Hi all,

I've got a few silly questions regarding OpenSMTPD… I'd ask on the
opensmtpd misc mailing list, but my subscribe requests keep bouncing
after a few days. Since I'm running OpenSMTPD on OpenBSD, I figure
they're on-topic here too.

I have two servers (actually more than that, but two that are relevant
to this discussion). One is a Gentoo Linux machine with Postfix, which
acts as my primary MX. I keep it up to date, it's been a good
workhorse, and provided many years of service. No reason to change it
at this stage.

I have a VPS with a hosting provider (BinaryLane in Brisbane; they're
OpenStack/Xen-based), which runs OpenBSD 6.4. I primarily use this
machine as a slave DNS server (with nsd). I figure it'd be a nice idea
to use this machine as a backup MX.

Right now, OpenSMTPD is running there, and whilst it is not publicly
listening for SMTP traffic, it is configured to forward all *local* mail
to my primary MX (where it has a virtual domain configured) so I can
receive messages from `cron`, etc.

Aside from some hiccups with TLS verification which I worked around by
adding my custom CA to /etc/ssl/cert.pem, it all went smoothly. (I'd
prefer to have OpenSMTPD verify my home server's certificate against a
*specific* CA key, but at least it's working.)

First and foremost is the issue of backscatter-prevention. I would like
OpenSMTPD to validate the addresses passed to it before accepting them
for relay to my primary MX. In Postfix I can put

    relay_recipient_maps = hash:/etc/postfix/valid_recipients

into /etc/postfix/main.cf and fill that valid_recipients file with

    [email protected] x
    [email protected] x

I can come up with a full list -- no problem, but the question is how do
I encode this list into the configuration of OpenSMTPD so that if the
list contained [email protected] and [email protected], but someone tries
sending to [email protected], that RCPT TO request is rejected before
the email delivery begins.

Second is about how to define custom mail transports. Rather than using
SMTP/SSL like I am now, I'd like the emails destined for relay to my
server, to be encrypted using an RSA key, (well, AES, then RSA encrypt
the AES key) then either:
- scp'd to a special spool directory on my Linux server… OR if it
happens to be down,
- placed in a special directory on the VPS for my server to later siphon
down using `rsync --remove-source-files` over SSH. (Basically, a bit
like UUCP.)

The idea here is two-fold:
1. if someone gets even `root` access to the VPS (or mirrors the disk,
etc)… there's no copy of the private key needed to decrypt the files --
that is safely stored on my home server.
2. if say the NBN roll-out in my patch of Brisbane gets royally screwed
and I lose my static IPv4 address, I can make this server my primary MX
and have the old server just "poll" for new messages. (Outbound delivery
of mail will be a separate issue.)

Again, in Postfix I'd define a script to do the encryption/scp/etc in
/etc/postfix/master.cf, then set up transport_maps to direct the mail
there. Would the equivalent in OpenSMTPD be `mda` or is there some
other method?

--
Stuart Longland (aka Redhatter, VK4MSL)
I haven't lost my mind...
...it's backed up on a tape somewhere.
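
Added example, not part of the original post: the "AES, then RSA encrypt the AES key" scheme described above, written against the openssl(1) command so that the relay needs only the public key. The function names (mac_hex, seal_message, open_message), the three-file bundle layout and the encrypt-then-MAC step are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and the three-file bundle layout are assumptions.
# Needs openssl(1) (OpenSSL or LibreSSL) and an RSA key of at least 2048 bits.
# The per-message keys pass through argv, so run this on a single-admin host.

# HMAC-SHA256 over IV + ciphertext, printed as hex. $1=MAC key $2=IV $3=file
mac_hex() {
    { printf '%s' "$2"; cat "$3"; } |
        openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" -binary |
        od -An -tx1 | tr -d ' \n'
}

# Relay (VPS) side: only the PUBLIC key is present.
# $1=public key PEM  $2=message file  $3=output directory for the bundle
seal_message() {
    pub=$1; msg=$2; out=$3
    mkdir -p "$out" || return 1
    # Fresh random AES-256 key, HMAC key and CBC IV for every message.
    ek=$(openssl rand -hex 32) && mk=$(openssl rand -hex 32) &&
        iv=$(openssl rand -hex 16) || return 1
    openssl enc -aes-256-cbc -K "$ek" -iv "$iv" -in "$msg" -out "$out/body.enc" || return 1
    # Encrypt-then-MAC, so a tampered body is rejected before decryption.
    mac=$(mac_hex "$mk" "$iv" "$out/body.enc")
    [ "${#mac}" -eq 64 ] || return 1
    printf '%s' "$mac" > "$out/body.mac"
    # Wrap the session keys with RSA-OAEP; they are never written in the clear.
    printf '%s %s %s' "$ek" "$mk" "$iv" | openssl pkeyutl -encrypt -pubin \
        -inkey "$pub" -pkeyopt rsa_padding_mode:oaep -out "$out/keys.rsa"
}

# Home server side: the only place the PRIVATE key exists.
# $1=private key PEM  $2=bundle directory  $3=file to write the plaintext to
open_message() {
    priv=$1; dir=$2; plain=$3
    keys=$(openssl pkeyutl -decrypt -inkey "$priv" \
        -pkeyopt rsa_padding_mode:oaep -in "$dir/keys.rsa") || return 1
    set -- $keys          # $1=AES key  $2=MAC key  $3=IV
    [ $# -eq 3 ] || return 1
    mac=$(mac_hex "$2" "$3" "$dir/body.enc")
    [ "${#mac}" -eq 64 ] && [ "$mac" = "$(cat "$dir/body.mac")" ] || return 1
    openssl enc -d -aes-256-cbc -K "$1" -iv "$3" -in "$dir/body.enc" -out "$plain"
}
```

Public-key encryption alone does not prove who produced a bundle; the MAC only binds the body to the wrapped keys, so anything pulled from the relay should still be treated as untrusted inbound mail.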