I’ve been running my own mail servers since the early 90s, so I have a lot of 
familiarity with the concept (mostly on Sendmail, but I switch 100% to OpenBSD 
for mail a little over two years ago).

I set up things in the Pre 6.5 days with opensmtpd/dovecot/spamdb/spamd, and 
this are working well.  Now I need to expand things a bit.  First, I have to 
upgrade my machines to 6.6. and I plan on using gilles@ excellent 
 for that.

What I need a pointer to is setting up a smarthost on OpenBSD (not just an 
endpoint to send/receive mail).  The issue I’m facing is this:  I have 4-6 
little OpenBSD boxes behind a dynamic address on a broadband connect that 
blocks port 25.  There are only two accounts on these boxes, root and me (but 
it’s looking like there will be more).  I want all root mail to go to me, but 
me on the smarthost, or (possibly) sent to j-random email address with the 
address coming from me@mydomain, but routed through the smarthost with 
authentication (I’m fine with using a Cert, but I can’t use a Let’s Encrypt 
cert because a) there’s no web browser running on these hosts, and b) they’re 
not accessible from the internet).  I’d prefer to not have to listen on yet 
another port, since I’m already listening on 469 & 587 as well as 25, but if I 
have to do that specifically for relaying, I can, of course.

In my sendmail days, we had masquarade, and everything was just using port 25 
and allowing from particular IPs.  When I set up my backup MX machine it, too, 
has a static IP so I can use the IP to accept mail from it.  Moving forward, 
I’d like to have it use whatever I set up for the small boxes for authenticated 

I can (and will, if it comes to that) figure this all out myself, but I figure 
if anyone already knows where some of this might be presented much like the 
article referenced above, I’d sure appreciate a pointer to it.  Particularly 
about masquarading as an arbitrary user@domain (taking all users and tacking on 
@domain) (for reasons, all my machines have foo.bar as their domain externally, 
int.foo.bar internally, and mail is actually routed as @other.domain) and 
authentication with private certs (which seem better than using an 
authentication table, as I’d have to create pairs for every machine, or share 
them, and they’d still have to be in plaintext).


PS Rereading this, perhaps a small example would be ideal: If I’m root on one 
of my little boxes, I would like to be email someb...@somewhere.com and have 
someb...@somewhere.com see it come from the email address I’m using here. :-). 
In addition, as I set up services on these little boxes, there’s a good chance 
I'll want those services to send email to somb...@somewhere.com.

Reply via email to