Saturday, March 26, 2005

Configure OpenBSD Mail Gateway

A very effective way to filter viruses and SPAM for multiple email domains is to use OpenBSD, OpenBSD's spamd, ClamAV and SpamAssassin with OpenBSD's included version of sendmail.

You can also use this configuration as a mail gateway in front of Microsoft Exchange servers if you have concerns with putting Exchange's SMTP port "on the Internet."

Here's how to set it up:

  1. Buy an OpenBSD CD.

  2. Install OpenBSD 3.6.

  3. Install ClamAV 0.83.

  4. Install SpamAssassin 3.02.

  5. Configure SpamAssassin for site-wide use with SpamAssassin's spamd.

  6. Edit sendmail's access table, /etc/mail/access, and add "<domain> RELAY" for each domain you want to relay.

  7. Edit sendmail's mailertable, /etc/mail/mailertable, and add "<domain> esmtp:[ip.address]" for each domain you want to relay that is not local to your OpenBSD server.

  8. Create the database maps for access and mailertable:
    sudo makemap hash /etc/mail/access < /etc/mail/access
    sudo makemap hash /etc/mail/mailertable < /etc/mail/mailertable

  9. Add the following two lines to your /etc/rc.conf.local:
    spamd_flags="-G 8:4:864"

  10. Assuming this box is not a firewall (meaning that you're not contending with other rules), create a new /etc/pf.conf with the following in it:

    table <spamd> persist
    table <spamd-white> persist
    rdr pass on !lo0 proto tcp from <spamd> to !lo0 port smtp -> lo0 port spamd
    rdr pass on !lo0 proto tcp from !<spamd-white> to !lo0 port smtp -> lo0 port spamd

  11. Configure your DNS MX record to point to this server for the domains in /etc/mail/access.
  12. Reboot to test your startup scripts and make sure everything works.
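
A pre-flight check for the access and mailertable files from steps 6 and 7, added here as an example (it is not part of the original post). The function names and the sample domains and addresses are constructed; it assumes plain "domain RELAY" access keys with no To: or Connect: tags.

```shell
#!/bin/sh
# Added example, not from the original post: lint the access and mailertable
# source files from steps 6 and 7 before running makemap.
# Assumption: access uses plain "domain RELAY" keys (no To:/Connect: tags).

# check_relay_maps ACCESS MAILERTABLE
# Prints sorted "finding domain" lines; returns 1 if anything was found.
check_relay_maps() {
    out=$(awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        src == "access" {
            if (toupper($2) == "RELAY") relay[tolower($1)] = 1
            next
        }
        {                                    # mailertable: domain mailer:[host]
            dom = tolower($1); routed[dom] = 1
            # routed but not allowed in access: mail would be refused as relaying
            if (!(dom in relay)) print "no-relay", dom
            # an unbracketed host gets an MX lookup; for the domain itself that
            # MX is this gateway once step 11 is done
            if ($2 !~ /^[a-z0-9]+:\[.+\]$/) print "mx-lookup", dom
        }
        END {
            # RELAY without a route is only right for domains delivered locally
            for (d in relay) if (!(d in routed)) print "no-route", d
        }
    ' src=access "$1" src=mailertable "$2" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample files (example domains and RFC 5737 addresses).
write_sample() {
    printf '%s\n' '# access' 'example.com RELAY' 'example.org RELAY' \
        'example.net RELAY' > "$1/access"
    printf '%s\n' 'example.com esmtp:[192.0.2.10]' \
        'example.org esmtp:example.org' \
        'example.edu esmtp:[192.0.2.11]' > "$1/mailertable"
}

dir=$(mktemp -d)
write_sample "$dir"
check_relay_maps "$dir/access" "$dir/mailertable" || true
rm -rf "$dir"
```

Run it against /etc/mail/access and /etc/mail/mailertable before step 8; a "no-route" line is expected for any domain whose mail is delivered on the OpenBSD server itself.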


  1. Congratulations,

    This article is very nice...
    All the site is nice...

    Thanks a lot.


  2. Neat little reference. Thanks for sharing. I'll give it a chance with my freshly arrived 3.8. :O)

    polarizers 2cent

  3. I found your website and think it's very helpful for those wishing to learn more about OpenBSD. I was wondering what changes I would need to enact to use your "Configure OpenBSD Mail Gateway" setup on OpenBSD 4.0? If you have done so, could you send me or put an append on the website as to what needs to be done to enact this setup on OpenBSD 4.0?

    Thank you.

  4. Thanks for going to the trouble of putting this very useful information on the net. Any chance of updating it for 4.0?

  5. I'm trying to find the time... The problem is with the spamass-milter port. It is not stable. When I used it, it would stop processing mail and return a failure message to sendmail.

    I'm currently using mimedefang (another erdely-special port), but that port is not ready for public-release.

    Also, I'm considering moving to postfix. Since moving from spamass-milter on Linux to mimedefang on OpenBSD, I've noticed a drop in effectiveness of SpamAssassin. It's slight and could be a coincidence, but I doubt it.

  6. [...] the integration of SpamAssassin and ClamAV into Sendmail, an article by Mike Erdelyn and an article by David L. Goodrich have [...] me [...]