
OpenSMTPD relay maps & new url syntax

Gilles Chehade

When we first started working on OpenSMTPD, we planned for future features but we did not necessarily start integrating them right away as the goal was to bootstrap the project first with basic features.

Amongst these features was the ability to use mappings for outgoing MX servers. Currently, OpenSMTPD knows two ways of going out:

Using the DNS system to find MX records: accept for […] relay

Using the provided mail exchanger: accept for […] relay via "" […]

The first method is straightforward: nothing can really be tweaked about it without tweaking the DNS system itself.

The second method is much more flexible, as it allows providing a port, a transport method (plaintext? starttls? smtps?), a credentials map for authentication to remote relays, a certificate, an SMTP-level FROM override, and possibly more as time passes.

In some situations, you can end up with a rule like:

accept for all relay via "" tls port 25 certificate "foobar" auth "mycredsmap" as "

Not too complicated, but not too nice either. It becomes annoying when we start considering implementation of mappings at the relay level:

map "relaymap" source plain "/etc/mail/relaymap"

accept for all relay via map "relaymap" tls port 25 certificate "foobar" auth "mycredsmap" as "

How do you specify different ports, different SSL options, and enable or disable auth for a specific MX?

Well, you can’t, because tls, port and auth are tied to the rule and not to the MX referenced by the rule…

So I came up with a prototype for a new syntax:

accept for all relay via "[schema://]host[:port]"

Where schema can be smtp://, smtps://, tls://, ssl://, smtps+auth://, tls+auth:// or ssl+auth://.

As usual we default to the sanest behaviour so if you specify (or use the default) smtp://, like:

accept for all relay via ""

OpenSMTPD will attempt to use STARTTLS if possible before falling back to a plaintext session; whereas:

accept for all relay via "tls://"

OpenSMTPD will make it mandatory to use a STARTTLS session, refusing to deliver the message otherwise.

Since the MX options are now tied to the MX itself, it becomes possible to store them in a map:

% cat /etc/mail/mxmap.txt
ssl://
ssl://
ssl://

% cat /etc/mail/smtpd.conf
map "mxmap" source plain "/etc/mail/mxmap.txt"

accept for all relay via map "mxmap"
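
An added example, not from the original post and not OpenSMTPD's own code: a small Python check that parses relay entries in the proposed [schema://]host[:port] form and flags the ones that may fall back to plaintext. The hostnames and the function names are constructed, and treating every scheme other than smtp:// as requiring encryption is an assumption, since the post only spells out the behaviour of smtp:// and tls://.

```python
import re

# Schemes listed in the post. Per the post, smtp:// (also the default) tries
# STARTTLS and falls back to plaintext, while tls:// makes STARTTLS mandatory.
# Assumption of this example: all other listed schemes also require encryption.
SCHEMES = {"smtp", "smtps", "tls", "ssl", "smtps+auth", "tls+auth", "ssl+auth"}
RELAY_RE = re.compile(
    r"^(?:(?P<scheme>[a-z+]+)://)?(?P<host>[^\s:/]+)(?::(?P<port>\d+))?$")

# Constructed sample map, one relay per line (not taken from the post).
SAMPLE_MAP = """ssl://mx1.example.org
mx2.example.org:25
tls+auth://mx3.example.org:587
ftp://mx4.example.org
"""

def parse_relay(entry):
    """Parse one relay entry (hostname or IPv4 host; IPv6 is not handled)."""
    m = RELAY_RE.match(entry.strip())
    if not m:
        raise ValueError("malformed relay entry: %r" % entry)
    scheme = m["scheme"] or "smtp"          # a missing scheme means smtp://
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme: %r" % scheme)
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {"scheme": scheme, "host": m["host"], "port": port,
            "auth": scheme.endswith("+auth"),
            "plaintext_fallback": scheme == "smtp"}

def audit_map(text):
    """Return (line number, finding, detail) for entries worth reviewing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            relay = parse_relay(line)
        except ValueError as err:
            findings.append((lineno, "invalid", str(err)))
            continue
        if relay["plaintext_fallback"]:
            findings.append((lineno, "plaintext-fallback", relay["host"]))
    return findings

if __name__ == "__main__":
    for finding in audit_map(SAMPLE_MAP):
        print(finding)
```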

Of course, this will become more interesting once the implementation of relay maps is done and allows lookup policies (round-robin, random, ratio, …), and once you can use them from other backends like SQL or db, as this will allow changing exchangers at runtime, a feature that offers plennnnnnty of possibilities :-)

Anyways, I have it mostly working on my sandbox, it still needs a couple hours of work I think, I’ll get to it by this week-end if time permits.

Stay tuned !
