Hi.

I’ve been running my own mail servers since the early 90s, so I have a lot of 
familiarity with the concept (mostly on Sendmail, but I switched 100% to OpenBSD 
for mail a little over two years ago).

I set up things in the pre-6.5 days with opensmtpd/dovecot/spamdb/spamd, and 
this is working well.  Now I need to expand things a bit.  First, I have to 
upgrade my machines to 6.6, and I plan on using gilles@'s excellent 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
for that.

What I need a pointer to is setting up a smarthost on OpenBSD (not just an 
endpoint to send/receive mail).  The issue I’m facing is this:  I have 4-6 
little OpenBSD boxes behind a dynamic address on a broadband connection that 
blocks port 25.  There are only two accounts on these boxes, root and me (but 
it’s looking like there will be more).  I want all root mail to go to me, but 
me on the smarthost, or (possibly) sent to j-random email address with the 
address coming from me@mydomain, but routed through the smarthost with 
authentication (I’m fine with using a Cert, but I can’t use a Let’s Encrypt 
cert because a) there’s no web browser running on these hosts, and b) they’re 
not accessible from the internet).  I’d prefer to not have to listen on yet 
another port, since I’m already listening on 469 & 587 as well as 25, but if I 
have to do that specifically for relaying, I can, of course.

In my sendmail days, we had masquerade, and everything was just using port 25 
and allowing from particular IPs.  When I set up my backup MX machine, it, too, 
had a static IP, so I used the IP to accept mail from it.  Moving forward, 
I’d like to have it use whatever I set up for the small boxes for authenticated 
relaying.

I can (and will, if it comes to that) figure this all out myself, but I figure 
if anyone already knows where some of this might be presented much like the 
article referenced above, I’d sure appreciate a pointer to it.  Particularly 
about masquerading as an arbitrary user@domain (taking all users and tacking on 
@domain) (for reasons, all my machines have foo.bar as their domain externally, 
int.foo.bar internally, and mail is actually routed as @other.domain) and 
authentication with private certs (which seem better than using an 
authentication table, as I’d have to create pairs for every machine, or share 
them, and they’d still have to be in plaintext).

Sean

PS Rereading this, perhaps a small example would be ideal: If I’m root on one 
of my little boxes, I would like to be able to email someb...@somewhere.com and have 
someb...@somewhere.com see it come from the email address I’m using here. :-). 
In addition, as I set up services on these little boxes, there’s a good chance 
I'll want those services to send email to somb...@somewhere.com.
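As an added example, not from Sean's post or from any reply in this thread, here is one way to express the setup he describes in the post-6.4 smtpd.conf grammar: a satellite box that accepts mail only from itself, forwards root's mail to a human, and submits everything to the smarthost on port 587 with STARTTLS and a credentials table, rewriting only the domain part of the envelope sender; plus the matching authenticated submission listener on the smarthost. The hostnames (box1, mx.foo.bar), the account name "sean", the certificate paths and the password are placeholders, and the smarthost's private CA is assumed to already be in the satellite's trust store so the relay connection verifies.

```conf
# ---------------------------------------------------------------------------
# /etc/mail/smtpd.conf on a satellite box (placeholder hostname box1.int.foo.bar)
# ---------------------------------------------------------------------------

# /etc/mail/aliases contains one line:   root: sean@other.domain
# so anything addressed to root is re-routed to the human and then relayed.
table aliases file:/etc/mail/aliases

# /etc/mail/secrets (source of the .db) contains one line per label:
#   smarthost   box1:REPLACE-WITH-LONG-RANDOM-PASSWORD
# It holds a plaintext password, so keep it root:_smtpd, mode 0640, and give
# every satellite its own label/account so one box can be revoked on its own.
table secrets db:/etc/mail/secrets.db

# Nothing listens on a public interface: only local processes may submit.
listen on lo0

# Local-domain mail is expanded through the aliases table first; an alias
# that expands to a non-local address is re-evaluated against the rules below.
action "local_mail" mbox alias <aliases>

# Everything else leaves via the smarthost on the submission port, STARTTLS,
# authenticating with the "smarthost" label from the secrets table.
# mail-from "@other.domain" keeps the user part and rewrites only the domain,
# so root@box1.int.foo.bar is sent out as root@other.domain (masquerading).
action "relay_out" relay host smtp+tls://smarthost@mx.foo.bar:587 \
    auth <secrets> mail-from "@other.domain"

match from local for local action "local_mail"
match from local for any action "relay_out"

# ---------------------------------------------------------------------------
# /etc/mail/smtpd.conf on the smarthost (placeholder mx.foo.bar), relevant part
# ---------------------------------------------------------------------------

# /etc/mail/credentials (source of the .db) holds one line per satellite:
#   box1   <hash produced by "smtpctl encrypt">
# Only hashes live here, never the cleartext password.
table credentials db:/etc/mail/credentials.db

pki mx.foo.bar cert "/etc/ssl/mx.foo.bar.crt"
pki mx.foo.bar key  "/etc/ssl/private/mx.foo.bar.key"

# Submission port: TLS is mandatory before AUTH is offered, and AUTH is
# checked against the credentials table.
listen on egress port 587 tls-require pki mx.foo.bar auth <credentials>

action "outbound" relay

# Only authenticated sessions may relay to arbitrary destinations; an
# unauthenticated client on 587 matches nothing and is refused.
match auth from any for any action "outbound"
```

After editing either file, rebuild the tables with makemap and run `smtpd -n` to parse the configuration before restarting the daemon; on the smarthost, watching `/var/log/maillog` for a test message from a satellite confirms that the envelope sender arrives rewritten and that the session was authenticated rather than relayed on the strength of its source address.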
