Open-source Mail Server: Hi, OpenSMTPD!

Open_Rec #11 : A comprehensive guide to running your own lightweight, secure, and privacy-respecting email server with OpenSMTPD.

We used AI while writing this content.
Many cloud providers block port 25 on their cloud servers, which effectively blocks OpenSMTPD. You may need your own server to run SMTPD.

OpenSMTPD?

Open-source? ✅
Cost estimation: 🆓
Author: OpenBSD Project & Gilles Chehade
Usage Case: Mail Transfer Agent (MTA) for sending/receiving emails
Dependency: Linux/BSD Server, Domain Name, Static IP

Advantages

• Lightweight and resource-efficient
• Security-focused design (from OpenBSD)
• Simple, human-readable configuration
• Free and open-source
• Built-in SPF, DKIM, and spam filtering support
• Modern SMTP standards compliance
• Active development and community
• Minimal attack surface

Platforms supported

             | Linux | OpenBSD | FreeBSD | macOS | Windows
Availability | ✅ | ✅ | ✅ | ✅ | ❌
Open-source  | ✅ | ✅ | ✅ | ✅ | N/A
Price        | 🆓 | 🆓 | 🆓 | 🆓 | N/A

⚠️ OpenSMTPD is a Unix-based mail server. Windows users should run it in WSL2 or a Linux VM, though this is not recommended for production use.


Case for OpenSMTPD

If you send emails from your own domain, whether for personal correspondence, a small business, or web applications, you face the challenge of email delivery.

There are plenty of solutions:

Cloud Email (Gmail, Outlook)
• Min Price: 🆓 (limited)
• Open-source: ❌
• Advantages: Easy, reliable, spam filtering
• Disadvantages: Privacy concerns, vendor lock-in

Transactional Email APIs (SendGrid, Mailgun)
• Min Price: 💰 ($0.01/email)
• Open-source: ❌
• Advantages: Developer-friendly APIs, delivery analytics
• Disadvantages: Costly at scale, limited customization

Shared Hosting Email
• Min Price: 💰 (hosting fee)
• Open-source: Varies
• Advantages: Included with hosting
• Disadvantages: Poor deliverability, limited features

Self-hosted (Postfix)
• Min Price: 🆓
• Open-source: ✅
• Advantages: Full control, mature
• Disadvantages: Complex configuration, bloated

Self-hosted (OpenSMTPD)
• Min Price: 🆓
• Open-source: ✅
• Advantages: Simple config, lightweight, secure
• Disadvantages: Smaller community than Postfix

The Email Delivery Problem

The most convenient solution is using cloud email providers like Gmail or Outlook. However, there are several issues:

• Privacy concerns: Your emails are scanned for advertising and data mining purposes
• Vendor lock-in: You're dependent on a third party's policies and pricing
• Limited customization: Can't integrate deeply with your own infrastructure
• Account suspension risk: Accounts can be suspended without warning, losing access to critical communications

Why Not Transactional Email APIs?

Services like SendGrid, Mailgun, or Amazon SES solve the technical challenges of email delivery but introduce their own problems:

• Cost: Prices add up quickly (typically $0.001-$0.01 per email). Sending 100,000 emails/month = $100-$1,000/month
• Data privacy: Your emails pass through third-party servers
• Rate limits: Subject to arbitrary sending limits
• Vendor dependency: API changes or service outages can break your application
• Overkill for simple needs: You're paying for features you may not need

Why Not Postfix?

Postfix has been the gold standard for self-hosted email for decades. It's mature, battle-tested, and extremely powerful. However:

• Complexity: Configuration involves dozens of files with cryptic syntax
• Steep learning curve: Takes days or weeks to properly configure
• Bloat: Includes many features most users don't need
• Security: Large codebase = larger attack surface

Here's a typical Postfix configuration snippet:

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, example.com, mail.example.com, localhost.example.com, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

Compare this to OpenSMTPD's equivalent:

pki mail.example.com cert "/etc/ssl/certs/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

table aliases file:/etc/smtpd/aliases

listen on eth0 tls pki mail.example.com
listen on lo

action "local" maildir alias <aliases>
action "relay" relay

match from local for local action "local"
match from local for any action "relay"

Much cleaner, no?

Why OpenSMTPD?

OpenSMTPD is a modern mail server designed with security and simplicity as top priorities. Born from the OpenBSD project (known for security-first philosophy), OpenSMTPD aims to be:

• Secure by default: Minimal attack surface, privilege separation, sandboxing
• Simple to configure: Human-readable configuration file
• Lightweight: Low memory footprint (~10-20 MB RAM vs Postfix's ~50-100 MB)
• Standards-compliant: Supports all modern SMTP standards (TLS, SPF, DKIM, etc.)

How OpenSMTPD Works

┌─────────────────────────────────────────────────────────┐
│                  Internet (Port 25/587)                 │
└────────────────────────┬────────────────────────────────┘
                         │
                         ▼
              ┌────────────────────┐
              │   OpenSMTPD Server │
              │                    │
              │  ┌──────────────┐  │
              │  │ smtp_in      │  │ ← Receives incoming mail
              │  └──────┬───────┘  │
              │         │          │
              │  ┌──────▼───────┐  │
              │  │ Queue        │  │ ← Stores messages temporarily
              │  └──────┬───────┘  │
              │         │          │
              │  ┌──────▼───────┐  │
              │  │ smtp_out     │  │ ← Delivers outgoing mail
              │  └──────────────┘  │
              └────────────────────┘
                         │
          ┌──────────────┴──────────────┐
          ▼                             ▼
  ┌────────────────┐          ┌────────────────┐
  │ Local Mailbox  │          │ Remote Server  │
  │ (/var/mail/)   │          │ (Gmail, etc.)  │
  └────────────────┘          └────────────────┘

When an email is sent through OpenSMTPD:

  1. Client connects to OpenSMTPD via SMTP (port 25 or 587)
  2. Authentication (if required) verifies the sender
  3. Message accepted and placed in queue
  4. OpenSMTPD processes the message (checks SPF, signs with DKIM, etc.)
  5. Delivery attempt to recipient's mail server
  6. Retry on failure with exponential backoff (up to 4 days by default)

Real-World Benefits

For a small organization or individual:

• Cost savings: No monthly fees for transactional email services
• Privacy: Your emails stay on your server, no third-party scanning
• Control: Full customization of email policies and routing
• Learning: Understanding email infrastructure is valuable knowledge
• Reliability: No dependency on external services (except DNS)

Limitations

OpenSMTPD is not perfect for everyone:

• Deliverability challenges: Self-hosted mail often ends up in spam folders without proper configuration (SPF, DKIM, DMARC, IP reputation)
• Maintenance overhead: You're responsible for security updates and monitoring
• Spam management: Requires additional tools like rspamd or SpamAssassin
• Blacklist risk: If your server is compromised or misconfigured, your IP can be blacklisted
• Smaller ecosystem: Fewer tutorials and third-party tools compared to Postfix

📝 Reality check: Running your own mail server is not trivial. Expect to invest 4-8 hours for initial setup and ongoing maintenance. If you just need to send a few emails per day, a transactional email API might be simpler.

If you value privacy, control, and learning, and you're willing to invest the time, OpenSMTPD is THE solution for self-hosted email.


Setup

Prerequisites

Before installing OpenSMTPD, ensure you have:

1. A Server

• Linux VPS or dedicated server with at least:

  • 1 CPU core
  • 512 MB RAM (1 GB recommended)
  • 10 GB disk space
  • Static IP address

2. A Domain Name

• Register a domain (e.g., example.com)
• You'll use a subdomain like mail.example.com for your mail server

3. DNS Records Configured

You must configure these DNS records BEFORE setting up OpenSMTPD:

# A Record - points your mail server subdomain to your server IP
mail.example.com.   IN A   203.0.113.10

# MX Record - tells other mail servers where to send emails for your domain
example.com.        IN MX  10 mail.example.com.

# SPF Record - specifies which servers can send email for your domain
example.com.        IN TXT "v=spf1 mx ~all"

# DMARC Record - email authentication policy
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"

PTR Record Configured (reverse DNS)

A PTR record is the reverse of an A record: it allows a domain name to be resolved from an IP address.

10.113.0.203.in-addr.arpa. IN PTR mail.example.com.

⚠️ Critical: Without proper PTR (reverse DNS), most mail servers will reject your emails as spam.
Contact your VPS provider to configure this, as PTR records must be set by the IP address owner. As this is a relatively common demand, many providers have an established procedure and would be happy to set it up for you quickly.
For Oracle, use this link

You'll configure DKIM later after OpenSMTPD is installed.
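
A preflight check for the records above, as an added example that is not part of the original guide: it looks up the A, MX, SPF, DMARC and PTR records and reports any that do not match. The function names and the RESOLVE switch are assumptions of this example; the sample answers are constructed from the guide's example values, and running with RESOLVE=resolve_dig queries real DNS through dig.

```sh
#!/bin/sh
# Added example (not from the guide): preflight check of the mail DNS records.
# RESOLVE names the lookup function. resolve_dig queries real DNS; resolve_sample
# answers from constructed data that mirrors the guide's example values.

resolve_dig() { dig +short "$1" "$2"; }

resolve_sample() {   # constructed answers in `dig +short` format
    case "$1 $2" in
        "A mail.example.com")            echo '203.0.113.10' ;;
        "MX example.com")                echo '10 mail.example.com.' ;;
        "TXT example.com")               echo '"v=spf1 mx ~all"' ;;
        "TXT _dmarc.example.com")        echo '"v=DMARC1; p=quarantine; rua=mailto:postmaster@example.com"' ;;
        "PTR 10.113.0.203.in-addr.arpa") echo 'mail.example.com.' ;;
    esac
}

RESOLVE=${RESOLVE:-resolve_sample}

# 203.0.113.10 -> 10.113.0.203.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Escape dots so a host name or address can be used inside a regular expression.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check LABEL TYPE NAME PATTERN: succeed when some answer matches PATTERN
check() {
    if "$RESOLVE" "$2" "$3" | grep -Eiq -- "$4"; then
        echo "ok    $1"
    else
        echo "FAIL  $1"
        return 1
    fi
}

# check_mail_dns DOMAIN MAILHOST IP: one line per record; exit status = number of failures
check_mail_dns() {
    domain=$1 host=$2 ip=$3 fails=0
    h=$(re_escape "$host")
    check "A     $host -> $ip"     A   "$host"             "^$(re_escape "$ip")\$" || fails=$((fails + 1))
    check "MX    $domain -> $host" MX  "$domain"           "^[0-9]+ $h\.\$"        || fails=$((fails + 1))
    check "SPF   $domain"          TXT "$domain"           '^"v=spf1 '             || fails=$((fails + 1))
    check "DMARC _dmarc.$domain"   TXT "_dmarc.$domain"    '^"v=DMARC1;'           || fails=$((fails + 1))
    check "PTR   $ip -> $host"     PTR "$(ptr_name "$ip")" "^$h\.\$"               || fails=$((fails + 1))
    return "$fails"
}

check_mail_dns example.com mail.example.com 203.0.113.10 ||
    echo "Fix the records marked FAIL before installing OpenSMTPD"
```

The PTR check compares the reverse lookup with the same host name the A record uses, which is the forward/reverse agreement receiving servers look for.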

4. Open Firewall Ports

# Allow SMTP (incoming mail)
sudo ufw allow 25/tcp

# Allow submission (authenticated mail sending)
sudo ufw allow 587/tcp

# Optional: SMTPS (legacy secure SMTP)
sudo ufw allow 465/tcp

Then verify the accessibility of those ports.

If the ports still appear blocked, see this.


Installation (Ubuntu/Debian)

# Update system
sudo apt update && sudo apt upgrade -y

# Install OpenSMTPD
sudo apt install -y opensmtpd

# Verify installation
smtpd -h

Installation (Fedora/RHEL/CentOS)

# Update system
sudo dnf update -y

# Install OpenSMTPD
sudo dnf install -y opensmtpd

# Enable and start the service
sudo systemctl enable opensmtpd
sudo systemctl start opensmtpd

Installation (OpenBSD)

OpenSMTPD is included by default in OpenBSD:

# Enable and start the service
rcctl enable smtpd
rcctl start smtpd

Basic Configuration

OpenSMTPD's main configuration file is /etc/smtpd.conf (or /etc/mail/smtpd.conf on some systems).

Here's a minimal configuration for sending and receiving mail:

# Edit the configuration file
sudo nano /etc/smtpd.conf

Minimal Configuration (for receiving and sending mail):

# Define SSL certificate and key
pki mail.example.com cert "/etc/ssl/certs/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

# Define local aliases (optional)
table aliases file:/etc/aliases

# Listen on the public interface (eth0), port 25, offering STARTTLS
listen on eth0 tls pki mail.example.com
listen on eth0 port 587 tls-require pki mail.example.com auth

# Listen on localhost (for local applications to send mail)
listen on lo

# Define actions
action "local" maildir alias <aliases>
action "relay" relay

# Define matching rules
match from any for domain "example.com" action "local"
match from local for any action "relay"
match auth from any for any action "relay"

Explanation:

• pki mail.example.com cert/key: Points to your SSL certificate (we'll set this up next)
• listen on eth0 tls: Accept incoming mail on port 25 with TLS support
• listen on eth0 port 587 tls-require auth: Accept authenticated submission on port 587
• action "local" maildir: Deliver local mail to maildir format in /home/user/Maildir/
• action "relay" relay: Relay (send) mail to external servers
• match from any for domain "example.com": Accept mail destined for your domain
• match from local for any: Allow local applications to send mail
• match auth from any for any: Allow authenticated users to send mail


SSL Certificate Setup

You need an SSL certificate for secure email transmission. We'll use Let's Encrypt (free):

# Install Certbot
sudo apt install -y certbot

# Ensure that certbot's http-based automatic verifications can succeed
sudo ufw allow 80/tcp

# Request a certificate for your mail domain
sudo certbot certonly --standalone -d mail.example.com

# Certificates will be placed in:
# /etc/letsencrypt/live/mail.example.com/fullchain.pem
# /etc/letsencrypt/live/mail.example.com/privkey.pem

# Create symbolic links for OpenSMTPD
sudo ln -s /etc/letsencrypt/live/mail.example.com/fullchain.pem /etc/ssl/certs/mail.example.com.crt
sudo ln -s /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/ssl/private/mail.example.com.key

# Set permissions
sudo chmod 644 /etc/ssl/certs/mail.example.com.crt
sudo chmod 600 /etc/ssl/private/mail.example.com.key

💡 Tip: Set up automatic certificate renewal:

sudo certbot renew --dry-run  # Test renewal
sudo systemctl enable certbot.timer  # Enable auto-renewal

Verify Configuration

# Check configuration syntax
sudo smtpd -n

# If no errors, restart OpenSMTPD
sudo systemctl restart opensmtpd

# Check status
sudo systemctl status opensmtpd

Create User Mailboxes

OpenSMTPD delivers mail to user mailboxes. Create a user:

# Create a new user (or use an existing user)
sudo useradd -m -s /bin/bash alice
sudo passwd alice

# Create Maildir directory
sudo mkdir -p /home/alice/Maildir/{new,cur,tmp}
sudo chown -R alice:alice /home/alice/Maildir

Test Sending Mail

Test sending an email from the server:

# Send a test email
echo "This is a test email from OpenSMTPD" | mail -s "Test Email" you@example.com

Check the queue:

# View mail queue
sudo smtpctl show queue

Check logs for delivery status:

# View logs (Ubuntu/Debian)
sudo tail -f /var/log/mail.log

# View logs (systemd-based systems; same unit name as in the systemctl commands above)
sudo journalctl -u opensmtpd -f

Test Receiving Mail

Send an email to alice@example.com from an external email provider (Gmail, Outlook, etc.).

Check if the mail was received:

# Check Alice's mailbox
sudo ls -la /home/alice/Maildir/new/

# Read the email
sudo cat /home/alice/Maildir/new/*

After Installation

Set Up DKIM Signing

DKIM (DomainKeys Identified Mail) cryptographically signs your emails to prove they're legitimate.

Install OpenDKIM

# Ubuntu/Debian
sudo apt install -y opendkim opendkim-tools

# Fedora/RHEL
sudo dnf install -y opendkim

Generate DKIM Keys

# Create directory for keys
sudo mkdir -p /etc/opendkim/keys/example.com
cd /etc/opendkim/keys/example.com

# Generate key pair
sudo opendkim-genkey -s mail -d example.com

# Set permissions
sudo chown opendkim:opendkim mail.private
sudo chmod 600 mail.private

Configure OpenDKIM

Edit /etc/opendkim.conf:

# Basic settings
Domain                  example.com
KeyFile                 /etc/opendkim/keys/example.com/mail.private
Selector                mail
Socket                  inet:8891@localhost

Edit /etc/default/opendkim (Ubuntu/Debian):

SOCKET="inet:8891@localhost"

Configure OpenSMTPD to Use OpenDKIM

Add to /etc/smtpd.conf:

filter "dkim" proc-exec "filter-dkimsign -d example.com -s mail -k /etc/opendkim/keys/example.com/mail.private"

listen on eth0 tls pki mail.example.com filter "dkim"

📝 Note: The filter-dkimsign utility may need to be installed separately or configured differently depending on your OpenSMTPD version. Consult the documentation for your specific version.

Add DKIM DNS Record

Extract the public key:

sudo cat /etc/opendkim/keys/example.com/mail.txt

You'll see something like:

mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Add this as a TXT record in your DNS:

mail._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Verify the record:

dig TXT mail._domainkey.example.com
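
A check that the published record matches the signing key, as an added example that is not part of the original guide. opendkim-genkey writes the record as several quoted strings, so the helper joins them before comparing the p= value with the public key derived from the private key; the function names are this example's own, and the demo key and record are constructed.

```sh
#!/bin/sh
# Added example (not from the guide): confirm that a DKIM TXT record carries
# the public half of the signing key.

# Join the quoted strings of a TXT record (zone-file syntax or dig output).
txt_strings_joined() {
    grep -o '"[^"]*"' | tr -d '"\n'
}

# Print the p= tag of the DKIM record read from stdin.
dkim_p() {
    txt_strings_joined | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# Print the base64 public key (SubjectPublicKeyInfo, DER) of an RSA private key file.
dkim_p_from_key() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# dkim_record_matches_key RECORD_FILE PRIVATE_KEY: succeed when both carry the same key.
dkim_record_matches_key() {
    published=$(dkim_p < "$1")
    [ -n "$published" ] && [ "$published" = "$(dkim_p_from_key "$2")" ]
}

# Demo on a constructed throw-away key; skipped when openssl is not available.
work=$(mktemp -d)
if command -v openssl >/dev/null 2>&1 &&
   openssl genrsa -out "$work/mail.private" 2048 2>/dev/null; then
    p=$(dkim_p_from_key "$work/mail.private")
    # Write the record the way opendkim-genkey does: split across quoted strings.
    {
        echo 'mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "'
        echo "      \"p=$(printf '%s' "$p" | cut -c1-200)\""
        echo "      \"$(printf '%s' "$p" | cut -c201-)\" )  ; constructed record"
    } > "$work/mail.txt"
    if dkim_record_matches_key "$work/mail.txt" "$work/mail.private"; then
        echo "DKIM record matches the signing key"
    else
        echo "DKIM record does NOT match the signing key"
    fi
fi
rm -rf "$work"
```

For the live record, save the output of `dig +short TXT mail._domainkey.example.com` to a file and pass it together with /etc/opendkim/keys/example.com/mail.private.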

Set Up Authentication (SASL)

To allow users to send mail from email clients (Thunderbird, Outlook, etc.), set up SASL authentication.

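Create auth_table at /etc/mail/auth:

# /etc/mail/auth
# The second column is the password hash printed by `smtpctl encrypt`, not the clear-text password
user1@example.com   <hash-for-user1>
user2@example.com   <hash-for-user2>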

Update /etc/smtpd.conf:

table auth_table file:/etc/mail/auth
listen on eth0 port 587 tls-require pki mail.example.com auth <auth_table>

Then from another device:

swaks \
  --server <server-ip-address> \
  --port 587 \
  --tls \
  --auth LOGIN \
  --auth-user <user-name> \
  --auth-password '<password>' \
  --from <address> \
  --to <recipient address> \
  --header "Subject: Test OpenSMTPD" \
  --body "Hello World !"

Set Up Spam Filtering (Optional)

Install rspamd for spam filtering:

# Ubuntu/Debian
sudo apt install -y rspamd

# Configure OpenSMTPD to use rspamd
sudo nano /etc/smtpd.conf

Add rspamd filter:

filter "rspamd" proc-exec "filter-rspamd"

listen on eth0 tls pki mail.example.com filter { "dkim", "rspamd" }

Set Up Aliases

Define email aliases in /etc/aliases:

# Redirect root's mail to admin
root: admin@example.com

# Create mailing lists
support: alice@example.com, bob@example.com

# Forward to external email
webmaster: external@gmail.com

Update the aliases database:

sudo newaliases

Monitor Mail Queue

Check the mail queue regularly:

# View queue
sudo smtpctl show queue

# View message details
sudo smtpctl show message <message_id>

# Remove a message from queue
sudo smtpctl remove <message_id>

# Flush the queue (retry all messages)
sudo smtpctl schedule all

Set Up Logging

OpenSMTPD logs to syslog. Configure log rotation:

# Create log rotation config
sudo nano /etc/logrotate.d/smtpd

Add:

/var/log/mail.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

Practical Tips

Test Email Deliverability

Use online tools to test your configuration:

• MXToolbox: https://mxtoolbox.com/SuperTool.aspx
• Mail-tester: https://www.mail-tester.com/
• DKIM Validator: https://dkimvalidator.com/

Send a test email to these services and check your score (aim for 10/10).

Monitor Blacklists

Check if your IP is blacklisted:

# Manual check
host 10.113.0.203.zen.spamhaus.org

# Use MXToolbox
# Visit: https://mxtoolbox.com/blacklists.aspx

If blacklisted, follow the delisting procedure for each blacklist.

Improve Deliverability

• Warm up your IP: Start by sending small volumes and gradually increase
• Keep bounce rates low: Remove invalid email addresses promptly
• Authenticate all emails: Ensure SPF, DKIM, and DMARC are properly configured
• Avoid spam triggers: Don't send unsolicited emails, use clear unsubscribe links
• Monitor reputation: Use tools like Google Postmaster Tools

Backup Configuration

# Backup configuration and keys
sudo tar -czf opensmtpd-backup-$(date +%F).tar.gz \
  /etc/smtpd.conf \
  /etc/aliases \
  /etc/opendkim/keys/ \
  /etc/ssl/certs/mail.example.com.crt \
  /etc/ssl/private/mail.example.com.key

Security Hardening

• Disable open relay: Ensure your configuration doesn't allow relaying for anyone
• Rate limiting: Implement rate limits to prevent spam:

# Cap the number of messages per SMTP session and recipients per message
smtp limit max-mails 100
smtp limit max-rcpt 500

• Use strong authentication: Require TLS for all authenticated sessions
• Keep software updated: Regularly update OpenSMTPD and dependencies
• Monitor logs: Set up log monitoring (e.g., fail2ban) to detect abuse
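
One way to check the "Disable open relay" item, as an added example (not OpenSMTPD tooling and not from the original guide): a small linter that reports match rules which relay mail from any source to any destination without authentication. The function name and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the guide): report smtpd.conf match rules that relay
# for anyone. A rule is reported when it hands mail to an action declared with
# the "relay" method, accepts "from any" and "for any", and has no "auth" condition.
# Simplification: comments are cut at the first "#", so a "#" inside a quoted
# string is not supported.

find_open_relay_rules() {   # $1 = path to smtpd.conf
    awk '
        { sub(/#.*/, ""); sub(/[ \t]+$/, "") }
        NF == 0 { next }
        # remember which action names use the relay delivery method
        $1 == "action" && $3 == "relay" {
            name = $2; gsub(/"/, "", name); is_relay[name] = 1
        }
        $1 == "match" {
            from_any = for_any = auth = 0; target = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "auth") auth = 1
                else if ($i == "from" && $(i + 1) == "any") from_any = 1
                else if ($i == "for" && $(i + 1) == "any") for_any = 1
                else if ($i == "action") { target = $(i + 1); gsub(/"/, "", target) }
            }
            if (from_any && for_any && !auth) { rule[NR] = $0; action_of[NR] = target }
        }
        END {
            # resolve action names last so declaration order does not matter
            for (n = 1; n <= NR; n++)
                if ((n in rule) && (action_of[n] in is_relay))
                    printf "line %d: %s\n", n, rule[n]
        }
    ' "$1"
}

# Constructed sample: the guide's rules plus one deliberate mistake on the last line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
action "local" maildir alias <aliases>
action "relay" relay
match from any for domain "example.com" action "local"
match from local for any action "relay"
match auth from any for any action "relay"
match from any for any action "relay"   # constructed mistake: relays for anyone
EOF
find_open_relay_rules "$sample"
rm -f "$sample"
```

Run it against /etc/smtpd.conf after every rule change; no output means no rule matched the pattern.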


Troubleshooting

"Connection refused" when sending mail

Problem: Can't connect to port 25 or 587

Solution:

# Check if OpenSMTPD is running
sudo systemctl status opensmtpd

# Check firewall rules
sudo ufw status

# Verify ports are listening
sudo netstat -tlnp | grep smtpd

Emails going to spam

Problem: Sent emails end up in recipient's spam folder

Solution:
• Verify SPF, DKIM, and DMARC are configured correctly
• Check if your IP is blacklisted
• Ensure reverse DNS (PTR) is set up
• Test with mail-tester.com and fix reported issues

"Relay access denied"

Problem: Can't send mail to external domains

Solution:
Check your /etc/smtpd.conf has relay rules:

match from local for any action "relay"
match auth from any for any action "relay"

Mail stuck in queue

Problem: Messages remain in queue without delivery

Solution:

# Check queue
sudo smtpctl show queue

# View logs for errors
sudo journalctl -u opensmtpd -f

# Manually retry delivery
sudo smtpctl schedule all

# Remove stuck message
sudo smtpctl remove <message_id>

SSL certificate errors

Problem: "TLS handshake failed" errors

Solution:

# Verify certificate files exist and are readable
sudo ls -la /etc/ssl/certs/mail.example.com.crt
sudo ls -la /etc/ssl/private/mail.example.com.key

# Test certificate
openssl s_client -connect mail.example.com:25 -starttls smtp

# Renew Let's Encrypt certificate
sudo certbot renew

Conclusion

OpenSMTPD provides a lightweight, secure, and simple alternative to complex mail servers like Postfix. For individuals and small organizations who value:

✅ Privacy and data sovereignty
✅ Simplicity and maintainability
✅ Low resource usage
✅ Security-first design
✅ Freedom from vendor lock-in

OpenSMTPD is THE solution for self-hosted email. While it requires more initial setup than cloud services, the long-term benefits of control, privacy, and cost savings make it worthwhile.

The initial configuration takes 2-4 hours, but once set up, OpenSMTPD runs reliably with minimal maintenance. Just remember:

• Start small: Test thoroughly before using for critical communications
• Monitor regularly: Check logs and deliverability weekly
• Stay updated: Keep software and security practices current
• Have a backup plan: Keep a transactional email API as failover for critical emails

Happy mailing! 📧

Copyleft Statement

Much of our content is freely available under the Creative Commons BY-NC-ND 4.0 licence, which allows free distribution and republishing of our content for non-commercial purposes, as long as Ronzz.org is appropriately credited and the content is not being modified materially to express a different meaning than it is originally intended for. It must be noted that some images on Ronzz.org are the intellectual property of third parties. Our permission to use those images may not cover your reproduction. This does not affect your statutory rights.
