Setting Up Email With OpenSMTPD and Dovecot

By: Grady McKeddie-Owens

Originally Published: 2024-05-06 07:00PM EST

Last Edit: 2024-10-10 01:10PM EST


Setting up email is a frustrating experience for many, especially on lesser known email server software because of a lack of high quality and easily accessible information. This guide is talking about my current setup, the problems with it and some pitfalls you may run into.

Setting Up a Mail Server in Hindsight

If you don't have OpenSMTPD or set up yet, I think the fastest way to get things going is simply by following IRCNow's guide [2] EDIT (2024-10-10): While the guide is still mostly accurate, it is now outdated as opensmtpd-extras has been split into the opensmtpd-table-* packages. Simply install opensmtpd-table-passwd package in place of opensmtpd-extras. Ensure you follow all links that lead to other wiki pages and change the key lengths to 4096 for maximum security.

Because they are awesome and open source, I will include an archive of their page as of 2024-05-06 which is still working as of OpenBSD 7.5. This is just incase it ever goes down.

I used the BYOES [1] guide and if you did also, I recommend you follow along to address potential issues in your configuration if you misconfigured things

BYOES: A flawed guide

Initally while setting up the server, I used BYOES [1]. The guide, although it ended up working, is flawed and using the configuration unmodified will make your SMTP server vulnerable to a number of exploits which are easy to fix. Notable flaws are as follows:

To be completely fair I did not follow the spamd set up so it's entirely possible that some or all of these problems are mitigated by using spamd. In any case if you do not set up spamd, do not use it as a public email server it is not secure.

As far as I can tell, only OpenSMTP is affected but I am learning about new problems as I keep going.

If you choose to follow the BYOES guide and messed things up like I did, there is a lot of helpful fixes in IRCNow's guide [2].

Fixing Your Broken OpenSMTPD Configuration

To make the encryption significantly stronger, it is recommended you run this modifed version of the script recommended in the guide

#!/bin/sh

# MIT License
#
# Copyright (c) 2022 Michael Graves
# 
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# 
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# 
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

KEYLEN=4096

if [ $# -lt 1 ]; then
        echo "specifiy domain"
        exit
fi
if [ -f $1.key ]; then
        echo "$1.key already exists. remove first"
        exit
fi

(umask 337; openssl genrsa -out $1.key $KEYLEN)
openssl rsa -in $1.key -pubout -out $1.pub
group info _dkimsign >/dev/null && chgrp _dkimsign $1.key
echo "add the $1.dns to the zone file"
echo "selector1._domainkey.$1. 3600 IN TXT \"v=DKIM1; k=rsa; p=$(sed -e '1d' -e '$d' $1.pub | tr -d '\n')\"" 

The DNS entry will be incorrect so you will need to copy it manually. "selector1_domainkey.whatever.com" and "v=DKIM1; ..." are the relevant areas to copy

To ensure your configuration isn't used as an open relay you need to replace this

match from any for any relay

with this

match auth from any for any relay

This will ensure that you must be authenticated to exploit the open relay which is significantly better.

To prevent your IP from being leaked it's as simple as adding mask-src in the listen statements.

Finally, if you want to configure your server to prevent anyone with credentials from sending emails as anyone then you will need to refactor much of the configuration from the original guide so that you can use "example@yourdomain.com" to authenticate instead of just using the username "example". You also will need to either modify the dovecot configuration or back up your passwd file and maintain 2 passwd files. This probably isn't needed if you are running a single user mail server and you have a good password.

Challenges and Frustrations Maintaining Your Own Email Server

There are other problems which are frustrating when maintaining your own email server. Notable flaws include:

Not really sure how to resolve the first one apart from asking Gmail and Yahoo users to mark your email as not spam but for preventing spam going into your server you can somewhat mitigate this by configuring spam assassin and using a dkim signatures plugin in your email client.

Overall I would say if you want to just have a cool looking email address, you want to learn or you want your email to be a little bit more private than if it was in the hands of say Google or Microsoft, then maintaining your own email server can be beneficial and is an interesting challenge. If you don't want the hassle or you can't deal with the limitations, there's nothing wrong with buying G-Suite or using Microsoft's Exchange server or something.