Basic OpenSMTPD relay setup on OpenBSD 7.3

Relay

My NAS sends me system warnings via email, and I find it really useful. I host my mail at FastMail and I don’t really want to open the can of worms called ‘Host your own mailserver’, so I tried to relay emails through my private mailbox. Relaying means that every time a mail gets sent, my computer connects to a third-party SMTP server and instructs it to send the mail on our behalf.

OpenSMTPD

OpenBSD’s OpenSMTPD is a mail daemon included in the base system, which means no third-party package is needed to send mail from the terminal. The setup feels a bit complicated at first glance, so let’s go through how I managed to set it up.

EHLO SERVER!

We need the following to set up an SMTP relay:

Fastmail and many other mail providers (Gmail included) no longer accept your web-login credentials for IMAP and SMTP, but let you create app-specific passwords to set up mail on your devices and programs. If any of your app passwords gets compromised (stolen computer, hacked device, etc.), you can simply delete that specific app password, so you don’t have to set new credentials on every device or program.

You can create a new app-specific password in the Fastmail webmail on the “Settings” > “Privacy & Security” page, “Integration” tab. Here Fastmail lets you generate and name your app-specific passwords and limit their access to specific protocols and data (in our case only SMTP access is needed). The generated password is shown only once, so do not close it yet.

We will also need the SMTP server connection data. I used the following settings:

Server: smtp.fastmail.com
Port: 465
SSL/TLS: Encryption enabled, but not STARTTLS
Authentication: PLAIN
Username: Your complete fastmail address, like “my_user@fastmail.com”. Even if you have your own domain, you should use the fastmail one here.
Password: Your app-specific password

Now we have all the required info, let’s do the setup!

EHLO CONFIGS!

Let’s store our secrets:

$ echo "mailbox my_user@fastmail.com:f34rfdjsoidccww" | doas tee -a /etc/mail/secrets > /dev/null

Here mailbox is simply a tag; we will reference this secret later using this handle. my_user@fastmail.com is our complete fastmail username, while the random string after the colon is the app-specific password we just made. This command appends our secrets to the /etc/mail/secrets file. The line is piped through doas tee -a because a >> redirection would be performed by our own unprivileged shell, not by doas.

Then we should secure our secrets file from prying eyes:

$ doas chmod 640 /etc/mail/secrets
$ doas chown root:_smtpd /etc/mail/secrets

Then we need to configure OpenSMTPD to relay all email through our fastmail SMTP server using the /etc/mail/smtpd.conf file:

table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

listen on lo0

action "local_mail" mbox alias <aliases>
action "outbound" relay host smtps://mailbox@smtp.fastmail.com:465 auth <secrets>

match from local for local action "local_mail"
match from local for any action "outbound"

The important parts are the longest line and the last line. These two lines instruct OpenSMTPD to relay all outgoing emails via FastMail’s SMTP server.

Let’s analyze the smtps://mailbox@smtp.fastmail.com:465 part:

FastMail’s port 465 expects TLS from the start of the connection rather than a STARTTLS upgrade, therefore (according to the smtpd.conf(5) manpage) we should use the smtps protocol:

smtps       SMTP session with forced TLS on connection. The default port is 465.

The mailbox string is the handle from the /etc/mail/secrets file we created previously.

smtp.fastmail.com is the hostname of FastMail’s SMTP server, while 465 is the port number we have seen earlier.
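The label in the relay URL has to match a label in /etc/mail/secrets, and the secrets file has to stay closed to other users. The script below checks both; it is an added example, not part of the original post, and the function names and the script name check_relay.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the
# relay setup. File paths are arguments, so copies can be checked too.

# perms_ok FILE: succeed only if FILE grants nothing to "other";
# mode 640 shows up as -rw-r----- in ls output.
perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        -??????---) return 0 ;;
        *) echo "$1: mode '$mode' is open to other users" >&2; return 1 ;;
    esac
}

# owner_ok FILE OWNER GROUP: succeed if FILE belongs to OWNER:GROUP.
owner_ok() {
    og=$(ls -ld "$1" | awk '{ print $3 ":" $4 }')
    [ "$og" = "$2:$3" ] || { echo "$1: owned by $og, expected $2:$3" >&2; return 1; }
}

# relay_label CONF: print the credentials label from the relay URL,
# e.g. "mailbox" from smtps://mailbox@smtp.fastmail.com:465
relay_label() {
    sed -n 's|^action .* relay host [a-z+]*://\([^@/ ]*\)@.*|\1|p' "$1" | head -n 1
}

# label_ok CONF SECRETS: succeed if SECRETS has a "label user:password"
# line for the label that CONF uses.
label_ok() {
    label=$(relay_label "$1")
    [ -n "$label" ] || { echo "$1: relay URL has no label" >&2; return 1; }
    awk -v l="$label" '$1 == l && $2 ~ /^[^:]+:.+$/ { ok = 1 } END { exit !ok }' "$2" ||
        { echo "$2: no user:password entry for '$label'" >&2; return 1; }
}

# check_relay CONF SECRETS: all checks, with the owner and group used above.
check_relay() {
    perms_ok "$2" && owner_ok "$2" root _smtpd && label_ok "$1" "$2"
}

# Run the checks when called as: doas sh check_relay.sh CONF SECRETS
if [ "$#" -eq 2 ]; then
    check_relay "$1" "$2"
fi
```

Run it as doas sh check_relay.sh /etc/mail/smtpd.conf /etc/mail/secrets; it prints nothing and exits 0 when every check passes.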

After doing all of this, we should check the config file:

$ doas smtpd -n
configuration OK

Looking good! Now let’s restart smtpd:

$ doas rcctl restart smtpd
smtpd(ok)

And we can test it by sending an email using the following command:

$ mail -s "Test email" -r 'my_user@fastmail.com' my_user@fastmail.com

Type some text, which will be the mail body, then press Enter and press CTRL+D to send the mail, which should arrive in a couple of seconds.