Hello Edgar,

thanks very much for your in depth reply and the effort you've put into it.

As for the "user" keyword, the way I understand this, it that it equals the "as" statement in the old version.

... lmtp "/run/cyrus/lmtp" rcpt-to ->as nobody<-

Does however not work as I imangined. I am currently trying to get 6.4.2 up and running this week, see next thread.

Back to your reply: That catchall from your example in "@ catchall" is not a keyword, is it? But a local user accout?

> but some real user has to own the mailbox...

Care to explain, why is that? From my unknowledgable point of view, the mailbox handling should be done on the other side of the lmtpd socket. This misconception is at the very heart of my question.

The idea being that smtpd connects to the lmtp socket as user "nobody" (in my example) and delivers the mail to whatever is watining on the other side. So the only privileges required should be to connect to the socket, what in turn requires a system user.

Basically I am hoping to get the same behaviour for lmtp devilvery as for relay, where I can specify a mail-from list and it works like a charm, from a 6.5 installation:

action "relay" relay host smtp+notls://
match mail-from <vusers> for domain "example.com" action "relay"

Maybe with 6.4.2p with will also work with lmtp. Will hopefully be able to test that later this week and report back

Thanks again


Am 31.08.19 um 19:14 schrieb Edgar Pettijohn:
On Fri, Aug 30, 2019 at 11:14:37PM -0500, Edgar Pettijohn wrote:
On Fri, Aug 30, 2019 at 05:00:24PM +0200, Ede Wolf wrote:

Semi complete example at the bottom. I'll leave it to you to reverse translate
to the old syntax. I didn't notice till after I was done and am too lazy to
change it. :) Also noticed while re-reading smtpd.conf(5) there is a `user'
keyword that can be used in an action:

  user username
                      Specify the username for performing the delivery, to be
                      looked up with getpwnam(3).

                      This is used for virtual hosting where a single username
                      is in charge of handling delivery for all virtual users.

                      This option is not usable with the mbox delivery method.

Not sure if its available in whichever version you are using, but may make
things easier enough to warrant an upgrade.
While trying to learn opensmtpd, amongst other things I am struggeling with
the virtual user handling - for a non virtual domain setup.

 From what I have been able to understand so far it seems, as if there is no
way to deliver mails to a lmtp socket, if there is not at least some
reference/mapping to a system user?

accept from any for domain "example.com" recipient <vusers> alias <aliases>
deliver to lmtp "/run/cyrus/lmtp" rcpt-to as nobody

where vusers contains:

vusers would need to be `key => value' pairs


This is a list. More suitable for a vdomains table.

However, despite being listed in vusers, when trying to send a mail to bob,
it gets rejected with "550 Invalid recipient". Creating a systemuser "bob"
makes it work. But then I do not need the vusers table, so I am wondering,
is it possible to get along without the need for a system user?
Now the man page mentions a userbase parameter, and I assume, the according
table has to be in the format of the userinfo table mentioned in tables(5)?
What then effectively again refers to a system user - just with a mapping in

My attempts with a single userlist instead so far either resulted in a
'invalid use of table "susers" as USERBASE parameter' or simply a syntax

Is that assumption correct? Is there no way of keeping virtual users
completely off the system or did I get something terribly wrong? Even when
not using mbox/Maildir at all, where this requirement could make sense?

They are off the system, but some real user has to own the mailbox, etc...
And since user filtering will eventually be done at an earlier stage, I
would like smtpd to be able to unconditionally forward any mail unaltered
(except aliases) to the lmtp socket.

So, in addition to bob@example as for the tests com I would like to be able
to use *@example.com or just example.com to not do any user checking at all.
Depending on the syntax requirements.

Is it possible to deactivate the user checking one way or the other?

you could use a catchall


@       catchall

Thanks for any insight or heads up on what I may have missed or


groupadd -g 5000 vmail
useradd -g vmail -u 5000 vmail -d /var/vmail -m
chown -R vmail.vmail /var/vmail


bob     5000:5000:/var/vmail/bob


b...@example.com        bob

/etc/mail/smtpd.conf snippet

action "a01" lmtp "/var/cyrus/lmtp" rcpt-to  userbase <userinfo> virtual 
# may need to finesse the above. I'm not using cyrus or userbase table, so not 
100 percent
# sure if it will work as is.

match from all for domain <domains> action "a01"

Another option (that I use):


b...@example.com                vmail

action "a01" lmtp "/var/cyrus/lmtp" rcpt-to virtual <vusers>
match from all for domain <domains> action "a01"

No need for the userbase. I'm not really sure where a userbase table comes into 
play. Maybe someone out there using it can provide an example use case.

it sorta works...
deathstar$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 deathstar.my.domain ESMTP OpenSMTPD
ehlo p.com
250-deathstar.my.domain Hello p.com [], pleased to meet you
250-SIZE 36700160
250 HELP
mail from:<me>
250 2.0.0 Ok
rcpt to:<bob>
250 2.1.5 Destination address valid: Recipient ok
354 Enter mail, end with "." on a line by itself
to: u
from: me

hi bob.

250 2.0.0 0a7d910f Message accepted for delivery

a19e5552f2afe6dc smtp connected address= host=localhost
debug: aliases_virtual_get: 'bob' resolved to 1 nodes
debug: aliases_virtual_get: 'bob' resolved to 1 nodes
warn: smtpd: parent_forward_open: /var/mail/bob: No such file or directory
smtp: 0x1903053fd000: fd 13 from queue
smtp: 0x1903053fd000: message fd 13
smtp: 0x1903053fd000: message begin
debug: 0x19034b71f000: adding Date
debug: 0x19034b71f000: adding Message-ID
debug: 0x1903053fd000: end of message, error=0
a19e5552f2afe6dc smtp message msgid=0a7d910f size=335 nrcpt=1 proto=ESMTP
a19e5552f2afe6dc smtp envelope evpid=0a7d910fa2469b23 from=<m...@deathstar.my.domain> 
debug: scheduler: evp:0a7d910fa2469b23 scheduled (mda)
mda: new user a19e5554bded3360 for "userinfo:bob" delivering as "root"
debug: lka: userinfo userinfo:bob
debug: mda: new session a19e555520bf2fa5 for user "userinfo:bob" evpid 
debug: mda: no more envelope for "userinfo:bob"
debug: mda: got message fd 13 for session a19e555520bf2fa5 evpid 
debug: mda: querying mda fd for session a19e555520bf2fa5 evpid 0a7d910fa2469b23
debug: smtpd: forking mda for session a19e555520bf2fa5: bob as root
debug: mda: got mda fd 14 for session a19e555520bf2fa5 evpid 0a7d910fa2469b23
debug: mda: end-of-file for session a19e555520bf2fa5 evpid 0a7d910fa2469b23
debug: mda: all data sent for session a19e555520bf2fa5 evpid 0a7d910fa2469b23
debug: smtpd: mda process done for session a19e555520bf2fa5: exited abnormally
a19e5554bded3360 mda delivery evpid=0a7d910fa2469b23 from=<m...@deathstar.my.domain> 
to=<b...@deathstar.my.domain> rcpt=<b...@deathstar.my.domain> user=bob delay=16s 
result=PermFail stat=Error ("mail.local: unknown name: bob")
debug: mda: session a19e555520bf2fa5 done
debug: mda: user "bob" becomes runnable
debug: mda: all done for user "userinfo:bob"

So probably don't want to use mail.local to deliver the message or make sure 
/var/mail/bob exists in this particular example.

Reply via email to