Setting up a mail server on OpenBSD 3.6
This is not complete. I intended to polish it up but never quite got around to it. OpenBSD 3.6 is pretty old now so I doubt that I'll make any more improvements to this article.
This howto will detail how to set up the version of sendmail included with OpenBSD 3.6 to accept authentication via CyrusSASL. It also describes how to set up the POP3 server to use SSL/TLS so that users' passwords are not sent in the clear. Finally, to complete the mail server SpamAssassin and Procmail are set up. The howto assumes that both ports and source are installed.
OpenBSD 3.6 includes Sendmail as part of the standard installation. It is set up to allow STARTTLS, which is useful, but it does not include support for any of the AUTH mechanisms - probably because CyrusSASL is required. AUTH is essential if server users will need to send email from arbitrary connections, such as a laptop on a dialup line.
The first stage is to install CyrusSASL from the ports tree:
# cd /usr/ports/security/cyrus-sasl2
# make install clean
Then we need to enable SASL in the sendmail build config and rebuild sendmail:
# echo WANT_SMTPAUTH=yes >> /etc/mk.conf
# cd /usr/src/gnu/usr.sbin/sendmail
# make && make install && make clean
We need to set up Sendmail to use the SASL auth daemon by adding a file called Sendmail.conf (capitalization is important). We also need to create a working directory for SASL and make the daemon start at boot:
# echo pwcheck_method: saslauthd > /usr/local/lib/sasl2/Sendmail.conf
# mkdir /var/sasl2
# vi /etc/rc.local
Somewhere near the bottom of rc.local add the following four lines:
# Saslauthd provides authentication for Sendmail
if [ -x /usr/local/sbin/saslauthd ] ; then
	echo -n ' saslauthd'; /usr/local/sbin/saslauthd -a getpwent
fi
Next we need to configure sendmail. First create a config, then modify /etc/rc.conf so that sendmail uses the new config:
# cd /usr/share/sendmail/cf
# cp openbsd-proto.mc sendmail.mc
# vi sendmail.mc
You will need the following lines in the config:
define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mailhost.example.com.crt.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mailhost.example.com.key.pem')dnl
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A')dnl
FEATURE(local_procmail,`',`procmail -t -Y -a $h -d $u')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
Make and install the new config:
# m4 ../m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf
And finally make it start on boot:
# vi /etc/rc.conf
Find the line which refers to sendmail_flags and change it to:
sendmail_flags="-L sm-mta -bd -q30m"
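With confAUTH_OPTIONS set to `A' alone, as above, sendmail advertises every mechanism in confAUTH_MECHANISMS in its EHLO reply even before STARTTLS, so a client may send PLAIN or LOGIN credentials over an unencrypted connection. The Python script below is an added example, not part of this howto or of sendmail itself. It walks two constructed SMTP transcripts (the hostnames, the account "user" and its password are made up for illustration) and reports which plaintext mechanisms were offered or used before TLS started; the second transcript shows how the dialogue looks when sendmail's `p' option is added to confAUTH_OPTIONS, which withholds mechanisms susceptible to passive attack until a security layer is active.

```python
"""Audit an SMTP dialogue for SASL mechanisms offered or used before TLS.

Added example, not part of the original howto. Both transcripts are
constructed: "C:" lines are what the client sent, "S:" lines what the
server answered.
"""
import base64
import re

# Mechanisms that put the password, or a trivial encoding of it, on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Matches an EHLO capability line such as "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN".
AUTH_CAPABILITY = re.compile(r"^250[- ]AUTH(?:=|\s+)(.+)$")

# Constructed SASL PLAIN initial response for user "user", password "secret".
PLAIN_BLOB = base64.b64encode(b"\0user\0secret").decode("ascii")

# Server configured as in the howto (confAUTH_OPTIONS `A' only): the plaintext
# mechanisms are advertised before STARTTLS and the client uses one in the clear.
WEAK_SESSION = f"""\
S: 220 mailhost.example.com ESMTP ready
C: EHLO laptop.example.net
S: 250-mailhost.example.com Hello laptop.example.net, pleased to meet you
S: 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH PLAIN {PLAIN_BLOB}
S: 235 2.0.0 OK Authenticated
"""

# Same server with confAUTH_OPTIONS `A p': PLAIN and LOGIN only appear after
# STARTTLS. Lines following the 220 reply are what both ends see inside TLS.
HARDENED_SESSION = f"""\
S: 220 mailhost.example.com ESMTP ready
C: EHLO laptop.example.net
S: 250-mailhost.example.com Hello laptop.example.net, pleased to meet you
S: 250-AUTH DIGEST-MD5 CRAM-MD5
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO laptop.example.net
S: 250-mailhost.example.com Hello laptop.example.net, pleased to meet you
S: 250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
S: 250 HELP
C: AUTH PLAIN {PLAIN_BLOB}
S: 235 2.0.0 OK Authenticated
"""


def plain_authcid(blob):
    """Return the authentication identity from a SASL PLAIN response.

    The response is base64 of "authzid NUL authcid NUL password"; anyone who
    can read the TCP stream can do this decode, which is why PLAIN needs TLS.
    The password itself is deliberately not returned.
    """
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN response")
    return parts[1].decode("utf-8")


def audit_session(transcript):
    """Walk the dialogue and report what an eavesdropper could have learnt."""
    tls_active = False
    expect_tls_reply = False
    cleartext_mechs = set()   # plaintext mechanisms advertised before TLS
    cleartext_used = []       # mechanisms the client actually used before TLS
    exposed_logins = []       # authcids recovered from cleartext AUTH PLAIN
    for raw in transcript.splitlines():
        who, _, line = raw.partition(": ")
        words = line.split()
        if who == "C" and words:
            verb = words[0].upper()
            if verb == "STARTTLS":
                expect_tls_reply = True
            elif verb == "AUTH" and len(words) >= 2 and not tls_active:
                mech = words[1].upper()
                cleartext_used.append(mech)
                if mech == "PLAIN" and len(words) >= 3:
                    exposed_logins.append(plain_authcid(words[2]))
        elif who == "S":
            if expect_tls_reply:
                # A 220 reply to STARTTLS means everything after it is encrypted.
                expect_tls_reply = False
                tls_active = line.startswith("220")
                continue
            match = AUTH_CAPABILITY.match(line)
            if match and not tls_active:
                offered = set(match.group(1).upper().split())
                cleartext_mechs |= offered & PLAINTEXT_MECHS
    return {
        "tls_started": tls_active,
        "cleartext_auth_mechs": cleartext_mechs,
        "cleartext_auth_used": cleartext_used,
        "exposed_logins": exposed_logins,
    }


if __name__ == "__main__":
    for name, session in (("weak", WEAK_SESSION), ("hardened", HARDENED_SESSION)):
        print(name, audit_session(session))
```

Run against the first transcript the audit reports LOGIN and PLAIN advertised in the clear and the login name recovered from the AUTH PLAIN line; against the second it reports nothing exposed, because the plaintext mechanisms only appeared after the 220 reply to STARTTLS. DIGEST-MD5 and CRAM-MD5 are left out of PLAINTEXT_MECHS because they are challenge-response mechanisms that do not transmit the password itself.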
We need to install procmail and HTML::Tagset in order to use SpamAssassin; we will also add stunnel while we're at it:
# pkg_add procmail-3.22.tgz p5-HTML-Tagset-3.03.tgz stunnel-4.05.tgz
You will need to download and install the Digest, Digest-SHA1 and HTML-Parser Perl modules as well as SpamAssassin. I can't remember the order that the packages are needed in, except that SpamAssassin is last! To install each of these you will need to untar the package, then cd to the directory that this creates. I generally untar the packages into /opt as root, then chown the resulting directory to my unprivileged user. Then you need to:
$ perl Makefile.PL
$ make
$ su
# make install
To get SpamAssassin to start at boot add the following four lines near the bottom of rc.local:
# Spamd is the SpamAssassin daemon, not the BSD spamd!
if [ -x /usr/bin/spamd ]; then
	echo -n ' spamd'; /usr/bin/spamd -c -d
fi
You will need to add the following two lines to each user's .procmailrc file:
:0fw: spamassassin.lock
| /usr/bin/spamc
Sendmail will not use the user's .procmailrc file unless its permissions are set correctly, e.g.:
$ chmod 0640 ~/.procmailrc
Finally we will set up stunnel so that users can access their mail via POP3S. This will encrypt all communications so that neither mail nor passwords can be "sniffed" in transit.
You need to edit /etc/stunnel/stunnel.conf to contain the following:
cert = /etc/ssl/private/stunnel.pem
chroot = /var/stunnel/
# PID is created inside chroot jail
pid = /var/run/stunnel.pid
setuid = _stunnel
setgid = _stunnel
# Service-level configuration
[pop3s]
accept = 995
connect = 110
Then you need to make a certificate; see the related article.