OpenBSD as a mail server - Preliminary installation steps

2. Preliminary installation steps

Before delving into the installation and configuration of all the mail-handling software, we will take a brief look at the operating system that will host it.

As usual, my choice goes to OpenBSD for its proven security, reliability and ease of use. Needless to say, all these features are essential for a system that will have to handle a large volume of email traffic while still making life hard for spammers and malicious users.

We won't cover the installation procedure here, which is documented in full detail on the OpenBSD web site. Just a couple of notes:

while partitioning the hard drive, bear in mind that we will configure Postfix to use virtual domains and, consequently, it will store all users' mail folders in a single directory (/var/vmail). Therefore, it is recommended to assign a (large) dedicated slice to this filesystem, in order to prevent mails from filling up any critical filesystem, should quotas fail. Furthermore, if you choose to install MySQL on the mail server itself, it is usually recommended to assign one of the first slices to /var/mysql, in order to allow for faster disk access by the database engine;

the only file sets we will need to install are those marked as "required" on the documentation, i.e. bsd (the kernel), baseXX.tgz (the base system), and etcXX.tgz (the configuration files in /etc) plus compXX.tgz (the C compiler), since we will also have to install some ports not available as precompiled packages for licensing reasons. Note: since leaving a compiler on a publicly accessible server is a definite security risk, it is recommended that you remove the compiler when the installation is over or that you compile on another machine.

After the first reboot, we can disable some default network services managed by inetd(8):

$ grep -v ^# /etc/inetd.conf
ident           stream  tcp     nowait  _identd /usr/libexec/identd     identd -el
ident           stream  tcp6    nowait  _identd /usr/libexec/identd     identd -el
127.0.0.1:comsat dgram  udp     wait    root    /usr/libexec/comsat     comsat
[::1]:comsat    dgram   udp6    wait    root    /usr/libexec/comsat     comsat
daytime         stream  tcp     nowait  root    internal
daytime         stream  tcp6    nowait  root    internal
time            stream  tcp     nowait  root    internal
time            stream  tcp6    nowait  root    internal
$

by commenting them out in /etc/inetd.conf and reloading inetd(8):

# pkill -HUP inetd

Anyway, OpenBSD is considered secure also with those services turned on and the mail server should be placed behind a firewall; nevertheless, I prefer staying on the safe side and disable them all (including comsat(8), since we won't have any interactive user receiving mail on the system).

To modify the server network configuration, please refer to the appropriate chapter in the previous document about redundant firewalls or to the Networking FAQ.