OpenSMTPD released and upcoming filters preview

TL;DR: Filters have been a (the most ?) long-awaited feature in OpenSMTPD. I finally committed most of the filters code to OpenBSD. There is still a bit of work required but the trickiest parts are done. This article describes how filters are implemented and what to expect. OpenSMTPD 6.4.0 was released ! We released OpenSMTPD 6.4.0 last week without filters. I won’t expand on the features in the 6. [Read More]

switching to OpenSMTPD new config

TL;DR: Switching to new config is not too hard and can be done in minutes. The new config is also a new queue that is not backwards compatible. The easiest way is to flush the mail queue before switching. We came up with a solution to help maintainers of more complex setups. Switching from old config to new config The new OpenSMTPD configuration grammar is slightly different from the current one, rules are no longer stated as single lines, but the conversion from previous ruleset to new ruleset isn’t that hard. [Read More]

OpenSMTPD new config

TL;DR: OpenBSD #p2k18 hackathon took place at Epitech in Nantes. I was organizing the hackathon but managed to make progress on OpenSMTPD. As mentioned at EuroBSDCon the one-line per rule config format was a design error. A new configuration grammar is almost ready and the underlying structures are simplified. Refactor removes ~750 lines of code and solves _many_ issues that were side-effects of the design error. New features are going to be unlocked thanks to this. [Read More]

Install OpenBSD on dedibox with full-disk encryption

TL;DR: I run several "dedibox" servers at, all powered by OpenBSD. OpenBSD is not officially supported so you have to work-around. Running full-disk encrypted OpenBSD there is a piece of cake. As a bonus, my first steps within a brand new booted machine ;-) Step #0: choosing your server OpenBSD is not officially supported, I can’t guarantee that this will work for you on any kind of server online. [Read More]


TL;DR: deraadt@ thought it would be nice to have a spf fetch utility in base. Aaron Poffenberger wrote a shell-based `spf_fetch` utility. I wrote a C-based `spfwalk` utility that's `pledge()`-ed. The `spfwalk` utility got merged to `smtpctl`. What’s SPF in a few words SPF is the Sender Policy Framework, a standard to verify the domain name of an e-mail sender. Long story short, the SMTP protocol does not come with a way to authenticate a domain and, during an SMTP session, nothing really prevents a sender from pretending to come from any domain: [Read More]

News from the front !

TL;DR: Came very close to a burn out late 2016, had to quit former employer. Started working at another company early 2017. Became a student again, currently halfway through second year in psychology. Haven't done much opensource since early 2017, slowly resuming. Happy new year ! I wish you a very happy new year 2018 and hope that you succeed in whatever you attempt. It feels odd to write again to this blog considering the last blog post dates from September 2016, over a year ago. [Read More]

OpenSMTPD 6.0.0 is released !

TL;DR: We just released OpenSMTPD 6.0.0 and it's quite different from former releases. Turns out most of the changes are not visible. A featureless release I managed to wrap the 6.0.0 release yesterday. Unlike most of our releases, it comes out with almost no new feature. The changelog fits in less than 10 lines as follows:

- new fork+reexec model so each process has its own randomized memory space
- logging format has been reworked
- a "multi-line response" bug in the LMTP delivery backend has been fixed
- connections concurrency limits have been bumped
- artificial delaying in remote sessions has been reduced
- dhparams option has been removed
- dhe option has been added, supporting auto and legacy modes
- smtp engine has been simplified
- various cosmetic changes, code cleanup and documentation improvement

Seems like a very productive slacking, however some of these changes turn out to be very interesting in terms of code simplification and security. [Read More]

Home, sweet home

TL;DR: OpenSMTPD on github no longer diverges from OpenBSD. Since last episode Sometime this year, we released OpenSMTPD 5.7.1 which was the first version that shipped with the long-awaited experimental filters support. The result of over a year and a half of very very deep refactor in our IO layer and the addition of a very elegant but also very tricky new API. This refactor took place outside the OpenBSD tree because it required breaking a lot of code for extended period of times, which spanned over 3 OpenBSD releases. [Read More]

The state of filters

TL;DR: yeeeees, filters are coming. don't believe us ? here's an example. be patient. On my death bed On my death bed, when my life flashes before my eyes and I start recalling what people have told me during my (hopefully long) lifetime, these sentences will single out: “When will OpenSMTPD support filters ? I need it.” Not that it carries a philosophical meaning that will have taken me a lifetime of thinking, but because for the last three years I have been hearing this every time I met someone IRL and discussed OpenSMTPD, I have read it on our Github issues tracker, on GTalk, on IRC, on Twitter, on Facebook, on random forums, and just this week three times in my mailbox. [Read More]

Some OpenSMTPD overview, part 3

EHLO, This is the third post of a series about OpenSMTPD improvements that have taken place since this summer. Content altering For a long time, we have developed OpenSMTPD with a strict rule that the daemon should not alter DATA (as in the DATA SMTP phase) in any way. The rationale was that by enforcing that rule, the message writing was simplified as the smtp process would simply read data from a client and write it, without any post-processing, to a file descriptor. [Read More]