Troubleshooting OpenSMTPD

Ruleset Evaluation

To see how smtpd(8) evaluates the ruleset in smtpd.conf(5), run it in the foreground with rule tracing enabled (smtpd -n only checks the syntax and does not show the evaluation):

# smtpd -d -T rules

File Permissions

The DKIM signing filter runs as its own unprivileged user, so the private key must be readable by that user (and by nobody else). OpenBSD's daily security(8) run also checks the ownership and permissions of files listed in /etc/mtree/special. An error like the following means the filter could not read its key:

Jul 17 14:46:18 example smtpd[20780]: info: OpenSMTPD 7.7.0 starting
Jul 17 14:46:18 example smtpd[17229]: dkimsign: Can't open key file (/etc/mail/dkim/private.key): Permission denied
Jul 17 14:46:18 example smtpd[42894]: warn: lost processor: dkimsign exited abnormally
Jul 17 14:46:18 example smtpd[42894]: Exiting

This is a file permission problem on the DKIM key, not a bug in smtpd: the filter dies, smtpd notices the lost processor and exits. Re-read the DKIM guide and set the ownership and mode of the key file as it describes.

Outbound Mail Filtering

Outbound connections may fail because something between the server and the Internet filters outgoing port 25. Suppose OpenSMTPD tries to deliver a message to Yahoo; the log then shows connection timeouts such as:

smtpd[]: smtp-out: Enabling route [] <-> 67.195.204.77 (mtaproxy1.free.mail.vip.bf1.yahoo.com)
smtpd[]: smtp-out: Enabling route [] <-> 67.195.228.106 (mtaproxy2.free.mail.vip.gq1.yahoo.com)
smtpd[]: mta error reason=Connection timeout
smtpd[]: smtp-out: Disabling route [] <-> 104.47.55.33 (104.47.55.33) for 15s

To test whether port 25 is filtered, look up the destination's MX records and open a TCP connection to port 25 of one of them with nc(1):

$ dig -t mx yahoo.com
;; ANSWER SECTION:
yahoo.com.              395     IN      MX      1 mta6.am0.yahoodns.net.
yahoo.com.              395     IN      MX      1 mta5.am0.yahoodns.net.
yahoo.com.              395     IN      MX      1 mta7.am0.yahoodns.net.
$ nc mta5.am0.yahoodns.net 25

If port 25 is not filtered, the remote MX answers with a 220 greeting:

$ nc mta5.am0.yahoodns.net 25
220 mtaproxy511.free.mail.ne1.yahoo.com ESMTP ready

If no 220 line appears and the connection simply hangs, outgoing traffic to port 25 is being dropped. The usual cause is a firewall at the VPS provider that blocks port 25 to curb spam; some providers lift it on request for a legitimate mail server. It can also be the remote site blocking your address, but a reputation block more often shows up as a connection reset or a 4xx/5xx reply in the log than as a silent timeout. Repeating the test from another network, or against a second MX, tells the two apart.

A middlebox may also let the plaintext session through but interfere with STARTTLS. Test the TLS negotiation with openssl(1):

$ openssl s_client -starttls smtp -connect mta5.am0.yahoodns.net:25
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = California, L = Sunnyvale, O = Oath Inc, CN = *.am0.yahoodns.net
...
250 STARTTLS

If nothing interferes, s_client negotiates TLS after STARTTLS and prints the server's certificate chain and session details. If the output stops after CONNECTED(00000003), or the server's EHLO reply never advertises STARTTLS, something in the path is dropping or rewriting the TLS negotiation on port 25. A certificate verification error is a different problem (an untrusted or mismatched certificate) and does not mean TLS is being filtered.
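The nc and openssl tests above can be combined into one probe that reports which step of the exchange failed. This is an added example, not code from the original page or from OpenSMTPD; it uses only the Python standard library, and the fake MX at the bottom is a constructed loopback stand-in (advertising whatever EHLO keywords you give it and refusing STARTTLS) so the script runs offline. The host name in the comment is the MX from the dig output above.

```python
"""Probe an MX on port 25 and classify the outcome, covering both the nc(1)
reachability test and the openssl(1) STARTTLS test.  Added example, not code
from the original page or from OpenSMTPD; the fake MX is a constructed
stand-in so the script runs offline."""
import socket
import ssl
import threading

TIMEOUT = 10  # seconds; an unfiltered MX greets well within this


def read_reply(f):
    """Read one SMTP reply ('250-' continuation lines included); return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            if not line[:3].isdigit():
                raise ConnectionError("malformed reply: %r" % line)
            return int(line[:3]), lines


def probe_mx(host, port=25, timeout=TIMEOUT, helo="probe.example.com"):
    """Return 'blocked', 'refused', 'unreachable', 'no-banner', 'no-starttls',
    'tls-failed' or 'ok', naming the first step of the exchange that failed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "blocked"          # silent drop: egress filter or peer blocklist
    except ConnectionRefusedError:
        return "refused"          # reachable, but actively rejected
    except OSError:
        return "unreachable"      # no route, etc.
    stage = "no-banner"
    with sock:
        sock.settimeout(timeout)
        f = sock.makefile("rb")
        try:
            code, _ = read_reply(f)
            if code != 220:
                return stage
            stage = "no-starttls"
            sock.sendall(b"EHLO " + helo.encode() + b"\r\n")
            code, lines = read_reply(f)
            # Continuation lines look like '250-KEYWORD ...'; line 0 names the server.
            caps = {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].split()}
            if code != 250 or "STARTTLS" not in caps:
                return stage
            stage = "tls-failed"
            sock.sendall(b"STARTTLS\r\n")
            code, _ = read_reply(f)
            if code != 220:
                return stage
            # Verification is off on purpose: the question is whether the handshake
            # gets through at all, not whether the certificate is trusted.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(b"QUIT\r\n")
            return "ok"
        except OSError:  # timeout, connection errors and ssl.SSLError all derive from it
            return stage


def start_fake_mx(ehlo_caps, starttls_reply="454 4.7.0 TLS not available"):
    """Constructed loopback stand-in for a remote MX; serves exactly one connection,
    advertises `ehlo_caps` on EHLO and answers STARTTLS with `starttls_reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            f = conn.makefile("rb")
            conn.sendall(b"220 fake.example.com ESMTP ready\r\n")
            while True:
                words = f.readline().split()
                if not words:
                    break
                cmd = words[0].upper()
                if cmd == b"EHLO":
                    body = ["fake.example.com Hello"] + list(ehlo_caps)
                    reply = "".join("250-%s\r\n" % x for x in body[:-1]) + "250 %s\r\n" % body[-1]
                    conn.sendall(reply.encode())
                elif cmd == b"STARTTLS":
                    conn.sendall(starttls_reply.encode() + b"\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 5.5.2 Command not implemented\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration; for a real check pass an MX name from dig(1),
    # e.g. probe_mx("mta5.am0.yahoodns.net").
    print("MX without STARTTLS: ", probe_mx("127.0.0.1", start_fake_mx(["PIPELINING", "8BITMIME"])))
    print("MX refusing STARTTLS:", probe_mx("127.0.0.1", start_fake_mx(["STARTTLS"])))
```

"blocked" is the silent timeout the nc test shows, "refused" means the host answered with a reset, and "no-starttls" and "tls-failed" are the two ways the openssl test fails after CONNECTED: either the EHLO reply has been stripped of STARTTLS, or the handshake itself does not complete. Certificate verification is disabled deliberately; a mismatched or self-signed certificate is a separate finding from a filtered port.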

Open Mail Relay

If outgoing mail is being rejected or marked as spam, check /var/log/maillog. The delivery lines record the remote server's reply, which usually says why:

Jan  8 11:00:29 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fa from=<spammer@example.com> to=<victim@example.com> rcpt=<-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h2s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"

Rate limiting based on IP reputation often means the server has been sending spam, typically because it relays mail for anyone. Check the open mail relay guide to make sure smtpd only accepts mail for local domains or from authenticated users, and look at smtpctl show queue for mail you did not send.

A poor IP reputation can also stem from DNS: a missing or mismatched reverse (PTR) record for the sending address, or absent SPF, DKIM and DMARC records for the sending domain.
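The delivery lines are regular enough to parse, which makes it easy to pull every policy or reputation refusal out of a busy log instead of reading it by eye. The following is an added example, not code from the page or from OpenSMTPD: SAMPLE_LOG is constructed (its second line is the page's own log line; the others use RFC 5737 addresses), and the selection rule relies on RFC 3463 reserving subject class 7 (X.7.Y) for security and policy status.

```python
"""Pull the remote server's verdicts out of OpenSMTPD 'mta delivery' log lines
and flag policy/reputation refusals.  Added example, not from the original page
or from OpenSMTPD; SAMPLE_LOG is constructed (its second line is the page's own
example, the rest use RFC 5737 addresses)."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Jan  8 10:58:02 smtpd[39035]: 0a1b2c3d4e5f6071 mta delivery evpid=0011223344556677 from=<alice@example.com> to=<bob@example.net> rcpt=<-> source="192.0.2.10" relay="198.51.100.25 (mx.example.net)" delay=1s result="Ok" stat="250 2.0.0 OK"
Jan  8 11:00:29 smtpd[39035]: 83bd6b3b1669649f mta delivery evpid=a8d16cd2144222fa from=<spammer@example.com> to=<victim@example.com> rcpt=<-> source="192.168.0.1" relay="10.0.0.1 (10.0.0.1)" delay=16h2s result="TempFail" stat="451 4.7.650 The mail server [192.168.0.1] has been temporarily rate limited due to IP reputation. For e-mail delivery information, see https://postmaster.example.com (S843)"
Jan  8 11:03:11 smtpd[39035]: 9f8e7d6c5b4a3921 mta delivery evpid=ffeeddccbbaa9988 from=<alice@example.com> to=<carol@example.org> rcpt=<-> source="192.0.2.10" relay="203.0.113.7 (mx1.example.org)" delay=2s result="PermFail" stat="550 5.7.1 Service unavailable; client [192.0.2.10] blocked by local policy"
Jan  8 11:04:40 smtpd[39035]: 1122334455667788 smtp connected address=192.0.2.77 host=client.example.com
"""

# Timestamp, optional hostname, smtpd[pid]:, session id, then the key=value fields.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?smtpd\[\d*\]: "
    r"(?P<session>[0-9a-f]+) mta delivery (?P<rest>.*)$")
# Values are <addr>, "quoted text" or a bare token (evpid=..., delay=...).
KV_RE = re.compile(r'(\w+)=(<[^>]*>|"[^"]*"|\S+)')
ENHANCED_RE = re.compile(r"^\d\.\d{1,3}\.\d{1,3}$")  # RFC 3463 status, e.g. 4.7.650


def parse_delivery(line):
    """Fields of an 'mta delivery' line as a dict, or None for any other line."""
    m = DELIVERY_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "session": m.group("session")}
    for key, val in KV_RE.findall(m.group("rest")):
        fields[key] = val.strip('<>"')
    stat = fields.get("stat", "").split()
    fields["reply_code"] = stat[0] if stat else ""
    fields["enhanced"] = stat[1] if len(stat) > 1 and ENHANCED_RE.match(stat[1]) else ""
    return fields


def policy_rejections(log):
    """Deliveries the remote side deferred or refused on security/policy grounds.

    RFC 3463 reserves subject class 7 (X.7.Y) for security and policy status, which
    is where reputation blocks, relay refusals and authentication failures land."""
    hits = []
    for line in log.splitlines():
        f = parse_delivery(line)
        if f and f.get("result") != "Ok" and f["enhanced"].split(".")[1:2] == ["7"]:
            hits.append(f)
    return hits


def results_by_relay(log):
    """Per-relay counts of result codes, to spot one destination deferring everything."""
    counts = defaultdict(Counter)
    for line in log.splitlines():
        f = parse_delivery(line)
        if f:
            counts[f.get("relay", "?")][f.get("result", "?")] += 1
    return counts


if __name__ == "__main__":
    # On a live system: results_by_relay(open("/var/log/maillog").read())
    for relay, c in results_by_relay(SAMPLE_LOG).items():
        print("%-40s %s" % (relay, dict(c)))
    for f in policy_rejections(SAMPLE_LOG):
        print("%s %s -> %s %s: %s" % (f["ts"], f["source"], f["relay"], f["enhanced"], f["stat"][:60]))
```

A TempFail with a 4.7.x code that keeps recurring for one relay is the rate-limiting case from the log line above; a PermFail with 5.7.x usually means a blocklist or relay-policy refusal and needs the open-relay and DNS checks rather than a retry.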

Too Many Sockets

A warning message may appear in /var/log/maillog indicating too many open files:

Dec  6 03:44:17 smtpd[]: info: OpenSMTPD 6.7.0 starting
Dec  6 03:44:17 smtpd[]: pony express: smtpd: socket: Too many open files
Dec  6 03:44:17 smtpd[]: warn: lost child: pony express exited abnormally

This happens on a multihomed system with many addresses: listen on egress expands to one listening socket per address on every interface in the egress group, for each listen line, and the process runs into the openfiles limit of its login class in login.conf(5). On a host with hundreds of addresses, a configuration like the following is enough:

listen on egress port 25 tls pki example.com $optional
listen on egress port 587 tls-require pki example.com $required

These two lines make smtpd bind every address on every egress interface, once for each line. A multihomed system can easily carry hundreds or thousands of IPv6 addresses. The fix is to name the exact addresses in smtpd.conf(5), one listen line per address and port, instead of the interface group; raising the openfiles limit only postpones the problem.
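To check how many sockets a given smtpd.conf(5) would open before loading it, the following added example (not from the page or from OpenSMTPD) parses ifconfig(8) output and expands each listen line the way the text describes. IFCONFIG_SAMPLE, SMTPD_CONF and FIXED_CONF are constructed; it counts every inet and inet6 address the kernel reports, including link-local ones, so treat the figure as an upper bound.

```python
"""Estimate how many listening sockets a smtpd.conf(5) will open, from
ifconfig(8) output.  Added example, not from the page or from OpenSMTPD; the
ifconfig output and both configurations below are constructed."""
import re

IFCONFIG_SAMPLE = """\
vio0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:53:01
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::200:5eff:fe00:5301%vio0 prefixlen 64 scopeid 0x1
        inet6 2001:db8::10 prefixlen 64
        inet6 2001:db8::11 prefixlen 64
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 4 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
"""

# The configuration from the text, and the explicit-address form it recommends.
SMTPD_CONF = """\
listen on egress port 25 tls pki example.com
listen on egress port 587 tls-require pki example.com auth
listen on lo0
"""
FIXED_CONF = """\
listen on 192.0.2.10 port 25 tls pki example.com
listen on 2001:db8::10 port 25 tls pki example.com
listen on 192.0.2.10 port 587 tls-require pki example.com auth
listen on lo0
"""


def parse_ifconfig(text):
    """Map interface name -> {'groups': set, 'addrs': [..]} from ifconfig(8) output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\w+): flags=", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"groups": set(), "addrs": []})
            continue
        words = line.split()
        if cur is None or not words:
            continue
        if words[0] == "groups:":
            cur["groups"].update(words[1:])
        elif words[0] in ("inet", "inet6"):
            # Every address is counted, link-local ones included (assumed upper bound).
            cur["addrs"].append(words[1].split("%")[0])
    return ifaces


def addresses_for(target, ifaces):
    """Addresses a 'listen on <target>' line expands to: target may be an
    interface name, an interface group, or a literal address."""
    if target in ifaces:
        return list(ifaces[target]["addrs"])
    group = [a for i in ifaces.values() if target in i["groups"] for a in i["addrs"]]
    return group if group else [target]


def count_listeners(conf, ifaces):
    """Number of sockets the listen lines in conf would bind: one per address per line."""
    total = 0
    for line in conf.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0] == "listen" and words[1] == "on":
            total += len(addresses_for(words[2], ifaces))
    return total


if __name__ == "__main__":
    # On a live system: parse_ifconfig(subprocess.check_output(["ifconfig"], text=True))
    ifaces = parse_ifconfig(IFCONFIG_SAMPLE)
    print("egress addresses:", addresses_for("egress", ifaces))
    print("sockets with 'listen on egress': ", count_listeners(SMTPD_CONF, ifaces))
    print("sockets with explicit addresses:", count_listeners(FIXED_CONF, ifaces))
```

On the constructed sample the egress form needs 11 sockets and the explicit form 6; the gap grows with every address added to an egress interface, which is exactly what turns into "Too many open files" on a host with hundreds of them.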

Inconsistent State

OpenSMTPD can also end up with an inconsistent on-disk queue, typically after a misconfiguration. The same error is one symptom:

smtpd[]: pony express: smtpd: socket: Too many open files

If this is suspected, one "fix" is to discard the spool entirely. Look at smtpctl show queue first to see what will be lost, stop smtpd, remove the queue and the offline spool, then start it again with rcctl(8):

WARNING: This will delete all messages in the queue.

# rcctl stop smtpd
# rm -r /var/spool/smtpd/queue/*
# rm -r /var/spool/smtpd/offline/*

Control smtpd

To control a running smtpd(8), use smtpctl(8): smtpctl show queue lists queued envelopes, smtpctl schedule all forces an immediate delivery attempt for everything in the queue, and smtpctl monitor prints live statistics.