The Missing Bit

Configuring a Mail server on OpenBSD

mail openbsd

As certainly many of us do, I use email a lot.

Currently I am using fastmail, it works quite well, but I have a few issues:

In this post, I'll share how I configured my own IMAP server.

This is part one of two, which focuses on IMAP.

First, to make the transition gradual, I'm going to buy a random domain and configure a redirection within fastmail.

I'm going to use my site that has no setup for email yet.

The plan is to use domain for testing. When everything works, I will set up fastmail to send a copy to my email; then, after a few weeks, I'll change the MX.

So the (temporary) configuration will be: -> fastmail -> redirect to -> mail server

While in this setup, there will be no spam filter running on the server, as we will rely on fastmail's spam filter.

MX and DNS

Set up your MX record (which must not be a CNAME). If you want to use SMTP delivery directly without a relay, you need a reverse DNS record.


The first thing is to create an SSL certificate for SMTP and IMAP.

I use Let's Encrypt's certbot with DNS validation, which gives me an easy way to get my certificate. But your mileage may vary.

On OpenBSD, the rfc2136 plugin is not in ports, but it can be installed with pip after installing certbot.

# pkg_add certbot
# pip install certbot-dns-rfc2136

This lets me generate certificates easily for, I am going to use this for everything, but you might prefer using


For SMTP, we will use OpenSMTPD from OpenBSD. It is a small, easy-to-configure, and stable SMTP server.

There will be three types of connection to the SMTP server:

  1. Any SMTP server on the internet sending email to
  2. Authenticated users using SMTP as relay (for example me with my phone when I am outside)
  3. Internal clients sending emails (for notifications, for example)

Connections of types 2 and 3 can send email to any address, while type 1 can only send to local domains.

Here is the commented SMTP config:

# Let's encrypt keypair, be sure to set permission for the _smtpd user/group
pki keypair cert           "/etc/letsencrypt/live/"
pki keypair key            "/etc/letsencrypt/live/"

table relaycreds               file:/etc/mail/relaycreds
table creds                    file:/etc/mail/creds
table vdoms                    file:/etc/mail/vdoms
table vusers                   file:/etc/mail/vusers

# This is the internal listener on port 25. It is an open relay for my internal
# servers; this is a private network, so I do not need encryption
listen on vlan4
# Outside listener on port 25
listen on vlan10 tls pki keypair
# Both of the following listeners require authentication
# SMTPS sending port
listen on vlan10 port 465 smtps pki keypair auth <creds>
# SMTP + STARTTLS sending port
listen on vlan10 port 587 tls-require pki keypair auth <creds>

# Action to deliver email to IMAP
action deliver lmtp "/var/dovecot/lmtp" virtual <vusers>

# For now, we will use fastmail SMTP, as SMTP without relay requires a reverse
# DNS record that I do not have yet
action send relay host "smtps://" auth <relaycreds>

# Deliver local emails, this will deliver everything to user kuon because of
# catch all in vusers
match from local for local action deliver

# Accept email for domains in vdoms
match from any for domain <vdoms> action deliver

# Allow authenticated users to send emails
match from auth for any action send

# Allow local net (on vlan 4) to send email
match from src xxxx:xxxx:xxxx::/48 for any action send
match from src for any action send
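
To see which of the three connection types each rule serves, the `match` lines above can be evaluated in order: the first match wins, and a session that matches nothing is rejected. The Python model below is an added example, not code from the original post or from OpenSMTPD; the domains and the /48 prefix are constructed placeholders, and `from local` is simplified to loopback or the local socket.

```python
import ipaddress

# Constructed placeholders: the post does not show its real domains or prefixes.
VDOMS = {"example.org"}                               # entries of /etc/mail/vdoms
LOCAL_DOMAINS = {"localhost", "mail.example.org"}     # what "for local" covers
INTERNAL_NETS = [ipaddress.ip_network("2001:db8:4::/48")]  # the vlan4 network


def decide(src, authenticated, rcpt_domain):
    """Return the action of the first matching rule, or "reject".

    src is the peer address as a string, or None for the local socket.
    """
    domain = rcpt_domain.lower()
    addr = ipaddress.ip_address(src) if src is not None else None
    from_local = addr is None or addr.is_loopback   # simplification of "from local"
    from_internal = addr is not None and any(addr in net for net in INTERNAL_NETS)
    rules = [
        # match from local for local action deliver
        (from_local and domain in LOCAL_DOMAINS, "deliver"),
        # match from any for domain <vdoms> action deliver
        (domain in VDOMS, "deliver"),
        # match from auth for any action send
        (authenticated, "send"),
        # match from src <internal prefix> for any action send
        (from_internal, "send"),
    ]
    for matched, action in rules:
        if matched:
            return action
    return "reject"   # no rule matched: smtpd refuses the recipient


# Constructed sessions: (description, src, authenticated, recipient domain)
SESSIONS = [
    ("internet MTA to hosted domain", "203.0.113.7", False, "example.org"),
    ("internet MTA to foreign domain", "203.0.113.7", False, "elsewhere.example"),
    ("authenticated phone to foreign domain", "203.0.113.7", True, "elsewhere.example"),
    ("internal server to foreign domain", "2001:db8:4::25", False, "elsewhere.example"),
]

if __name__ == "__main__":
    for label, src, authed, domain in SESSIONS:
        print(f"{label:40} -> {decide(src, authed, domain)}")
```

The second session is the open-relay check: an unauthenticated outside host addressing a domain that is not in `vdoms` must come back as `reject`.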


Be sure to set permissions correctly on this file.

mypassword is stored in clear text.

kuon myusername:mypassword


IMAP and SMTP credentials.

Generate the password with smtpctl encrypt.
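
A quick audit of the two credential tables, as an added example that is not part of the original post: it flags a file that other users can access and, for the table that should hold `smtpctl encrypt` output, any entry whose value does not look like a crypt(3) hash (heuristic: it starts with `$`). The helper name `audit_table` and the accepted `user hash` / `user:hash` layouts are assumptions, since the post does not show the file's contents.

```python
import os
import re
import stat


def audit_table(path, hashed):
    """Return a list of findings for one credentials table.

    hashed=True  -> values must look like crypt(3) output (smtpctl encrypt).
    hashed=False -> clear-text values are expected (relay credentials),
                    so only the file mode is checked.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        findings.append(f"{path}: mode {mode:04o} is accessible to other users")
    if not hashed:
        return findings
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # Assumption: key and value are separated by whitespace or a colon.
            fields = re.split(r"[\s:]+", line, maxsplit=1)
            if len(fields) != 2 or not fields[1].startswith("$"):
                findings.append(
                    f"{path}:{lineno}: entry for {fields[0]!r} is not a crypt(3) hash"
                )
    return findings


if __name__ == "__main__":
    # Paths taken from the smtpd configuration above.
    for path, hashed in (("/etc/mail/relaycreds", False), ("/etc/mail/creds", True)):
        for finding in audit_table(path, hashed):
            print(finding)
```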



Accept email for the following domains.


This redirects everything to my user account.

@ kuon


For IMAP, install dovecot:

pkg_add dovecot
pkg_add dovecot-pigeonhole

This installs dovecot and sieve filtering.

Be sure to update /etc/login.conf to allow more file descriptors for dovecot:



Then put dovecot in this class:

usermod -L dovecot _dovecot

The package installs a lot of configuration files in /etc/dovecot. You don't need all of that; just create or replace /etc/dovecot/dovecot.conf:

# Select where you store emails

protocols = imap lmtp sieve

protocol lmtp {
  mail_plugins = $mail_plugins sieve
}

service lmtp {
  user = vmail
  unix_listener lmtp {
    # 0666 lets any local account connect to this socket
    mode = 0666
  }
}

service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  service_count = 1
  vsz_limit = 128M
}

service managesieve {
  process_limit = 1024
}

passdb {
  driver = passwd-file
  args = username_format=%n /etc/mail/creds
}

userdb {
  driver = static
  args = uid=vmail gid=vmail
}


namespace {
  inbox = yes
  separator = /
}

plugin {
  sieve = /srv/mail/%Lu/rules.sieve
}

This is quite self-explanatory. What is important is that it enables the ManageSieve server, which allows users to upload sieve filters with their IMAP credentials.


I based a lot of the config on the following excellent article, which I recommend you read as well.

If you wish to comment or discuss this post, just mention me on Bluesky or email me.