SlideShare a Scribd company logo

OpenSMTPD delivers secure SMTP

Giovanni Bechis
Giovanni Bechis

OpenSMTPD is a FREE implementation of the server-side SMTP protocol as defined by RFC 5321, with some additional standard extensions. It allows ordinary machines to exchange e-mails with other systems speaking the SMTP protocol. Started out of dissatisfaction with other implementations, OpenSMTPD nowadays is a fairly complete SMTP implementation.

Internet
1 of 21
Download to read offline
OpenSMTPD: we deliver Giovanni Bechis <giovanni@openbsd.org> LinuxCon Europe 2015
About Me sys admin and developer @SNB OpenBSD developer Open Source developer in several other projects
OpenSMTPD story first import in late 2008 default smtp server in OpenBSD since March 2014 current version is 5.7.3 released October 5, 2015 portable version is available for *BSD, Linux and MacOSX
why OpenSMTPD ? in OpenBSD we needed a new smtp server to replace sendmail(8) Postfix has not a ”good” licence (from an OpenBSD pov) OpenSMTPD is designed with security in mind pf.conf(5) like configuration file
OpenSMTPD: security in mind multiple processes privilege revocation chroot strlcpy(3), reallocarray(3), arc4random(3), imsg, ... no auth on unsecure connections crypt(3) as password hashing function
OpenSMTPD: features smtp protocol as defined in RFC 5321 backup mx support mbox and maildir support authentication inbound and outbound with multiple backends masquerade support mailwrapper(8) for sendmail(8) filters compressed or crypted mail queue
OpenSMTPD: extras in base src code lives the main smtp server implementation in extra src code lives all extra features: table(5) support for different databases different queue backends different schedulers filters
OpenSMTPD: basic configuration listen on lo0 table aliases db:/etc/mail/aliases.db # accept from any for domain "example.org" alias <aliases> deliver to mbox accept for local alias <aliases> deliver to mbox accept from local for any relay
OpenSMTPD: advanced configuration pki mail.example.org certificate "/etc/ssl/mail.example.org.crt" pki mail.example.org key "/etc/ssl/private/mail.example.org.key" filter myregex regex filter mydnsbl dnsbl filter myperl perl /usr/libexec/smtpd/spamfilter.pl filter mychain chain myregex mydnsbl myperl table aliases db:/etc/mail/aliases.db table vusers mysql:/etc/mail/mysql.conf table vdomains mysql:/etc/mail/mysql.conf table valiases mysql:/etc/mail/mysql.conf table credentials mysql:/etc/mail/mysql.conf listen on eth0 secure auth-optional <credentials> pki mail.example.org filter mychain listen on eth0 port submission tls auth <credentials> pki mail.example.org listen on lo0 port 10025 tag Filtered listen on lo0 port 10027 tag Signed accept tagged Filtered for domain <vdomains> userbase <vusers> virtual <valiases> deliver to lmtp "/var/dovecot/lmtp" accept from any for domain <vdomains> relay via "smtp://127.0.0.1:10024" # Local emails accept tagged Filtered for local alias <aliases> deliver to mbox accept tagged Signed for any relay pki mail.example.org accept for any relay via "smtp://127.0.0.1:10026"
OpenSMTPD: table(5) # smtpd.conf: table vusers mysql:/etc/mail/mysql.conf host localhost username user password passwd database db # Alias lookup query # query_alias select destination from mail_valias where source=? # Domain lookup query # query_domain select domain from mail_domain where domain=?; # User lookup query # query_userinfo select uid,gid,maildir from mail_user where login=?; # Credentials lookup query # query_credentials select login, password from mail_user where login=?;
OpenSMTPD: antispam interaction spamd(8) on OpenBSD OpenSMTPD filters amavisd-new, spampd, dkimproxy
spamd(8) and spamd-{,geo}setup(8) OpenBSD spamd(8) spamd-geosetup(8): geolocalize spammers
OpenSMTPD filters OpenSMTPD filters standalone programs written in C, Lua, Perl or Python the filter accepts or rejects the email talk to the main process via imsg read(3) and friends fork(2) and imsg are managed by internals, writing a new filter is easy there are filters available for dnsbl, regex matching, SpamAssassin and Clamav integration and much more
OpenSMTPD filters: C code static int on_connect(uint64_t id, struct filter_connect *conn) { log_warnx("filter-stub: ALOHA, WELCOME TO MY MAIL SERVER !"); return (1); } int main(int argc, char **argv) { int ch; log_init(-1); while ((ch = getopt(argc, argv, "")) != -1) { switch (ch) { default: log_warnx("warn: filter-stub: bad option"); return (1); /* NOTREACHED */ } } argc -= optind; argv += optind; /* register a callback for "on_connect" event */ filter_api_on_connect(on_connect); /* start doing stuff */ filter_api_loop(); log_warnx("warn: filter-stub: exiting"); return (1); }
OpenSMTPD filters: Perl code use strict; use warnings; sub on_connect { my ($id, $l, $r, $h) = @_; print "on_connect: $id $l $r $h"; return smtpd::filter_api_accept $id; }
OpenSMTPD filters: Python code import filter def on_connect(session, local_addr, remote_addr, hostname): print "on_connect:", hex(session), local_addr, remote_addr, hostname return filter.accept(id)
OpenSMTPD monitoring: smtpctl(8) smtpctl(8) is used to control and monitor smtpd(8) view mail queue increase logging monitor smtpd(8) process trace option to debug mail flow
OpenSMTPD monitoring: smtpctl(8) $ sudo smtpctl show monitor --- client --- -- envelope -- ---- relay/delivery --- ------- misc ------- curr conn disc curr enq deq ok tmpfail prmfail loop expire remove bounce 0 1627 1627 5 1689 1684 1623 442 50 0 11 0 55 0 0 0 5 0 0 0 0 0 0 0 0 0
OpenSMTPD monitoring: smtpctl(8) $ sudo smtpctl show stats [...] queue.bounce=6673 queue.evpcache.load.hit=773522 queue.evpcache.size=0 queue.evpcache.update.hit=7238 scheduler.delivery.ok=58582 scheduler.delivery.permfail=875 scheduler.delivery.tempfail=7123 [...] smtp.session=0 smtp.session.inet4=17039 smtp.session.inet6=1 smtp.session.local=1876 smtp.smtps=0 smtp.tls=0 uptime=7582306 uptime.human=87d18h11m46s
OpenSMTPD monitoring: smtpctl(8) trace [...] expand: 0x133db4879018: inserted node 0x133cf460d800 expand: lka_expand: username: giovanni [depth=1] lookup: lookup "giovanni" as ALIAS in table db:aliases -> 0 lookup: lookup "giovanni" as USERINFO in table getpwnam:<getpwnam> -> "giovanni: 1000:103:/home/giovanni" mproc: lka -> parent : 1080 IMSG_LKA_OPEN_FORWARD imsg: parent <- lka: IMSG_LKA_OPEN_FORWARD (len=1080) mproc: parent -> lka : 1080 IMSG_LKA_OPEN_FORWARD imsg: lka <- parent: IMSG_LKA_OPEN_FORWARD (len=1080) expand: no .forward for user giovanni, just deliver lookup: lookup "giovanni" as USERINFO in table getpwnam:<getpwnam> -> "giovanni: 1000:103:/home/giovanni" mproc: lka -> queue: allocating 128 mproc: lka -> queue: realloc 128 -> 512 mproc: lka -> queue : 361 IMSG_LKA_ENVELOPE_SUBMIT mproc: lka -> queue : 9 IMSG_LKA_ENVELOPE_COMMIT expand: 0x133db4879018: clearing expand tree imsg: queue <- lka: IMSG_LKA_ENVELOPE_SUBMIT (len=361) queue-backend: queue_envelope_create(09a2ee6000000000, 342) -> 1 (09a2ee60261b00 61) [...]
Questions ?

Recommended

OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SSH
SSHSSH
SSHZach Dennis
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
FLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configFLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configdmp1304
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesOSOCO
 
Tomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSHTomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSHwebelement
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
 

Recommended

OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
LibreSSL, one year later
LibreSSL, one year laterLibreSSL, one year later
LibreSSL, one year laterGiovanni Bechis
 
SSH
SSHSSH
SSHZach Dennis
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
FLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configFLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configdmp1304
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesOSOCO
 
Tomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSHTomáš Čorej - OpenSSH
Tomáš Čorej - OpenSSHwebelement
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGPSarang Ananda Rao
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocolBaspally Sai Anirudh
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSHnussbauml
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)Pina Parmar
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnelAmandeep Singh
 
Secure shell
Secure shellSecure shell
Secure shellArjun Aj
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslogamiable_indian
 
Secure SHell
Secure SHellSecure SHell
Secure SHellÇağrı Çakır
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And RloginSourav Roy
 
Ssh
SshSsh
Sshgh02
 
Penetration testing using python
Penetration testing using pythonPenetration testing using python
Penetration testing using pythonPurna Chander K
 
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]Phil Huggins FBCS CITP
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSHJP Bourget
 
Tcp sockets
Tcp socketsTcp sockets
Tcp socketsbabak danyal
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open sshDan Kaminsky
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015Zi Lin
 
香港六合彩
香港六合彩香港六合彩
香港六合彩香港六合彩 香港六合彩
 
Skill Hierarchy
Skill HierarchySkill Hierarchy
Skill Hierarchygeogeeks
 

More Related Content

What's hot

Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Giovanni Bechis
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSHnussbauml
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filterGiovanni Bechis
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)Pina Parmar
 
Secure shell
Secure shellSecure shell
Secure shellArjun Aj
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslogamiable_indian
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And RloginSourav Roy
 
Ssh
SshSsh
Sshgh02
 
Penetration testing using python
Penetration testing using pythonPenetration testing using python
Penetration testing using pythonPurna Chander K
 
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]Phil Huggins FBCS CITP
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015Zi Lin
 

What's hot (20)

Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSH
 
Pf: the OpenBSD packet filter
Pf: the OpenBSD packet filterPf: the OpenBSD packet filter
Pf: the OpenBSD packet filter
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnel
 
Secure shell
Secure shellSecure shell
Secure shell
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslog
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And Rlogin
 
Ssh
SshSsh
Ssh
 
Penetration testing using python
Penetration testing using pythonPenetration testing using python
Penetration testing using python
 
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]First Responder Course - Session 9 - Volatile Evidence Collection [2004]
First Responder Course - Session 9 - Volatile Evidence Collection [2004]
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
Tcp sockets
Tcp socketsTcp sockets
Tcp sockets
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open ssh
 
Zi nginx conf_2015
Zi nginx conf_2015Zi nginx conf_2015
Zi nginx conf_2015
 

Viewers also liked

Skill Hierarchy
Skill HierarchySkill Hierarchy
Skill Hierarchygeogeeks
 
YODI_research_mapping_presentation1
YODI_research_mapping_presentation1YODI_research_mapping_presentation1
YODI_research_mapping_presentation1Dominic Santangelo
 
Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...
Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...
Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...Tanay Kumar Das
 
Sin título
Sin títuloSin título
Sin títuloWiktor99
 
Wireless HDMI: a quick-and-dirty guide
Wireless HDMI: a quick-and-dirty guideWireless HDMI: a quick-and-dirty guide
Wireless HDMI: a quick-and-dirty guideAirtame
 
Dog Startups: Love Gaw |15 June, Chasopys|
Dog Startups: Love Gaw |15 June, Chasopys|Dog Startups: Love Gaw |15 June, Chasopys|
Dog Startups: Love Gaw |15 June, Chasopys|Vika Zhurbas
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated frameworkIrfan Ahmed - ACA, CICA
 
Mobile Number Portability
Mobile Number PortabilityMobile Number Portability
Mobile Number PortabilitySunny Agarwal
 

Viewers also liked (15)

香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Skill Hierarchy
Skill HierarchySkill Hierarchy
Skill Hierarchy
 
YODI_research_mapping_presentation1
YODI_research_mapping_presentation1YODI_research_mapping_presentation1
YODI_research_mapping_presentation1
 
Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...
Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...
Crpf 1939 constable (tradesmen technical) recruitment exam 2011 coaching at...
 
Sin título
Sin títuloSin título
Sin título
 
Cover Letter
Cover LetterCover Letter
Cover Letter
 
Wireless HDMI: a quick-and-dirty guide
Wireless HDMI: a quick-and-dirty guideWireless HDMI: a quick-and-dirty guide
Wireless HDMI: a quick-and-dirty guide
 
Beebetter Plano de Negócios
Beebetter Plano de NegóciosBeebetter Plano de Negócios
Beebetter Plano de Negócios
 
Discussion paper 16.11.2015
Discussion paper 16.11.2015Discussion paper 16.11.2015
Discussion paper 16.11.2015
 
Curso redes
Curso redesCurso redes
Curso redes
 
Dog Startups: Love Gaw |15 June, Chasopys|
Dog Startups: Love Gaw |15 June, Chasopys|Dog Startups: Love Gaw |15 June, Chasopys|
Dog Startups: Love Gaw |15 June, Chasopys|
 
Sementes
SementesSementes
Sementes
 
Tipos de energía
Tipos de energíaTipos de energía
Tipos de energía
 
Coso internal control integrated framework
Coso internal control integrated frameworkCoso internal control integrated framework
Coso internal control integrated framework
 
Mobile Number Portability
Mobile Number PortabilityMobile Number Portability
Mobile Number Portability
 

Similar to OpenSMTPD delivers secure SMTP

Network Prog.ppt
Network Prog.pptNetwork Prog.ppt
Network Prog.pptEloOgardo
 
Socket Programming Intro.pptx
Socket Programming Intro.pptxSocket Programming Intro.pptx
Socket Programming Intro.pptxssuserc4a497
 
Opentalk at Large - StS 2005
Opentalk at Large - StS 2005Opentalk at Large - StS 2005
Opentalk at Large - StS 2005Martin Kobetic
 
Scaling Your Logging Infrastructure With Syslog-NG
Scaling Your Logging Infrastructure With Syslog-NGScaling Your Logging Infrastructure With Syslog-NG
Scaling Your Logging Infrastructure With Syslog-NGAll Things Open
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngPeter Czanik
 
Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)dantleech
 
SquirrelMail for webmail
SquirrelMail for webmailSquirrelMail for webmail
SquirrelMail for webmailAryman Gautam
 
Session Server - Maintaing State between several Servers
Session Server - Maintaing State between several ServersSession Server - Maintaing State between several Servers
Session Server - Maintaing State between several ServersStephan Schmidt
 
Network programming using python
Network programming using pythonNetwork programming using python
Network programming using pythonAli Nezhad
 

Similar to OpenSMTPD delivers secure SMTP (20)

Basic socket programming
Basic socket programmingBasic socket programming
Basic socket programming
 
Network Prog.ppt
Network Prog.pptNetwork Prog.ppt
Network Prog.ppt
 
Net Programming.ppt
Net Programming.pptNet Programming.ppt
Net Programming.ppt
 
Socket Programming Intro.pptx
Socket Programming Intro.pptxSocket Programming Intro.pptx
Socket Programming Intro.pptx
 
Basics of sockets
Basics of socketsBasics of sockets
Basics of sockets
 
Netkitmig
NetkitmigNetkitmig
Netkitmig
 
L5-Sockets.pptx
L5-Sockets.pptxL5-Sockets.pptx
L5-Sockets.pptx
 
Opentalk at Large - StS 2005
Opentalk at Large - StS 2005Opentalk at Large - StS 2005
Opentalk at Large - StS 2005
 
Scaling Your Logging Infrastructure With Syslog-NG
Scaling Your Logging Infrastructure With Syslog-NGScaling Your Logging Infrastructure With Syslog-NG
Scaling Your Logging Infrastructure With Syslog-NG
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ng
 
Pemrograman Jaringan
Pemrograman JaringanPemrograman Jaringan
Pemrograman Jaringan
 
Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)Exploring Async PHP (SF Live Berlin 2019)
Exploring Async PHP (SF Live Berlin 2019)
 
SquirrelMail for webmail
SquirrelMail for webmailSquirrelMail for webmail
SquirrelMail for webmail
 
03 sockets
03 sockets03 sockets
03 sockets
 
Session Server - Maintaing State between several Servers
Session Server - Maintaing State between several ServersSession Server - Maintaing State between several Servers
Session Server - Maintaing State between several Servers
 
lab04.pdf
lab04.pdflab04.pdf
lab04.pdf
 
Network programming using python
Network programming using pythonNetwork programming using python
Network programming using python
 
Npc08
Npc08Npc08
Npc08
 
sockets_intro.ppt
sockets_intro.pptsockets_intro.ppt
sockets_intro.ppt
 
Sockets
Sockets Sockets
Sockets
 

More from Giovanni Bechis

SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresGiovanni Bechis
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyGiovanni Bechis
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with PuppetGiovanni Bechis
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3Giovanni Bechis
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profitGiovanni Bechis
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Giovanni Bechis
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management frameworkGiovanni Bechis
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceGiovanni Bechis
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teGiovanni Bechis
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDGiovanni Bechis
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaGiovanni Bechis
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internetGiovanni Bechis
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografiaGiovanni Bechis
 
Pf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourcePf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourceGiovanni Bechis
 

More from Giovanni Bechis (18)

the Apache way
the Apache waythe Apache way
the Apache way
 
SpamAssassin 4.0 new features
SpamAssassin 4.0 new featuresSpamAssassin 4.0 new features
SpamAssassin 4.0 new features
 
ACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easyACME and mod_md: tls certificates made easy
ACME and mod_md: tls certificates made easy
 
Scaling antispam solutions with Puppet
Scaling antispam solutions with PuppetScaling antispam solutions with Puppet
Scaling antispam solutions with Puppet
 
What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3What's new in SpamAssassin 3.4.3
What's new in SpamAssassin 3.4.3
 
Fighting Spam for fun and profit
Fighting Spam for fun and profitFighting Spam for fun and profit
Fighting Spam for fun and profit
 
Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)Linux seccomp(2) vs OpenBSD pledge(2)
Linux seccomp(2) vs OpenBSD pledge(2)
 
Pledge in OpenBSD
Pledge in OpenBSDPledge in OpenBSD
Pledge in OpenBSD
 
ELK: a log management framework
ELK: a log management frameworkELK: a log management framework
ELK: a log management framework
 
LibreSSL
LibreSSLLibreSSL
LibreSSL
 
SOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open SourceSOGo: sostituire Microsoft Exchange con software Open Source
SOGo: sostituire Microsoft Exchange con software Open Source
 
Cloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con teCloud storage, i tuoi files, ovunque con te
Cloud storage, i tuoi files, ovunque con te
 
Npppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSDNpppd: easy vpn with OpenBSD
Npppd: easy vpn with OpenBSD
 
Openssh: comunicare in sicurezza
Openssh: comunicare in sicurezzaOpenssh: comunicare in sicurezza
Openssh: comunicare in sicurezza
 
Ipv6: il futuro di internet
Ipv6: il futuro di internetIpv6: il futuro di internet
Ipv6: il futuro di internet
 
L'ABC della crittografia
L'ABC della crittografiaL'ABC della crittografia
L'ABC della crittografia
 
Pf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open sourcePf e netfilter, analisi dei firewall open source
Pf e netfilter, analisi dei firewall open source
 
Mysql diventa grande
Mysql diventa grandeMysql diventa grande
Mysql diventa grande
 

Recently uploaded

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 

Recently uploaded (9)

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 

OpenSMTPD delivers secure SMTP

  • 1. OpenSMTPD: we deliver Giovanni Bechis <giovanni@openbsd.org> LinuxCon Europe 2015
  • 2. About Me sys admin and developer @SNB OpenBSD developer Open Source developer in several other projects
  • 3. OpenSMTPD story first import in late 2008 default smtp server in OpenBSD since March 2014 current version is 5.7.3 released October 5, 2015 portable version is available for *BSD, Linux and MacOSX
  • 4. why OpenSMTPD ? in OpenBSD we needed a new smtp server to replace sendmail(8) Postfix has not a ”good” licence (from an OpenBSD pov) OpenSMTPD is designed with security in mind pf.conf(5) like configuration file
  • 5. OpenSMTPD: security in mind multiple processes privilege revocation chroot strlcpy(3), reallocarray(3), arc4random(3), imsg, ... no auth on unsecure connections crypt(3) as password hashing function
  • 6. OpenSMTPD: features smtp protocol as defined in RFC 5321 backup mx support mbox and maildir support authentication inbound and outbound with multiple backends masquerade support mailwrapper(8) for sendmail(8) filters compressed or crypted mail queue
  • 7. OpenSMTPD: extras in base src code lives the main smtp server implementation in extra src code lives all extra features: table(5) support for different databases different queue backends different schedulers filters
  • 8. OpenSMTPD: basic configuration listen on lo0 table aliases db:/etc/mail/aliases.db # accept from any for domain "example.org" alias <aliases> deliver to mbox accept for local alias <aliases> deliver to mbox accept from local for any relay
  • 9. OpenSMTPD: advanced configuration pki mail.example.org certificate "/etc/ssl/mail.example.org.crt" pki mail.example.org key "/etc/ssl/private/mail.example.org.key" filter myregex regex filter mydnsbl dnsbl filter myperl perl /usr/libexec/smtpd/spamfilter.pl filter mychain chain myregex mydnsbl myperl table aliases db:/etc/mail/aliases.db table vusers mysql:/etc/mail/mysql.conf table vdomains mysql:/etc/mail/mysql.conf table valiases mysql:/etc/mail/mysql.conf table credentials mysql:/etc/mail/mysql.conf listen on eth0 secure auth-optional <credentials> pki mail.example.org filter mychain listen on eth0 port submission tls auth <credentials> pki mail.example.org listen on lo0 port 10025 tag Filtered listen on lo0 port 10027 tag Signed accept tagged Filtered for domain <vdomains> userbase <vusers> virtual <valiases> deliver to lmtp "/var/dovecot/lmtp" accept from any for domain <vdomains> relay via "smtp://127.0.0.1:10024" # Local emails accept tagged Filtered for local alias <aliases> deliver to mbox accept tagged Signed for any relay pki mail.example.org accept for any relay via "smtp://127.0.0.1:10026"
  • 10. OpenSMTPD: table(5) # smtpd.conf: table vusers mysql:/etc/mail/mysql.conf host localhost username user password passwd database db # Alias lookup query # query_alias select destination from mail_valias where source=? # Domain lookup query # query_domain select domain from mail_domain where domain=?; # User lookup query # query_userinfo select uid,gid,maildir from mail_user where login=?; # Credentials lookup query # query_credentials select login, password from mail_user where login=?;
  • 11. OpenSMTPD: antispam interaction spamd(8) on OpenBSD OpenSMTPD filters amavisd-new, spampd, dkimproxy
  • 12. spamd(8) and spamd-{,geo}setup(8) OpenBSD spamd(8) spamd-geosetup(8): geolocalize spammers
  • 13. OpenSMTPD filters OpenSMTPD filters standalone programs written in C, Lua, Perl or Python the filter accepts or rejects the email talk to the main process via imsg read(3) and friends fork(2) and imsg are managed by internals, writing a new filter is easy there are filters available for dnsbl, regex matching, SpamAssassin and Clamav integration and much more
  • 14. OpenSMTPD filters: C code static int on_connect(uint64_t id, struct filter_connect *conn) { log_warnx("filter-stub: ALOHA, WELCOME TO MY MAIL SERVER !"); return (1); } int main(int argc, char **argv) { int ch; log_init(-1); while ((ch = getopt(argc, argv, "")) != -1) { switch (ch) { default: log_warnx("warn: filter-stub: bad option"); return (1); /* NOTREACHED */ } } argc -= optind; argv += optind; /* register a callback for "on_connect" event */ filter_api_on_connect(on_connect); /* start doing stuff */ filter_api_loop(); log_warnx("warn: filter-stub: exiting"); return (1); }
  • 15. OpenSMTPD filters: Perl code use strict; use warnings; sub on_connect { my ($id, $l, $r, $h) = @_; print "on_connect: $id $l $r $h"; return smtpd::filter_api_accept $id; }
  • 16. OpenSMTPD filters: Python code import filter def on_connect(session, local_addr, remote_addr, hostname): print "on_connect:", hex(session), local_addr, remote_addr, hostname return filter.accept(id)
  • 17. OpenSMTPD monitoring: smtpctl(8) smtpctl(8) is used to control and monitor smtpd(8) view mail queue increase logging monitor smtpd(8) process trace option to debug mail flow
  • 18. OpenSMTPD monitoring: smtpctl(8) $ sudo smtpctl show monitor --- client --- -- envelope -- ---- relay/delivery --- ------- misc ------- curr conn disc curr enq deq ok tmpfail prmfail loop expire remove bounce 0 1627 1627 5 1689 1684 1623 442 50 0 11 0 55 0 0 0 5 0 0 0 0 0 0 0 0 0
  • 19. OpenSMTPD monitoring: smtpctl(8) $ sudo smtpctl show stats [...] queue.bounce=6673 queue.evpcache.load.hit=773522 queue.evpcache.size=0 queue.evpcache.update.hit=7238 scheduler.delivery.ok=58582 scheduler.delivery.permfail=875 scheduler.delivery.tempfail=7123 [...] smtp.session=0 smtp.session.inet4=17039 smtp.session.inet6=1 smtp.session.local=1876 smtp.smtps=0 smtp.tls=0 uptime=7582306 uptime.human=87d18h11m46s
  • 20. OpenSMTPD monitoring: smtpctl(8) trace [...] expand: 0x133db4879018: inserted node 0x133cf460d800 expand: lka_expand: username: giovanni [depth=1] lookup: lookup "giovanni" as ALIAS in table db:aliases -> 0 lookup: lookup "giovanni" as USERINFO in table getpwnam:<getpwnam> -> "giovanni: 1000:103:/home/giovanni" mproc: lka -> parent : 1080 IMSG_LKA_OPEN_FORWARD imsg: parent <- lka: IMSG_LKA_OPEN_FORWARD (len=1080) mproc: parent -> lka : 1080 IMSG_LKA_OPEN_FORWARD imsg: lka <- parent: IMSG_LKA_OPEN_FORWARD (len=1080) expand: no .forward for user giovanni, just deliver lookup: lookup "giovanni" as USERINFO in table getpwnam:<getpwnam> -> "giovanni: 1000:103:/home/giovanni" mproc: lka -> queue: allocating 128 mproc: lka -> queue: realloc 128 -> 512 mproc: lka -> queue : 361 IMSG_LKA_ENVELOPE_SUBMIT mproc: lka -> queue : 9 IMSG_LKA_ENVELOPE_COMMIT expand: 0x133db4879018: clearing expand tree imsg: queue <- lka: IMSG_LKA_ENVELOPE_SUBMIT (len=361) queue-backend: queue_envelope_create(09a2ee6000000000, 342) -> 1 (09a2ee60261b00 61) [...]