From ArchWiki

OpenSMTPD is a free mail transfer agent, developed as part of the OpenBSD project. This article builds upon Mail server.


Install the opensmtpd package.


OpenSMTPD is configured in /etc/smtpd/.

Note: Starting with OpenSMTPD version 6.4.0 the configuration file syntax has been completely reworked, breaking compatibility with previous configuration files. For instruction on migrating the configuration to the new syntax see

Local mail

This article or section is out of date.

Reason: OpenSMTPD 6.6.3p1 changed the default configuration to use Maildir instead of mbox. (Discuss in Talk:OpenSMTPD)

To have local mail working, for example for cron mails, it is enough to simply start smtpd.service.

The default configuration of OpenSMTPD is to do local retrieval and delivery of mail, and also relay outgoing mail. See smtpd.conf(5).

To have your local mail delivered to /var/spool/mail/username, i.e. the path where most email clients expect it, use action "local" maildir "/var/spool/mail/%{rcpt.user}" alias <aliases> instead of action "local" mbox alias <aliases>.

Local mail only

To do only local mail, the following is enough:

listen on localhost
action "local" mbox alias <aliases>
match for local action "local"

Hybrid: local mail and relay

These two lines in /etc/smtpd/smtpd.conf:

action "local" mbox alias <aliases>
action "relay" relay host "smtp://" mail-from ""
match for local action "local"
match for any action "relay"

configure OpenSMTPD to:

  • send local email locally, without going through a relay (useful for cron & at mail notifications)
  • use a relay to send a mail outside of localhost

Simply replace by your ISP mail server, or another server at your convenience.

Relay only

To send all local emails through a relay, invoke procmail:

action "local" mda "procmail -f -" virtual <aliases>
action "relay" relay host "smtps://" auth <secrets> mail-from ""
match for local action "local"
match for any action "relay"

The aliases option is used for the local user mapping. For a simplified mapping, you can use virtual aliases with a catch-all:

@ foo@bar

Simple OpenSMTPD/mbox configuration


To obtain a certificate, see OpenSSL#Usage.

Note: OpenSMTPD has solid defaults, SSLv3 is always disabled and the default ciphers are not known to be insecure. You might still want to test the server as described in Server-side TLS.

Create user accounts

  • Create a user account on the mail server for each desired mailbox.
# useradd -m roger
# useradd -m shirley
  • OpenSMTPD will deliver messages to the user account's mbox file at /var/spool/mail/<username>
  • Multiple SMTP email addresses can be routed to a given mbox if desired.

Craft a simple smtpd.conf setup

  • A working configuration can be had in as little as nine lines!
pki mx.domain.tld cert         "/etc/smtpd/tls/smtpd.crt"
pki mx.domain.tld key          "/etc/smtpd/tls/smtpd.key"

table creds                    "/etc/smtpd/creds"
table vdoms                    "/etc/smtpd/vdoms"
table vusers                   "/etc/smtpd/vusers"

listen on eth0 tls pki mx.domain.tld
listen on eth0 port 465 smtps pki mx.domain.tld auth <creds>
listen on eth0 port 587 tls-require pki mx.domain.tld auth <creds>

action receive	mbox virtual <vusers>
action send relay

match from any for domain <vdoms> action receive
match for any action send

Create tables

  • For the domain table file, simply put one domain per line.
  • For the user table file, list one inbound SMTP email address per line and map it to an mbox user account name, an SMTP email address, or any combination of the two on the right, separated by commas.
/etc/smtpd/vusers          roger    roger,            roger          shirley             roger,shirley
  • For the creds table file, put the user name in the first column and the password hash in the second column.
roger                              <password hash created using 'smtpctl encrypt' command>
shirley                            <password hash created using 'smtpctl encrypt' command>
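
A lint for the listeners in the smtpd.conf above and for the creds table, as an added example that is not part of OpenSMTPD or of the original article. The function names and the policy are this example's assumptions: authenticated listeners must use smtps or tls-require, the creds file must not be accessible to other users, and hashes are assumed to look like crypt(3) strings of the form $id$...$... (stat -c is the GNU coreutils form).

```shell
#!/bin/sh
# Added example; the checks are this example's policy, not OpenSMTPD's.

# Flag listeners that offer auth without forcing TLS (smtps or tls-require).
# A bare "tls" keyword only offers STARTTLS; it does not require it.
audit_listeners() {
    awk '
    $1 == "listen" {
        auth = 0; forced = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "auth" || $i == "auth-optional") auth = 1
            if ($i == "smtps" || $i == "tls-require") forced = 1
        }
        if (auth && !forced) {
            printf "%s:%d: auth offered without smtps/tls-require\n", FILENAME, NR
            bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Flag a creds table that other users can access, rows that are not
# "user hash", values that are not crypt(3)-style ($id$...$..., the
# format assumed here for smtpctl encrypt output), and duplicate users.
audit_creds() {
    rc=0
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        *[1-7]) echo "$1: mode $mode is accessible to other users"; rc=1 ;;
    esac
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    NF != 2 { printf "%s:%d: expected 2 columns, found %d\n", FILENAME, NR, NF; bad = 1; next }
    $2 !~ /^\$[0-9a-z]+\$[^$]+\$.+$/ {
        printf "%s:%d: user %s: column 2 is not a crypt(3) hash\n", FILENAME, NR, $1
        bad = 1
    }
    seen[$1]++ { printf "%s:%d: duplicate user %s\n", FILENAME, NR, $1; bad = 1 }
    END { exit bad + 0 }' "$1" || rc=1
    return $rc
}

# Usage: sh audit.sh /etc/smtpd/smtpd.conf /etc/smtpd/creds
if [ $# -eq 2 ]; then
    audit_listeners "$1"; audit_creds "$2"
fi
```

The three listen lines shown above pass audit_listeners; a plaintext password in the second column of the creds file is reported with its line number.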

Test the configuration

# smtpd -n

If you get a message that says 'configuration OK' - you are ready to rock and roll. If not, work on any configuration errors and try again.


Console debugging

If you are having problems with mail delivery, try stopping the smtpd.service and launching the daemon manually with the 'do not daemonize' and 'verbose output' options. Then watch the console for errors.

# smtpd -dv

Subsystem tracing

Add the -T flag to get real-time subsystem tracing:

# smtpd -dv -T smtp

Alternately, use the smtpctl trace <subsystem> command if the daemon is already running. The trace output will appear in the console output above as well as the journalctl output for the smtpd.service. For example:

# smtpctl trace expand && smtpctl trace lookup

...will trace both aliases/virtual/forward expansion and user/credentials lookups

Manual Submission port authentication

  • Encode username and password in base64
    $ printf '\0%s\0%s' 'username' 'password' | base64
  • Connect to submission port using openssl s_client command, using one of the following commands:
    • To connect via port 465 (implicit TLS):
      $ openssl s_client -host mx.domain.tld -port 465
    • To connect via port 587 (STARTTLS):
      $ openssl s_client -host mx.domain.tld -port 587 -starttls smtp
  • Enter EHLO myhostname followed by AUTH PLAIN. Paste in the base64 string from the first step after the 334 response.
250 HELP
EHLO test.domain.tld
250-mx.hostname.tld Hello test.domain.tld [], pleased to meet you
250-SIZE 36700160
250 HELP
235 2.0.0: Authentication succeeded
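
Helpers for the manual test above, as an added example that is not part of the original article or of OpenSMTPD; the function names are hypothetical. They build the token without line wrapping, show that the token decodes straight back to the password, and classify a saved session by its AUTH reply code.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not OpenSMTPD tooling).

# Build the AUTH PLAIN token: NUL user NUL password, base64-encoded.
# The password is read from stdin so it can be typed at the prompt rather
# than on the command line; newlines are stripped because base64(1) wraps
# long output at 76 columns, which would break the paste after "334".
auth_plain_encode() {
    IFS= read -r pw || :
    printf '\0%s\0%s' "$1" "$pw" | base64 | tr -d '\n'
    unset pw
}

# Reverse a token back to "user<newline>password". No key is involved:
# anyone holding the token (scrollback, logs, pastes) holds the password,
# so treat it like the password itself and only send it inside TLS.
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n' | sed -n '2,3p'
}

# Classify a saved session transcript (stdin) by its AUTH reply code
# (RFC 4954): 235 = accepted, 535 = credentials rejected.
auth_outcome() {
    awk '/^235 / { r = "accepted" } /^535 / { r = "rejected" }
         END { print (r ? r : "no-auth-reply") }'
}
```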

"Helo command rejected: need fully-qualified hostname"

When sending email, if you get this kind of message, set your FQDN in the file /etc/smtpd/mailname. Otherwise, the server name is derived from the local hostname returned by gethostname(3p), either directly if it is a fully qualified domain name, or by retrieving the associated canonical name through getaddrinfo(3).

System users authentication failure

If you are using the system users and the authentication with valid credentials fails, you have to configure PAM:

auth required
account required
password required
session required

See also