OpenSMTPd Quest: 2 – TLS and Postmaster/Webmaster Aliases Returns

#OpenSMTPdDiary

This version of the OpenSMTPd setup adds TLS authentication and user aliases for postmaster, webmaster, and security. With it, an encrypted connection with PKI authentication is possible, NOT GUARANTEED, and the administrator can receive email from external sources at addresses like "postmaster@domain.com".

Please note that you need a valid PKI certificate for TLS to work. One way to obtain one is to add an HTTP server to your setup, open on ports 80 and 443, then install and configure Let's Encrypt. Once you have a web server for Let's Encrypt to talk to, you can point OpenSMTPd at the resulting certificate and key through the config below. Be aware that this setup still has no spam filtering, nor any of the additional security that would be necessary for production, or really any public, servers.

To add or change user aliases (which is not the same thing as virtual users, to be added later), edit /etc/mail/aliases, make the changes, then convert the aliases file to aliases.db. On OpenBSD: doas makemap /etc/mail/aliases

Here's an overview of what's in aliases; "adminuser" should be swapped for your account:

#
#   $OpenBSD: aliases,v 1.67 2019/01/26 10:58:05 florian Exp $
#
#   Aliases in this file will NOT be expanded in the header from
#   Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
#
#   >>>>>>>>>>  The program "newaliases" must be run after
#   >> NOTE >>  this file is updated for any changes to
#   >>>>>>>>>>  show through to smtpd.
#

# Basic system aliases -- these MUST be present
#MAILER-DAEMON: postmaster
postmaster: adminuser

# General redirections for important pseudo accounts
daemon: root
ftp-bugs: root
operator: root
www: root

# Redirections for pseudo accounts that should not receive mail
_bgpd: /dev/null
_dhcp: /dev/null
_dpb: /dev/null
_dvmrpd: /dev/null
_eigrpd: /dev/null
_file: /dev/null
_fingerd: /dev/null
_ftp: /dev/null
_hostapd: /dev/null
_identd: /dev/null
_iked: /dev/null
_isakmpd: /dev/null
_iscsid: /dev/null
_ldapd: /dev/null
_ldpd: /dev/null
_mopd: /dev/null
_nsd: /dev/null
_ntp: /dev/null
_ospfd: /dev/null
_ospf6d: /dev/null
_pbuild: /dev/null
_pfetch: /dev/null
_pflogd: /dev/null
_ping: /dev/null
_pkgfetch: /dev/null
_pkguntar: /dev/null
_portmap: /dev/null
_ppp: /dev/null
_rad: /dev/null
_radiusd: /dev/null
_rbootd: /dev/null
_relayd: /dev/null
_rebound: /dev/null
_ripd: /dev/null
_rstatd: /dev/null
_rusersd: /dev/null
_rwalld: /dev/null
_smtpd: /dev/null
_smtpq: /dev/null
_sndio: /dev/null
_snmpd: /dev/null
_spamd: /dev/null
_switchd: /dev/null
_syslogd: /dev/null
_tcpdump: /dev/null
_traceroute: /dev/null
_tftpd: /dev/null
_unbound: /dev/null
_unwind: /dev/null
_vmd: /dev/null
_x11: /dev/null
_ypldap: /dev/null
bin: /dev/null
build: /dev/null
nobody: /dev/null
_tftp_proxy: /dev/null
_ftp_proxy: /dev/null
_sndiop: /dev/null
_syspatch: /dev/null
_slaacd: /dev/null
sshd: /dev/null

# Well-known aliases -- these should be filled in!
root: root
# manager:
# dumper:

# RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
abuse: adminuser
# noc: root
security: adminuser

# RFC 2142: SUPPORT MAILBOX NAMES FOR SPECIFIC INTERNET SERVICES
hostmaster: adminuser
# usenet: root
# news: usenet
webmaster: adminuser
# ftp: root
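Before running makemap and exposing the server, it helps to see where each alias actually lands: a chain like daemon -> root, a /dev/null discard, or a loop that would never terminate. The following resolver for the aliases(5) format is an added example and not code from the post or from OpenSMTPd itself; the sample text is a constructed excerpt of the file above, and the "staff" and "loop-*" entries are hypothetical additions used only to exercise multi-target and loop handling.

```python
# Added example (not from the post): parse the aliases(5) format shown
# above and follow alias chains to their final recipients.

# Constructed excerpt of /etc/mail/aliases; "staff" and "loop-*" are
# hypothetical entries that exercise multi-target and loop handling.
SAMPLE_ALIASES = """\
# Basic system aliases -- these MUST be present
#MAILER-DAEMON: postmaster
postmaster: adminuser

# General redirections for important pseudo accounts
daemon: root
www: root

# Redirections for pseudo accounts that should not receive mail
_smtpd: /dev/null
sshd: /dev/null

# Well-known aliases -- these should be filled in!
root: root
abuse: adminuser
security: adminuser
hostmaster: adminuser
webmaster: adminuser
staff: adminuser, root
loop-a: loop-b
loop-b: loop-a
"""

# Names the file itself marks as required or as RFC 2142 well-known boxes.
REQUIRED = ("postmaster", "abuse", "security", "hostmaster", "webmaster")


def parse_aliases(text):
    """Return {name: [targets]} from aliases(5)-style text.

    Blank lines and lines starting with '#' are skipped, which is why the
    commented '#MAILER-DAEMON: postmaster' line creates no alias.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rhs = line.partition(":")
        if not sep:
            continue  # not a "name: target" line
        targets = [t.strip() for t in rhs.split(",") if t.strip()]
        table[name.strip()] = targets
    return table


def resolve(table, address, _seen=frozenset()):
    """Follow alias chains to the final recipients.

    Returns a sorted list; '/dev/null' in it means delivery is discarded.
    A chain that revisits a name raises ValueError instead of looping.
    """
    if address in _seen:
        raise ValueError("alias loop involving " + address)
    if address not in table:
        return [address]  # a real local account: deliver as-is
    seen = _seen | {address}
    final = set()
    for target in table[address]:
        if target == "/dev/null" or target == address:
            final.add(target)  # discard, or self-terminating like "root: root"
        else:
            final.update(resolve(table, target, seen))
    return sorted(final)


def missing_required(table):
    """Required/well-known names that are absent or silently discarded."""
    return [n for n in REQUIRED
            if not table.get(n) or table[n] == ["/dev/null"]]


if __name__ == "__main__":
    table = parse_aliases(SAMPLE_ALIASES)
    for who in ("postmaster", "webmaster", "daemon", "_smtpd", "staff"):
        print(f"{who:>12} -> {', '.join(resolve(table, who))}")
    print("missing:", missing_required(table) or "none")
```

Pointing parse_aliases at your real /etc/mail/aliases and calling missing_required on the result is a quick way to confirm that postmaster, abuse and the other RFC 2142 boxes still reach a human after an edit, rather than a /dev/null entry that was copied one line too far.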

Now, here's what's in opensmtpd.conf.local:

##### Aliases #####
ext_if = "fxp0"
table aliases db:/etc/mail/aliases.db

##### PKI ######
pki your.hostname.com key "/etc/letsencrypt/live/your.hostname.com/privkey.pem"
pki your.hostname.com cert "/etc/letsencrypt/live/your.hostname.com/fullchain.pem"

##### Basic Functions #####
# Port 25: TLS is offered but not required, so encryption here is opportunistic.
listen on $ext_if tls pki your.hostname.com auth-optional
listen on $ext_if smtps pki your.hostname.com auth
# The pki name must match the one defined in the PKI section above.
listen on $ext_if port submission tls-require pki your.hostname.com
# "alias <aliases>" ties local delivery to the aliases table defined at the top.
action "local" maildir alias <aliases>

##### Matching rules required for anything to happen ######
match from any for local action "local"

##### More complex rules for relay control options ######
smtp max-message-size 50M
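A config in this style has several cross-references that are easy to get wrong when placeholders are swapped in: every pki name on a listen line needs a matching key and cert definition, alias tables and actions must exist before they are referenced, and a listener should not offer auth over a connection that is not TLS. The checker below is an added example, not code from the post or from OpenSMTPd; it works on a constructed sample in the same style as the listing above, in which the submission listener deliberately names a pki entry that is never defined. It does not replace smtpd's own parser (smtpd -n), but it catches the mismatches before you restart the daemon.

```python
import shlex

# Added example (not from the post): a consistency check for the
# smtpd.conf listing above. Constructed sample in the same style; the
# submission listener deliberately names a pki entry that is never defined.
SAMPLE_CONF = '''
ext_if = "fxp0"
table aliases db:/etc/mail/aliases.db
pki your.hostname.com key "/etc/letsencrypt/live/your.hostname.com/privkey.pem"
pki your.hostname.com cert "/etc/letsencrypt/live/your.hostname.com/fullchain.pem"
listen on $ext_if tls pki your.hostname.com auth-optional
listen on $ext_if smtps pki your.hostname.com auth
listen on $ext_if port submission tls-require pki yourdomain.com
action "local" maildir alias <aliases>
match from any for local action "local"
smtp max-message-size 50M
'''


def lint_smtpd_conf(text):
    """Return a list of problems: pki names used without key+cert, undefined
    macros, auth offered on a listener with no TLS keyword, alias tables and
    actions that are referenced but never defined."""
    pki, tables, actions, macros = {}, set(), {}, {}
    listeners, matches = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        tok = shlex.split(line)               # handles the quoted strings
        if len(tok) >= 3 and tok[1] == "=":
            macros[tok[0]] = tok[2]           # ext_if = "fxp0"
        elif tok[0] == "pki" and len(tok) >= 4:
            pki.setdefault(tok[1], set()).add(tok[2])   # "key" or "cert"
        elif tok[0] == "table" and len(tok) >= 2:
            tables.add(tok[1])
        elif tok[0] == "listen":
            listeners.append(tok)
        elif tok[0] == "action" and len(tok) >= 2:
            actions[tok[1]] = tok
        elif tok[0] == "match":
            matches.append(tok)

    problems = []
    for tok in listeners:
        opts = set(tok)
        if "pki" in tok and tok.index("pki") + 1 < len(tok):
            name = tok[tok.index("pki") + 1]
            if pki.get(name) != {"key", "cert"}:
                problems.append(f"listener uses pki '{name}' without key+cert")
        if opts & {"auth", "auth-optional"} and not opts & {"tls", "tls-require", "smtps"}:
            problems.append("listener offers auth without TLS: " + " ".join(tok))
        for t in tok:
            if t.startswith("$") and t[1:] not in macros:
                problems.append(f"undefined macro {t}")
    for tok in actions.values():
        if "alias" in tok:
            i = tok.index("alias") + 1
            if i >= len(tok):
                problems.append(f"action '{tok[1]}': alias keyword without a table")
            elif tok[i].strip("<>") not in tables:
                problems.append(f"action '{tok[1]}': unknown alias table {tok[i]}")
    for tok in matches:
        if "action" in tok:
            i = tok.index("action") + 1
            if i >= len(tok) or tok[i] not in actions:
                problems.append("match rule references undefined action")
    return problems


if __name__ == "__main__":
    for problem in lint_smtpd_conf(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```

Run against the sample it reports exactly one problem, the undefined pki name on the submission listener; fix that line and the report is empty. The "alias keyword without a table" check is there because the table reference is written as <aliases>, which looks like an HTML tag and is easily lost when a config is pasted through a web page.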