1. 11

  2. 2

    I just switched to OpenBSD for e-mail using the following stack:

    Inbound: opensmtpd -> spampd(tag) -> opensmtpd -> clamsmtpd(tag) -> opensmtpd -> procmail -> dovecot(Maildir) outbound: opensmtpd -> dkim_proxy -> opensmtpd(relay)

    I don’t use the spamd/grey listing up front like a lot of tutorials suggest, but spampd(spam assistant) seems to get the majority of it.

    My old stack was similar, but used postfix on opensuse. I really like the opensmtpd configuration; loads simpler than postfix. However I wish it supporter filters that the other MTAs do. It had filter support for a bit, but was clunky and subsequently removed. It makes it difficult (impossible?) to run things like rspam.

    1. 5

      rspamd has an MDA mode, so you can do like

      accept from any for local virtual { "@" => mike } deliver to mda "rspamc --mime --ucl --exec /usr/loca
      l/bin/dovecot-lda-mike" as mike

      and dovecot-lda-mike is

      #! /bin/sh
      exec /usr/local/libexec/dovecot/dovecot-lda -d mike

      smtpd is really really really good. For some reason the email software ecosystem is a mess of insane configs and horrible scripts, but my smtpd.conf is 12 lines and the only script I use (that rspamd one) is going to go away when filters come back. smtpd is so good I went with an MDA instead of a web app to handle photo uploads to my VPS. It’s one line in smtpd.conf and ~70 lines of python, and I don’t have to deal with fcgi or anything like that.

      1. 1

        smtpd is so good I went with an MDA instead of a web app to handle photo uploads to my VPS

        Oh that’s a clever idea. I’ve been using ssh (via termux) on my phone but that is so clumsy.

      2. 5

        I do greylisting on my email server [1] and I’ve found that it reduces the incoming email by 50% up front—there are a lot of poorly written spam bots out there. Greylisting up front will reduce the load that your spam system will have to slog through, for very little cost.

        [1] Yes, I run my own. Been doing it nearly 20 years now (well over 10 at its current location) so I have it easier than someone starting out now. Clean IP, full control over DNS (I run my own DNS server; I also have access to modify the PTR record if I need to) and it’s just me—no one else receives email from my server.

        1. 2

          I’m the author/presenter of the tutorial. If I may, I suggest looking at my talk this year at BSDCan: Fighting Spam at the Frontline: Using DNS, Log Files and Other Tools in the Fight Against Spam. In those slides I talk about using spf records (spf_fetch, smtpctl spfwalk, spfwalk standalone) to whitelist IPs and mining httpd and sshd logs for bad actors and actively blacklisting them.

          For those who find blacklisting a terrifying idea, in the presentation I suggest configuring your firewall rules so that your whitelists always win. That way, if Google somehow get added to your blacklists, the whitelist rule will ensure Gmail can still connect.

          I also discuss ways to capture send-to domains and add them to your whitelists so you don’t have to wait hours for them to escape the greylists.

          1. 1

            I didn’t find SPF to be all that great, and it was the nearly the same three years earlier. Even the RBL were problematic, but that was three years ago.

            As for greylisting, I currently hold them for 25 minutes, and that might be 20 minutes longer than absolutely required.

          2. 1

            Greylisting is the best. Back when my mailserver was just on a VPS it was the difference between spamd eating 100% CPU and a usable system.