Re: Setting personal mailserver

2023-09-07 Thread Archange
This is not the 80–90’s anymore. Internet is not a friendly place, and 
the bulk of emails sent today are spams. So most actors are leveraging 
everything they can to reduce that, and a high entrance barrier to email 
sending is definitely part of this plan.


That’s why we have (fc)rDNS, SPF, DKIM… And regarding residential IPs, 
they are hosts of the biggest botnets in the world, so residential ISPs 
tend to block port 25 outgoing by default to limit spam. Some give you 
the option to disable the port blocking, but very few allow you to set 
the reverse.


On my receiving ends (plural, I handle multiple email servers of various 
sizes including some with thousands of users), cutting down non (fc)rDNS 
compliant senders kills 99+% of spam attempts and I’ve never been 
reached by someone having a false positive on that policy. I don’t see 
why anyone would want to not have this amazing first layer fence.


Regards.

On 07/09/2023 at 13:12, Sagar Acharya wrote:

Or maybe we can simplify mail systems more. If mail, a system used to send messages across computers cannot 
work on "residential" IPs, then we can make it work on "residential" network since most 
nodes are "residential". You can look at.

humaaraartha.in.           TXT

And you'll find spf records there. Maybe it's just time to say, reduce the 
requirements of mail hosting to just static ip and DNS in a world where most 
don't even have a static ip!
Thanking you
Sagar Acharya
https://humaaraartha.in

P.S. I see that you're talking substance and truth to some extent but 
discarding residential IPs and this need for reverse dns is outrageous! What is 
the point of reverse DNS in today's world?
7 Sept 2023, 14:25 by archa...@activis.me:


Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.

So read maybe https://github.com/poolpOrg/OpenSMTPD-book, also 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/,
 and get a better understanding of SMTP/MTA requirements.

A public IP is not enough, it has to be not residential or at least you of 
course need port 25 to be open towards the world, which is not your case, and 
you also need to be able to set the reverse for it, while currently

humaaraartha.in.    IN    A    182.59.136.243

but

243.136.59.182.in-addr.arpa.    IN    PTR static-mum-182.59.136.243.mtnl.net.in.

And I do not expect “Mahanagar Telephone Nigam Limited” to let you set that 
reverse.

So back to our options: either get a VPS or dedicated server somewhere that 
allows port 25 and setting the reverse, or use an email service provider that would 
allow you to relay emails.

Actually I’m not even sure that your available SMTP options (Tutanota/GMail) 
would allow sending with an arbitrary MAIL FROM (i.e. one that is not 
@tutanota.tld or @gmail.com), and as I don’t have an account on either I cannot 
test that. So you would have to look into 
https://man.openbsd.org/smtpd.conf#host and 
https://man.openbsd.org/smtpd.conf#auth, and check whether any of your email 
providers allow you to send email as @humaaraartha.in (and then you might want 
to provide SPF records allowing them to do so).

Regards.

On 06/09/2023 at 23:40, Sagar Acharya wrote:


So what's the solution? I have a public ip. Can you suggest an edit?
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 00:43 by archa...@activis.me:


Hi,

On 06/09/2023 at 22:40, Sagar Acharya wrote:


I checked all network settings. They are perfect. Here is my conf below 
exactly. There's some issue with it.

== smtpd.conf ==
table aliases file:/etc/smtpd/aliases
table whitelist file:/etc/smtpd/whitelist

pki humaaraartha.in cert "path_to_fullchain"
pki humaaraartha.in key "path_to_privkey"

listen on 0.0.0.0 tls pki humaaraartha.in
listen on 0.0.0.0 smtps pki humaaraartha.in

action "local" maildir alias <aliases>
action "relay" relay host "smtps://humaaraartha.in" mail-from "@humaaraartha.in"


This line cannot work. You are asking to relay outgoing emails to your own 
server (host is the destination host — Jarod just linked the doc while I was 
writing). They won’t go anywhere. You cannot work around port 25 being blocked 
by using another port, else port 25 would not be blocked anywhere. You have to 
use an external relay that will accept submission from you on port 465 (smtps) 
or 587 (submission) and then relay on port 25 to the world. That will likely 
have to be one you have an account on (Gmail or Tutanota).

Regards.
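The (fc)rDNS policy described above, written out as an added example (not code from the thread or from OpenSMTPD): a forward-confirmed reverse DNS check with an injectable resolver, run here against a constructed zone using documentation address ranges so it works offline. All names and addresses in the zone are assumptions; the only record taken from the thread is the in-addr.arpa owner name for 182.59.136.243, which the `reverse_name` helper derives.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check as an MTA applies it at
connect time. Added example, not OpenSMTPD code: the resolver is injectable
so the check runs offline against a constructed zone; names and addresses
below are assumptions (documentation ranges), not records from the thread."""
import ipaddress
from typing import Callable

# resolve(name, rrtype) -> list of rdata strings; raises LookupError if no RRset
Resolver = Callable[[str, str], list[str]]


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa owner name for an address (no trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_fcrdns(ip: str, resolve: Resolver) -> tuple[bool, bool, list[str]]:
    """Return (rdns_ok, fcrdns_ok, ptr_names).

    rdns_ok   - the address has at least one PTR record.
    fcrdns_ok - at least one PTR name resolves (A for v4, AAAA for v6) back
                to the connecting address. A PTR whose forward records do not
                include the address is the spoofable case: whoever controls
                reverse DNS for a netblock can claim any name, but only the
                name's owner can make the forward zone agree.
    """
    addr = ipaddress.ip_address(ip)
    try:
        ptrs = [n.rstrip(".").lower() for n in resolve(addr.reverse_pointer, "PTR")]
    except LookupError:
        ptrs = []
    if not ptrs:
        return False, False, []
    rrtype = "AAAA" if addr.version == 6 else "A"
    for name in ptrs:
        try:
            forward = resolve(name, rrtype)
        except LookupError:
            continue
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return True, True, ptrs
    return True, False, ptrs


def connect_decision(ip: str, resolve: Resolver) -> str:
    """Mirror the two connect-phase filters quoted later in this archive:
    reject on missing rDNS, reject on rDNS that is not forward-confirmed,
    otherwise let the session proceed."""
    rdns_ok, fcrdns_ok, _ = check_fcrdns(ip, resolve)
    if not rdns_ok:
        return "disconnect 550 DNS error (no rDNS)"
    if not fcrdns_ok:
        return "disconnect 550 DNS error (rDNS not forward-confirmed)"
    return "proceed"


# Constructed zone data (assumed, not real records).
_ZONE: dict[tuple[str, str], list[str]] = {
    # Proper MX: PTR and A agree.
    (reverse_name("192.0.2.1"), "PTR"): ["mx1.example.org."],
    ("mx1.example.org", "A"): ["192.0.2.1"],
    # Generic ISP PTR whose forward record points elsewhere: rDNS, no FCrDNS.
    (reverse_name("192.0.2.2"), "PTR"): ["cust-192-0-2-2.isp.example."],
    ("cust-192-0-2-2.isp.example", "A"): ["198.51.100.7"],
    # Two PTRs, only the second one confirms.
    (reverse_name("192.0.2.4"), "PTR"): ["old.example.org.", "mx2.example.org."],
    ("old.example.org", "A"): ["203.0.113.9"],
    ("mx2.example.org", "A"): ["192.0.2.4"],
    # IPv6 host with a matching AAAA.
    (reverse_name("2001:db8::25"), "PTR"): ["mx6.example.org."],
    ("mx6.example.org", "AAAA"): ["2001:db8:0:0:0:0:0:25"],
    # 192.0.2.3 deliberately has no PTR at all.
}


def zone_resolve(name: str, rrtype: str) -> list[str]:
    """Stand-in for a real stub resolver; looks names up in _ZONE."""
    key = (name.rstrip(".").lower(), rrtype.upper())
    if key not in _ZONE:
        raise LookupError(f"NXDOMAIN/NODATA for {name} {rrtype}")
    return list(_ZONE[key])


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "2001:db8::25"):
        print(f"{ip:>14}  {check_fcrdns(ip, zone_resolve)}  -> {connect_decision(ip, zone_resolve)}")
```

Swapping `zone_resolve` for a real lookup (dnspython or `socket.getaddrinfo`) turns this into a live check; the policy function stays the same. The second zone entry is the case the post is about: a residential address usually has a generic ISP PTR, and even when it does, the name's forward record rarely points back at the customer address.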





Re: Setting personal mailserver

2023-09-07 Thread Archange

Learn the basics. Unfortunately, you do not seem to understand MTA/SMTP.

So read maybe https://github.com/poolpOrg/OpenSMTPD-book, also 
https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/, 
and get a better understanding of SMTP/MTA requirements.


A public IP is not enough, it has to be not residential or at least you 
of course need port 25 to be open towards the world, which is not your 
case, and you also need to be able to set the reverse for it, while 
currently


humaaraartha.in.    IN    A    182.59.136.243

but

243.136.59.182.in-addr.arpa.    IN    PTR 
static-mum-182.59.136.243.mtnl.net.in.


And I do not expect “Mahanagar Telephone Nigam Limited” to let you set 
that reverse.


So back to our options : either get a VPS or dedicated server somewhere 
that allow port 25 and setting reverse, or use an email service provider 
that would allow you to relay emails.


Actually I’m not even sure that your available SMTP options 
(Tutanota/GMail) would allow sending with an arbitrary MAIL FROM (i.e. 
one that is not @tutanota.tld or @gmail.com), and as I don’t have an 
account on either I cannot test that. So you would have to look into 
https://man.openbsd.org/smtpd.conf#host and 
https://man.openbsd.org/smtpd.conf#auth, and check whether any of your 
email providers allow you to send email as @humaaraartha.in (and then 
you might want to provide SPF records allowing them to do so).


Regards.

On 06/09/2023 at 23:40, Sagar Acharya wrote:

So what's the solution? I have a public ip. Can you suggest an edit?
Thanking you
Sagar Acharya
https://humaaraartha.in



7 Sept 2023, 00:43 by archa...@activis.me:


Hi,

On 06/09/2023 at 22:40, Sagar Acharya wrote:


I checked all network settings. They are perfect. Here is my conf below 
exactly. There's some issue with it.

== smtpd.conf ==
table aliases file:/etc/smtpd/aliases
table whitelist file:/etc/smtpd/whitelist

pki humaaraartha.in cert "path_to_fullchain"
pki humaaraartha.in key "path_to_privkey"

listen on 0.0.0.0 tls pki humaaraartha.in
listen on 0.0.0.0 smtps pki humaaraartha.in

action "local" maildir alias <aliases>
action "relay" relay host "smtps://humaaraartha.in" mail-from "@humaaraartha.in"


This line cannot work. You are asking to relay outgoing emails to your own 
server (host is the destination host — Jarod just linked the doc while I was 
writing). They won’t go anywhere. You cannot work around port 25 being blocked 
by using another port, else port 25 would not be blocked anywhere. You have to 
use an external relay that will accept submission from you on port 465 (smtps) 
or 587 (submission) and then relay on port 25 to the world. That will likely 
have to be one you have an account on (Gmail or Tutanota).

Regards.





Re: Setting personal mailserver

2023-09-06 Thread Archange

Hi,

On 06/09/2023 at 22:40, Sagar Acharya wrote:

I checked all network settings. They are perfect. Here is my conf below 
exactly. There's some issue with it.

== smtpd.conf ==
table aliases file:/etc/smtpd/aliases
table whitelist file:/etc/smtpd/whitelist

pki humaaraartha.in cert "path_to_fullchain"
pki humaaraartha.in key "path_to_privkey"

listen on 0.0.0.0 tls pki humaaraartha.in
listen on 0.0.0.0 smtps pki humaaraartha.in

action "local" maildir alias <aliases>
action "relay" relay host "smtps://humaaraartha.in" mail-from "@humaaraartha.in"


This line cannot work. You are asking to relay outgoing emails to your 
own server (host is the destination host — Jarod just linked the doc 
while I was writing). They won’t go anywhere. You cannot work around port 
25 being blocked by using another port, else port 25 would not be 
blocked anywhere. You have to use an external relay that will accept 
submission from you on port 465 (smtps) or 587 (submission) and then 
relay on port 25 to the world. That will likely have to be one you have 
an account on (Gmail or Tutanota).


Regards.




Re: Strange timeout issue

2023-08-06 Thread Archange

On 07/08/2023 at 00:00, Tobias Fiebig wrote:

Heho,

On Sun, 2023-08-06 at 22:58 +0400, Archange wrote:

isis.lip6.fr

This host has an IPv4 and IPv6 address. If you use the v4 addr.
verbatim, the connection fails. If you use the FQDN, you use the v6
addr, the connection works.


I feel silly now. ^^


Works:

openssl s_client -connect [2001:660:3302:283c::2]:25 -servername isis.lip6.fr -starttls smtp

openssl s_client -connect isis.lip6.fr:25 -servername isis.lip6.fr -starttls smtp


Does not work:

openssl s_client -connect 131.227.60.2:25 -servername isis.lip6.fr -starttls smtp

Best guess:

The IPv4 address for this host (132.227.60.2) seems to have (i guess)
MTU issues (at least for me); From my homebox (mtu <1500 on-path) i
cannot connect via v4 on tcp/25, from another host in the same /24
(same routing policy) but 1500mtu on the whole path i can with the
s_client line noted as 'does not work' above.

Alternatively, they might be doing something else 'somewhat funny'. Not
easy to guess, though, without sinking a lot of time, but this really
smells like a them-issue to me.

Solution:

Make lip6.fr fix their stuff.


Or fix my provider not allocating (enough) IPv6 to me (they gave a /128, 
and I already have another domain sending from that one)…


Thanks for your analysis, I’ll try to reach someone there (lip6) to see 
what can be done.





Strange timeout issue

2023-08-06 Thread Archange

Hi there,

On one of the servers I’m managing, there are some emails stuck in queue 
because smtpd cannot reach the destination servers.


My log is filled with:
```
smtp-out: Enabling route  <-> 132.227.60.30 (osiris.lip6.fr)
 mta connecting address=smtp://132.227.60.30:25 host=osiris.lip6.fr
 mta error reason=Connection timeout
smtp-out: Disabling route  <-> 132.227.60.30 (osiris.lip6.fr) 
for 15s

smtp-out: Enabling route  <-> 132.227.60.2 (isis.lip6.fr)
 mta connecting address=smtp://132.227.60.2:25 host=isis.lip6.fr
 mta error reason=Connection timeout
smtp-out: Disabling route  <-> 132.227.60.2 (isis.lip6.fr) for 15s
```

Trying to debug this, I’ve figured out that
```
openssl s_client -connect isis.lip6.fr:25 -starttls smtp
```
works, but
```
openssl s_client -connect 131.227.60.2:25 -servername isis.lip6.fr 
-starttls smtp

```
does not (while for instance both work on my own servers).

So it seems smtpd is trying to connect by ip rather than hostname, and 
that for some reason this does not work here? Is this an issue to be 
fixed in opensmtpd, in the underlying ssl library (I could try libressl 
to see if that changes anything) or on (somewhere on the path to) the 
lip6.fr servers?





Re: List expansion problem

2023-08-03 Thread Archange

On 03/08/2023 at 20:55, Archange wrote:

Hi there,

I don’t know if you’ve got an answer off-list or fixed your issue, but 
here is my quick analysis.


On 09/07/2023 at 03:10, Andrea D'Amore wrote:

Hello,
I am using a opensmtpd 7.3.0 instance to collect and forward email 
from my

domains toward a gmail account.

[…]

What is wrong in my config?

What's so special about the plus sign?


The problem is in your aliases table. As per 
https://man.openbsd.org/aliases.5, the + part is removed by smtpd for 
matching user-part in the table, but other symbols are not. I think 
you need virtual table instead 
(https://man.openbsd.org/smtpd.conf#virtual) and catch-all (see 
https://man.openbsd.org/table.5#Aliasing_tables) if that’s suitable 
for you (as you will already have filtered before).


Further reading the docs, there might be a better option: sub-addr-delim 
(https://man.openbsd.org/smtpd.conf#smtp~3).





Re: List expansion problem

2023-08-03 Thread Archange

Hi there,

I don’t know if you’ve got an answer off-list or fixed your issue, but 
here is my quick analysis.


On 09/07/2023 at 03:10, Andrea D'Amore wrote:

Hello,
I am using a opensmtpd 7.3.0 instance to collect and forward email from my
domains toward a gmail account.

My stripped down config is:


 table aliases { test=mynicef...@gmail.com.invalid }
 table addresses { "test[-+]?[0-9]*@mydomain\.net" }
 table forwardedrecipients { mynicef...@gmail.com.invalid }

 pki "mydomain.net" cert "/etc/letsencrypt/live/mydomain.net/fullchain.pem"
 pki "mydomain.net" key "/etc/letsencrypt/live/mydomain.net/privkey.pem"

 srs key "Ku2PP9TZm3DtWS+fak7wQNu6mPiLpV6aRyuUF7uq"

 filter   "rdns" phase connect match   !rdns disconnect "550 DNS error"
 filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
 filter "rspamd" proc-exec "/usr/libexec/opensmtpd/filter-rspamd"

 listen on eth0 port 25 tls pki "mydomain.net" filter { "rdns", "fcrdns", "rspamd" }

 action "relay" relay srs
 action "aliasedrelay" forward-only virtual <aliases>

 match from any for rcpt-to regex <addresses> action "aliasedrelay"
 match from local for any action "relay"

in this example I am catching (rather trying to catch) everything
toward test*@mydomain.net and forward that to mynicefake gmail
mailbox.

My previous regex was "test(\+[a-zA-Z0-9_.-]*)?@mydomain\.net",
mimicking Gmail's `user+tag@` feature.
Now I am trying to expand that to allow dash and to use arbitrary
characters after, I am using 0-9 for the tests, once it work I'll add
the alphas.

The config I pasted works fine for messages addressed to   test+123
@mydomain.net or  test @mydomain.net  but fails if I use a dash in
place of plus sign, or remove the sign at all, in that case I get

 result="524 5.2.4 Mailing list expansion problem: "

whereas using the plus sign I get a nice SRS forwarding.

I am attaching config and logs since Gmail's web is breaking line length.


What is wrong in my config?

What's so special about the plus sign?


The problem is in your aliases table. As per 
https://man.openbsd.org/aliases.5, the + part is removed by smtpd for 
matching user-part in the table, but other symbols are not. I think you 
need virtual table instead (https://man.openbsd.org/smtpd.conf#virtual) 
and catch-all (see https://man.openbsd.org/table.5#Aliasing_tables) if 
that’s suitable for you (as you will already have filtered before).


Regards.
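The fix suggested in the reply, as an added configuration example (not the poster's config and not from the OpenSMTPD docs): a virtual table with a domain catch-all replaces the aliases table, so the regex on rcpt-to decides what is accepted and the catch-all decides where it goes, independent of whether the suffix uses "+" or "-". The mailbox placeholder is the thread's own; the anchored regex and the commented sub-addr-delim alternative are assumptions.

```conf
# Added example, not the poster's config.
#
# Why the aliases table failed: aliases(5) strips a "+tag" before looking up
# the user part, so "test+123" matches the alias "test", while "test-123"
# and "test" with a "-" suffix are looked up verbatim, have no alias, and
# fail expansion with "524 5.2.4 Mailing list expansion problem".

# Anchored so that "nottest-1@..." or "test-1@mydomain.net.evil" cannot match.
table addresses { "^test[-+]?[0-9]*@mydomain\.net$" }

# Virtual table with a domain catch-all: "@mydomain.net" matches any local
# part, so no per-suffix entry is needed. Only recipients that passed the
# regex above ever reach it.
table vusers { "@mydomain.net" = "mynicef...@gmail.com.invalid" }

action "aliasedrelay" forward-only virtual <vusers>
match from any for rcpt-to regex <addresses> action "aliasedrelay"

# Alternative mentioned in the follow-up (assumed usage): make "-" the
# sub-address delimiter so "test-123" is stripped to "test" before the alias
# lookup. Then "+" is no longer a delimiter, so pick one convention.
# smtp sub-addr-delim "-"
```

With the catch-all in place, the regex table is the only thing standing between the public listener and a forwarding loop to the external mailbox, which is why it is anchored at both ends.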




Re: Multiple dkim key with filter-dkimsign

2022-10-19 Thread Archange

On 19/10/2022 at 09:10, Martijn van Duren wrote:

On Wed, 2022-10-19 at 00:23 +0400, Archange wrote:

On 19/10/2022 at 00:07, Martijn van Duren wrote:

On Wed, 2022-10-19 at 00:02 +0400, Archange wrote:

Hi there,

Due to an issue with the rspamd filter running against rspamd 3.3
(https://github.com/poolpOrg/filter-rspamd/issues/41), I’m looking at
migrating my main server to dkimsign. I’m already using it on several
servers, but they all handle only one domain, and I’m now in need to
handle several domains (all incoming on the same interface).

Those might have different selectors, different keys… Is there a way to
specify those, or the only option is to have the same key and selector
for all domains?

Regards.


It's as you said, only a single key and selector can be used per
dkimsign instance. If I would allow multiple selectors/keys it would
require making the config a lot more complex without any additional
benefit that I can see at the time.

Not necessarily much more complex. I would just ditch -s/-k and make -d
accept domain:selector:keyfile triplets.

Why not take a step further?
domain:selector:keyfile:algorithm:canonicalization:headers

It opens the door to all kind of weirdness for which no real use case
has been presented yet.


You’re right.


This is probably not a good practice (e.g. I should likely have
different selector and dkim keys per server), but currently some domains
are shared with other servers and owners, and so is the dkim key for
those domains. I don’t want that key to be valid for other domains.

Bottom line, dkim is nothing more than "this entity" has seen this mail
in it's current form as long as the signature passes. The only reason
for adding support for multiple domains was because of dmarc, which
combines it with the question if the domain in the from-header matches
with the domain in the signature.

Bottom line is that it's not the domain that manages the key, but the
server and the domain only says that it trusts the server by handling
the public component.


Yeah, that is basically what I came to realize with this issue.


I guess the solution is indeed to switch to different keys per server
instead of per domain.

I'm not setting this in stone, but I need a little more then personal
preferences for adding more complexity to this piece of code which I
already consider quite the monster.

If you really want this you could probably redirect the mail back into
itself but on different ports and let every port have their own
dkimsign instance, similar to how the old dkimproxy setups would work:
https://myconan.net/blog/posts/4567/


I tried something like that in the first place but I was trying to do 
things at the filters level and couldn’t find a way. Thanks for pointing 
me towards the right direction, so for now (as it was easier to fix in 
place rather than switch the whole setup) I ended up using `mail-from 
regex "^.*@domain$"` to redirect on several local ports based on domain, 
and then filtering to dkimsign for each.
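The per-domain signer layout described in that last paragraph, as an added configuration example (not the thread's config): outbound mail is routed by envelope sender domain to a loopback listener that runs exactly one filter-dkimsign instance, then sent out. Domain names, selectors, key paths, ports, interface names, tags and the credentials table are assumptions; filter-dkimsign's `-d/-s/-k` options are the ones the thread discusses.

```conf
# Added example, not the config from the thread. Assumes Linux interface
# names (eth0, lo); on OpenBSD use egress/lo0.
table creds file:/etc/smtpd/creds
table from_a { "^.*@a\.example$" }
table from_b { "^.*@b\.example$" }

pki mail cert "/etc/ssl/mail.example.net.fullchain.pem"
pki mail key  "/etc/ssl/private/mail.example.net.key"

# One filter-dkimsign process per domain/selector/key triplet.
filter "dkim_a" proc-exec "filter-dkimsign -d a.example -s sel2022 -k /etc/mail/dkim/a.example.sel2022.key"
filter "dkim_b" proc-exec "filter-dkimsign -d b.example -s sel2022 -k /etc/mail/dkim/b.example.sel2022.key"

# Submission from users: authenticate and tag, but do not sign here.
listen on eth0 port 587 tls-require pki mail auth <creds> tag SUBMIT

# Loopback listeners: each one runs exactly one signer.
listen on lo port 10025 tag SIGNED_A filter "dkim_a"
listen on lo port 10026 tag SIGNED_B filter "dkim_b"

action "to_signer_a" relay host smtp://127.0.0.1:10025
action "to_signer_b" relay host smtp://127.0.0.1:10026
action "outbound" relay

# First pass: route by envelope sender domain to the matching signer.
match tag SUBMIT mail-from regex <from_a> for any action "to_signer_a"
match tag SUBMIT mail-from regex <from_b> for any action "to_signer_b"
# Second pass: mail arriving on a signer port is signed; send it out.
match tag SIGNED_A for any action "outbound"
match tag SIGNED_B for any action "outbound"
```

A submission whose sender domain matches neither table falls through all match rules and is rejected, so an authenticated user cannot send as a domain this server does not sign for; the loopback hop is plaintext but never leaves the host.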





Re: New config fails

2021-11-06 Thread Archange

On 07/11/2021 at 01:53, Rodolphe Bréard wrote:


On 06/11/2021 22:49, Matthieu C wrote:

Hi!


Hi!

On 06/11/2021 22:49, Matthieu C wrote:
However, my opensmtpd service fails to start (even manually) with 
this error:

smtpd[2160]: pony express: smtpd: bind: Cannot assign requested address
smtpd[2156]: smtpd: process pony socket closed



Seems like you kept the example IPv6 from the tutorial, therefore 
OpenSMTPD cannot listen on it.


No, he commented those lines. ;)




Re: New config fails

2021-11-06 Thread Archange

On 07/11/2021 at 01:49, Matthieu C wrote:

Hi!
I just setup a fresh install with opensmtpd and dovecot on my Ubuntu 
server with the help of this tutorial: 
https://rodolphe.breard.tf/en/article/how-to-deploy-a-personal-email-server/


However, my opensmtpd service fails to start (even manually) with this 
error:

smtpd[2160]: pony express: smtpd: bind: Cannot assign requested address
smtpd[2156]: smtpd: process pony socket closed

Here is my smtpd.conf (strangely located at /etc/ instead of 
/etc/smtpd/) : https://pastebin.com/SXJkLNrY
Do you have an idea of the source of the problem? Another tutorial 
mentioned adding 127.0.0.1 mail.myhostname.fr 
 to /etc/hosts, but then I removed it.


I think the problem is here:

listen on 127.0.0.1 port 25 tls pki myhostname.fr hostname 
mail.myhostname.fr


listen on ::1 tls pki myhostname.fr hostname mail.myhostname.fr

On most modern Linux, ::1 implies 127.0.0.1. I would just replace both with

listen on lo port 25 hostname mail.myhostname.fr

(No need for tls internally)


Re: Misunderstanding and/or possible bug regarding SNI

2021-07-26 Thread Archange

On 26/07/2021 at 13:24, papush wrote:

Hello,
I'm having issues getting SNI to work, or maybe I'm misunderstanding
its purpose. I have three domains, all pointing to the same server, and
would like opensmtpd to serve the right certificate depending on which
one was used for the connection. The manpage mentions using "*" as a
pki name for SNI, so my first attempt was something like:

pki "*" cert "/etc/certs/domain1/fullchain.pem"
pki "*" key "/etc/certs/domain1/privkey.pem"
pki "*" cert "/etc/certs/domain2/fullchain.pem"
pki "*" key "/etc/certs/domain2/privkey.pem"
...
listen on 0.0.0.0 tls pki "*"


I wasn’t aware of that, and I don’t use it. But I don’t think you should 
have a `pki` on the `listen on` directive in this case.



However that lead to the last pki cert/key defined always being used.
Looking at the archive of this mailing list it seems what I should be
doing is:

pki domain1 cert "/etc/certs/domain1/fullchain.pem"
pki domain1 key "/etc/certs/domain1/privkey.pem"
pki domain2 cert "/etc/certs/domain2/fullchain.pem"
pki domain2 key "/etc/certs/domain2/privkey.pem"
...
listen on 0.0.0.0 tls

leaving out the pki option of the listen directive, but that didn't
work, the debug output of smtpd saying that it is 'looking up pki
"okanieba"' (my hostname) followed by a disconnection "reason=ca-
failure".


That does work for me, although note that I specify a `hostname 
myhostname.domain.name` in the listen directive which might make a 
difference.



Wanting my server to get back to a "working" state where it simply
serves the wrong certificate but proceeds happily if the client doesn't
mind, i changed the listen directive to 'listen on 0.0.0.0 tls pki
domain1', and to my surprise that also made SNI work? The debug output
always says it looks up domain1's pki, but when supplying domain2 as
server name on connection it serves domain2's certificate.

Is this expected behavior? Also, what is the purpose of "*" then?


Which smtpd version do you have?

In 6.9, the man page changed and `*` is not mentioned anymore, and 
instead the `pki` option of `listen` says this:


> This option can be used multiple times to provide alternate 
certificates for SNI.


So not sure what was the expected behaviour before, but it does work for 
me without `*` nor `pki` option on `listen` directives.
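The 6.9 form quoted above (`pki` repeated on one `listen` line), as an added configuration example that is not the poster's config: one listener, one certificate per host name, with the pki named after the server name clients send in SNI, since that name is what the lookup is keyed on. Paths, host names, the credentials table and the assumption that the first listed pki is served to clients that send no SNI are mine; verify that last point with the openssl command in the comments.

```conf
# Added example, not the poster's config. OpenSMTPD 6.9 or later.
table creds file:/etc/smtpd/creds

# Name each pki after the host name users and peers connect to, not a bare
# domain: the pki name is matched against the SNI server name.
pki mail.domain1.example cert "/etc/certs/domain1/fullchain.pem"
pki mail.domain1.example key  "/etc/certs/domain1/privkey.pem"
pki mail.domain2.example cert "/etc/certs/domain2/fullchain.pem"
pki mail.domain2.example key  "/etc/certs/domain2/privkey.pem"
pki mail.domain3.example cert "/etc/certs/domain3/fullchain.pem"
pki mail.domain3.example key  "/etc/certs/domain3/privkey.pem"

# Inbound MX: STARTTLS offered, any of the three names answered by SNI.
listen on 0.0.0.0 port 25 tls pki mail.domain1.example pki mail.domain2.example pki mail.domain3.example hostname mail.domain1.example

# Submission: TLS and auth required, same certificate set.
listen on 0.0.0.0 port 587 tls-require auth <creds> pki mail.domain1.example pki mail.domain2.example pki mail.domain3.example hostname mail.domain1.example

# Check from another host which certificate each name gets:
#   openssl s_client -connect mail.domain1.example:587 -starttls smtp -servername mail.domain2.example </dev/null 2>/dev/null | openssl x509 -noout -subject
# Without -servername the assumed default (first pki) should come back;
# with -servername mail.domain2.example, domain2's certificate.
```

Listing the same three pki names on both listeners keeps the MX and the submission port consistent, so a MUA configured with mail.domain2.example validates the same way an MTA connecting to it on port 25 does.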





Re: Misunderstanding and/or possible bug regarding SNI

2021-07-26 Thread Archange

On 26/07/2021 at 13:43, Chris Brannon wrote:

papush  writes:


Hello,
I'm having issues getting SNI to work, or maybe I'm misunderstanding
its purpose.

You don't need SNI just to host mail for multiple domains, though maybe
there are other reasons you might want it.  I host multiple domains on
my mail server hurricane.the-brannons.com.  Two of them are
the-brannons.com and blvuug.org.
Both of those domains just have an MX record pointing to
hurricane.the-brannons.com, so a certificate for
hurricane.the-brannons.com is good enough to authenticate the MX for all
of those domains.


That does not answer the question though. I don’t want to tell my users 
that they need to setup hurricane.the-brannons.com as smtp for their 
blvuug.org account for instance. So SNI is nice in this case. ;)





Re: Filter issue

2021-06-04 Thread Archange

On 04/06/2021 at 13:58, Pete wrote:

It seems that the reality is "Finally, a number of decisions must

(mandatory) be taken:"

Well sure. A decision has to be made.



filter whitelist \
   chain { test-rdns , test-fcrdns } \
   bypass

Is this even valid syntax? AFAIR the decision needs to be specified with the 
filter.

I think it should be something along those lines:
filter "white-rdns" phase connect match rdns  bypass
filter "white-fcrdns" phase connect match fcrdns bypass


That’s not the same thing though. I did not reply earlier because I 
could not find a solution, but actually I don’t think there is one.


Indeed, François wants bypass only if both rdns and fcrdns matches, not 
if either of them does. Hence why he tries to test both at once, but I 
don’t think there is a way to do this.


Anyway, as shown in the last emails in this thread the issue is broken 
headers on the sender side, and rspamd tagging as spam. So whitelist 
should occur at rspamd level eventually, while the best thing would 
indeed be fixing broken headers.


Regards.




Re: relays - port configuration

2021-04-23 Thread Archange



On 23 April 2021 11:11:56 GMT+04:00, Sean Kamath wrote:
>> On Apr 22, 2021, at 13:01, ED Fochler  wrote:
>> 
>> No.
>> 
>> You're only trying to send mail.  Your ISP is only trying to stop you from 
>> sending mail.
>> 
>> Mail delivery is meant to be very well defined and easy to identify.  If 
>> your ISP is blocking connections to port 25 then they are blocking all mail, 
>> spam and otherwise.  The solution is to set up a mail server on a network 
>> that allows mail.  This can be a $5/mo cloud server.  You can then 'submit' 
>> mail to your mail server using other ports, but the mail server will talk to 
>> other mail servers on standard ports, primarily port 25.
>
>So, I actually have this same problem.
>
>I do have a VPS, which is my mail server (and have no problems sending mail, 
>such as this one, using my MUA to connect to the VPS-based MTA).  I have about 
>8 little PCEngines Alix and APU devices, all sitting at home, with an ISP that 
>blocks port 25 (and lord do I wish I had the option for another ISP).  They 
>all run OpenBSD/OpenSMTP.
>
>The problem I’ve run into is I’m not sure how to use the submission port to 
>“submit” mail to my mail server.  Since I have the cron emails being sent, how 
>do I get those routed to the VPS?  How do I get basically all the emails for a 
>couple of users forwarded to the VPS without, you know, relaying mail?
>
>Do I set up an account on the VPS, and tell SMTPD to relay all mail to my 
>domain to that submission port?  That sounds like relaying, and, as stated 
>elsewhere in this thread, "Emails must be relayed on port 25.”

But relaying to a controlled host, which is nothing like the original issue.

>Back in the before-times, I used sendmail’s concept of a smarthost, and just 
>pointed it at that host, and could also tell it what port to connect on.
>
>I’m fine with “you can’t relay on any port other than 25”, but then how do I 
>get the mails the system generates to my mailserver running on the VPS?  
>Frankly, I think it’s kinda an odd restriction that you MUST use port 25 to 
>relay mail between hosts if you own both hosts.

Yes that would be odd, but this restriction does not exist, thankfully.

>If I want to use port 2525, I should be able to the one MTA to relay to the 
>other MTA on this IP:port combination.  I get that OpenSMTPD doesn’t have this 
>ability, but I don’t see what this breaks if it’s allowed.

OpenSMTPD does have this ability, as Demi Marie Obenour pointed out. ;)



Re: relays - port configuration

2021-04-22 Thread Archange



On 23 April 2021 01:24:03 GMT+04:00, ni...@hush.ai wrote:
>> Emails must be relayed on port 25.
>
>Thanks guys. This is the confirmation I needed. So then it's a limitation due 
>to protocol specs as opposed to smtpd, yes?

It’s a limitation due to the fact most servers listen on port 25 because this 
is the standard and expected configuration (don’t even remember if there is a 
mechanism in DNS to specify a non-default port for MTA).



Re: relays - port configuration

2021-04-22 Thread Archange

Hi,

On 23/04/2021 at 00:52, ni...@hush.ai wrote:
Hello, ED. From your response, I'm not entirely sure if I explained my 
intent properly.


It was very clear.

Sorry if I'm just being dumb, but to clarify: I'm running OpenBSD in a 
VM on my home machine in hopes of getting better acquainted with the 
OS for later use in a VPS hopefully. From the VM, I'm trying to send a 
basic test mail to, for example, any Gmail address. I'm not expecting 
any inbound mails to the VM (i.e. a "do-not-reply", outbound-only 
mailer). I'm using the default smtpd.conf file, so if I've understood 
the documentation correctly, it should be trying to perform MX lookups 
instead of relying on an external SMTP service, right?


Yes, and it likely did. But then it tried to reach them on port 25, and 
failed.


I've read that this should be doable anyway? Albeit higher risk of 
being flagged as spam.


When sending from home, yes. Some people even totally block IPs coming 
from “home ISPs”. The reason why your ISP is blocking port 25 and people 
do this, is that most emails coming from those kinds of hosts are in 
fact botnets.


So, theoretically, if my ISP did not block port 25, would I then be 
able to send a mail without the need for an external SMTP service? Or 
would I likely be getting other errors?


It should work. But since your ISP *is* blocking port 25, it won’t. 
Emails must be relayed on port 25.


If you cannot unblock it from your ISP, then the solution is indeed a 
VPS somewhere in a proper data center. Might not even be $5/month, VPSes 
start even at $1/month if you have very low needs (in this case just 
relaying emails). And in any case, I would advise this over trying to 
set it up at home.


Regards,
Archange
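The relay setup these replies keep coming back to (the 2023 "Setting personal mailserver" answers above and the two "relays - port configuration" answers here), as one added configuration example that is not any poster's config: a host behind a port-25 block hands everything to a relay it can reach on 465, 587 or a private port, and the relay does the port-25 talking. Host names, ports, table paths, the `relay` credential label, the pki name and the VPS-side listener are assumptions; the broken self-relay line is a genericized version of the one the 2023 thread analyses.

```conf
# Added example, not a config from the thread. Linux interface names
# assumed (lo); on OpenBSD use lo0 and egress.

### Home host: outbound port 25 blocked by the ISP ###
table aliases file:/etc/smtpd/aliases
# /etc/smtpd/secrets, root:_smtpd mode 0640, one line:
#   relay   myuser:mypassword
# The label "relay" must match the "relay@" part of the URL below.
table secrets file:/etc/smtpd/secrets

listen on lo

action "local_mail" maildir alias <aliases>

# What does not work: relaying to yourself. "host" is the destination, so
# this hands mail back to the same machine that cannot reach port 25:
#   action "outbound" relay host smtps://mail.example.com mail-from "@example.com"

# What works: authenticated submission to a relay that does reach port 25.
# STARTTLS on 587 (smtp+tls:// refuses to continue without TLS):
action "outbound" relay host smtp+tls://relay@mail.example.net:587 auth <secrets>
# Implicit TLS on 465 instead:
#   action "outbound" relay host smtps://relay@mail.example.net:465 auth <secrets>
# Your own VPS on any port you like, e.g. 2525; the VPS, not this host,
# then talks to the world on 25:
#   action "outbound" relay host smtp+tls://relay@vps.example.net:2525 auth <secrets>
# If the relay is a provider account, add mail-from "@example.com" only
# once the provider lets you send as that domain, and publish an SPF
# record that includes the provider.

match from local for local action "local_mail"
match from local for any action "outbound"

### VPS side (self-hosted relay variant only) ###
# pki vps cert "/etc/ssl/vps.example.net.fullchain.pem"
# pki vps key  "/etc/ssl/private/vps.example.net.key"
# /etc/smtpd/creds: "myuser <hash>" per line, hash from `smtpctl encrypt`
# table creds file:/etc/smtpd/creds
# listen on egress port 2525 tls-require pki vps auth <creds>
# action "to_world" relay
# match auth from any for any action "to_world"
# No rule without "auth" for "from any for any": that is an open relay.
```

Cron and system mail on the home host is covered by the last match rule: anything `from local` that is not for a local user goes through the authenticated relay, which is exactly what the old sendmail smarthost did.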


Re: Handling a mail alias for another domain

2020-10-14 Thread Archange
Hi,

On 14/10/2020 at 14:10, Christian Kellermann wrote:
> Dear list,
>
> I have setup opensmtpd for my domain, say 'example.com' that
> has virtual users and a typical spampd / dkim / dovecot setup.
>
> The current config is here: https://termbin.com/jyfe
>
> Now I'd like to add handling of another domain, specifically
> expansion of an alias of that. Say I have an MX entry on
> anotherdomain.com for example.com and want to expand
> mails to peo...@anotherdomain.com to a dozen external addresses.

Just to be sure of what you’re trying to do, it is some kind of mailing
list of the poor, right? If so I might have a solution, since I used to
do that in the past (but now that has moved to a proper mailing list, so
I would need to find back what I did).

Regards,
Archange




Re: issue with 'smtpctl encrypt'

2020-09-29 Thread Archange
Hi,

On 29/09/2020 at 20:26, Kai Peter wrote:
> Hi,
>
> I wanted to set a new password on FreeBSD 12.1 but the encrypt command
> failed:
>
> $> smtpctl encrypt newpassword
> usage: encrypt 
>
> Any syntax variations of "newpassword" did fail. Any ideas?

https://github.com/OpenSMTPD/OpenSMTPD/issues/1069 and
https://github.com/OpenSMTPD/OpenSMTPD/pull/1073

Workaround until this get released: /usr/lib/smtpd/opensmtpd/encrypt
newpassword

Regards,
Archange




Re: Simple virtual user setup with multiple domains

2020-09-24 Thread Archange
On 24/09/2020 at 17:03, Unicorn wrote:
>> You can use a virtual user table, but you will have to split your
>> "deliver_local" table. As Uwe suggested, I would use lmtp for that:
>>
>> action "inbox" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <vusers>
>>
>> In that case, vusers is defined here:
>>
>> table vusers file:/etc/smtpd/vusers
>>
>> And its content:
>>
>> postmaster  mainu...@maindomain.tld
>> abuse       mainu...@maindomain.tld
>> root        mainu...@maindomain.tld
>> contact     mainu...@maindomain.tld
>> mainu...@maindomain.tld         vmail
>> someotheru...@somedomain.tld    vmail
>> someal...@somedomain.tld        mainu...@maindomain.tld
>>
>> And so on…
> Thank you both Uwe and Archange for the pointer to lmtp, I was not
> familiar with that!
>
> I enabled lmtp according to what I read online by adding lmtp to the
> protocols
>
> Regarding the example contents of the vusers table you suggested
> Archange, the first 4 lines would only ever be active for local mail,
> correct? Would this eg. send the daily output and insecurity output to
> mainu...@maindomain.tld?

No, it means that unless there is a more specific alias before, all
those 4 aliases, whatever is the domain part amongst the domains you
receive for, will be delivered to mainu...@maindomain.tld

> Regarding the 5th and 6th line of your example table, wouldn't that
> just deliver to the Maildir of the user vmail? Would there ever be a
> case where I would want this? Just asking to confirm in case I do not
> understand. :)

No, you need to deliver to vmail for all users, Dovecot will be
responsible for placing emails into the right folders.

> Lastly, if I map someal...@somedomain.tld to 
> mainuser+spec...@maindomain.tld, would it end up in the Maildir of 
> mainu...@maindomain.tld in the folder "special"? Or do I need to do
> any extra configuration on the side of dovecot to make this happen?

Yes, you will need Sieve rules in Dovecot (using Pigeon). By default,
smtpd will deliver mainuser+special to mainuser, and Dovecot will handle
it like this. You must add a Sieve rule matching the To: to make it
deliver to a specific folder.

>>> ##
>>> allow_username_mismatch = true;
>>>
>>> domain {
>>> firstdomain.tld {
>>> path = "/etc/mail/dkim/firstdomain.tld.key";
>>> selector = "blah";
>>> }
>>> }
>>> ##
>>>
>>> Will it work automatically by simply entering e.g.
>>> 'seconddomain.tld
>>> {...}' with its respective keyfile and selector?
>> Yes. And if you use sensible file names like me, you can even do
>> this:
>>
>> path = "/etc/mail/dkim/$domain.$selector.key";
>>
>> Regards,
>> Archange
> I am glad to hear that this will work!
>
> Since I assume that the users will now have to authenticate with their
> full u...@domain.tld, can I remove 'allow_username_mismatch = true;'
> from the config? Iirc it was necessary before because users would just
> authenticate with their username.

Not necessarily, your users can still authenticate with their username;
it depends on your configuration. That’s what I do; of course it means I
cannot allow the same username for two different domains (but that’s not
an issue in my case). But if you move to usern...@domain.tld, yes,
`allow_username_mismatch = true;` will likely not be required anymore
(but you should test, since I did not run such a setup myself).

Regards,
Archange
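To make the alias behaviour discussed above concrete (role names such as postmaster matching for every domain the MX receives for, then chaining to the vmail system user), here is an added illustration that is not OpenSMTPD's code. It assumes the lookup order table(5) documents for virtual tables: the full address first, then the bare user part, then an "@domain" catch-all. The table contents, the domain list and all addresses are constructed placeholders.

```python
"""Resolve recipients through a smtpd-style virtual user table (illustration).

Assumed lookup order per virtual lookup, as table(5) describes it:
full address, then the user part alone, then the "@domain" catch-all.
Multi-recipient values ("a, b") are not modelled here.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for /etc/smtpd/vusers: one "key  value" pair per line.
VUSERS_SAMPLE = """\
# role addresses: matched on the user part for every domain we receive for
postmaster  mainuser@maindomain.tld
abuse       mainuser@maindomain.tld
root        mainuser@maindomain.tld
contact     mainuser@maindomain.tld
# real mailboxes end in the system user that owns the Maildirs
mainuser@maindomain.tld        vmail
someotheruser@somedomain.tld   vmail
# an alias in a second domain chained to a mailbox in the first
somealias@somedomain.tld       mainuser@maindomain.tld
"""

# Constructed stand-in for "table domains": the domains this MX accepts mail for.
DOMAINS: Set[str] = {"maindomain.tld", "somedomain.tld"}


def parse_vusers(text: str) -> Dict[str, str]:
    """Parse a whitespace-separated key/value table; '#' starts a comment."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """One virtual lookup: full address, then user part, then @domain catch-all."""
    user, _, domain = address.lower().partition("@")
    for key in (f"{user}@{domain}", user, f"@{domain}"):
        if key in table:
            return table[key]
    return None


def resolve(table: Dict[str, str], domains: Set[str], rcpt: str,
            max_hops: int = 16) -> Tuple[List[str], Optional[str]]:
    """Follow chained entries until a bare system user (no '@') is reached.

    Returns the expansion chain and the final system user, or None when the
    recipient is not in one of our domains or matches no table entry (the
    cases in which the MTA would reject the RCPT TO).
    """
    domain = rcpt.lower().rpartition("@")[2]
    if domain not in domains:
        return [rcpt], None
    chain = [rcpt.lower()]
    current = chain[0]
    for _ in range(max_hops):
        target = lookup(table, current)
        if target is None:
            return chain, None
        chain.append(target)
        if "@" not in target:
            return chain, target  # delivery user handed to Dovecot over LMTP
        current = target
    raise RuntimeError(f"alias loop while expanding {rcpt}")


if __name__ == "__main__":
    vusers = parse_vusers(VUSERS_SAMPLE)
    for rcpt in ("postmaster@somedomain.tld", "somealias@somedomain.tld",
                 "nobody@somedomain.tld", "postmaster@other.tld"):
        chain, user = resolve(vusers, DOMAINS, rcpt)
        print(rcpt, "->", " -> ".join(chain[1:]) or "(no entry)", "=>", user)
```

Running it shows that postmaster@somedomain.tld expands through mainuser@maindomain.tld to vmail even though the table has no somedomain.tld entry for postmaster, which is the point made in the reply above; a recipient outside the accepted domains, or with no matching entry, resolves to nothing.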




Re: Simple virtual user setup with multiple domains

2020-09-24 Thread Archange
On 24/09/2020 at 14:42, Uwe Werler wrote:
> On 24 Sep 11:33, Unicorn wrote:
>> Also, how does dkim signing with rspamd work for multiple domains?
>> Right now my /etc/rspamd/local.d/dkim-signing.conf looks like this:
>>
>> ##
>> allow_username_mismatch = true;
>>
>> domain {
>> firstdomain.tld {
>> path = "/etc/mail/dkim/firstdomain.tld.key";
>> selector = "blah";
>> }
>> }
>> ##
>>
>> Will it work automatically by simply entering e.g. 'seconddomain.tld
>> {...}' with its respective keyfile and selector?
> You need a current filter for that. I have:
>
> filter "dkimsign" proc-exec "filter-dkimsign -d domain1.tld -d domain2.tld \
> -d domain3.tld -s dkim_selector -k /etc/mail/dkim/dkim.key" \
> user _dkimsign group _dkimsign
>
> Note that you can specify the selector only once.
>
> See: https://undeadly.org/cgi?action=article;sid=20200920073933
Or you can just keep rspamd and do as you intended. See in my post for
another rspamd option.



Re: Simple virtual user setup with multiple domains

2020-09-24 Thread Archange
Hi there,

On 24/09/2020 at 13:33, Unicorn wrote:
> Hello everyone,
>
> I apologize in advance if these seem like trivial questions, I am
> quite new to this and the amount of config files and options is a
> little overwhelming. :)
>
> I am currently running three mailservers that each serve one domain
> with real user accounts, which is quite a pain to manage. I would like
> to instead have one server be the MX for all of my domains, with
> virtual users and their maildirs in a structure like
> /home/vmail/domain/user/Maildir.
>
> In the process of writing my email I have written all my
> configurations to the best of my ability, but I would appreciate your
> feedback on any errors or suggestions for improvements, especially
> since I intend to eventually make this into a guide:
>
>
>  /etc/mail/smtpd.conf ###
> pki mx.maildomain.tld cert "/etc/ssl/mx.maildomain.tld.fullchain.pem"
> pki mx.maildomain.tld key "/etc/ssl/private/mx.maildomain.tld.key"
>
> # Junk filters, rspamd also for DKIM signing
> filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*',
> '.*\.dsl\..*' } junk
> filter check_rdns phase connect match !rdns junk
> filter check_fcrdns phase connect match !fcrdns junk
> filter rspamd proc-exec "filter-rspamd"
>
> # Tables
> table aliases file:/etc/mail/custom_aliases
> table accounts file:/etc/mail/accounts
> table domains {firstdomain.tld, seconddomain.tld, maildomain.tld}
>
> # Listen for incoming mail and send through filters
> listen on all tls pki mail.regrow.earth filter { check_dyndns,
> check_rdns, check_fcrdns, rspamd }
>
> # Listen for, authenticate and DKIM-sign outgoing mail requests
> listen on all port submission tls-require pki mx.maildomain.tld auth
>  filter rspamd
>
> action "deliver_local" maildir
> /home/vmail/{%dest.domain}/{%dest.user}/Maildir junk alias 
> user vmail
> action "outbound" relay helo mx.maildomain.tld
>
> # Match incoming mail
> match from any for domain  action "deliver_local"
> match for local action "deliver_local"
>
> # Match outgoing mail
> match from any auth for any action "outbound"
> match for any action "outbound"
> #
>
>
>  /etc/dovecot/conf.d/10-auth.conf ###
> passdb {
>   driver = passwd-file
>   args = scheme=BLF-CRYPT /etc/mail/accounts
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/home/vmail/%d/%u
> }
> #
>
>
>  /etc/mail/accounts #
> ad...@fistdomain.tld:passwordhashfromsmtpctl
> ad...@seconddomain.tld:passwordhashfromsmtpctl
> unic...@seconddomain.tld:passwordhashfromsmtpctl
> #
>
> Is it possible to combine virtual users with an alias table as I have
> in action "deliver_local"?
>
> Example entry in alias table:
> cont...@firstdomain.tld: admin+cont...@firstdomain.tld
>
> Will this deliver to the folder "contact" of ad...@firstdomain.tld?
> In 'action "deliver_local"', is it correct to use {%dest.user} for
> this purpose?

You can use a virtual user table, but you will have to split your
"deliver_local" table. As Uwe suggested, I would use lmtp for that:

action "inbox" lmtp "/var/run/dovecot/lmtp" rcpt-to virtual <vusers>

In that case, vusers is defined here:

table vusers    file:/etc/smtpd/vusers

And its content:

postmaster  mainu...@maindomain.tld
abuse   mainu...@maindomain.tld
root    mainu...@maindomain.tld
contact mainu...@maindomain.tld
mainu...@maindomain.tld vmail
someotheru...@somedomain.tld   vmail
someal...@somedomain.tld  mainu...@maindomain.tld

And so on…

> Also, how does dkim signing with rspamd work for multiple domains?
> Right now my /etc/rspamd/local.d/dkim-signing.conf looks like this:
>
> ##
> allow_username_mismatch = true;
>
> domain {
> firstdomain.tld {
> path = "/etc/mail/dkim/firstdomain.tld.key";
> selector = "blah";
> }
> }
> ##
>
> Will it work automatically by simply entering eg. 'seconddomain.tld
> {...}' with its respective keyfile and selector?

Yes. And if you use sensible file names like me, you can even do this:

path = "/etc/mail/dkim/$domain.$selector.key";

Regards,
Archange




Re: requesting help with smtpd relay

2020-09-20 Thread Archange
On 20/09/2020 at 04:42, Hakan E. Duran wrote:
> And on stderr "smtp_cert_verify_cb: no-client-cert
> no rule matched"
>
> I wonder if this is somehow related to ipv6. It is a wild guess but I cannot 
> explain why there wouldn't be any client certificate, assuming the client is 
> gmail in this case.

I’m not sure, but I think the client certificate message is about you not
presenting a client certificate for authentication, but that is kind of
expected (it’s a rare setup). So I don’t think this is the actual issue.

But I’m puzzled, because I can’t see anything wrong in your
configuration at this point…

Archange




Re: requesting help with smtpd relay

2020-09-19 Thread Archange
Hi,

Just to check something, how are you identifying to the server? Your
current setup implies it is using a system user and password, is that
the case?

Other than that, your configuration looks very similar to mine. The
other difference I can see is that I now use the more compact `from
auth` instead of `from any auth`, and I seem to remember my former
syntax to be `auth from any` and not `from any auth`, so maybe you could
try one of my two versions?

Regards,
Archange

On 20/09/2020 at 02:39, Hakan E. Duran wrote:
> I played around a little bit more and was able to get this error message with 
> the command `doas smtpd -d -T rules -v`, which may be a little more 
> informative:
>
>
>
>
> 798b98fc3686a31c smtp connected address=111.11.1.111 
> host=111-11-1-111.client.something.com
> debug: looking up pki "mail.name.com"
> debug: session_start_ssl: switching to SSL
> debug: pony: rsae_priv_enc
> 798b98fc3686a31c smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> smtp: 0x184169a23000: smtp_cert_verify_cb: no-client-cert
> no rule matched
> 798b98fc3686a31c smtp failed-command command="RCPT TO:" 
> result="550 Invalid recipient: "
> 798b98fc3686a31c smtp disconnected reason=disconnect
>
> Please notice the more informative line stating: *smtp_cert_verify_cb: 
> no-client-cert*
>
> The certificate of concern here cannot be the server's certificate, because 
> they are in the right place where smtpd.conf points to. It cannot possibly be 
> gmail's certificate either, but that is the client, isn't it? It feels like I 
> am hitting a bug here.
>
> Hakan
>
>
>
> On Sat, 19 Sep 2020 12:35:41 -0500
> "Hakan E. Duran"  wrote:
>
>> Thank you so much Bryan for your reply. I tried doing it and received a 
>> response indicating no rule matched. What am I missing? Here is the complete 
>> output of `doas smtpd -d -T rules`:
>>
>>
>>
>>
>> 99d03ce4cb968916 smtp connected address=111.11.1.111 
>> host=111-11-1-111.client.something.com
>> 99d03ce4cb968916 smtp tls ciphers=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
>> no rule matched
>> 99d03ce4cb968916 smtp failed-command command="RCPT TO:" 
>> result="550 Invalid recipient: "
>> 99d03ce4cb968916 smtp disconnected reason=disconnect
>>
>> Thanks again for brainstorming with me.
>>
>> Hakan
>>
>>
>> On Sat, 19 Sep 2020 12:13:06 +
>> br...@sally.org.il wrote:
>>
>>> Hello,
>>>
>>> Maybe I'm crazy but do you want to trace the rules instead of the lookup?
>>>
>>> V/r,
>>> Bryan
>>> September 18, 2020 11:30 PM, "Eyüp Hakan Duran" wrote:
>>> Dear all,
>>>
>>> I am aware that this is most probably a silly oversight on my part but I 
>>> would really appreciate gentle guidance to the right direction to overcome 
>>> this impasse. I truly appreciate your time.
>>>
>>> I rented a VPS, installed OpenBSD 6.7 and set up a mail server as described 
>>> here 
>>> (https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/).
>>>  I double and triple checked all the settings, including MX records, 
>>> reverse DNS, etc. and confirmed everything is resolving. Here is my 
>>> redacted smtpd.conf:
>>>
>>> 
>>> pki mail.name.com cert "/etc/ssl/mail.name.com.fullchain.pem"
>>> pki mail.name.com key "/etc/ssl/private/mail.name.com.key"
>>>
>>> filter check_dyndns phase connect match rdns regex { '.*.dyn..*', 
>>> '.*.dsl..*' } junk
>>>
>>> filter check_rdns phase connect match !rdns junk
>>>
>>> filter check_fcrdns phase connect match !fcrdns junk
>>>
>>> filter senderscore 
>>> proc-exec "filter-senderscore -junkBelow 70 -slowFactor 5000"
>>>
>>> filter rspamd proc-exec "filter-rspamd"
>>> table aliases file:/etc/mail/aliases
>>>
>>> listen on all tls pki mail.kumru.club 
>>> filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }
>>>
>>> listen on all port submission tls-require pki mail.name.com auth filter rspamd
>>>
>>> action "local_mail" maildir junk alias 
>>> action "outbound" relay helo mail.name.com
>>>
>>

Re: Converting from old format to new format

2020-08-23 Thread Archange
On 22/08/2020 at 22:23, Mik J wrote:
> In old format I had
> accept tagged CLAM_IN for domain  virtual 
> deliver to maildir
> "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
>
> In new format I wrote
> action DELIVRE_VIRTUELS maildir
> "/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir"
> match tag CLAM_IN for domain  rcpt-to  action
> DELIVRE_VIRTUELS
>
> The table  points to a file that looks like this
> domain1.org
> *.domain2.org
>
> The table  points to a file that looks like this
> i...@domain1.org    myu...@domain1.org
> myu...@domain1.org    _vmail
> The error message displayed is
> /etc/mail/smtpd.conf:64: table "utilisateurs" may not be used for
> rcpt-to lookups

Your config should read:

action DELIVRE_VIRTUELS maildir
"/home/mail/%{dest.domain:lowercase}/%{dest.user:lowercase}/Maildir" rcpt-to
virtual <utilisateurs>
match tag CLAM_IN for domain  action DELIVRE_VIRTUELS


Re: request (privately) for maillog

2020-02-24 Thread Archange
Hi,

On 24/02/2020 at 18:41, Peter J. Philipp wrote:
> Hi,
>
> I got another "bouncing messages from misc@opensmtpd.org" message.  The
> particular message was 4669 that bounced.  Yet I have no record of this in
> my maillog, so I suspect a DNS fault.

The exact same one bounced for me, and I also do not have traces of it…
And I can’t find which one that could be by looking at the list archives.

Regards.




Re: Enforce outgoing mail to always use TLS

2020-02-22 Thread Archange
Re,

On 22/02/2020 at 21:25, Søren Aurehøj wrote:
>> On 22 Feb 2020 at 20:01, Archange wrote:
>> On 22/02/2020 at 19:55, Søren Aurehøj wrote:
>>> Hi Misc
>>>
>>> I am using OpenSMTPD 6.6.0 on OpenBSD 6.6 stable
>>>
>>> Currently I’m using the tls-require option in order to get mandatory
>>> TLS on outgoing mail, but with that follows the normal time-out
>>> values regarding bounce intervals.
>>> Because of greylisting, I’m not sure that adjusting these time-out
>>> values is the best way around this problem.
>>
>> I’m not sure how greylisting is involved here. Can you elaborate?
>>
> I was lowering bounce warn-interval as an interim measure to speed up
> non-deliveries due to missing TLS - that could collide with
> greylisting intervals if I lowered the warn-interval too much.

OK I see, and indeed it’s not a good idea to lower this interval to too
low a value.

>>> I have tested the scenario with a mailserver which is unable to use
>>> TLS, by sending mail to mailnesia.com.
>>> This gives the expected result - "mta event=error reason=TLS
>>> required but not supported by remote host” in the maillog.
>>>
>>> My mailserver recognizes when it is unable to continue the
>>> delivery due to a configuration setting on my mailserver. 
>>> But instead of bouncing the mail immediately, it is queued anyway
>>> for later delivery.
>>>
>>> Is it possible to enforce outgoing mail to always use TLS - and
>>> bounce more or less immediately, 
>>> if the sending mailserver registers that the receiving mailserver is
>>> unable to meet our requirements regarding TLS?
>>
>> I don’t know, but it seems a bad idea: what about a transient
>> failure? The mail systems expect you to keep retrying to deliver for
>> some time. There are several reasons that could lead to your email
>> being temporarily rejected because your MTA was unable to establish a
>> correct TLS session, but still succeed some time after that.
>>
> That’s a risk I am ready to accept - sending with TLS is mandatory
> according to our data protection officer, citing GDPR and the
> sensitivity of the emails sent.

I agree that sending with TLS should be mandatory (though that’s not
enough without a good TLS configuration and DANE+DNSSEC according to
me…). But that’s not the point.

I’m not saying you should still send if TLS is not available. I’m saying
that it could be only temporarily unavailable on the receiving end (like
say for some hours or one day), and be back right after. Because for
instance someone on the other side misconfigured their service after an
update, and they will fix it the next day after realizing it. ;)

So there are two possibilities in my opinion:

1. Either you care a lot about delivery delay, and you should lower
the bounce interval —but to something that lets greylisting work— in
order to fail early in ALL cases (and not just TLS being unavailable).
2. Or you don’t care that much, and you should leave things untouched:
if TLS really isn’t available on the receiving end, your delivery will
fail after the bounce interval, but if ever TLS becomes available
(again) on the receiving end in the meantime, you will successfully
deliver (and over TLS of course).

Regards,
Archange



Re: Enforce outgoing mail to always use TLS

2020-02-22 Thread Archange
Hi,

On 22/02/2020 at 19:55, Søren Aurehøj wrote:
> Hi Misc
>
> I am using OpenSMTPD 6.6.0 on OpenBSD 6.6 stable
>
> Currently I’m using the tls-require option in order to get mandatory
> TLS on outgoing mail, but with that follows the normal time-out values
> regarding bounce intervals.
> Because of greylisting, I’m not sure that adjusting these time-out
> values is the best way around this problem.

I’m not sure how greylisting is involved here. Can you elaborate?

> I have tested the scenario with a mailserver which is unable to use
> TLS, by sending mail to mailnesia.com.
> This gives the expected result - "mta event=error reason=TLS required
> but not supported by remote host” in the maillog.
>
> My mailserver recognizes when it is unable to continue the
> delivery due to a configuration setting on my mailserver. 
> But instead of bouncing the mail immediately, it is queued anyway for
> later delivery.
>
> Is it possible to enforce outgoing mail to always use TLS - and bounce
> more or less immediately, 
> if the sending mailserver registers that the receiving mailserver is
> unable to meet our requirements regarding TLS?

I don’t know, but it seems a bad idea: what about a transient failure?
The mail systems expect you to keep retrying to deliver for some time.
There are several reasons that could lead to your email being temporarily
rejected because your MTA was unable to establish a correct TLS session,
but still succeed some time after that.

Regards,
Archange



Translate `relay as` rule?

2019-10-26 Thread Archange
Hi there,

In OpenSMTPD prior to 6.4, one could have a rule like this:

accept for any relay via "smtp://smtp.foo.bar" as "@foo.bar"

It seems the `as` keyword disappeared in the new syntax, and was
partially replaced with `mail-from mailaddr`, but that last one seems
way less powerful. Indeed, compare both man entries:

“If the `as` parameter is specified, smtpd(8)
<https://man.openbsd.org/OpenBSD-6.3/smtpd.8> will rewrite the sender
advertised in the SMTP session. address may be a user, a domain prefixed
with ‘@’, or an email address, causing smtpd(8) to rewrite the user-part,
the domain-part, or the entire address, respectively.”

“Use mailaddr as the MAIL FROM address within the SMTP transaction.”

Is there any way to recover the old behaviour?

Regards,
Archange