• Be as secure as possible. Code carefully, do strict validity checks especially in the network input path, and use bounded buffer operations. Use privilege separation to mitigate the effects of possible security bugs.
• Reliability is extremely important. Any email that OpenSMTPD has accepted has to be handled with care and must not be lost.
• Provide a lean implementation, sufficient for a majority. Don't try to support each and every obscure usage case, but cover the typical ones.
• Provide a powerful and easy to understand configuration language.
• Be fast and efficient. OpenSMTPD must be able to handle large queues with reasonable performance.
• Support Virtual Domains and Virtual Users
• Normal OpenSMTPD development produces a very small, secure, and easy to maintain version for the OpenBSD project. The portability team takes that pure version and adds portability code so that OpenSMTPD can run on many other operating systems:
  • OpenBSD
  • FreeBSD
  • NetBSD
  • Linux
  • MacOS

• OpenSMTPD is a general purpose implementation of the SMTP protocol
• It features both server-side and client-side implementations
• Operating as a server, it accepts messages from SMTP clients
• Operating as a client, it relays messages to other SMTP servers
• Doesn't follow the OpenBSD release cycle but aligns to it
• Accepts messages from a unix socket or the network for delivery or relaying
• Resolves SMTP addresses into recipients (aliases, virtual, ...)
• Manages a local persistent queue of messages that aren't allowed to be lost
• Schedules delivery with some retry logic in case of temporary failures
• Relays messages to other hosts over the network
• Delivers messages locally by executing a MDA with the user privileges

• When running on OpenBSD the OS provides it with out-of-the-box ASLR and randomized malloc()
• For privileges separation, OpenSMTPD forks at beginning
• All processes have completely different memory layouts
• Configuration is very simple, most people come to OpenSMTPD because of it
• The configurations for TLS, Auth, DKIM, IPv4/IPv6, virtual domains and aliases is about 15 lines
• OpenSMTPD has been used in very high-volume environments
• Can be extended with OpenSMTPD addons (extras)

# Sample Configuration for OpenSMTPD @ /etc/mail/smtpd.conf

pki example.com key  "/etc/letsencrypt/example.com/privkey.pem"
pki example.com cert "/etc/letsencrypt/example.com/fullchain.pem"

listen on lo mask-source
listen on 1.2.3.4 port  25 tls pki example.com auth-optional hostname example.com
listen on 1.2.3.4 port 465 smtps pki example.com auth hostname example.com mask-source
listen on 1.2.3.4 port 587 tls-require pki example.com auth hostname example.com mask-source

table aliases  file:/etc/mail/aliases
table domains  file:/etc/mail/domains
table virtuals file:/etc/mail/virtuals
table authinfo file:/etc/mail/authinfo

accept from any for domain <domains> virtual <virtuals> deliver to mda "/usr/local/bin/rspamc --mime --exec \"/usr/local/libexec/dovecot/deliver -d %{dest:lowercase|strip} -f %{sender} -a %{rcpt}\""
accept from local for local alias <aliases> deliver to mda "/usr/local/bin/rspamc --mime --exec \"/usr/local/libexec/dovecot/deliver -d %{dest:lowercase|strip} -f %{sender} -a %{rcpt}\""

accept from local for any relay via "tls+auth://example@smtp.example.com:587" auth <authinfo> verify

# END