OpenSMTPD… how do I do these things, or do I just use postfix?

OpenSMTPD… how do I do these things, or do I just use postfix?

Stuart Longland
Hi all,

I've got a few silly questions regarding OpenSMTPD… I'd ask on the
opensmtpd misc mailing list, but my subscribe requests keep bouncing
after a few days.  Since I'm running OpenSMTPD on OpenBSD, I figure
they're on-topic here too.

I have two servers (actually more than that, but two that are relevant
to this discussion).  One is a Gentoo Linux machine with Postfix, which
acts as my primary MX.  I keep it up to date, it's been a good
workhorse, and provided many years of service.  No reason to change it
at this stage.

I have a VPS with a hosting provider (BinaryLane in Brisbane; they're
OpenStack/Xen-based), which runs OpenBSD 6.4.  I primarily use this
machine as a slave DNS server (with nsd).  I figure it'd be a nice idea
to use this machine as a backup MX.

Right now, OpenSMTPD is running there, and whilst it is not publicly
listening for SMTP traffic, it is configured to forward all *local* mail
to my primary MX (where it has a virtual domain configured) so I can
receive messages from `cron`, etc.

Aside from some hiccups with TLS verification which I worked around by
adding my custom CA to /etc/ssl/cert.pem, it all went smoothly.  (I'd
prefer to have OpenSMTPD verify my home server's certificate against a
*specific* CA key, but at least it's working.)

First and foremost is the issue of backscatter-prevention.  I would like
OpenSMTPD to validate the addresses passed to it before accepting them
for relay to my primary MX.  In Postfix I can put

  relay_recipient_maps = hash:/etc/postfix/valid_recipients

into /etc/postfix/main.cf and fill that valid_recipients file with

        [hidden email] x
        [hidden email] x

I can come up with a full list -- no problem, but the question is how do
I encode this list into the configuration of OpenSMTPD so that if the
list contained [hidden email] and [hidden email], but someone tries
sending to [hidden email], that RCPT TO request is rejected before
the email delivery begins.

Second is about how to define custom mail transports.  Rather than using
SMTP/SSL like I am now, I'd like the emails destined for relay to my
server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
the AES key) then either:
- scp'd to a special spool directory on my Linux server… OR if it
happens to be down,
- placed in a special directory on the VPS for my server to later siphon
down using `rsync --remove-source-files` over SSH.  (Basically, a bit
like UUCP.)

The idea here is two-fold:
1. if someone gets even `root` access to the VPS (or mirrors the disk,
etc)… there's no copy of the private key needed to decrypt the files --
that is safely stored on my home server.
2. if say the NBN roll-out in my patch of Brisbane gets royally screwed
and I lose my static IPv4 address, I can make this server my primary MX
and have the old server just "poll" for new messages. (Outbound delivery
of mail will be a separate issue.)

Again, in Postfix I'd define a script to do the encryption/scp/etc in
/etc/postfix/master.cf, then set up transport_maps to direct the mail
there.  Would the equivalent in OpenSMTPD be `mda` or is there some
other method?
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


Re: OpenSMTPD… how do I do these things, or do I just use postfix?

Gilles Chehade-7
On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
> Hi all,
>
> I've got a few silly questions regarding OpenSMTPD… I'd ask on the
> opensmtpd misc mailing list, but my subscribe requests keep bouncing
> after a few days.  Since I'm running OpenSMTPD on OpenBSD, I figure
> they're on-topic here too.
>

I can probably help with this ;-)


> [...]
>
> First and foremost is the issue of backscatter-prevention.  I would like
> OpenSMTPD to validate the addresses passed to it before accepting them
> for relay to my primary MX.  In Postfix I can put
>
>   relay_recipient_maps = hash:/etc/postfix/valid_recipients
>
> into /etc/postfix/main.cf and fill that valid_recipients file with
>
> [hidden email] x
> [hidden email] x
>
> I can come up with a full list -- no problem, but the question is how do
> I encode this list into the configuration of OpenSMTPD so that if the
> list contained [hidden email] and [hidden email], but someone tries
> sending to [hidden email], that RCPT TO request is rejected before
> the email delivery begins.
>

How you do it depends on which version you are running.

before 6.4:

  accept [...] recipient <table> [...]


after 6.4:

  match [..] rcpt-to <table> [...]


where table is a table containing a list of recipient addresses for that
rule to match.


> Second is about how to define custom mail transports.  Rather than using
> SMTP/SSL like I am now, I'd like the emails destined for relay to my
> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
> the AES key) then either:
> - scp'd to a special spool directory on my Linux server… OR if it
> happens to be down,
> - placed in a special directory on the VPS for my server to later siphon
> down using `rsync --remove-source-files` over SSH.  (Basically, a bit
> like UUCP.)
>

no custom mail transports in smtpd.

a way to achieve what you want is to write a custom mda, and this is
actually how i did it to achieve a use-case similar to yours in the
past.


--
Gilles Chehade       @poolpOrg

https://www.poolp.org                 tip me: https://paypal.me/poolpOrg
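A worked smtpd.conf for the backup-MX role discussed above, using the post-6.4 `match` grammar from the reply. This is an added example, not the poster's configuration or anything from the thread; the host name vps.example.net, the table path /etc/mail/valid_rcpts, the spool and script paths, the `_spoolmx` delivery user and the exact `for rcpt-to` spelling of the criterion are assumptions drawn from smtpd.conf(5), so check them against the installed manual page.

```conf
# /etc/mail/smtpd.conf on the OpenBSD 6.4 backup MX (added example, paths assumed)

pki vps.example.net cert "/etc/ssl/vps.example.net.crt"
pki vps.example.net key  "/etc/ssl/private/vps.example.net.key"

# Recipients the backup MX will queue for the primary MX: a file-backed table,
# one address per line (the OpenSMTPD counterpart of Postfix relay_recipient_maps).
table valid_rcpts file:/etc/mail/valid_rcpts

# Custom MDA (assumed script): reads the message on stdin, encrypts it to the
# home server's public key and parks it for pickup.  Runs as _spoolmx so the
# listed recipients need not exist as local users on the VPS.
action "spool_home" mda "/usr/local/libexec/spool-mda /var/spool/homemx /etc/mail/home-pub.pem" user _spoolmx

listen on egress tls pki vps.example.net

# Accept only listed recipients; every other RCPT TO is refused during the SMTP
# dialogue, so nothing is queued and no backscatter bounce can be generated.
match from any for rcpt-to <valid_rcpts> action "spool_home"
match from any for any reject
```

With this in place `smtpd -n` validates the file, and a session that tries `RCPT TO:<nobody@example.com>` is refused before DATA rather than accepted and bounced later.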


Re: OpenSMTPD… how do I do these things, or do I just use postfix?

Stuart Longland
Hi Gilles,
On 25/1/19 11:29 pm, Gilles Chehade wrote:

> On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
>> First and foremost is the issue of backscatter-prevention.  I would like
>> OpenSMTPD to validate the addresses passed to it before accepting them
>> for relay to my primary MX.…
>
> How you do it depends on which version you are running.
>
> before 6.4:
>
>   accept [...] recipient <table> [...]
>
>
> after 6.4:
>
>   match [..] rcpt-to <table> [...]
>
>
> where table is a table containing a list of recipient addresses for that
> rule to match.

That looks as if it'll do nicely.  I'll do some research into how the
table is formatted… but I'm guessing of the two formats supported, the
array form `table mylist { value1, value2, value3 }` would be the form
to use here?

>> Second is about how to define custom mail transports.  Rather than using
>> SMTP/SSL like I am now, I'd like the emails destined for relay to my
>> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
>> the AES key) then either:
>> - scp'd to a special spool directory on my Linux server… OR if it
>> happens to be down,
>> - placed in a special directory on the VPS for my server to later siphon
>> down using `rsync --remove-source-files` over SSH.  (Basically, a bit
>> like UUCP.)
>>
>
> no custom mail transports in smtpd.
>
> a way to achieve what you want is to write a custom mda, and this is
> actually how i did it to achieve a use-case similar to yours in the
> past.

No problems, I'll have a closer look at how the MDA stuff works then. :-)

Really it's an `rmail` work-alike that I'll probably wind up writing,
we'll see how it goes.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.


Re: OpenSMTPD… how do I do these things, or do I just use postfix?

Gilles Chehade-7
On Sat, Jan 26, 2019 at 09:23:37PM +1000, Stuart Longland wrote:

> Hi Gilles,
> On 25/1/19 11:29 pm, Gilles Chehade wrote:
> > On Fri, Jan 25, 2019 at 11:15:47PM +1000, Stuart Longland wrote:
> >> First and foremost is the issue of backscatter-prevention.  I would like
> >> OpenSMTPD to validate the addresses passed to it before accepting them
> >> for relay to my primary MX.…
> >
> > How you do it depends on which version you are running.
> >
> > before 6.4:
> >
> >   accept [...] recipient <table> [...]
> >
> >
> > after 6.4:
> >
> >   match [..] rcpt-to <table> [...]
> >
> >
> > where table is a table containing a list of recipient addresses for that
> > rule to match.
>
> That looks as if it'll do nicely.  I'll do some research into how the
> table is formatted… but I'm guessing of the two formats supported, the
> array form `table mylist { value1, value2, value3 }` would be the form
> to use here?
>

yes, if you use a static table:

     table foobar { [hidden email], [hidden email] }

if the table is a file, then one address per line, see table(5).


> >> Second is about how to define custom mail transports.  Rather than using
> >> SMTP/SSL like I am now, I'd like the emails destined for relay to my
> >> server, to be encrypted using a RSA key, (well, AES, then RSA encrypt
> >> the AES key) then either:
> >> - scp'd to a special spool directory on my Linux server… OR if it
> >> happens to be down,
> >> - placed in a special directory on the VPS for my server to later siphon
> >> down using `rsync --remove-source-files` over SSH.  (Basically, a bit
> >> like UUCP.)
> >>
> >
> > no custom mail transports in smtpd.
> >
> > a way to achieve what you want is to write a custom mda, and this is
> > actually how i did it to achieve a use-case similar to yours in the
> > past.
>
> No problems, I'll have a closer look at how the MDA stuff works then. :-)
>
> Really it's an `rmail` work-alike that I'll probably wind up writing,
> we'll see how it goes.
>

mda is basically a program that reads input from stdin and exits with the
proper status to report to the mta that delivery was successful, whatever
happens in between is up to you.

--
Gilles Chehade       @poolpOrg

https://www.poolp.org                 tip me: https://paypal.me/poolpOrg
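An MDA of the kind Gilles describes (a program that reads the message from stdin and exits with a status smtpd understands), written as an added example for this thread; it is not the poster's planned `rmail` work-alike and not code from OpenSMTPD. It implements the AES-then-RSA scheme from the first post with openssl(1): the message is encrypted under a fresh random 256-bit key and that key is RSA-OAEP encrypted to the home server's public key, so the VPS never holds anything that can decrypt the spool. The script path, the SPOOLDIR/tmp and SPOOLDIR/new layout, the SPOOL_MDA_KEY variable name and the use of exit code 75 (EX_TEMPFAIL from sysexits(3), which smtpd treats as "keep in the queue and retry") are assumptions, as is an openssl(1) that supports `enc -pbkdf2` and `pkeyutl` (OpenSSL 1.1.1 or later, or a recent LibreSSL).

```shell
#!/bin/sh
# spool-mda: assumed custom MDA for OpenSMTPD (added example, not from the thread).
#
# Invoked from smtpd.conf as:
#   action "spool_home" mda "/usr/local/libexec/spool-mda SPOOLDIR PUBKEY"
# smtpd hands the message on stdin and interprets the exit status:
#   0 delivered; 75 (EX_TEMPFAIL) keep in the queue and retry; anything else bounces.
set -u

EX_TEMPFAIL=75

# Encrypt the message on stdin and park it as SPOOLDIR/new/<id>/ holding two files:
#   body.aes  the message, AES-256-CBC under a fresh random 256-bit key
#   key.rsa   that key, RSA-OAEP encrypted to PUBKEY (the home server's public key)
# Only the public key lives on the VPS, so a disk image or a root compromise there
# yields ciphertext only.  The directory is assembled under SPOOLDIR/tmp and renamed
# into place, so an rsync pickup never sees a half-written message.
spool_deliver() {
    [ $# -eq 2 ] || return $EX_TEMPFAIL
    spooldir=$1
    pubkey=$2
    # A missing key is a configuration error: tempfail so the mail waits in the
    # queue instead of being bounced.
    [ -r "$pubkey" ] || { echo "spool-mda: cannot read $pubkey" >&2; return $EX_TEMPFAIL; }
    mkdir -p "$spooldir/tmp" "$spooldir/new" || return $EX_TEMPFAIL

    id=$(date +%s).$$.$(openssl rand -hex 4)
    work="$spooldir/tmp/$id"
    mkdir "$work" || return $EX_TEMPFAIL

    # Per-message symmetric key: 256 random bits, hex encoded.  It is handed to
    # enc(1) through the environment rather than argv so it is not visible in ps(1).
    if ! msgkey=$(openssl rand -hex 32); then
        rm -rf "$work"; return $EX_TEMPFAIL
    fi
    if ! printf '%s' "$msgkey" | openssl pkeyutl -encrypt -pubin -inkey "$pubkey" \
            -pkeyopt rsa_padding_mode:oaep -out "$work/key.rsa"; then
        rm -rf "$work"; return $EX_TEMPFAIL
    fi
    if ! SPOOL_MDA_KEY=$msgkey openssl enc -aes-256-cbc -salt -pbkdf2 \
            -pass env:SPOOL_MDA_KEY -out "$work/body.aes"; then
        rm -rf "$work"; return $EX_TEMPFAIL
    fi
    unset msgkey

    # Atomic hand-off to the pickup directory.
    mv "$work" "$spooldir/new/$id" || { rm -rf "$work"; return $EX_TEMPFAIL; }
    return 0
}

# Act as the MDA only when installed and run under that name; under any other
# name (for instance when sourced by a test) this file just defines the function.
case "${0##*/}" in
    spool-mda) spool_deliver "$@"; exit $? ;;
esac
```

On the home server the pickup is the `rsync --remove-source-files` over SSH from the first post against SPOOLDIR/new, after which each message is recovered with `openssl pkeyutl -decrypt -inkey home-priv.pem -pkeyopt rsa_padding_mode:oaep -in key.rsa` to obtain the per-message key and `openssl enc -d -aes-256-cbc -pbkdf2 -pass env:SPOOL_MDA_KEY -in body.aes` to obtain the message, which can then be handed to the local MTA.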