smtpd.conf —
Simple Mail Transfer Protocol daemon configuration
file
smtpd.conf is the configuration file for the mail
daemon
smtpd(8).
When mail arrives, each “RCPT TO:” command generates a mail
envelope. If an envelope matches any of a pre-designated set of criteria
(using the
match directive), the message is
accepted for delivery. A copy of the message, as well as its associated
envelopes, is saved in the mail queue and later dispatched according to an
associated set of actions (using the
action
directive). If an envelope does not match any options, it is rejected. The
match rules are evaluated sequentially, with the first match winning.
The format of the configuration file is fairly flexible. The current line can be
extended over multiple lines using a backslash (‘\’). Comments
can be put anywhere in the file using a hash mark (‘#’), and
extend to the end of the current line. Care should be taken when commenting
out multi-line text: the comment is effective until the end of the entire
block. Argument names not beginning with a letter, digit, or underscore, as
well as reserved words (such as
listen,
match, and
port),
must be quoted. Arguments containing whitespace should be surrounded by double
quotes (").
Macros can be defined that are later expanded in context. Macro names must start
with a letter, digit, or underscore, and may contain any of those characters,
but may not be reserved words. Macros are not expanded inside quotes. For
example:
lan_addr = "192.168.0.1"
listen on $lan_addr
listen on $lan_addr tls auth
The syntax of
smtpd.conf is described below.
-
action
name method
[options]
- When the queue runner processes an envelope from the mail
queue, it carries out the action
name, selected by the
match ...
action directive when the message was
received. The action directive provides
configuration data for delivery attempts. Required lookups are performed
at the time of each delivery attempt. Consequently, changing an
action directive or the files it references
and restarting the smtpd(8) daemon causes the
changes to take effect for subsequent delivery attempts for the respective
dispatcher name, even for messages that
were already stuck in the queue prior to the configuration changes.
The delivery method parameter may be one of
the following:
- expand-only
- Only accept the message if a delivery method was
specified in an aliases or .forward
file.
- forward-only
- Only accept the message if the recipient results in a
remote address after the processing of aliases or forward file.
-
lmtp
destination
[rcpt-to]
- Deliver the message to an LMTP server at
destination. The location may be
expressed as host:port or as a UNIX socket.
Optionally, rcpt-to might be specified
to use the recipient email address (after expansion) instead of the
local user in the LMTP session as RCPT TO.
-
maildir
[pathname
[junk]]
- Deliver the message to the maildir in
pathname if specified, or by default
to ~/Maildir.
The pathname may contain format
specifiers that are expanded before use (see
FORMAT
SPECIFIERS).
If the junk argument is provided, the
message will be moved to the
‘
Junk
’ folder if it contains a
positive ‘X-Spam
’ header. This
folder will be created under pathname
if it does not yet exist.
- mbox
- Deliver the message to the user's mbox with
mail.local(8).
-
mda
command
- Delegate the delivery to a
command that receives the message on
its standard input.
The command may contain format
specifiers that are expanded before use (see
FORMAT
SPECIFIERS).
- relay
- Relay the message to another SMTP server.
The local delivery methods support additional options:
-
alias
<table>
- Use the mapping table
for aliases(5) expansion.
-
ttl
n{s|m|h|d}
- Specify how long a message may remain in the
queue.
-
user
username
- Specify the username
for performing the delivery, to be looked up with
getpwnam(3).
This is used for virtual hosting where a single username is in charge of
handling delivery for all virtual users.
This option is not usable with the mbox
delivery method.
-
userbase
<table>
- Use the mapping table
for user lookups instead of the
getpwnam(3) function.
The userbase does not apply for the
user option.
-
virtual
<table>
- Use the mapping table
for virtual expansion. The aliasing table format is described in
table(5).
-
wrapper
name
- Use the wrapper specified in
mda wrapper.
The relay delivery methods also support additional options:
- backup
- Operate as a backup mail exchanger delivering messages
to any mail exchanger with higher priority.
-
backup
mx name
- Operate as a backup mail exchanger delivering messages
to any mail exchanger with higher priority than mail exchanger
identified as name.
-
helo
heloname
- Advertise heloname as
the hostname to other mail exchangers during the HELO phase.
-
helo-src
<table>
- Use the mapping table
to look up a hostname matching the source address, to advertise during
the HELO phase.
-
domain
<domains>
- Do not perform MX lookups but look up destination
domain in domains and use matching
relay url as relay host.
-
host
relay-url
- Do not perform MX lookups but relay messages to the
relay host described by relay-url.
The format for relay-url is
[proto://[label@]]host[:port].
The following protocols are available:
- smtp
- Normal SMTP session with opportunistic STARTTLS
(the default).
- smtp+tls
- Normal SMTP session with mandatory STARTTLS.
- smtp+notls
- Plain text SMTP session without TLS.
- lmtp
- LMTP session. port
is required.
- smtps
- SMTP session with forced TLS on connection, default
port is 465.
Unless noted, port defaults to 25.
The label corresponds to an entry in a
credentials table, as documented in
table(5). It is used with the
“smtp+tls” and “smtps” protocols for
authentication. Server certificates for those protocols are verified
by default.
-
pki
pkiname
- For secure connections, use the certificate associated
with pkiname (declared in a
pki directive) to prove the client's
identity to the remote mail server.
- srs
- When relaying a mail resulting from a forward, use the
Sender Rewriting Scheme to rewrite sender address.
-
tls
[no-verify]
- Require TLS to be used when relaying, using mandatory
STARTTLS by default. When used with a smarthost, the protocol must not
be “smtp+notls://”. If
no-verify is specified, do not require a
valid certificate.
-
auth
<table>
- Use the mapping table
for connecting to relay-url using
credentials. This option is usable only with
host option. The credential table format
is described in table(5).
-
mail-from
mailaddr
- Use mailaddr as the
MAIL FROM address within the SMTP transaction.
-
src
sourceaddr |
<sourceaddr>
- Use the string or list table
sourceaddr for the source IP address,
which is useful on machines with multiple interfaces. If the list
contains more than one address, all of them are used in such a way
that traffic is routed as efficiently as possible.
-
admd
authservid
- The Administrative Management Domain this mailserver
belongs to. The authservid will be forwarded to filters using it to
identify or mark authentication-results headers. If omitted it defaults to
the server name.
-
bounce
warn-interval
delay [,
delay ...]
- Send warning messages to the envelope sender when temporary
delivery failures cause a message to remain on the queue for longer than
delay. Each
delay parameter consists of a positive
decimal integer and a unit s,
m, h, or
d. At most four
delay parameters can be specified. The
default is “bounce
warn-interval
4h”, sending a single warning after four
hours.
-
ca
caname cert
cafile
- Associate the Certificate Authority (CA) certificate file
cafile with host
caname, and use that file as the CA
certificate for that host. caname is the
server's name, derived from the default hostname or set using either
/etc/mailname or using the
hostname directive.
-
filter
chain-name
chain
{filter-name [,
...]}
- Register a chain of filters
chain-name, consisting of the filters
listed from filter-name. Filters part of
a filter chain are executed in order of declaration for each phase that
they are registered for. A filter chain may be used in place of a filter
for any directive but filter chains themselves.
-
filter
filter-name
phase
phase-name
match conditions
decision
- Register a filter
filter-name. A
decision about what to do with the mail
is taken at phase phase-name when
matching conditions. Phases, matching
conditions, and decisions are described in
MAIL FILTERING,
below.
-
filter
filter-name
proc
proc-name
- Register “proc” filter
filter-name backed by the
proc-name process.
-
filter
filter-name
proc-exec
command
- Register and execute “proc” filter
filter-name from
command. If
command starts with a slash it is
executed with an absolute path, else it will be run from
“/usr/libexec/opensmtpd”.
-
include
“pathname”
- Replace this directive with the content of the additional
configuration file at the absolute
pathname.
-
listen
on interface
[family]
[options]
- Listen on the interface
for incoming connections, using the same syntax as for
ifconfig(8). The
interface parameter may also be an
interface group, an IP address, or a domain name. Listening can optionally
be restricted to a specific address
family, which can be either
inet4 or inet6.
The options are as follows:
-
auth
[<authtable>]
- Support SMTPAUTH: clients may only start SMTP
transactions after successful authentication. Users are authenticated
against either their own normal login credentials or a credentials
table authtable, the format of which
is described in table(5).
-
auth-optional
[<authtable>]
- Support SMTPAUTH optionally: clients need not
authenticate, but may do so. This allows a
listen on directive to both accept
incoming mail from untrusted senders and permit outgoing mail from
authenticated users (using match auth).
It can be used in situations where it is not possible to listen on a
separate port (usually the submission port, 587) for users to
authenticate.
-
ca
caname
- For secure connections, use the CA certificate
associated with caname (declared in a
ca directive) as the CA certificate when
verifying client certificates.
-
filter
name
- Apply filter name on
connections handled by this listener.
-
hostname
hostname
- Use hostname in the
greeting banner instead of the default server name.
-
hostnames
<names>
- Override the server name for specific addresses. The
names table contains a mapping of IP
addresses to hostnames. If the address on which the connection arrives
appears in the mapping, the associated hostname is used.
- mask-src
- Omit the from part when
prepending “Received” headers.
- no-dsn
- Disable the DSN (Delivery Status Notification)
extension.
-
pki
pkiname
- For secure connections, use the certificate associated
with pkiname (declared in a
pki directive) to prove a mail server's
identity.
-
port
[port]
- Listen on the given
port instead of the default port
25.
- proxy-v2
- Support the PROXYv2 protocol, rewriting appropriately
source address received from proxy.
- received-auth
- In “Received” headers, report whether the
session was authenticated and by which local user.
-
senders
<users>
[masquerade]
- Look up the authenticated user in the
users mapping table to find the email
addresses that user is allowed to submit mail as. In addition, if the
masquerade option is provided, the From
header is rewritten to match the sender provided in the SMTP
session.
- smtps
- Support SMTPS, by default on port 465. Mutually
exclusive with tls.
-
tag
tag
- Clients connecting to the listener are tagged with the
given tag.
- tls
- Support STARTTLS, by default on port 25. Mutually
exclusive with smtps.
-
tls-require
[verify]
- Like tls, but force
clients to establish a secure connection before being allowed to start
an SMTP transaction. With the verify
option, clients must also provide a valid certificate to establish an
SMTP session.
-
listen
on socket
[options]
- Listen for incoming SMTP connections on the Unix domain
socket /var/run/smtpd.sock. This is done by
default, even if the directive is absent.
The options are as follows:
-
filter
name
- Apply filter name on
connections handled by this listener.
- mask-src
- Omit the from part when
prepending “Received” headers.
-
tag
tag
- Clients connecting to the listener are tagged with the
given tag.
-
match
options action
name
- If at least one mail envelope matches the
options of one
match action
directive, receive the incoming message, put a copy into each matching
envelope, and atomically save the envelopes to the mail spool for later
processing by the respective dispatcher
name.
The following matching options are supported and can all be negated:
- [!]
for any
- Specify that session may address any destination.
- [!]
for local
- Specify that session may address any local domain. This
is the default, and may be omitted.
- [!]
for domain
domain |
<domain>
- Specify that session may address the string or list
table domain.
- [!]
for domain regex
domain |
<domain>
- Specify that session may address the regex or regex
table domain.
- [!]
for rcpt-to
recipient |
<recipient>
- Specify that session may address the string or list
table recipient.
- [!]
for rcpt-to regex
recipient |
<recipient>
- Specify that session may address the regex or regex
table recipient.
- [!]
from any
- Specify that session may originate from any
source.
- [!]
from auth
- Specify that session may originate from any
authenticated user, no matter the source IP address.
- [!]
from auth
user |
<user>
- Specify that session may originate from authenticated
user or user list user, no matter the
source IP address.
- [!]
from auth regex
user |
<user>
- Specify that session may originate from authenticated
regex or regex list user, no matter
the source IP address.
- [!]
from local
- Specify that session may only originate from a local IP
address, or from the local enqueuer. This is the default, and may be
omitted.
- [!]
from mail-from
sender |
<sender>
- Specify that session may originate from sender or
sender list sender, no matter the
source IP address.
- [!]
from mail-from regex
sender |
<sender>
- Specify that session may originate from regex or regex
list sender, no matter the source IP
address.
- [!]
from rdns
- Specify that session may only originate from an IP
address that resolves to a reverse DNS.
- [!]
from rdns
hostname |
<hostname>
- Specify that session may only originate from an IP
address that resolves to a reverse DNS matching string or list string
hostname.
- [!]
from rdns regex
hostname |
<hostname>
- Specify that session may only originate from an IP
address that resolves to a reverse DNS matching regex or list regex
hostname.
- [!]
from socket
- Specify that session may only originate from the local
enqueuer.
- [!]
from src
address |
<address>
- Specify that session may only originate from string or
list table address which can be a
specific address or a subnet expressed in CIDR-notation.
- [!]
from src regex
address |
<address>
- Specify that session may only originate from regex or
regex table address which can be a
specific address or a subnet expressed in CIDR-notation.
In addition, the following transaction options:
- [!]
auth
- Matches transactions which have been
authenticated.
- [!]
auth
username |
<username>
- Matches transactions which have been authenticated for
user or user list username.
- [!]
auth regex
username |
<username>
- Matches transactions which have been authenticated for
regex or regex list username.
- [!]
helo
helo-name |
<helo-name>
- Specify that session's HELO / EHLO should match the
string or list table helo-name.
- [!]
helo regex
helo-name |
<helo-name>
- Specify that session's HELO / EHLO should match the
regex or regex table helo-name.
- [!]
mail-from
sender |
<sender>
- Specify that transactions's MAIL FROM should match the
string or list table sender.
- [!]
mail-from regex
sender |
<sender>
- Specify that transactions's MAIL FROM should match the
regex or regex table sender.
- [!]
rcpt-to
recipient |
<recipient>
- Specify that transaction's RCPT TO should match the
string or list table recipient.
- [!]
rcpt-to regex
recipient |
<recipient>
- Specify that transaction's RCPT TO should match the
regex or regex table recipient.
- [!]
tag
tag
- Matches transactions tagged with the given
tag.
- [!]
tag regex
tag
- Matches transactions tagged with the given
tag regex.
- [!]
tls
- Specify that transaction should take place in a TLS
channel.
-
match
options
reject
- Reject the incoming message during the SMTP dialogue. The
same options are supported as for the
match action
directive.
-
mda
wrapper name
command
- Associate command with the
mail delivery agent wrapper named name.
When a local delivery specifies a wrapper, the
command associated with the wrapper will
be executed instead. The command may contain format specifiers (see
FORMAT
SPECIFIERS).
-
mta
max-deferred
number
- When delivery to a given host is suspended due to temporary
failures, cache at most number envelopes
for that host such that they can be delivered as soon as another delivery
succeeds to that host. The default is 100.
-
pki
pkiname cert
certfile
- Associate certificate file
certfile with host
pkiname, and use that file to prove the
identity of the mail server to clients.
pkiname is the server's name, derived
from the default hostname or set using either
/etc/mailname or using the
hostname directive. If a fallback certificate
or SNI is wanted, the ‘*’ wildcard may be used as
pkiname.
A certificate chain may be created by appending one or many certificates,
including a Certificate Authority certificate, to
certfile. The creation of certificates is
documented in starttls(8).
-
pki
pkiname key
keyfile
- Associate the key located in
keyfile with host
pkiname.
-
pki
pkiname dhe
params
- Specify the DHE parameters to use for DHE cipher suites
with host pkiname. Valid parameter values
are none,
legacy, and
auto. For
legacy, a fixed key length of 1024 bits is
used, whereas for auto, the key length is
determined automatically. The default is
none, which disables DHE cipher suites.
-
proc
proc-name
command
- Register an external process named
proc-name from
command. Such processes may be used to
share the same instance between multiple filters. If
command starts with a slash it is
executed with an absolute path, else it will be run from
“/usr/libexec/opensmtpd”.
-
queue
compression
- Store queue files in a compressed format. This may be
useful to save disk space.
-
queue
encryption
[key]
- Encrypt queue files with
EVP_aes_256_gcm(3). If no
key is specified, it is read with
getpass(3). If the string
stdin or a single dash
(‘
-
’) is given instead of a
key, the key is read from the standard
input.
-
queue
ttl delay
- Set the default expiration time for temporarily
undeliverable messages, given as a positive decimal integer followed by a
unit s, m,
h, or d. The
default is four days (4d).
-
smtp
ciphers
control
- Set the control string for
SSL_CTX_set_cipher_list(3). The default is
“HIGH:!aNULL:!MD5”.
-
smtp
limit max-mails
count
- Limit the number of messages to
count for each session. The default is
100.
-
smtp
limit max-rcpt
count
- Limit the number of recipients to
count for each transaction. The default
is 1000.
-
smtp
max-message-size
size
- Reject messages larger than
size, given as a positive number of bytes
or as a string to be parsed with
scan_scaled(3). The default is
“35M”.
-
smtp
sub-addr-delim
character
- When resolving the local part of a local email address,
ignore the ASCII character and all
characters following it. The default is
‘
+
’.
-
srs
key
secret
- Set the secret key to use for SRS, the Sender Rewriting
Scheme.
-
srs
key backup
secret
- Set a backup secret key to use as a fallback for SRS. This
can be used to implement SRS key rotation.
-
srs
ttl delay
- Set the time-to-live delay for SRS envelopes. After this
delay, a bounce reply to the SRS address will be discarded to limit risks
of forged addresses. The default is four days (4d).
-
table
name
[type:]pathname
- Tables provide additional configuration information for
smtpd(8) in the form of lists or key-value
mappings. The format of the entries depends on what the table is used for.
Refer to table(5) for the exhaustive
documentation.
Each table is identified by an arbitrary, unique
name.
If the type is
db, information is stored in a file created
with makemap(8); if it is
file or omitted, information is stored in a
plain text file using the format described in
table(5). The
pathname to the file must be
absolute.
-
table
name
{value [,
...]}
- Instead of using a separate file, declare a list table
containing the given static values. The
table must contain at least one value and may declare multiple values as a
comma-separated (whitespace optional) list.
-
table
name
{key=value
[, ...]}
- Instead of using a separate file, declare a mapping table
containing the given static
key-value
pairs. The table must contain at least one key-value pair and may declare
multiple pairs as a comma-separated (whitespace optional) list.
In a regular workflow,
smtpd(8) may accept or
reject a message based only on the content of envelopes. Its decisions are
about the handling of the message, not about the handling of an active
session.
Filtering extends the decision making process by allowing
smtpd(8) to stop at each phase of an SMTP
session, check that conditions are met, then decide if a session is allowed to
move forward.
With filtering, a session may be interrupted at any phase before an envelope is
complete. A message may also be rejected after being submitted, regardless of
whether the envelope was accepted or not.
The following phases are currently supported:
connect |
upon connection, before a banner is displayed |
helo |
after HELO command is submitted |
ehlo |
after EHLO command is submitted |
mail-from |
after MAIL FROM command is submitted |
rcpt-to |
after RCPT TO command is submitted |
data |
after DATA command is submitted |
commit |
after message is fully is submitted |
At each phase, various conditions may be matched. The fcrdns, rdns, and src data
are available in all phases, but other data must have been already submitted
before they are available.
fcrdns |
forward-confirmed reverse DNS is valid |
rdns |
session has a reverse DNS |
rdns
<table> |
session has a reverse DNS in table |
src
<table> |
source address is in table |
helo
<table> |
helo name is in table |
auth |
session is authenticated |
auth
<table> |
session username is in table |
mail-from
<table> |
sender address is in table |
rcpt-to
<table> |
recipient address is in table |
These conditions may all be negated by prefixing them with an exclamation mark:
!fcrdns |
forward-confirmed reverse DNS is invalid |
Any conditions using a table may indicate that tables hold regex by prefixing
the table name with the keyword regex.
helo regex
<table> |
helo name matches a regex in table |
Finally, a number of decisions may be taken:
bypass |
the session or transaction bypasses filters |
disconnect
message
|
the session is disconnected with message |
junk |
the session or transaction is junked, i.e., an
‘X-Spam: yes ’ header is added to any
messages |
reject message
|
the command is rejected with message |
rewrite value
|
the command parameter is rewritten with value |
Decisions that involve a message require that the message be RFC valid, meaning
that they should either start with a 4xx or 5xx status code. Descisions can be
taken at any phase, though junking can only happen before a message is
committed.
Some configuration directives support expansion of their parameters at runtime.
Such directives (for example
action
maildir,
action
mda) may use format specifiers which are expanded
before delivery or relaying. The following formats are currently supported:
%{sender} |
sender email address, may be empty string |
%{sender.user} |
user part of the sender email address, may be
empty |
%{sender.domain} |
domain part of the sender email address, may be
empty |
%{rcpt} |
recipient email address |
%{rcpt.user} |
user part of the recipient email address |
%{rcpt.domain} |
domain part of the recipient email address |
%{dest} |
recipient email address after expansion |
%{dest.user} |
user part after expansion |
%{dest.domain} |
domain part after expansion |
%{user.username} |
local user |
%{user.directory} |
home directory of the local user |
%{mbox.from} |
name used in mbox From separator lines |
%{mda} |
mda command, only available for mda wrappers |
Expansion formats also support partial expansion using the optional bracket
notations with substring offset. For example, with recipient domain
“example.org”:
%{rcpt.domain[0]} |
expands to “e” |
%{rcpt.domain[1]} |
expands to “x” |
%{rcpt.domain[8:]} |
expands to “org” |
%{rcpt.domain[-3:]} |
expands to “org” |
%{rcpt.domain[0:6]} |
expands to “example” |
%{rcpt.domain[0:-4]} |
expands to “example” |
In addition, modifiers may be applied to the token. For example, with recipient
“
[email protected]”:
For security concerns, expanded values are sanitized and potentially dangerous
characters are replaced with ‘:’. In situations where they are
desirable, the “raw” modifier may be applied. For example, with
recipient “user+t?
[email protected]”:
- /etc/smtpd.conf
- Default smtpd(8) configuration
file.
- /etc/mailname
- If this file exists, the first line is used as the server
name. Otherwise, the server name is derived from the local hostname
returned by gethostname(3), either directly
if it is a fully qualified domain name, or by retrieving the associated
canonical name through getaddrinfo(3).
- /var/run/smtpd.sock
- Unix domain socket for incoming SMTP connections.
- /var/spool/smtpd/
- Spool directories for mail during processing.
The default
smtpd.conf file which ships with
OpenBSD listens on the loopback network interface
(
lo0) and allows for mail from users and daemons
on the local machine, as well as permitting email to remote servers. Some more
complex configurations are given below.
This first example is the same as the default configuration, but all outgoing
mail is forwarded to a remote SMTP server. A secrets file is needed to specify
a username and password:
# touch /etc/secrets
# chmod 640 /etc/secrets
# chown root:_smtpd /etc/secrets
# echo "bob username:password" > /etc/secrets
smtpd.conf would look like this:
table aliases file:/etc/aliases
table secrets file:/etc/secrets
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay host smtp+tls://[email protected] \
auth <secrets>
match from local for local action "local_mail"
match from local for any action "outbound"
In this second example, the aim is to permit mail delivery and relaying only for
users that can authenticate (using their normal login credentials). An RSA
certificate must be provided to prove the server's identity. The mail server
listens on all interfaces the default routes point to. Mail with a local
destination is sent to an external MDA. First, the RSA certificate is created:
# openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
# openssl req -new -x509 -key /etc/ssl/private/mail.example.com.key \
-out /etc/ssl/mail.example.com.crt -days 365
# chmod 600 /etc/ssl/mail.example.com.crt
# chmod 600 /etc/ssl/private/mail.example.com.key
In the example above, a certificate valid for one year was created. The
configuration file would look like this:
pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
table aliases file:/etc/aliases
listen on lo0
listen on egress tls pki mail.example.com auth
action mda_with_aliases mda "/path/to/mda -f -" alias <aliases>
action mda_without_aliases mda "/path/to/mda -f -"
action "outbound" relay
match for local action mda_with_aliases
match from any for domain example.com action mda_without_aliases
match for any action "outbound"
match auth from any for any action "outbound"
For sites that wish to sign messages using DKIM, the following example uses
opensmtpd-filter-dkimsign for DKIM signing:
table aliases file:/etc/aliases
filter "dkimsign" proc-exec "filter-dkimsign -d <domain> -s <selector> \
-k /etc/dkim/private.key" user _dkimsign group _dkimsign
listen on socket filter "dkimsign"
listen on lo0 filter "dkimsign"
action "local_mail" mbox alias <aliases>
action "outbound" relay
match for local action "local_mail"
match for any action "outbound"
Alternatively, the
opensmtpd-filter-rspamd package
may be used to provide integration with
rspamd, a
third-party daemon which provides multiple antispam features as well as DKIM
signing. As well as configuring
rspamd itself, it
requires use of the
proc-exec keyword:
filter "rspamd" proc-exec "filter-rspamd"
Sites that accept non-local messages may be able to cut down on the volume of
spam received by rejecting forged messages that claim to be from the local
domain. The following example uses a list table
other-relays to specify the IP addresses of
relays that may legitimately originate mail with the owner's domain as the
sender.
table aliases file:/etc/aliases
table other-relays file:/etc/other-relays
listen on lo0
listen on egress
action "local_mail" mbox alias <aliases>
action "outbound" relay
match for local action "local_mail"
match for any action "outbound"
match !from src <other-relays> mail-from "@example.com" for any \
reject
match from any for domain example.com action "local_mail"
mailer.conf(5),
table(5),
makemap(8),
smtpd(8)
smtpd(8) first appeared in
OpenBSD
4.6.