OpenSMTPD + Dovecot email server

[ ← Back Home ]


Last modified on September 18, 2024

Prerequisites

Ports required: 25, 587, 993

Table of Contents

Installation

For OpenBSD (opensmtpd should be installed by default):

# pkg_add opensmtpd-filter-rspamd rspamd dovecot

For Arch Linux:

# pacman -S opensmtpd opensmtpd-filter-rspamd rspamd dovecot

Prerequisites

Open ports 25 (SMTP), 587 (SMTPS), and 993 (IMAPS). Port 25 will be used for incoming mail, 587 will be used for outgoing mail, and 993 will be used for serving mail to your email clients (e.g. neomutt).

You will also need to generate SSL certificates for your domain. I recommend using acme-client shipped with OpenBSD.

Making yourself credible

Reverse DNS

An rDNS record allows other email servers to match a sender’s IP address with the domain it claims to be. How this is set up depends on how you’re hosting your server. For me, it was a simple phone call to my ISP. A lot of people will say that you need a VPS to self-host email, but this isn’t true if you have an ISP that is willing to add an rDNS record for you.

You can check if you have an rDNS record with

# dig +short -x <public ip>

This should respond with the domain name of you email server. e.g.

# dig +short -x 95.217.236.249
lists.archlinux.org.

DKIM (Domain Keys Identified Mail)

See the Rspamd manual on DKIM signing

To get a keypair run the following command. For the selector I recommend putting dkim.

# rspamadm dkim_keygen -s '<selector>' -d <domain> -t ed25519 -k /etc/mail/dkim/<domain>.key

It should output something like this

<selector>._domainkey IN TXT ( "v=DKIM1; k=ed25519;"
        "p=ml82zTjl3EGAAwjpHezOeZQHzaDrxi64/jFfA+kdY2E=" ) ;

You’ll need to copy that to a TXT record on your DNS. The TXT record in the output is weirdly formatted. It should really look like this:

v=DKIM1; k=ed25519; p=<key>

You can inspect what other people’s keys look like by running

# dig +short TXT <selector>._domainkey.<domain>

e.g.

# dig +short TXT dkim._domainkey.zacoons.com
"v=DKIM1; k=ed25519; p=ZD6c3x5YiLDljo0xsP5LAs5IbONeziS+NpcZlOA1800="

WARNING: If you don’t want to be on the cutting edge, then use a good ol’ RSA key (see Rspamd manual above). Ed25519 keys are not widely supported in software, making it inadvisable to exclusively use them in a production environment, as it may result in rejected emails. If you choose to use Ed25519 keys, it is recommended to pair them with an RSA key, providing a fallback option in case a recipient domain is unable to parse Ed25519 keys or signatures.

SPF (Sender Policy Framework)

SPF records are designed to prevent forgery. They allow you to specify rules about how emails can be sent from your domain. For my server I have the following policy:

v=spf a -all

This will check that the sender’s IP address matches an A record for zacoons.com. Otherwise it will reject all mail from my domain.

Read about SPF here. You can see what others do by running

# dig +short TXT <domain>

e.g.

# dig +short TXT lists.archlinux.org
"v=spf1 ip4:95.217.236.249 ip6:2a01:4f9:c010:9eb4::1 ~all"

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC records tell other email servers how to treat emails from your domain if they fail validations such as DKIM and SPF. For my server I have the following policy:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@zacoons.com

This will cause the other server to quarantine emails from a domain which fails validation, and it will send a report to dmarc-reports@zacoons.com.

Read about DMARC here. You can see what others do by running

# dig +short TXT _dmarc.<domain>

e.g.

# dig +short TXT _dmarc.denshi.org
"v=DMARC1; p=reject; rua=mailto:dmarc@denshi.org; fo=1"

Configuration

OpenSMTPD

# /etc/mail/smtpd.conf

pki example.com cert "/etc/ssl/example.com.fullchain.pem"
pki example.com key "/etc/ssl/private/example.com.key"

table passwd file:/etc/mail/passwd
table aliases file:/etc/mail/aliases
table virtuals file:/etc/mail/virtuals

filter rspamd proc-exec "filter-rspamd"

# --- listeners ---

listen on lo

# inbound
# you may need to change `bse0` to another interface. run `ifconfig` to see what the relevant network interface is called on your computer
# this requires connecting servers to establish a TLS connection and they must have a valid SSL certificate
# it also applies Rspamd filters
listen on bse0 \
        tls-require verify pki example.com \
        filter rspamd

# outbound
# this listener requires authentication, making it only valid for sending outbound mail
# rspamd must be applied so that it can DKIM sign your mail
listen on bse0 port 587 \
        tls-require pki example.com auth <passwd> \
        filter rspamd

# --- actions and matchers ---

action local_mail maildir alias <aliases>
action remote_mail lmtp "/var/dovecot/lmtp" rcpt-to
action outbound relay helo example.com

# inbound
match from local for local action local_mail
match from any for domain example.com action remote_mail
# outbound
match from local for any action outbound
# requires auth for a remote connection to send mail
match from any auth for any action outbound

See man smtpd.conf for more information. There is also a section below which provides links to other email server guides.

The aliases file should already exist, but you’ll need to create /etc/mail/passwd and populate it like so:

billy@example.com:$2b$08$ynb94C/pvvrZ./BCjtVPwOcTnOBILHM7ifsCk6Oce/GUqW08kFxR2
billyette@example.com:$2b$08$rERmMLIRNgo.ab/conrvI.VWB5RpOF3YE4lPi00LtxtCWhAEp7uhS

This follows the format <username>:<encrypted password>.

The encrypted password is generated with

# smtpctl encrypt <password>

It’s not actually encrypted, just salted and hashed. Essentially it jumbles up the password so that it can’t be read, only checked against.

Rspamd

# /etc/rspamd/local.d/dkim_signing.conf

domain {
    example.com {
        path = "/etc/mail/dkim/example.com.key";
        selector = "dkim";
    }
}

Dovecot

Before you do anything, make a backup of the original configuration.

# mv /etc/dovecot/dovecot.conf /etc/dovecot/dovecot.conf.backup
# /etc/dovecot/dovecot.conf

protocols = imap lmtp

ssl = required
ssl_cert = </etc/ssl/example.com.fullchain.pem
ssl_key = </etc/ssl/private/example.com.key

mail_location = maildir:~/Maildir

passdb {
        driver = passwd-file
        args = /etc/mail/passwd
}

userdb {
        driver = static
        args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

service imap-login {
        inet_listener imaps {
                port = 993
                ssl = yes
        }
        # disable imap
        inet_listener imap {
                port = 0
        }
}

namespace {
        inbox = yes
        mailbox "Sent" {
                auto = subscribe
                special_use = \Sent
        }
        mailbox "Drafts" {
                auto = subscribe
                special_use = \Drafts
        }
        mailbox "Trash" {
                auto = subscribe
                special_use = \Trash
        }
}

See Dovecot’s official documentation for more details. You can also refer to one of the links in the final section of this guide.

You’ll need to make a user called vmail

# useradd -d /var/vmail

Conclusion

On OpenBSD run:

# rcctl enable smtpd rspamd dovecot
# rcctl restart smtpd rspamd dovecot

On Arch Linux run:

# systemctl enable smtpd rspamd dovecot
# systemctl restart smtpd rspamd dovecot

Troubleshooting

The log file is at /var/log/maillog.

OpenSMTPD

To check configuration file run smtpd -nv.

To run with extra verbosity, execute the following commands:

# rcctl stop smtpd
# smtpd -dv

This will run the daemon directly in the terminal, where you can watch the output. You can also pass -T <trace> to smtpd for debugging specific issues. See man smtpd for a list of options.

You can use OpenSSL to connect as a client:

# openssl s_client -connect example.com:25 -starttls smtp
helo example.com

The following demonstrates logging in and sending an email:

# echo -ne "\0billy@example.com\0epicpwd" | base64
AGJpbGx5QGV4YW1wbGUuY29tAGVwaWNwd2Q=
# openssl s_client -connect example.com:587 -starttls smtp
helo example.com
auth plain AGJpbGx5QGV4YW1wbGUuY29tAGVwaWNwd2Q=
mail from: <billy@example.com>
rcpt to: <someone@gmail.com>
data
From: billy@example.com
To: someone@gmail.com
Subject: test

Yo
.
QUIT

Dovecot

For extra verbosity in the logs, you can add the following lines to your Dovecot configuration:

auth_verbose = yes
auth_verbose_passwords = yes
auth_debug = yes
auth_debug_passwords = yes
mail_debug = yes
verbose_ssl = yes

Furthermore, the Dovecot website has an excellent manual on testing and troubleshooting. It can be found here.

Other resources

Here are some other guides which you might find useful to cross-reference with this one.