The Missing Bit

Configuring a Mail server on OpenBSD
2022-05-15

mail openbsd

As certainly many of us do, I use email a lot.

Currently I am using fastmail, it works quite well, but I have a few issues:

In this post, I'll share how I configured my own IMAP server.

This is part one of two, which focus on IMAP.

First, to make the transition graduate, I'm going to buy a random domain and configure a redirection within fastmail.

I'm going to use my kuon.org site that has no setup for email yet.

The plan is to use kuon.org domain for testing. When everything works, I will setup fastmail to send a copy to my me@kuon.org email then, after a few weeks, I'l change the kuon.ch MX.

So the (temporary) configuration will be:

me@kuon.ch -> fastmail -> redirect to me@kuon.org -> mail server

While in this setup, there will be no spam filter running on the server as we will relie on fastmail spam filter.

MX and DNS

Setup your MX record (whic must not be a CNAME). If you want to use SMTP delivery directly without a relay, you need a reverse DNS record.

SSL

The first thing is to create an SSL certificate for SMTP and IMAP.

I use let's encrypt certbot with DNS validation, which gives me an easy way to have my certificate. But your mileage may vary.

On OpenBSD, the rfc2136 plugin is not in port, but it can be installed with pip after installing certbot.

# pkg_add certbot
# pip install certbot-dns-rfc2136

This let me generate certificate easily for mx.kuon.org, I am going to use this for everything, but you might prefer using smtp.example.com imap.example.com...

SMTP

For SMTP, we will use OpenSMTP from OpenBSD. It is a small, easy to configure and stable SMTP server.

There will be three types of connection to the SMTP server:

  1. Any SMTP server on the internet sending email to @kuon.ch
  2. Authenticated users using SMTP as relay (for example me with my phone when I am outside)
  3. Internal client sending emails (for notification for example)

2 and 3 can send email to any address while 1 only to local domains.

Here is the commented SMTP config:

# Let's encrypt keypair, be sure to set permission for the _smtpd user/group
pki keypair cert           "/etc/letsencrypt/live/mx.kuon.org/fullchain.pem"
pki keypair key            "/etc/letsencrypt/live/mx.kuon.org/privkey.pem"

table relaycreds               file:/etc/mail/relaycreds
table creds                    file:/etc/mail/creds
table vdoms                    file:/etc/mail/vdoms
table vusers                   file:/etc/mail/vusers

# This is internal listener on port 25, this is an open relay for my internal
# servers, this is a private network so I do not need encryption
listen on vlan4
# Outside listener on port 25
listen on vlan10 tls pki keypair
# Both following listener requires authentication
# SMTPS sending port
listen on vlan10 port 465 smtps pki keypair auth <creds>
# SMTP + STARTTLS sending port
listen on vlan10 port 587 tls-require pki keypair auth <creds>


# Action to deliver email to IMAP
action deliver lmtp "/var/dovecot/lmtp" virtual <vusers>

# For now, we will use fastmail SMTP, as SMTP without relay requires a reverse
# DNS record that I do not have yet
action send relay host "smtps://kuon@smtp.fastmail.com/" auth <relaycreds>

# Deliver local emails, this will deliver everything to user kuon because of
# catch all in vusers
match from local for local action deliver

# Accept email for domains in vdoms
match from any for domain <vdoms> action deliver

# Allow authenticated users to send emails
match from auth for any action send

# Allow local net (on vlan 4) to send email
match from src xxxx:xxxx:xxxx::/48 for any action send
match from src 10.0.0.0/8 for any action send

relaycreds

Be sure to set permission correctly on this file.

mypassword is in clear

kuon myusername:mypassword

creds

IMAP and SMTP credentials.

Generate password with smtpctl encrypt

kuon:$2b$09$12345678123456781234567812345678123567812345678123456

vdoms

Accept email for the following domains.

kuon.org

vusers

This redirects everything to my user account.

@ kuon

IMAP

For IMAP, install dovecot:

pkg_add dovecot
pkg_add dovecot-pigeonhole

This installs dovecot and sieve filtering.

Be sure to update /etc/login.conf to allow more file descriptor to dovecot:

add:

dovecot:\
  :openfiles=5000:\
  :tc=daemon:

The put dovecot in this class:

usermod -L dovecot _dovecot

Then, the package installs a lot of configuration files in /etc/dovecot, you don't need all that, just create/replace /etc/dovecot/dovecot.conf

# Select where you store emails
mail_home=/srv/mail/%Lu
mail_location=sdbox:~/Mail

protocols = imap lmtp sieve

protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

service lmtp {
  user = vmail
  unix_listener lmtp {
    mode = 0666
  }
}

service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
  vsz_limit = 128M
}

service managesieve {
  process_limit = 1024
}

passdb {
  driver = passwd-file
  args = username_format=%n /etc/mail/creds
}

userdb {
  driver = static
  args = uid=vmail gid=vmail
}

ssl=yes
ssl_cert=</etc/letsencrypt/live/mx.kuon.org/fullchain.pem
ssl_key=</etc/letsencrypt/live/mx.kuon.org/privkey.pem

namespace {
  inbox = yes
  separator = /
}

plugin {
  sieve = /srv/mail/%Lu/rules.sieve
}

This is quite self explanatory, what is important is that this enables the manage sieve server which allows users to upload sieve filters with their IMAP credentials.

References

I based a lof of the config on the following excellent article that I recommend you to read as well.

If you wish to comment or discuss this post, just mention me on Bluesky or email me.