-
Notifications
You must be signed in to change notification settings - Fork 0
/
smtpd.conf
65 lines (54 loc) · 3.12 KB
/
smtpd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# Use Let's encrypt's certificate for this server's hostname.
pki <server_hostname.com> cert "/etc/letsencrypt/live/<server_hostname.com>/fullchain.pem"
pki <server_hostname.com> key "/etc/letsencrypt/live/<server_hostname.com>/privkey.pem"
# Define filters.
# Reject emails from IP addresses without a domain associated.
# This blocks most spam without blocking legitimate emails.
filter check-rdns phase connect match !rdns disconnect "550 no rDNS"
# Reject emails from IP addresses that don't match the IP address of their
# associated domain (forward-confirmed reverse DNS). This is less useful.
filter check-fcrdns phase connect match !fcrdns disconnect "550 no FCrDNS"
# Do DKIM signing.
filter dkimsign proc-exec "filter-dkimsign -d <sender_domain.xyz> -s mail -k /etc/dkim_private.key"
# Or with rspamd:
# filter dkimsign proc-exec filter-rspamd
# Listen on port 25 so we can receive emails.
listen on 0.0.0.0 tls pki <server_hostname.com> filter { check-rdns, check-fcrdns }
listen on :: tls pki <server_hostname.com> filter { check-rdns, check-fcrdns }
# Since we have SSH access, we don't even need to setup SMTP credentials;
# we can use a script that SSHs into our email server
# and calls OpenSMTPD's sendmail:
# #!/bin/bash
# ssh root@<server_hostname.com> sendmail ${*/\~/\\~}
# (this prevents home directory expansion with sourcehut addresses)
# Then it can be used by multiple programs, like mutt and git send-email,
# and in arbitrary scripts,
# without configuring the SMTP credentials multiple times,
# and without storing another password.
# OpenSMTPD's sendmail connects to OpenSMTPD through a socket,
# so we will sign messages from the socket using DKIM.
listen on socket filter dkimsign
# If you do want SMTP authentication, use this instead:
# listen on 0.0.0.0 port 587 tls-require pki <server_hostname.com> auth { <username> = "<password hash>" } mask-src filter dkimsign
# listen on :: port 587 tls-require pki <server_hostname.com> auth { <username> = "<password hash>" } mask-src filter dkimsign
# The credentials after auth are what you use
# as the SMTP username and password in email clients.
# The username is arbitrary, it doesn't have to be a system user.
# The password hash is generated with smtpctl encrypt.
# mask-src removes your IP address from the Received header.
# Define actions.
# Receive every email as an arbitrary user.
# I use the opensmtpd user so I don't have to create a new one.
# (root doesn't work: https://www.reddit.com/r/freebsd/comments/382ekp/opensmtpd_cant_access_roots_mailbox/)
# This requires running mkdir ~mail/smtpd && chown opensmtpd ~mail/smtpd
action receive maildir "/var/mail/smtpd" virtual { '@' = opensmtpd }
action "relay" relay
# Execute actions when the conditions match.
# Accept emails for our domain.
# If it is different from the hostname and you want to receive emails from cron,
# also add the hostname like so: { domain1, domain2, ... }
match from any for domain { <sender_domain.xyz> } action receive
# Send emails from authenticated users.
# If you chose not to setup SMTP login, you can omit "auth from any",
# and it will default to "from local".
match auth from any for any action "relay"