---
categories: ['OpenBSD','Network','Client']
date: 2018-11-03T21:38:54+01:00
description: "How to configure the smtpd service on OpenBSD (≥ v6.4) to send mail through an SMTP server that requires authentication"
draft: false
tags: ["OpenBSD","smtpd","auth","client","mail"]
title: "OpenBSD: configure smtpd.conf to auth email client (≥ v6.4)"
translationKey: "openbsd-smtpd-auth-client"
---
## Description
**How do you configure an OpenBSD machine to send mail from the terminal/console
through an SMTP server that requires authentication?**
## Introduction
**OpenSMTPD** is a free implementation of the SMTP protocol, as
defined in {{< rfc 5321 >}}, with some additional standard extensions.
It allows machines to exchange mail.
Information:
* Website: https://www.opensmtpd.org
* Version: 6.4.0 → **6.7**
* OS: OpenBSD 6.4 → **7.3**
*Actually tested with [Gandi][1], the association [L'autre.net][2],
and finally on my own MX*.
## Installation
Since OpenBSD 6.4, the new version of OpenSMTPD is in the base system.
To start the service: `# rcctl start smtpd`
A small clarification on files:
* the config file is: `/etc/mail/smtpd.conf`.
* the logfile is: `/var/log/maillog`.
## Configuration
To send email through an SMTP server that requires authentication, such as Gandi's,
you first need to create a secrets file with the right permissions on your
system, then edit the config file.
The manpage shows an [example](https://man.openbsd.org/smtpd.conf#EXAMPLES).
### File secrets
Create the needed secret file: `# touch /etc/mail/secrets`
Set restrictive permissions on it:
```sh
# chmod 640 /etc/mail/secrets
# chown root:_smtpd /etc/mail/secrets
```
Now write your credentials into it, in this form:
`identifiant username:password`
{{< color red >}}Do not copy this line literally{{< /color >}};
replace:
* `identifiant`: an identifier of your choice (*it is used later in the config file*).
*(e.g. **perso**)*
* `username`: usually your email address.
* `password`: the password for that email account.
{{< note warning >}}
You can name the secrets file whatever you want and put it elsewhere on
your system.
It's better to set mode `0400` on this secrets file.
Even though the service can access a secrets file owned by your personal
account (`$USER:$USER`), it's better to use the `_smtpd` group.
{{< /note >}}
### File `smtpd.conf`
Now, we modify the config file `/etc/mail/smtpd.conf`.
```cfg
# $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
table aliases file:/etc/mail/aliases
# Credentials table: one "identifiant username:password" entry per line
table secrets file:/etc/mail/secrets
queue compression
# To accept external mail, replace with: listen on all
#
## added in 6.7
listen on socket
listen on lo0
action "local_mail" mbox alias <aliases>
# Relay through the authenticated server; "identifiant" is the key looked up in <secrets>
action "unbound" relay host smtp+tls://identifiant@server auth <secrets> mail-from "@your-domain.tld"
# Uncomment the following to accept external mail for domain "example.org"
#
# match from any for domain "example.org" action "local_mail"
### 6.6 syntax
#match for local action "local_mail"
#match for any action "unbound"
### 6.7 syntax
match from local for local action "local_mail"
# The action name here must be the one defined by the relay action above
match from local for any action "unbound"
```
---
**Explanations**
Compared to the original version, we added:
* the line `table secrets`: it declares the secrets file
  (*use your own filename if you renamed it*).
* the line `action "unbound"`: it defines the action used to send emails
  through the SMTP server.
  * NOTE about `identifiant@server`:
    * replace the string `identifiant` with the identifier you created
      *(as written above: **perso**)*.
    * likewise, replace `server` with the name of the SMTP server.
  * the string [`smtp+tls`](https://man.openbsd.org/smtpd.conf#host) is
    the protocol used to connect to the SMTP server.
    The other protocols are:
    * `lmtp`: to connect using an
      {{< abbr LMTP "Local Mail Transfer Protocol" >}} session.
    * `smtp`: to attempt a connection with a STARTTLS session, if
      possible.
    * `smtp+tls`: to force the connection to use a STARTTLS session.
    * `smtp+notls`: to use a plain text SMTP session without TLS.
    * `smtps`: to force the connection over
      {{< abbr TLS "Transport Layer Security" >}}
      (*default port: 465*).
    * with no protocol specified, the connection is made on the
      default port: 25.
  * the string [`auth`](https://man.openbsd.org/smtpd.conf#auth):
    specifies the secrets table.
  * the string [`mail-from`](https://man.openbsd.org/smtpd.conf#mail_-from):
    specifies the domain name to use.
* the line `match … action "unbound"`: this is the rule that triggers the
  action to send the emails.
#### Changes on 6.7
OpenBSD 6.7 makes minor syntax changes:
- addition of `listen on socket` *{{< man smtpd.conf 5 "listen~2" >}}*
- modification of the match rules for the **local** queue manager
  *{{< man smtpd.conf 5 match >}}*:
  `match from local for local action "local_mail"`
  `match from local for any action "unbound"`
#### Changes on 6.6
The syntax of the action names has changed slightly between versions 6.4
and 6.6:
* `local` becomes `local_mail`
* `relay` becomes `unbound`
### aliases
About the alias system:
It is worth setting up an alias for the `root` account, and even
for your main user…
Edit the file `/etc/mail/aliases` with admin rights.
At the end of the file, set the `root` alias to your desired email address.
Do the same for your system user. ;)
And do not forget to rebuild the aliases database with the command
`newaliases`!
## Usage
{{< note warning >}}
Before restarting the **opensmtpd** service, test the config file:
`# smtpd -n`
If the result is: `configuration OK`
that's all, folks!
Otherwise, re-edit the file, starting at the first line reported!
{{< /note >}}
Now, restart the service:
```sh
# rcctl restart smtpd
smtpd(ok)
smtpd(ok)
```
The log will display messages such as:
`Apr 3 07:17:05 sh1 smtpd[68810]: info: OpenSMTPD 7.0.0 starting`
Also consider using the `smtpctl` control program… see the manpage **smtpctl.8**.
### Send
So:
* `echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" email`
* or, `echo "Test to send email on $(hostname); date: $(date)" | mail -s "Email test" root`
In all cases, the log will display messages such as:
```log
Apr 3 07:20:20 sh1 smtpd[56183]: 2cda1df4efff97f2 mta connecting address=smtp+tls://89.234.141.148:587 host=mail2.automario.eu
Apr 3 07:20:20 sh1 smtpd[56183]: 2cda1df4efff97f2 mta connected
Apr 3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr 3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta cert-check result="valid" fingerprint="SHA256:17af91bcb27a530cc278cd8be90551593bee38ebaf6ade68053a508b14a8f817"
Apr 3 07:20:21 sh1 smtpd[56183]: 2cda1df4efff97f2 mta delivery evpid=4138560f4bd626cf from=<***@huc.fr.eu.org> to=<***@stephane-huc.net> rcpt=<-> source="46.23.90.29" relay="89.234.141.148 (mail2.automario.eu)" delay=1s result="Ok" stat="250 2.0.0 eb1a48cf Message accepted for delivery"
```
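To confirm from the log that relayed mail really went out over a verified TLS session, the sketch below groups `mta` lines by session id. It is an added example, not part of the original page or of OpenSMTPD: the function names and verdict labels are hypothetical, the field positions are taken from the log excerpt above, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: classify each delivered relay session in a maillog-format file.
# Output: "<session-id> <verdict> <delivery result>", one line per delivery.
audit_relay_tls() {
    awk '
    $7 != "mta" { next }                       # only outgoing (MTA) session lines
    $8 == "tls" { tls[$6] = 1 }                # a TLS handshake was logged
    $8 == "cert-check" && /result="valid"/ { cert[$6] = 1 }
    $8 == "delivery" {
        if (!($6 in tls))       v = "PLAINTEXT"        # no "mta tls" line seen
        else if (!($6 in cert)) v = "TLS-UNVERIFIED"   # no valid cert-check seen
        else                    v = "TLS-VERIFIED"
        r = match($0, / result="[^"]*"/) ? substr($0, RSTART + 1, RLENGTH - 1) : "result=?"
        print $6, v, r
    }' "$@"
}

# Constructed sample lines in the same layout as the excerpt above.
sample_log() {
cat <<'EOF'
Apr  3 07:20:20 host1 smtpd[100]: aaaa000000000001 mta connecting address=smtp+tls://192.0.2.10:587 host=smtp.example.org
Apr  3 07:20:21 host1 smtpd[100]: aaaa000000000001 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr  3 07:20:21 host1 smtpd[100]: aaaa000000000001 mta cert-check result="valid" fingerprint="SHA256:constructed"
Apr  3 07:20:21 host1 smtpd[100]: aaaa000000000001 mta delivery evpid=1 from=<a@example.org> to=<b@example.net> result="Ok"
Apr  3 07:25:00 host1 smtpd[100]: bbbb000000000002 mta connecting address=smtp://192.0.2.10:25 host=smtp.example.org
Apr  3 07:25:01 host1 smtpd[100]: bbbb000000000002 mta delivery evpid=2 from=<a@example.org> to=<b@example.net> result="Ok"
Apr  3 07:30:00 host1 smtpd[100]: cccc000000000003 mta tls ciphers=TLSv1.3:AEAD-CHACHA20-POLY1305-SHA256:256
Apr  3 07:30:01 host1 smtpd[100]: cccc000000000003 mta delivery evpid=3 from=<a@example.org> to=<b@example.net> result="Ok"
EOF
}

sample_log | audit_relay_tls
```

On a real system, run `audit_relay_tls /var/log/maillog`; any `PLAINTEXT` line for the authenticated relay means the credentials from the secrets file crossed the network unencrypted.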
## Errors
Below are the common errors you may encounter:
### Error: authentication failed
Check again the `username`, `password` and id written in your {{< anchor "secret file" "file secrets" >}}!
### Error: Cannot parse smarthost
This message means the SMTP service can't make sense of the string `identifiant@server`
in your action rule.
Check your entries:
* the `table secrets` line must point to the right secrets filename!
* the `identifiant username:password` entry in your secrets file.
* have you correctly replaced the string `identifiant` in the config file?
* likewise for the string `server`: make sure the SMTP server name exists!
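One way to run the checks listed above before restarting smtpd, as an added example (not from the original page or the OpenSMTPD project). `check_relay_creds` and `demo` are hypothetical names, the patterns only cover the `action … relay host proto://label@server` form used on this page, and the sample files hold constructed placeholder values.

```sh
#!/bin/sh
# Added example: sanity-check the secrets table against the relay action in
# smtpd.conf. Prints findings and returns their number (0 = nothing found).
check_relay_creds() {
    conf=$1; secrets=$2; problems=0

    # 1. The file holds a cleartext password: "other" must have no access.
    other=$(ls -ld "$secrets" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "PERM: $secrets is accessible to other users ($other)"
        problems=$((problems + 1))
    fi

    # 2. Every non-blank, non-comment line must read: label username:password
    for n in $(awk 'NF && $1 !~ /^#/ && (NF < 2 || $2 !~ /^[^:]+:./) { print NR }' "$secrets"); do
        echo "FORMAT: $secrets line $n is not 'label username:password'"
        problems=$((problems + 1))
    done

    # 3. Each label in "host proto://label@server" must be a key in the table.
    for l in $(sed -n 's|^[[:space:]]*action .* host [a-z+]*://\([^@ ]*\)@.*|\1|p' "$conf"); do
        if ! awk -v l="$l" '$1 == l { ok = 1 } END { exit !ok }' "$secrets"; then
            echo "LABEL: '$l' in $conf has no entry in $secrets"
            problems=$((problems + 1))
        fi
    done

    # 4. A labelled relay URL needs "auth <table>" to find its credentials.
    if grep -E '^[[:space:]]*action .* host [^ ]*@' "$conf" | grep -qv 'auth <'; then
        echo "AUTH: relay action with a label but no 'auth <table>'"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample files (placeholders only), written to a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'perso user@example.org:not-a-real-password\n' > "$d/secrets"
    chmod 640 "$d/secrets"
    printf 'table secrets file:%s\naction "unbound" relay host smtp+tls://perso@smtp.example.org auth <secrets> mail-from "@example.org"\n' \
        "$d/secrets" > "$d/smtpd.conf"
    check_relay_creds "$d/smtpd.conf" "$d/secrets"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo && echo "no findings"
```

On the real system, call `check_relay_creds /etc/mail/smtpd.conf /etc/mail/secrets` as root, then still run `smtpd -n`, which remains the authoritative syntax check.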
### Error: Sender address rejected: Domain not found
This message means the SMTP service can't match the desired domain name.
The tip: use the [mail-from](https://man.openbsd.org/smtpd.conf#mail_-from) parameter in
your action rule to target the right domain name, for example:
`mail-from "@votre-domaine.tld"`
**Do not forget the `@` symbol.**
## Documentation
The SMTP protocol is defined by RFC 5321:
{{< rfcdoc 5321 >}}
### Manpages
* {{< man "smtpd.conf" 5 >}}, {{< man "smtpctl" 8 >}}
### Other information
* See the [syntax changes introduced with OpenSMTPD v6.4][3]
---
[1]: https://gandi.net
[2]: https://lautre.net
[3]: https://www.openbsd.org/faq/upgrade64.html
---