OpenSMTPD makes mail server configuration easy
Scrutinized
Mail Delivery
A line in smtpd.conf allows email to leave the separate MTA for moritz@example.com:
accept from local for any relay
From now on, OpenSMTPD delivers outgoing email directly to the mail server responsible for the recipient's domain (looked up through its MX record). If you do not have a fixed IP address, however, you will probably not like this mechanism: most receiving mail servers consult DNS blacklists that cover dynamic IP ranges and refuse or downgrade mail from them. In the best case, the email ends up in the recipient's spam folder; often it is rejected outright.
A mail server hosted by your provider offers a way out: an SMTP smart host, as Sendmail calls it. OpenSMTPD can use one just as easily:
accept from local for any relay via secure+auth://provider@mail.provider.com:25 auth <authtable>
The label before the @ in the relay URL is again a lookup key: a second table, following the same pattern as before, maps it to the credentials that OpenSMTPD presents to the smart host via SMTP AUTH:
provider Username:Password
Here provider is the label used in the accept rule; Username and Password follow in plain text [3], which is unfortunate from a security perspective. Anyone who can read this file can send mail through the provider in your name, so choose a password for the relay account that is not used anywhere else, and set the permissions on the table file so that as few accounts as possible, ideally only root, can read it.
On the LAN
If your mail server serves a large number of clients, you will typically want to allow all local IPs to send externally. This can be done either with a table, as before [3], or directly:
accept from source 10.0.0.0/24 for any relay
Relaying can also be selected on the basis of the sender address if several email addresses are managed through the local server. Placeholders work here too: a sender value of '@mail.com' would route every message whose sender address belongs to the mail.com domain through the mail.com server, whereas Listing 4 matches two individual addresses. In either case, keep the source restriction in place: the sender address is whatever the client puts in MAIL FROM, so a rule that checks only the sender would let any host on the Internet relay through you by forging it, creating a partially open relay.
Listing 4
Relaying with Multiple Addresses
accept from source 10.0.0.0/24 sender 'max.muster@web.com' for any relay via tls+auth://web@smtp.mail.com
accept from source 10.0.0.0/24 sender 'max.muster@gmail.com' for any relay via tls+auth://gmail@mail.google.com
A Modicum of Protection
OpenSMTPD aims to provide more security than its competitors. One measure toward this is encrypting the mail queue on disk:
queue encryption key [Key]
OpenSSL generates the required 16-byte key, written as 32 hexadecimal characters, with:
openssl rand -hex 16
Of course, a plain text key in a configuration file that root can read is not ideal from a security standpoint: any attacker who has already escalated to root can read the key and decrypt the queue. What the key does protect against is casual snooping by curious local users, queue directories whose permissions were set too loosely, and queue files that end up in backups or on a discarded disk. The queue can also be compressed with
queue compression
Compression is applied before encryption. It saves disk space and does not weaken the encryption as long as the key stays protected, but it adds little protection of its own, so it is no substitute for the key. Finally,
max-message-size 20M
caps the size of messages the server accepts (20MB here); larger messages are rejected during the SMTP dialogue instead of filling the queue.
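As an added example (my own code, not from the article or from the OpenSMTPD project), the following Python script checks an smtpd.conf written in the accept/reject grammar used in this article for the pitfalls discussed above: rules that create an open or partially open relay by combining from any with for any relay (a sender clause alone does not help, because MAIL FROM is chosen by the client), a relay URL with an unencrypted scheme that would expose the smart-host credentials, and a queue encryption key that is not the 16 hex-encoded bytes the openssl command produces. It also shows the permission check for the credentials table. The sample configuration, the host names and the table path in it are constructed for the demonstration. Note that OpenSMTPD 6.4 and later replaced this grammar with match/action rules, so the checker applies to configurations like the ones shown here.

```python
"""Lint an OpenSMTPD smtpd.conf written in the accept/reject grammar used by
releases before 6.4 for the relay and key mistakes discussed in the article.
Added example; not part of OpenSMTPD."""
import os
import re
import shlex
import stat
import tempfile

# Constructed sample configuration (not from the article): a safe smart-host
# rule, a safe LAN rule, a partially open relay, a fully open relay, an
# unencrypted relay, and a queue key that is too short.
SAMPLE_CONF = """
queue encryption key deadbeef
table authtable file:/etc/mail/secrets
accept from local for any relay via secure+auth://provider@mail.provider.com:25 auth <authtable>
accept from source 10.0.0.0/24 sender '@mail.com' for any relay via tls+auth://web@smtp.mail.com auth <authtable>
accept from any sender '@mail.com' for any relay via tls+auth://web@smtp.mail.com auth <authtable>
accept from any for any relay
accept from source 10.0.0.0/24 for any relay via smtp://relay.example.net
"""

# URL schemes of the old grammar that encrypt the session to the relay host.
ENCRYPTED_SCHEMES = ("tls", "ssl", "secure", "smtps")


def parse_accept(line):
    """Split one accept rule into its clauses.  The source defaults to
    'local' when the rule has no 'from' clause."""
    toks = shlex.split(line)  # also strips the quotes around sender addresses
    rule = {"source": "local", "sender": None, "dest": None,
            "relay": False, "via": None, "auth": False}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "from":
            if toks[i + 1] == "source":
                rule["source"], i = toks[i + 2], i + 3
            else:
                rule["source"], i = toks[i + 1], i + 2
        elif t == "sender":
            rule["sender"], i = toks[i + 1], i + 2
        elif t == "for":
            rule["dest"], i = toks[i + 1], i + 2
        elif t == "via":
            rule["via"], i = toks[i + 1], i + 2
        elif t == "auth":
            rule["auth"], i = True, i + 2  # skip the <table> name
        elif t == "relay":
            rule["relay"], i = True, i + 1
        else:
            i += 1
    return rule


def check_rule(rule):
    """Findings for one parsed accept rule."""
    found = []
    if rule["relay"] and rule["dest"] == "any" and rule["source"] == "any":
        if rule["sender"] is None:
            found.append("open relay: any source may relay to any destination")
        else:
            found.append("partially open relay: only the forgeable MAIL FROM "
                         "address restricts who may relay")
    if rule["via"]:
        scheme = rule["via"].partition("://")[0]
        if scheme.split("+")[0] not in ENCRYPTED_SCHEMES:
            found.append(f"relay via {scheme}:// is unencrypted")
            if rule["auth"]:
                found.append("smart-host credentials would cross the wire in the clear")
    return found


def check_queue_key(conf_text):
    """Accept only the 16 random bytes (32 hex digits) that
    'openssl rand -hex 16' produces; flag anything else."""
    m = re.search(r"^\s*queue encryption key\s+(\S+)", conf_text, re.M)
    if m is None:
        return "queue encryption is not enabled"
    if not re.fullmatch(r"[0-9a-fA-F]{32}", m.group(1)):
        return "queue key is not 16 hex-encoded bytes (use: openssl rand -hex 16)"
    return None


def secrets_table_exposed(path):
    """True if group or others have any access to the credentials table."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_table_perms():
    """Write a throwaway credentials table, show it exposed at 0644 and
    fixed at 0600.  Returns (exposed_before, exposed_after)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"provider Username:Password\n")
        os.close(fd)
        os.chmod(path, 0o644)
        before = secrets_table_exposed(path)
        os.chmod(path, 0o600)
        after = secrets_table_exposed(path)
    finally:
        os.unlink(path)
    return before, after


def lint(conf_text):
    """Return (line_number, finding) pairs; line 0 is the queue key check."""
    out = []
    key_finding = check_queue_key(conf_text)
    if key_finding:
        out.append((0, key_finding))
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.strip().startswith("accept"):
            for f in check_rule(parse_accept(line.strip())):
                out.append((n, f))
    return out


if __name__ == "__main__":
    for n, f in lint(SAMPLE_CONF):
        print(f"line {n}: {f}")
    print("table exposed before/after chmod 600:", demo_table_perms())
```

Run smtpd -n on the file first to catch syntax errors; this lint only looks for the semantic mistakes that a syntactically valid configuration can still contain. The source check is deliberately strict: a sender clause is treated as no restriction at all, because a client can put any address into MAIL FROM.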