{"id":717,"date":"2015-08-05T00:10:31","date_gmt":"2015-08-04T22:10:31","guid":{"rendered":"http:\/\/www.hauweele.net\/~gawen\/blog\/?p=717"},"modified":"2015-11-02T15:22:41","modified_gmt":"2015-11-02T14:22:41","slug":"switch-mta-on-freebsd","status":"publish","type":"post","link":"https:\/\/hauweele.net\/~gawen\/blog\/?p=717","title":{"rendered":"Switch MTA on FreeBSD"},"content":{"rendered":"<p>As you probably know, FreeBSD comes with <a href=\"http:\/\/sendmail.org\">Sendmail<\/a> installed as the default MTA. However, this may be a bit overkill on a desktop installation where the most you might want is to relay mail to an external address. Luckily, it is quite easy to change the default MTA, as described in the handbook; see <a href=\"https:\/\/www.freebsd.org\/doc\/handbook\/mail-changingmta.html\">28.4. Changing the Mail Transfer Agent<\/a>.<\/p>\n<p>On my desktop I prefer to install <a href=\"http:\/\/untroubled.org\/nullmailer\">nullmailer<\/a>. This is a simple MTA replacement for hosts which only relay mail through a smart relay. GnuTLS (SSL) is not enabled by default in the nullmailer package on FreeBSD, so if you want SSL you have to compile the port. This is my case. Let&#8217;s install it:<\/p>\n<pre>cd \/usr\/ports\/mail\/nullmailer\r\nmake install clean\r\n(...)\r\npkg lock nullmailer\r\n<\/pre>\n<p>The configuration happens in <code>\/usr\/local\/etc\/nullmailer<\/code>. This directory contains multiple files, and each one of them focuses on a specific aspect of the configuration.<\/p>\n<p>First we specify the remote SMTP server through which our mail shall be relayed. This is done in the <code>remotes<\/code> file, which contains a list of remote servers, the module used to send the message and the command-line arguments for that module. Modules are located in <code>\/usr\/local\/libexec\/nullmailer<\/code>. 
The man page states that you can list the available options using <code>--help<\/code> on each protocol module.<\/p>\n<p>In most cases you want to use the <i>smtp<\/i> module, which takes the following arguments (with SSL enabled):<\/p>\n<ul>\n<li><strong>port:<\/strong> SMTP port (25, 465, 587, &#8230;)<\/li>\n<li><strong>user:<\/strong>\u00a0SMTP user<\/li>\n<li><strong>pass:\u00a0<\/strong>SMTP password<\/li>\n<li><strong>auth-login: <\/strong>Use the LOGIN authentication method (defaults to PLAIN)<\/li>\n<li><strong>ssl:\u00a0<\/strong>Use SSL\/TLS encryption<\/li>\n<li><strong>starttls:\u00a0<\/strong>Use the STARTTLS command to initiate an encrypted connection<\/li>\n<li><strong>insecure:\u00a0<\/strong>Accept invalid certificates (which I do not recommend)<\/li>\n<li><strong>x509certfile:\u00a0<\/strong>Client certificate file<\/li>\n<li><strong>x509cafile:\u00a0<\/strong>Certificate Authority trust file (defaults to <code>\/etc\/ssl\/cert.pem<\/code> on FreeBSD)<\/li>\n<li><strong>x509crlfile:\u00a0<\/strong>Certificate revocation list<\/li>\n<li><strong>x509fmtder:\u00a0<\/strong>Switch from PEM to DER format for the certificates<\/li>\n<\/ul>\n<p>Here is an example that would relay through <code>relay.example.com:465<\/code> using SSL and LOGIN authentication:<\/p>\n<pre>relay.example.com smtp --port=465 --ssl --auth-login --user=some-user --pass=some-password\r\n<\/pre>\n<p>Since this file contains your SMTP password in cleartext, I advise you to:<\/p>\n<pre>chown nullmail:nullmail remotes\r\nchmod 600 remotes\r\n<\/pre>\n<p>Next we edit the name that will be used to construct email addresses on this host. You configure this in the <code>me<\/code> file. Normally this should be the fully-qualified host name of the computer running nullmailer. This is really useful to distinguish, say, <code>root<\/code> at <code>machine-a<\/code> from <code>root<\/code> at <code>machine-b<\/code>. 
However, some mail providers refuse to relay mail from a domain name other than their own, so it might be useful to change this in those cases (I am my own mail provider, so personally I don&#8217;t care and do what I want). You also need to configure <code>defaultdomain<\/code> to your domain name. That is your FQHN minus the hostname. If a mail is sent to an address that is not localhost and does not contain a domain name (no <i>period<\/i> in the hostname), this domain name will be appended to it.<\/p>\n<p>After that we configure the address to which all local mail is forwarded. You configure this address in the <code>adminaddr<\/code> file. We also configure the <code>pausetime<\/code> file. This is the interval of time between two queue runs, with a default value of 60 seconds. I prefer to set this to a higher value, like 15 minutes.<\/p>\n<p>For more information about the configuration of nullmailer, see <a href=\"http:\/\/raspberry.znix.com\/2013\/03\/nullmailer-on-raspberry-pi.html\">this article<\/a>. Although it is written for Raspbian on an RPi, the configuration remains mostly the same.<\/p>\n<p>Now we need to replace the MTA on FreeBSD. First we configure the <i>mailwrapper<\/i> (see <code>man mailwrapper<\/code>) in <code>\/etc\/mail\/mailer.conf<\/code>. Replace each line with its nullmailer equivalent, that is:<\/p>\n<pre>sendmail  \/usr\/local\/libexec\/nullmailer\/sendmail\r\nsend-mail \/usr\/local\/libexec\/nullmailer\/sendmail\r\nmailq     \/usr\/local\/libexec\/nullmailer\/mailq\r\n<\/pre>\n<p>Time to test. Disable sendmail, enable nullmailer and send a mail. Oh, and by the way, keep <code>tail -f \/var\/log\/maillog<\/code> running in any case:<\/p>\n<pre>service sendmail stop\r\nservice nullmailer onestart\r\necho Hello from FreeBSD\\! 
| mailx -s \"test\" root\r\n<\/pre>\n<p>If it works, you can now disable <code>sendmail<\/code> and enable <code>nullmailer<\/code> in <code>\/etc\/rc.conf<\/code>:<\/p>\n<pre>\r\nsendmail_enable=\"NONE\"\r\nnullmailer_enable=\"YES\"\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>As you probably know FreeBSD comes with Sendmail installed as the default MTA. However this may be a bit overkill on a desktop installation where the most you might want is to relay mails to an external address. Luckily it &hellip; <a href=\"https:\/\/hauweele.net\/~gawen\/blog\/?p=717\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[590,389,588,589,585,587,586,561,400,560],"class_list":["post-717","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-external","tag-freebsd","tag-gnutls","tag-mail","tag-mta","tag-nullmailer","tag-sendmail","tag-ssl","tag-switch","tag-tls"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts\/717","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=717"}],"version-history":[{"count":0,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=\/wp\/v2\/posts\/717\/revisions"}],"wp:attachment":[{"href":"https:\
/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=717"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=717"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hauweele.net\/~gawen\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=717"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}