FreeBSD installation

The installation described on this page was performed on a FreeBSD 13.0 server.

Installing Rust language

The Rust port, packages and related information can be found on the FreshPorts website. More information about packages and ports is available in the FreeBSD Handbook.

pkg install lang/rust

A Rust 1.60+ package is required. You may have to switch to the latest ports branch; please refer to the FreeBSD wiki.

Dependencies

FreeBSD 13.x comes with all required dependencies. Please check that sasl is included in your release (see Linux dependencies).

vSMTP compilation

git clone https://github.com/viridIT/vSMTP.git
cd vSMTP
cargo build --release
cargo run -V

Configuring the Operating System for vSMTP

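Create the directories and change the owner and group. The chown command needs the vsmtp user and group to exist; they are created in the "Add vSMTP user:group" section below, which repeats the chown.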

mkdir /etc/vsmtp /etc/vsmtp/rules /etc/vsmtp/certs /var/log/vsmtp /var/spool/vsmtp
cp ./target/release/vsmtp /usr/sbin/
cp ./target/release/vqueue /usr/sbin/
cp ./examples/config/minimal.toml /etc/vsmtp/vsmtp.toml
chown -R vsmtp:vsmtp /var/log/vsmtp /etc/vsmtp/* /var/spool/vsmtp

Create a minimal vsmtp.toml configuration file that matches the vsmtp version (i.e. 1.0.0).

echo "version_requirement = \">=1.0.0\"" > /etc/vsmtp/vsmtp.toml

Grant rights to files and folders.

chmod 555 /usr/sbin/vsmtp
sudo chown -R vsmtp:vsmtp /var/log/vsmtp /etc/vsmtp/* /var/spool/vsmtp

If required, do not forget to add your private key and certificate to /etc/vsmtp/certs and allow the vsmtp user to read them.

Disabling sendmail

Sendmail may have been disabled during the FreeBSD installation. If not, add the following to the /etc/rc.conf file and reboot the system.

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Use the sockstat command to check that sendmail is disabled.

Add vSMTP user:group

pw groupadd vsmtp -g 999
pw useradd vsmtp -u 999 -d /nonexistent -g vsmtp -s /sbin/nologin
chown -R vsmtp:vsmtp /var/log/vsmtp /etc/vsmtp/* /var/spool/vsmtp

Adding vSMTP as a system service

vSMTP comes with a mechanism that drops privileges at startup. User ACLs are no longer needed.

Please add:

  • the flag `vsmtp_enable="YES"` in /etc/rc.conf.
  • the vsmtp script in /usr/local/etc/rc.d

cp ./tools/install/freebsd/freebsd-vsmtp.service /usr/local/etc/rc.d/vsmtp

#! /bin/sh

# PROVIDE: vsmtp
# REQUIRE: DAEMON
# KEYWORD: shutdown

#
# Add the following lines to /etc/rc.conf to enable vsmtp:
#
# vsmtp_enable="YES"

. /etc/rc.subr

name="vsmtp"
rcvar="${name}_enable"

load_rc_config $name

: ${vsmtp_enable:=NO}
: ${vsmtp_config:=/etc/vsmtp/vsmtp.toml}
: ${vsmtp_flags:=--config}

command="/usr/sbin/vsmtp"
command_args="${vsmtp_config}"

run_rc_command "$1"

Starting with a non-privileged user

If you want to start vSMTP with another mechanism, follow these instructions. You must grant the user the right to bind to ports <1024. The kernel must be updated to support network ACLs. Add these options to the kernel configuration file (MYKERNEL in the commands below) and rebuild the kernel.

options MAC
options MAC_PORTACL

cd /usr/src
make buildkernel KERNCONF=MYKERNEL
make installkernel KERNCONF=MYKERNEL

$ sysctl security.mac
security.mac.portacl.rules:
security.mac.portacl.port_high: 1023
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1
security.mac.mmap_revocation_via_cow: 0
security.mac.mmap_revocation: 1
security.mac.labeled: 0
security.mac.max_slots: 4
security.mac.version: 4
$ sysctl security.mac.portacl.rules=uid:999:tcp:25,uid:999:tcp:587,uid:999:tcp:465
security.mac.portacl.rules: uid:999:tcp:25, -> uid:999:tcp:25,uid:999:tcp:587,uid:999:tcp:465
$ sysctl security.mac.portacl.rules
security.mac.portacl.rules: uid:999:tcp:25,uid:999:tcp:587,uid:999:tcp:465
$ sysctl net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedlow: 0 -> 0
$ sysctl net.inet.ip.portrange.reservedhigh=0
net.inet.ip.portrange.reservedhigh: 1023 -> 0

The user with uid 999 should now be able to bind to the standard SMTP ports (25, 587, 465).
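
Because net.inet.ip.portrange.reservedhigh is now 0, the portacl rule string is the only thing restricting low-port binds, so it is worth checking that it grants exactly what vSMTP needs. The script below is an added example, not part of vSMTP or FreeBSD; the function names portacl_allows and portacl_audit are hypothetical, the rule syntax is the one documented in mac_portacl(4), and it assumes uid 999 needs only tcp 25, 587 and 465.

```sh
#!/bin/sh
# Added example, not vSMTP code: audit a security.mac.portacl.rules value.
# Rule syntax, from mac_portacl(4): idtype:id:protocol:port[,...]
# Assumptions: uid 999 is vsmtp and it needs only tcp 25, 587 and 465.
VSMTP_UID=999
VSMTP_PORTS="25 587 465"

# portacl_allows RULES UID PROTO PORT: succeeds if a uid rule grants the bind.
portacl_allows() (
    IFS=,; set -f
    for r in $1; do
        if [ "$r" = "uid:$2:$3:$4" ]; then exit 0; fi
    done
    exit 1
)

# portacl_audit RULES: prints one finding per line; no output means clean.
portacl_audit() (
    rules=$1
    IFS=,; set -f
    for r in $rules; do
        [ -n "$r" ] || continue          # a stray comma leaves an empty entry
        port=${r##*:}
        case $r in
            uid:*:tcp:*|uid:*:udp:*|gid:*:tcp:*|gid:*:udp:*) ;;
            *) echo "malformed $r"; continue ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "malformed $r"; continue ;;
        esac
        case " $VSMTP_PORTS " in
            *" $port "*)
                if [ "$r" = "uid:$VSMTP_UID:tcp:$port" ]; then continue; fi ;;
        esac
        echo "unexpected $r"
    done
    IFS=' '
    for p in $VSMTP_PORTS; do
        portacl_allows "$rules" "$VSMTP_UID" tcp "$p" ||
            echo "missing uid:$VSMTP_UID:tcp:$p"
    done
)

# On the host: portacl_audit "$(sysctl -n security.mac.portacl.rules)"
# Constructed sample with one rule the page does not call for:
portacl_audit "uid:999:tcp:25,uid:999:tcp:587,uid:999:tcp:465,gid:0:tcp:80"
```

An empty result means the rule string grants exactly the three binds configured on this page; any "unexpected" line is a low-port grant to review.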