OpenBSD Mail Server Intro (technoquarter.blogspot.com)
64 points by protomyth on Feb 14, 2015 | 28 comments

I wish the email stack was simpler.

While working on a project to learn Go, I was using postfix to pipe email directly to a Go program, that then sent them as an SMS. I couldn't help thinking how old and clunky the software I was using felt. The Go ended up being done in an hour and the postfix part took me 2 nights.

The same goes for all of the other email protocols and software. It's all big, bulky, and complicated, especially considering how much of a backbone email is to business today.

I know of the mailinabox project that was meant to package and abstract out a lot of the difficulties, but found that even that was too complicated.

Does anyone know of any projects meant to simplify the email stack?

I'm biased but as far as SMTP is concerned, you can hardly find something simpler than OpenSMTPD: pretty much any configuration can be described in less than 10 lines of config.

Here's my configuration on this desktop:

    listen on all
    accept from any for domain debug.poolp.org deliver to maildir
    accept from local for any relay

I am making my living from administering Linux/BSD boxes for small businesses or ISPs. I have installed a couple of full-featured mail servers over time... and I can tell, it's not getting any better. It is a strange area where technology moves much more slowly and it is impossible for an unskilled person to set up the full stack without bugs on the first day. Even for me it's not fun work to install and then maintain. (Little self-promo here, I am trying to "start up" with http://poste.io )

Not what you are asking for, but possibly another approach to consider - https://bitbucket.org/chrj/smtpd.

Opensmtpd is really simple, and you might want to explore some of the programmability of the project. I think you're looking for something like Lamson (http://lamsonproject.org). I'm not sure it's maintained anymore, but it was an idea in that direction. For utter simplicity opensmtpd really is good.

Also check this by the author of "The Book of PF": http://home.nuug.no/~peter/pf/en/spamd.setup.html

- isn't SpamAssassin too big, too old and too ugly considering it, according to the author, only stands for 5% of the anti-spam?

- can ClamAV really catch modern malware or are we just talking legacy viruses from the 90s and 2000s?

I use SA on my own domains and I feel it is as efficient as Google's own spam detection. Although no spam mails slipped through in months, a few legit got caught due to their incompetence in html-emails.

As for ClamAV, their database is updated frequently. It's probably not as good as commercial vendors such as Symantec, NOD32 and so on (can't compare because I haven't used them for years), but I feel it offers some protection.

At this point I consider myself a competent SA admin. I've got one particular box with a domain going back to at least 1998 that I can't block enough spam, too much still gets through. SpamAssassin is great, but I've been using GMail since the beta and spam almost never gets through, like single digits for me in all that time.

What would you suggest as alternatives for viruses and spam detection?

While I've got a soft spot for SpamAssassin, bogofilter's good and at least by my recollection far less resource-intensive.

available in the ports as mail/bogofilter

Might be a bit more work than SpamAssassin for MTA use as it seems to concentrate on single user use.

For small but multi-user sites, a standard system for incorporating per-user or all-user filtering preferences would be useful....

I'm not aware of such a setup. The article here is useful in that it does at least suggest one mailstream flow. Though yes, it's complex as hell.

Hands down, the configuration file for opensmtpd is the best I've ever seen. It's easy to grok and its declarative style beats Postfix's plethora of flags any day. Looking forward to it making its way into the standard Linux distros.


thanks ;-)

It is already available as a package on various Linux distros: Gentoo, Arch, Fedora, ... as well as all BSD variants.

This is an 8-part series of posts by the same author, the link at the top of the page.


Hey, I'm trying to use this guide, do you know why you enable ssh in pf.conf?

Edit: oh dear, now I'm downloading the source for every program including ports.

What do you mean by 'enable ssh in pf.conf'? What are you referring to?

Ok, found: pass in on egress proto tcp to any port ssh

It means that you need to open port 22 (ssh) in order to be able to log in, as the recommended firewall setting is to 'deny all' by default.

Thanks. That's weird, because I can already log in with ssh on port 22. I was asking because I didn't realize how it was related to a mail server. Now I understand you might want to log in remotely.

If doing this read the update in "OpenBSD Mail Server - Part 4, SpamAssassin and SpamPD".

Nice find. I set up a Kolab + Ubuntu server based email for myself and family a few months ago and it has been running great. If anyone would be interested in a writeup let me know.

Why did you decide to use Kolab?

Because it has a good suite of tools that work out of the box. There's LDAP, webmail, webDav/calDav/cardDav, admin interface, antivirus, anti-spam, etc. It integrates well with OwnCloud too which is a nice plus.

When I was looking to move away from gmail, my requirements were security and privacy and Kolabsys was one of the first services that popped up as a viable alternative.

The thing is, I was also looking for a reason to try out AWS and get back to using linux after years of powerpoint and archimate _poisoning_ so everything came together like that.

I highly recommend it, even if it took me about 5 working days to get spamassassin, openDKIM, ciphermail and TLS working for all components. But hey, now I get a 94% grade on www.emailsecuritygrader.com and an A+ on SSL Labs's test so hurray for me.

Tutorials like this are good for learning, but since computers are great tools which can help to prevent repetitive work it would be great if the author published a virtual machine image or, even better, some saltstack or ansible recipes to build this on github, so it could be improved and maintained by everybody.

Hint to authors of similar tutorials: yes, just release the scripts to build the vm or docker image. This is 2015, it hurts to see 100s of people manually copy-pasting things.

You're not going to learn anything from a premade docker image, or from ansible playbooks.

At that point, there's no need to provide a tutorial at all.

The tutorial would provide the reasoning behind why the decisions in the script have been made, allowing people to adapt it to their own needs.

I don't think docker runs on OpenBSD. Ansible does though.

I'll translate what you said.

"Please dear sir, hold my hand in everything I do."
