OpenBSD has earned its reputation as a BSD descendant focused on security. With the increased development of OpenBSD's httpd and OpenSMTPD, plus most of the components commonly used in a basic web server, OpenBSD provides a highly secure and efficient choice for building servers.

Finding online support for OpenBSD can be much more difficult when compared to Linux. While the OpenBSD project requires its man pages to be very complete, support beyond man pages such as tutorials or sample configurations can be much harder to find. This has largely been due to the project being targeted at use primarily by professional systems administrators.

This tutorial will establish a basic web server that includes a functioning mail server with local maildir accessed through mutt.

Initial configuration

The default configuration for OpenBSD is generally acceptable for the majority of users. However, some small changes are necessary to some configurations.

Run updates

On initial login, update OpenBSD and installed packages, then reboot:

servername# syspatch
Get/Verify syspatch66-020_vmm_pvc... 100% |*************|   178 KB    00:00    
Installing patch 020_vmm_pvclock
Get/Verify syspatch66-021_smtpd_e... 100% |*************|   317 KB    00:01    
Installing patch 021_smtpd_envelope
Relinking to create unique kernel... done; reboot to load the new kernel
Errata can be reviewed under /var/syspatch
servername# pkg_add -u
quirks-3.183 signed on 2020-03-08T21:21:46Z
pcre2-10.33->10.34: ok
Read shared items: ok
servername# reboot

Install nano

Log back into the server using the root account.

For users not familiar with vi or mg, it may be preferable to install a simple text editor, such as nano

servername# pkg_add nano
quirks-3.183 signed on 2020-03-08T21:21:46Z
nano-4.4: ok

Set up user account

servername# adduser

This will generate adduser.conf for default new user configuration by asking several questions, followed the option to set up a new user. Default options are presented within brackets [] (e.g, [default]). Pressing Enter without typing anything will select the default option.

Couldn't find /etc/adduser.conf: creating a new adduser configuration file
Reading /etc/shells
Enter your default shell: csh ksh nologin sh [ksh]: 
Your default shell is: ksh -> /bin/ksh
Default login class: authpf bgpd daemon default pbuild staff unbound 
Enter your default HOME partition: [/home]: 
Copy dotfiles from: /etc/skel no [/etc/skel]: 
Send welcome message?: /path/file default no [no]: yes
Really? Type the filepath, 'default' or 'no' [no]: default
Message file ``/etc/adduser.message'' created
Prompt for passwords by default (y/n) [y]: 
Default encryption method for passwords: auto blowfish [auto]: 
Use option ``-silent'' if you don't want to see all warnings and questions.

Reading /etc/shells
Check /etc/master.passwd
Check /etc/group

Ok, let's go.
Don't worry about mistakes. There will be a chance later to correct any input.
Enter username []: username
Enter full name []: Full Username
Enter shell csh ksh nologin sh [ksh]: 
Uid [1000]: 
Login group username [username]: 
Login group is ``username''. Invite username into other groups: guest no 
[no]: wheel
Login class authpf bgpd daemon default pbuild staff unbound 
[default]: staff
Enter password []: 
Enter password again []: 

Name:           username
Password:       ****
Fullname:       Full Username
Uid:            1000
Gid:            1000 (username)
Groups:         username wheel
Login Class:    staff
HOME:           /home/username
Shell:          /bin/ksh
OK? (y/n) [y]:
Added user ``username''
Copy files from /etc/skel to /home/username
Send welcome message to ``username'' (y/n) [y]: 

Full Username,

your account ``username'' was created.
Have fun!

See also chpass(1), finger(1), passwd(1)

Add anything to the message (y/n) [n]: 
Copy message to another user?: no root second_mail_address 
Mail sent!
Add another user? (y/n) [y]: n

The above configured username account is intended to be an administrator account for the server. Adding the wheel group applies several administrator level privilege configurations, as well as editing or reading privileges of otherwise protected system files and directories. Configuration as staff grants the account greater resource availability within OpenBSD.

Configure and enable doas

The OpenBSD sudo command is doas, but is not configured by default.

There are many example configuration files located in /etc/examples/:

servername# ls /etc/examples/                                                   
acme-client.conf    ifstated.conf       ospfd.conf          ripd.conf
bgpd.conf           iked.conf           pf.conf             sasyncd.conf
chio.conf           inetd.conf          printcap            sensorsd.conf
dhclient.conf       ipsec.conf          rad.conf            snmpd.conf
dhcpd.conf          ldapd.conf          radiusd.conf        sysctl.conf
doas.conf           ldpd.conf           rbootd.conf         unwind.conf
dvmrpd.conf         man.conf            rc.local            vm.conf
eigrpd.conf         mixerctl.conf       rc.securelevel      wsconsctl.conf
exports             mrouted.conf        rc.shutdown         ypldap.conf
hostapd.conf        ntpd.conf           relayd.conf
httpd.conf          ospf6d.conf         remote

Copy the example doas.conf file into /etc/

servername# cp /etc/examples/doas.conf /etc/

Edit the configuration file:

servername# nano /etc/doas.conf


permit persist keepenv :wheel

By adding the configuration to /etc/, doas can now be invoked. The configuration file permits members of wheel to use doas and permitting persist means that each time doas is successfully invoked, a password will not be required when invoked again within five minutes.

Configure sshd

Permitting login through ssh with the root account or using passwords to log in are considered bad practice. The sshd configuration is managed through the sshd_config configuration file:

servername# nano /etc/ssh/sshd_config

Edit the following keyword line configurations to match the following:

PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no 

Restart sshd:

servername# rcctl restart sshd

Most security experts are recommending moving away from RSA keys. As configured, OpenBSD will work with RSA and ed25519 keys. In OpenSSH installations in most Linux distributions, both will be installed by default and ed25519 public keys are in the /home/username/.ssh/ file.

Add a public key to the configured user account authorized_keys file:

servername# nano /home/username/.ssh/authorized_keys

Notable differences from Ubuntu Linux


Ubuntu default shell uses Bash (BASH) while OpenBSD uses KornShell (ksh).

ll (ls -alF)

Ubuntu has a convenient command, ll, for viewing directory contents that is a shortcut for ls -alF.

To add ll to the OpenBSD command line:

$ nano .profile

Add the following line:

alias ll="ls -alF"

Default editor

The default text editor in OpenBSD is vi. To change to a different default text editor:

$ nano .profile

Add the following lines:

export VISUAL=/usr/local/bin/nano

Do the same for root:

$ doas nano /root/.profile

Add the following lines:

export VISUAL=/usr/local/bin/nano

Note that this does not change the default editor for commands such as crontab.

Web server

Most of the instructions in this article require root:

$ doas su

OpenBSD comes with httpd, the project's own web server, installed by default though disabled. The httpd configuration is managed in its configuration file, /etc/httpd.conf, which has to be created:

# nano /etc/httpd.conf

Add to the file:

# Main Configuration
server "" {
    listen on * port 80
    root "/htdocs/"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    location * {
        block return 302 "https://$HTTP_HOST$REQUEST_URI"

Test the configuration:

# httpd -n
configuration OK

Start httpd.

# rcctl -f start httpd

Add a Let's Encrypt certificate to the server:

# cp /etc/examples/acme-client.conf /etc/acme-client.conf
# nano /etc/acme-client.conf

Change to the desired domain and remove, change, or add subdomains to the alternative line.

# acme-client -v

After successful registration, create a cron job:

# crontab -e


0	*	*	*	*	sleep $((RANDOM \% 2048)) && \
	acme-client && rcctl reload httpd

Now add the SSL/TLS and redirect options httpd.conf

# nano /etc/httpd.conf


# This is a redirect to the Main Configuration
server "" {
    listen on * port 80
    listen on * tls port 443
    tls {
        certificate "/etc/ssl/"
        key "/etc/ssl/private/"
    block return 301 "$REQUEST_URI"
server "" {
    listen on * tls port 443
    root "/htdocs/"
    tls {
        certificate "/etc/ssl/"
        key "/etc/ssl/private/"

    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2

Test and restart httpd

# httpd -n
Configuration OK
# rcctl reload httpd


OpenBSD in its default configuration comes with opensmtpd in a very secure configuration that supports outgoing mail. This is primarily useful for transactional email, most especially administrative messages.

Administrative message recipients can be configured in the aliases file and are default configured to be sent to the local root user local mailbox. To configure additional recipients:

# nano /etc/mail/aliases

Change and add:

# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
postmaster: root

Update the configuration:

# newaliases

Mail server configuration

Create DKIM key and directory:

# mkdir /etc/mail/dkim
# openssl genrsa -out /etc/mail/dkim/ 1024
# chmod 640 /etc/mail/dkim/
# openssl rsa -in /etc/mail/dkim/ -pubout -out /etc/mail/dkim/
# cat /etc/mail/dkim/

Install and configure antispam packages

# pkg_add redis rspamd opensmtpd-filter-rspamd opensmtpd-filter-senderscore

Configure DKIM signing:

# chown root:_rspamd /etc/mail/dkim/
# mkdir /etc/rspamd/local.d
# nano /etc/rspamd/local.d/dkim_signing.conf
allow_username_mismatch = true;

domain { {
        path = "/etc/mail/dkim/";
        selector = "20200221";

Enable and start redis and rspamd:

# rcctl enable redis
# rcctl enable rspamd
# rcctl start redis
# rcctl start rspamd

Update the OpenSMTPD configuration:

# mv /etc/mail/smtpd.conf /etc/mail/smtpd.conf.original
# nano /etc/mail/smtpd.conf
pki cert "/etc/ssl/"
pki key "/etc/ssl/private/"

filter check_dyndns phase connect match rdns regex { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections"

filter check_rdns phase connect match !rdns \
    disconnect "550 no rDNS is so 80s"

filter check_fcrdns phase connect match !fcrdns \
    disconnect "550 no FCrDNS is so 80s"

filter senderscore \
    proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"

filter rspamd proc-exec "filter-rspamd"

table aliases file:/etc/mail/aliases

listen on all tls pki \
    filter { check_dyndns, check_rdns, check_fcrdns, senderscore, rspamd }

listen on all port submission tls-require pki auth filter rspamd

action "local_mail" maildir junk alias <aliases>
action "outbound" relay helo

match from any for domain "" action "local_mail"
match for local action "local_mail"

match from any auth for any action "outbound"
match for any action "outbound"

Reinstallation on Vultr

To run OpenBSD as configured by the OpenBSD project, it is currently necessary to create a Vultr instance running OpenBSD, then reinstall OpenBSD using the terminal in the Vultr dashboard.

From the Vultr dashboard, open the OpenBSD instance and click the terminal icon at the top of the page. Note that when using the terminal interface, it will not be possible to use a mouse, access the local clipboard, or otherwise interact with the interface other than through the keyboard.

Log in using root with the password from the Vultr dashboard.

vultr# reboot

After the system boots there will be a boot prompt. Simply enter rc.d and press enter.

boot> rc.d

Most of the install questions can be answered using the default, which is shown in brackets.

Create the root user using the password provided for the instance by Vultr.

The non-default selections will be entering the domain of the hostname ( plus the following:

Do you expect to run the X Window System? [yes] no

There is a warning about not allowing root to ssh log in using password. This is will be configured later in the setup process.

Allow root ssh login? (yes, no, prohibit-password) [no] yes
Location of sets? (cd0 disk http nfs or 'done') [cd0] http

For selecting the download location, enter ? then note a desired download location and enter the number:

HTTP Server? (hostname, list#, 'done' or '?') ?
HTTP Server? (hostname, list#, 'done' or '?') 47