, may be empty |
%{sender.domain} | domain part of the sender email address, may be empty |
%{rcpt} | recipient email address |
%{rcpt.user} | user part of the recipient email address |
%{rcpt.domain} | domain part of the recipient email address |
%{dest} | recipient email address after expansion |
%{dest.user} | user part after expansion |
%{dest.domain} | domain part after expansion |
%{user.username} | local user |
%{user.directory} | home directory of the local user |
%{mbox.from} | name used in mbox From separator lines |
%{mda} | mda command, only available for mda wrappers |
Expansion formats also support partial expansion using the optional bracket notations with substring offset. For example, with recipient domain “example.org”:
%{rcpt.domain[0]} | expands to “e” |
%{rcpt.domain[1]} | expands to “x” |
%{rcpt.domain[8:]} | expands to “org” |
%{rcpt.domain[-3:]} | expands to “org” |
%{rcpt.domain[0:6]} | expands to “example” |
%{rcpt.domain[0:-4]} | expands to “example” |
In addition, modifiers may be applied to the token. For example, with recipient “User+Tag@Example.org”:
%{rcpt:lowercase} | expands to “user+tag@example.org” |
%{rcpt:uppercase} | expands to “USER+TAG@EXAMPLE.ORG” |
%{rcpt:strip} | expands to “User@Example.org” |
%{rcpt:lowercase|strip} | expands to “user@example.org” |
For security concerns, expanded values are sanitized and potentially dangerous characters are replaced with ‘:’. In situations where they are desirable, the “raw” modifier may be applied. For example, with recipient “user+t?g@example.org”:
%{rcpt} | expands to “user+t:g@example.org” |
%{rcpt:raw} | expands to “user+t?g@example.org” |
The default smtpd.conf
file which ships
with OpenBSD listens on the loopback network
interface (lo0) and allows for mail from users and
daemons on the local machine, as well as permitting email to remote servers.
Some more complex configurations are given below.
This first example is the same as the default configuration, but all outgoing mail is forwarded to a remote SMTP server. A secrets file is needed to specify a username and password:
# touch /etc/mail/secrets # chmod 640 /etc/mail/secrets # chown root:_smtpd /etc/mail/secrets # echo "bob username:password" > /etc/mail/secrets
smtpd.conf
would look like this:
table aliases file:/etc/mail/aliases table secrets file:/etc/mail/secrets listen on lo0 action "local" mbox alias <aliases> action "relay" relay host smtp+tls://bob@smtp.example.com \ auth <secrets> match for local action "local" match for any action "relay"
In this second example, the aim is to permit mail delivery and relaying only for users that can authenticate (using their normal login credentials). An RSA certificate must be provided to prove the server's identity. The mail server listens on all interfaces the default routes point to. Mail with a local destination is sent to an external MDA. First, the RSA certificate is created:
# openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096 # openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \ -out /etc/ssl/mail.example.com.crt -days 365 # chmod 600 /etc/ssl/mail.example.com.crt # chmod 600 /etc/ssl/private/mail.example.com.key
In the example above, a certificate valid for one year was created. The configuration file would look like this:
pki mail.example.com cert "/etc/ssl/mail.example.com.crt" pki mail.example.com key "/etc/ssl/private/mail.example.com.key" table aliases file:/etc/mail/aliases listen on lo0 listen on egress tls pki mail.example.com auth action mda_with_aliases mda "/path/to/mda -f -" alias <aliases> action mda_without_aliases mda "/path/to/mda -f -" action "relay" relay match for local action mda_with_aliases match from any for domain example.com action mda_without_aliases match for any action "relay" match auth from any for any action "relay"
For sites that wish to sign messages using DKIM, the dkimproxy package may be used as a filter. The following example is the same as the default configuration, but all outgoing mail is passed to dkimproxy_out on port 10027 for signing. The signed messages are received on port 10028 and tagged for relaying.
table aliases file:/etc/mail/aliases listen on lo0 listen on lo0 port 10028 tag DKIM action "mbox" mbox alias <aliases> action "relay" relay action relay_dkim relay host smtp://127.0.0.1:10027 match for local action "mbox" match tag DKIM for any action "relay" match for any action relay_dkim
Sites that accept non-local messages may be able to cut down on the volume of spam received by rejecting forged messages that claim to be from the local domain. The following example uses a list table other-relays to specify the IP addresses of relays that may legitimately originate mail with the owner's domain as the sender.
table aliases file:/etc/mail/aliases table other-relays file:/etc/mail/other-relays listen on lo0 listen on egress action "mbox" mbox alias <aliases> action "relay" relay match for local action "mbox" match for any action "relay" match !from src <other-relays> mail-from "@example.com" for any \ reject match from any for domain example.com action "mbox"
smtpd(8) first appeared in OpenBSD 4.6.
October 8, 2018 | OpenBSD-6.4 |