Skip to content

Instantly share code, notes, and snippets.

@gretel
Last active August 31, 2022 10:53
Show Gist options
  • Save gretel/cfebc1ac2ad7f3631f8a364ce98d5465 to your computer and use it in GitHub Desktop.
Save gretel/cfebc1ac2ad7f3631f8a364ce98d5465 to your computer and use it in GitHub Desktop.
low bs openbsd mail server configuration
# $OpenBSD: smtpd.conf,v 1.9 2016/05/03 18:43:45 jung Exp $
# tables
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains
table passwd file:/etc/mail/passwd
table secrets file:/etc/mail/secrets
table deny db:/etc/mail/deny.db
table receip db:/etc/mail/receip.db
table sender db:/etc/mail/sender.db
# tls
pki mail.biatch.host cert "/etc/letsencrypt/live/crapass.biatch.host/fullchain.pem"
pki mail.biatch.host key "/etc/letsencrypt/live/crapass.biatch.host/privkey.pem"
pki mail.biatch.host dhe auto
# options
smtp max-message-size 50M
queue encryption "HYO41yg7gVFUQOFFLig3tQEPwNvln0OY"
queue compression
filter "no_rdns" phase mail-from match !rdns reject "550 go away"
filter "no_fcrdns" phase mail-from match !fcrdns reject "550 go away"
filter "dnsbl" proc-exec "filter-dnsbl"
filter nazi_mode chain { no_rdns, no_fcrdns, dnsbl }
# listeners
listen on lo0 hostname "mail.biatch.host" filter "nazi_mode" tls tag IN_SMTP
listen on lo0 hostname "mail.biatch.host" smtps auth <passwd> received-auth tag IN_SMTPS
listen on lo0 hostname "mail.biatch.host" port submission tls-require auth <passwd> mask-src received-auth tag IN_SBMSSN
# inbound
action "lmtp-local" maildir alias <aliases>
action "lmtp-virtual" maildir virtual <receip>
# outbound
action "relay" relay host "smtp+tls://mail-spoofer@email-smtp.eu-west-1.amazonaws.com" auth <secrets> helo "mail.biatch.host"
# blacklist
match for any from any mail-from <deny> reject
# local-local
match from local for local action "lmtp-local"
# internet-auth-local
match auth from any for domain <domains> action "lmtp-virtual"
# internet-receip-local
match from any for any rcpt-to <receip> action "lmtp-virtual"
# local-auth-internet
match auth from any ! for domain <domains> action "relay"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment