Hi all, I've got a few silly questions regarding OpenSMTPD… I'd ask on the opensmtpd misc mailing list, but my subscribe requests keep bouncing after a few days. Since I'm running OpenSMTPD on OpenBSD, I figure they're on-topic here too.
I have two servers (actually more than that, but two that are relevant to this discussion).

One is a Gentoo Linux machine with Postfix, which acts as my primary MX. I keep it up to date, it's been a good workhorse, and provided many years of service. No reason to change it at this stage.

I have a VPS with a hosting provider (BinaryLane in Brisbane; they're OpenStack/Xen-based), which runs OpenBSD 6.4. I primarily use this machine as a slave DNS server (with nsd). I figure it'd be a nice idea to use this machine as a backup MX.

Right now, OpenSMTPD is running there, and whilst it is not publicly listening for SMTP traffic, it is configured to forward all *local* mail to my primary MX (where it has a virtual domain configured) so I can receive messages from `cron`, etc.

Aside from some hiccups with TLS verification which I worked around by adding my custom CA to /etc/ssl/cert.pem, it all went smoothly. (I'd prefer to have OpenSMTPD verify my home server's certificate against a *specific* CA key, but at least it's working.)

First and foremost is the issue of backscatter-prevention. I would like OpenSMTPD to validate the addresses passed to it before accepting them for relay to my primary MX.

In Postfix I can put

    relay_recipient_maps = hash:/etc/postfix/valid_recipients

into /etc/postfix/main.cf and fill that valid_recipients file with

    f...@example.com x
    b...@example.com x

I can come up with a full list -- no problem, but the question is how do I encode this list into the configuration of OpenSMTPD so that if the list contained f...@example.com and b...@example.com, but someone tries sending to foo...@example.com, that RCPT TO request is rejected before the email delivery begins.

Second is about how to define custom mail transports.
Rather than using SMTP/SSL like I am now, I'd like the emails destined for relay to my server to be encrypted using an RSA key (well, AES, then RSA encrypt the AES key), then either:

- scp'd to a special spool directory on my Linux server… OR if it happens to be down,
- placed in a special directory on the VPS for my server to later siphon down using `rsync --remove-source-files` over SSH.

(Basically, a bit like UUCP.)

The idea here is two-fold:

1. if someone gets even `root` access to the VPS (or mirrors the disk, etc)… there's no copy of the private key needed to decrypt the files -- that is safely stored on my home server.
2. if say the NBN roll-out in my patch of Brisbane gets royally screwed and I lose my static IPv4 address, I can make this server my primary MX and have the old server just "poll" for new messages. (Outbound delivery of mail will be a separate issue.)

Again, in Postfix I'd define a script to do the encryption/scp/etc in /etc/postfix/master.cf, then set up transport_maps to direct the mail there. Would the equivalent in OpenSMTPD be `mda` or is there some other method?

-- 
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
  ...it's backed up on a tape somewhere.
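
Added example, not part of the original post: a sketch of the "AES, then RSA encrypt the AES key" step for the pick-up spool described above, using `openssl smime` so that the relay host only ever holds a certificate. The function names `seal_to_spool` and `open_sealed` and the `tmp/` and `new/` spool layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Hypothetical names:
# seal_to_spool, open_sealed, and the tmp/ + new/ spool layout.

# seal_to_spool CERT_PEM SPOOL_DIR   (message on stdin, prints final path)
# Runs on the relay host, which holds only the recipient's certificate
# (public key), so a copy of the relay's disk cannot decrypt the spool.
# The body is a subshell so umask and variables do not leak to the caller.
seal_to_spool() (
    cert=$1
    spool=$2
    umask 077
    mkdir -p "$spool/tmp" "$spool/new" || exit 1
    name="$(date +%s).$$.$(openssl rand -hex 8)" || exit 1

    # PKCS#7 EnvelopedData: a random AES-256 key encrypts the message and
    # the RSA public key in CERT_PEM encrypts that AES key.
    if openssl smime -encrypt -binary -aes256 -outform DER \
        -out "$spool/tmp/$name" "$cert"
    then
        # rename() within one filesystem is atomic, so a puller that only
        # reads new/ never collects a half-written file.
        mv "$spool/tmp/$name" "$spool/new/$name.p7m" || exit 1
        printf '%s\n' "$spool/new/$name.p7m"
    else
        rm -f "$spool/tmp/$name"
        exit 1    # non-zero status tells the caller delivery failed
    fi
)

# open_sealed KEY_PEM CERT_PEM FILE   (decrypted message on stdout)
# Runs only on the machine that holds the private key.
open_sealed() {
    openssl smime -decrypt -binary -inform DER \
        -inkey "$1" -recip "$2" -in "$3"
}
```

EnvelopedData provides confidentiality only: anyone holding the certificate can produce a file that decrypts cleanly, so the receiving side should treat the decrypted content as untrusted input.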