
An OpenBSD Mail Server on Digital Ocean

Tags: Digitalocean, Email, Standards, Openbsd, Sysadmin, Planet FSFE
This blog post is more than two years old. It is preserved here in the hope that it is useful to someone, but please be aware that links may be broken and that opinions expressed here may not reflect my current views. If this is a technical article, it may no longer reflect current best practice.
I never finished this blog post, but I'm hitting publish anyway, maybe something in here is useful. If you were looking for a complete guide then this isn't going to be what you wanted.

I am one person, but I have many roles. I’m starting to find that I’m getting too much information from too many directions. I’m also finding that I don’t have access to certain information when I need it due to operational security issues. The biggest problem that I’m having with email right now is that 99.9% of my email is going into a single inbox.

This presents a number of problems:

  • Crack the email, crack it all. Access to a single inbox allows password resets on many of my accounts. There’s no separation between notifications/alerts and password reset access either.
  • There’s a lot of history. Could you describe every email in your inbox and folders? Is there anything dangerous in there? People are not very good at information hygiene when it comes to email, unfortunately. When I’m travelling, or out and about, I don’t need to have the full history of every email I’ve ever received with me. That’s not the sort of thing I want falling into the wrong hands (stolen by thieves, seized by border staff, etc.).
  • There’s just too much going on. Maybe I used to be better at this, or maybe there really is more going on now, but context switches are painful. If I have a whole stack in my head while I’m working on some code, and then I get notifications going off about something unrelated, then some of that stack gets smashed and I have to rebuild it. I can’t just close my email client because I’m referring to relevant messages from a mailing list or team member.

There are other problems too but these are the main ones. Until now I’ve relied on my FastMail family plan for my day-to-day email, but I only get one inbox. The pricing is per-inbox, not per-user. The pricing model is set up to force me into centralising my entire history, password reset capabilities and notifications through a single login.

In fact it’s got even worse than that. When I signed up for FastMail, the family plan gave you a “master user” account with a separate password that you used for “admin” powers relating to the plan, including modifying DNS records and billing information. In the current plans that account is gone and the “admin” powers are overloaded onto your inbox account.

I’ve tried shopping around for the commercial provider that offers the service that I want, but just like with my DNS provider, it doesn’t exist. So I’ll do it myself.

This is not my perfect mail server setup, this is a work-in-progress. I’m mostly documenting this so I can remember what I did.

This guide will use OpenBSD 6.5. If later versions of OpenBSD have been released since this was written you should refer to the changelogs and errata to see what may have changed.

To get started, you’re going to need to login to Digital Ocean and create a $5/mo droplet with “FreeBSD 11.2 x64 ufs”. FreeBSD VMs require an SSH key for login so make sure you’ve got that ready.

Get logged into the instance via SSH. Also load up the “console” by going to Access → Launch Console in the droplet page. To install OpenBSD we’re going to write a filesystem with the ramdisk installer over the virtual disk and then boot from it. We use the miniroot image because by the time we get to installing the sets, the disk will have a new disklabel anyway.

First we will write down the IPv4 and IPv6 addresses that have been assigned by Digital Ocean to the instance. Make sure to get the addresses, the netmasks/prefix lengths, and the default routes. Also get the local DNS resolvers in case you want to use them as forwarders.

# get the ipv4 and ipv6 addresses and netmasks/prefix lengths
ifconfig
# get the default routes (the "default" entries in the IPv4 and IPv6 tables)
netstat -rn
# get the local resolvers
cat /etc/resolv.conf

With this information written down safely:

# download the openbsd 6.5 miniroot filesystem
fetch https://cdn.openbsd.org/pub/OpenBSD/6.5/amd64/miniroot65.fs
# the computer is upset when you write over its memory with openbsd
# installers, so turn off the swap partition first
swapoff /dev/gpt/swapfs
# the computer gets upset when you try to write over the partition table of
# the running system; this lets us write to the raw disk anyway
sysctl kern.geom.debugflags=0x10
# write the miniroot filesystem to the virtual disk (this destroys the
# FreeBSD install; the file name must match what was fetched above)
dd if=miniroot65.fs of=/dev/vtbd0 bs=512k
# reboot into the openbsd installer
shutdown -r now

Now look to the console, which may have turned to a blank screen. Refresh the browser window if it has, and you’ll see that it’s booting into the installer. The OpenBSD installer runs from memory so it won’t be upset when we write over the disk it was loaded from later.

The installer will ask you to answer some questions. They are all fairly self-explanatory. Note that your network interface will appear as vio0, and your virtual disk will appear as sd0. Use the network addresses you wrote down earlier.

I used a temporary root password during the installation and then loaded in an SSH key after the first boot before disabling SSH root password login.
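The dd step above writes whatever was downloaded straight over the disk, so it is worth checking the image against the release's SHA256 list before doing so. This is an added example, not part of the original post: it assumes the SHA256 file from the same release directory was fetched next to miniroot65.fs, and that the host has either sha256(1) (FreeBSD/OpenBSD) or sha256sum (Linux).

```shell
#!/bin/sh
# Added example (not the post's own commands): verify the OpenBSD miniroot
# image against the project's SHA256 list before writing it over the disk.
# Assumes the SHA256 file was fetched alongside the image. OpenBSD's list
# format is one line per file: "SHA256 (filename) = hexdigest".

# Compute a file's SHA-256 hex digest with whichever tool the host has
# (sha256 -q on FreeBSD/OpenBSD, sha256sum on Linux).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the expected digest for a named file from an OpenBSD SHA256 list.
# $1 = path to the SHA256 list, $2 = bare image file name
expected_sha256() {
    awk -v name="($2)" '$1 == "SHA256" && $2 == name { print $4; exit }' "$1"
}

# Return 0 if the image matches its listed digest, 1 otherwise.
# $1 = path to the SHA256 list, $2 = path to the image
verify_image() {
    want=$(expected_sha256 "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "no entry for $2 in $1" >&2; return 1; }
    have=$(sha256_of "$2")
    [ "$have" = "$want" ]
}

# Usage on the droplet, mirroring the post's fetch step:
#   fetch https://cdn.openbsd.org/pub/OpenBSD/6.5/amd64/miniroot65.fs
#   fetch https://cdn.openbsd.org/pub/OpenBSD/6.5/amd64/SHA256
#   verify_image SHA256 miniroot65.fs && dd if=miniroot65.fs of=/dev/vtbd0 bs=512k
```

A matching checksum only shows the download was not corrupted; on a host that has signify(1) and the release key, `signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig miniroot65.fs` additionally checks the project's signature over the list.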

selector1._domainkey IN TXT "k=rsa; t=s; p=MHwwDQYJK ... OprwIDAQAB"