Re: How to have two different policies to send emails

2016-07-30 Thread Olivier Burelli
On Fri, 29 Jul 2016 13:02:58 + (UTC)
Mik J  wrote:

Hello Mik J.

egress is the routed interface.

If I understood your case you have to:

_ configure PF (with divert-to) for your specific requirements
_ configure opensmtpd to define your policies.

(you can also use specific tag and redirection for it)

I added as an attachment an overview of my implementation of opensmtpd + spamd + 
clamav & spamassassin (via filter) + bgpd + ...

And sorry, I am not a designer; the picture reflects only my understanding. I 
guess I did not err.


> Hello,
> I would like to have two different policies for clients (MUA) that send mails.
> - Clients (applications) that send mails without authentication, they have a 
> specific IP address
> - Clients (users) that send mails with an authentication, I don't know their 
> IP address
> For case 1, it works
> listen on 10.1.1.1
> accept from source  for any relay
> For case 2, there are examples in the man (I know that authenticated users 
> are considered local)

It depends whether they are defined as virtual or not. However, from my point of 
view a user always has to provide authentication.

From my point of view, the MTA has to knock on the door and has to try first to 
open a TLS exchange.

> listen on egress tls pki mail.example.com auth
> accept for any relay

If you run netstat -na -f inet you will see that you requested opensmtpd to 
listen on a specific port.

For example :
###
#
## Deliver : treatment depends from the flow ()
#
# Manage flow
listen on lo0 port 10030 tag DKIM_OUT   # outgoing email to another MTA
#
# Inbound
listen on lo0 port 25 filter sub
listen on egress port 25 filter all hostname daenerys.burelli.fr tls pki daenerys.burelli.fr auth-optional
listen on egress port 587 filter sub hostname daenerys.burelli.fr tls-require pki daenerys.burelli.fr auth


netstat -na -f inet :

tcp   0   0   127.0.0.1.10030   *.*   LISTEN
tcp   0   0   127.0.0.1.25      *.*   LISTEN
tcp   0   0   95.130.9.14.25    *.*   LISTEN
tcp   0   0   95.130.9.14.587   *.*   LISTEN
tcp   0   0   127.0.0.1.10029   *.*   LISTEN
tcp   0   0   127.0.0.1.783     *.*   LISTEN
tcp   0   0   127.0.0.1.8026    *.*   LISTEN
tcp   0   0   127.0.0.1.8025    *.*   LISTEN


You also have to indicate the flow with:

###
#
## Allow to deliver
#
accept from any for domain  virtual  deliver to lmtp "/var/dovecot/lmtp" rcpt-to # deliver via lmtp
accept for local alias  deliver to mbox
###
#
## Relay
#
# Tagged mail returned from DKIM
accept tagged DKIM_OUT for any relay
#
# Start here (inbound)
accept from local for any relay via smtp://127.0.0.1:10029 # to DKIM_OUT



> I don't understand fully the line
> listen on egress tls pki mail.example.com auth
> because in the man page, the egress word is not defined
> OpenBSD manual pages
> To what correspond the egress word ?
> Regarding case 1 + case 2 I'm afraid there could be a conflict between listen 
> on 10.1.1.1 and listen on egress...
> Do you have any idea on how to reach this ?
> 


-- 
regards,
Olivier


opensmtpd-overview.png
Description: Binary data
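The two policies asked about above, written out as one smtpd.conf in the same 5.9-era grammar the thread uses (an added example, not Olivier's configuration or the attached diagram). The table name, the addresses, the tag names and the pki name are assumptions; the keywords (tag, tagged, from source, tls-require, auth) are the ones already shown on this page.

```conf
# Constructed example: two listeners, two tags, two relay rules.
#
# Policy 1: application clients that do not authenticate but come from
# known addresses. They get their own listener on the internal address.
# Restricting the relay rule to a source table means an unknown host that
# reaches this listener matches no rule and is rejected.
table app_clients { 10.1.1.50, 10.1.1.51 }     # assumed client addresses
listen on 10.1.1.1 port 25 tag APP

# Policy 2: users from unknown addresses. Submission port only, TLS must
# be established before AUTH is offered (tls-require), AUTH is mandatory.
# Using port 587 here avoids the bind conflict with the port-25 listener
# even if 10.1.1.1 happens to be the egress address.
listen on egress port 587 tls-require pki mail.example.com auth tag USERS

# Relay rules. A tag only matches mail that entered through the listener
# that set it, so an authenticated user cannot relay via the APP rule and
# an application host cannot relay via the USERS rule.
accept tagged APP from source <app_clients> for any relay
accept tagged USERS from local for any relay   # authenticated users are local
```

Check the result with netstat -na -f inet as shown above: 10.1.1.1.25 and the egress address on port 587 should be the only LISTEN entries for smtpd.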


Start Opensmtpd with a key protected by password

2016-07-30 Thread Mik J
Hello,
I'm able to start opensmtpd manually as it prompts me for the password for the 
private key. However, I don't know how to do this automatically so opensmtpd starts 
at boot.
# /etc/rc.d/smtpd start
smtpd
passphrase for hostname.org:
I looked at the man but didn't find any directive.
Regards