more on OpenSMTPD filters

TL;DR: Not this time, pal/gal, I took hours writing this post, you'll take a few minutes reading it all. Oh, and merry X-mas :-* A bit of short-sighted history The filtering feature has been introduced only recently in OpenSMTPD, first presented on this blog a month ago. I had a working proof-of-concept running on my laptop and my plan was to start bringing the code to the OpenBSD tree, small chunks by small chunks, through a series of diffs. [Read More]

OpenSMTPD proc filters & fc-rDNS

TL;DR: I *FINALFUCKINGLY* committed proc filters support allowing full filtering in OpenSMTPD. eric@ implemented fc-rDNS lookups. fc-rDNS fc-rDNS, or forward-confirmed reverse DNS, consists of performing a reverse DNS lookup to determine the hostname associated with an IP address… then performing a DNS lookup on that hostname to check if it resolves back to the IP address. On my request, eric@ implemented fc-rDNS lookups in our SMTP engine, causing OpenSMTPD to perform the double lookup upon client connections. [Read More]

OpenSMTPD reporting update

TL;DR: The reporting mechanism has been described briefly in my previous article about both reporting and filters. Let's focus a bit more on the reporting bits this time. The format is improving further and has extended to outgoing traffic reporting. Reporting In the previous article, I described the events reporting mechanism that has been introduced in the development branch of OpenSMTPD. To sum it up, you could now write an event processor as simple as a shell script reading its stdin on a loop: [Read More]

OpenSMTPD released and upcoming filters preview

TL;DR: Filters have been a (the most ?) long awaited feature in OpenSMTPD. I finally committed most of the filters code to OpenBSD. There is still a bit of work required but the trickiest parts are done. This article describes how filters are implemented and what to expect. OpenSMTPD 6.4.0 was released ! We have released OpenSMTPD 6.4.0 last week without filters. I won’t expand on the features in the 6. [Read More]

switching to OpenSMTPD new config

TL;DR: Switching to new config is not too hard and can be done in minutes. The new config is also a new queue that is not backwards compatible. The easiest way is to flush the mail queue before switching. We came up with a solution to help maintainers of more complex setups. Switching from old config to new config The new OpenSMTPD configuration grammar is slightly different from the current one, rules are no longer stated as single lines, but the conversion from previous ruleset to new ruleset isn’t that hard. [Read More]

OpenSMTPD new config

TL;DR: OpenBSD #p2k18 hackathon took place at Epitech in Nantes. I was organizing the hackathon but managed to make progress on OpenSMTPD. As mentioned at EuroBSDCon the one-line per rule config format was a design error. A new configuration grammar is almost ready and the underlying structures are simplified. Refactor removes ~750 lines of code and solves _many_ issues that were side-effects of the design error. New features are going to be unlocked thanks to this. [Read More]

Install OpenBSD on dedibox with full-disk encryption

TL;DR: I run several "dedibox" servers at online.net, all powered by OpenBSD. OpenBSD is not officially supported so you have to work around. Running full-disk encrypted OpenBSD there is a piece of cake. As a bonus, my first steps within a brand new booted machine ;-) Step #0: choosing your server OpenBSD is not officially supported, I can’t guarantee that this will work for you on any kind of server online. [Read More]

spfwalk

TL;DR: deraadt@ thought it would be nice to have a spf fetch utility in base. Aaron Poffenberger wrote a shell-based `spf_fetch` utility. I wrote a C-based `spfwalk` utility that's `pledge()`-ed. The `spfwalk` utility got merged to `smtpctl`. What’s SPF in a few words SPF is the Sender Policy Framework, a standard to verify the domain name of an e-mail sender. Long story short, the SMTP protocol does not come with a way to authenticate a domain and, during an SMTP session, nothing really prevents a sender from pretending to come from any domain: [Read More]

News from the front !

TL;DR: Came very close to a burn out late 2016, had to quit former employer. Started working at another company early 2017. Became a student again, currently halfway through second year in psychology. Haven't done much opensource since early 2017, slowly resuming. Happy new year ! I wish you a very happy new year 2018 and hope that you succeed in whatever you attempt. It feels odd to write again to this blog considering the last blog post dates from September 2016, over a year ago. [Read More]

OpenSMTPD 6.0.0 is released !

TL;DR: We just released OpenSMTPD 6.0.0 and it's quite different from former releases. Turns out most of the changes are not visible. A featureless release I managed to wrap the 6.0.0 release yesterday. Unlike most of our releases, it comes out with almost no new feature. The changelog fits in less than 10 lines as follows:

- new fork+reexec model so each process has its own randomized memory space
- logging format has been reworked
- a "multi-line response" bug in the LMTP delivery backend has been fixed
- connections concurrency limits have been bumped
- artificial delaying in remote sessions has been reduced
- dhparams option has been removed
- dhe option has been added, supporting auto and legacy modes
- smtp engine has been simplified
- various cosmetic changes, code cleanup and documentation improvement

Seems like a very productive slacking, however some of these changes turn out to be very interesting in terms of code simplification and security. [Read More]