The default MDA in OpenBSD is popa3d, but it's pretty limited, so some tips on installing and configuring the IMAP and POP3 portions of Courier and Cyrus are also below.

7.5.1. popa3d

This is OpenBSD's default POP3 MDA. You could read the popa3d manpage and then figure out a good command to put into /etc/rc.local to start it at boot time, but it's more easily initialized through inetd. Edit /etc/inetd.conf and uncomment this line:

    #pop3 stream tcp nowait root /usr/sbin/popa3d popa3d

popa3d requires no configuration because it only fetches mail from local mailboxes, so you have to have a user account on the system with a non-null password. It's pretty simple, and should do perfectly for most servers that only need email for a small number of users. If you need IMAP, or if you need something a little more complex, you should probably use Courier-IMAP instead.

7.5.2. Courier-IMAP

Technically Courier is a complete MTA, but many people just use the MDA portion of it to deliver messages to local or virtual user accounts. In OpenBSD, only the MDA portion of Courier (Courier-IMAP) is available, and it's in /usr/ports/mail/courier-imap. Before you install it, make sure you check out the pkg directory and the Makefile to see what flavors are available. Specifically, you can build in support for LDAP, MySQL, PostgreSQL, and POP3.

At the end of the Courier-IMAP installation you'll be given a screenful of instructions. Basically they are:

1. Make a configuration directory:

       mkdir /etc/courier-imap

2. Copy over the default configuration files to it:

       cp /usr/local/share/examples/courier-imap/* /etc/courier-imap/

3. Put this line in /etc/rc.local to start Courier-IMAP at boot time:

       mkdir -p /var/run/courier-imap && /usr/local/libexec/authlib/authdaemond start

4. Edit your config files in /etc/courier-imap, then generate OpenSSL certificates with the mkimapdcert script.

7.5.3. Cyrus-IMAPd

There's a memory mapping incompatibility between Cyrus and OpenBSD, so if you use this MDA, you could have some performance problems under heavy loads. Courier-IMAP is a better choice for a full-featured MDA. If you're committed to using Cyrus anyway, you can find it in /usr/ports/mail/cyrus-imapd. Make sure you check out the DESCR file in the pkg directory to see the warnings, recommendations, and the different flavors you can build.

7.6. OpenLDAP

OpenLDAP is not included with OpenBSD by default, but you can install the client libraries and tools through the /usr/ports/databases/openldap directory. If you want to run an OpenLDAP server on OpenBSD, you need the -server package, which is not compiled by default in Ports. You can either hack the Makefile or use the pkg_add command to install the openldap-client and openldap-server packages.

Once installed, you can find the system-wide client configuration file in /etc/openldap/ldap.conf, or you can create a user-specific client configuration in a ~/.ldaprc file (it doesn't exist by default; you have to create it). Configuring an OpenLDAP server is just as easy: the config file is /etc/openldap/slapd.conf, and there are some sample schemas in /etc/openldap/schema. To start the slapd and slurpd daemons automatically at boot time, add these two lines to /etc/rc.local (they should go before any LDAP-dependent services if you're running any):

    /usr/local/libexec/slapd
    /usr/local/libexec/slurpd

Of course, there are a few switches that can be run with these daemons, so if you need to do more than just this basic configuration, see the slapd and slurpd manpages. There is also more to configuring OpenLDAP, but such configuration has nothing to do specifically with OpenBSD. There are, however, many LDAP-specific manpages in OpenBSD 4.0:

    ldap, ldap.conf, slapd, slapd.conf, slapd.access, slapacl, slapadd, slapauth, slapcat, slapdn, slapindex, slaptest, slappasswd, slurpd, ldappasswd, ldapmodify

7.7. NFS

If you need to run an NFS server on OpenBSD, edit /etc/rc.conf and change the NO to a YES in these lines:

    nfs_server=NO # see sysctl.conf for nfs client configuration
    portmap=NO # Note: inetd(8) rpc services need portmap too

Then scroll down a bit and find this line:

    nfsd_flags="-tun 4" # Crank the 4 for a busy NFS fileserver

These default options should be fine for most people. The -tu flags mean that both TCP and UDP clients will be served, and the -n 4 flag sets the concurrent connections to four, so up to four clients will be able to connect at once. Set this to a higher number if necessary, but if you do, edit the /etc/sysctl.conf file, uncomment this line, and change the 4 to the same number you just set in rc.conf:

    #vfs.nfs.iothreads=4 # number of nfsio kernel threads

You'll also want to set your remote mount points in the /etc/exports file (see the exports manpage for details). There are two other NFS-related programs that you should know about: nfsstat, which monitors NFS statistics, and mount_nfs, which mounts NFS volumes.

7.8. NIS

First of all, you do know that OpenLDAP is a more secure, scalable, and in general more modern alternative to NIS, right? If possible, you should use OpenLDAP over NIS. If it's not possible, no big deal: OpenBSD has tools in the base system to handle NIS (or, more accurately, YP, which stands for either Yellow Pages or Yellow Pee, depending on whom you ask). YP is compatible with NIS, but not NIS+. You can enable YP and set some options for it in /etc/rc.conf:

    ypserv_flags= # E.g. -1 for YP v1, -d for DNS etc
    yppasswdd_flags=NO # "-d /etc/yp" if passwd files are in /etc/yp

Enabling yppasswdd_flags means that you have to create an /etc/yp file. It's best to read the manpages for yp and ypinit to figure out what has to go into it.
You also need to enable portmap in /etc/rc.conf by changing the NO to a YES in the following line:

    portmap=NO # Note: inetd(8) rpc services need portmap too

Now go to the /var/yp directory and make sure that the Makefile.yp file is configured properly for your situation. Next you need to create an /etc/defaultdomain file and put this machine's domain name in it. Then type this command, substituting the master domain name you just put into the /etc/defaultdomain file for domainname:

    ypinit -m domainname

You'll then be asked a series of questions. Answer them in accordance with your configuration. When the process is complete, YP will be initialized and should start automatically at boot time.

7.9. BIND

BIND version 9.3.2-P1 is part of the OpenBSD base system, so it's installed by default. You can find the generic configuration files in /var/named/etc (the only one that is used is named.conf, which is a clone of named-simple.conf), and your domain zone files go in /var/named/master and /var/named/slave. You might think that /var/named looks a little strange with its /etc and /dev directories and such; the reason for this silliness is that the name daemon runs in a chroot jail with /var/named as the root directory. So if BIND is compromised, the furthest an attacker can get is /var/named and all levels below it. BIND is started through /etc/rc.conf, and the specific line you want to enable is:

    named_flags=NO # for normal use: ""

Change the NO to "".

7.10. CARP

CARP stands for Common Address Redundancy Protocol, and it's useful for failover protection for networked computers. Basically you create a CARP interface that routes traffic to a group of computers that all share the same IP address. Among those computers, there is one that handles all traffic by default. If that computer fails to properly announce its availability, CARP redirects its traffic to one or more machines.
This means that you have to have at least two computers that are configured for the same services and/or contain identical data, so that when the main machine fails or experiences too high a load, the backup machine can pick up where the main machine left off. CARP must therefore be configured on at least three machines: the gateway, the primary host, and the backup host. The primary host will advertise its availability at an interval that you specify; if the gateway and the backup host don't receive that advertisement within the allotted time, the backup host will take over until the primary host is available. If your primary host has multiple interfaces that connect to different networks, you can set up a CARP interface for all of them or some of them; it's up to you, but the primary host must match its backup hosts if you want all network traffic to be rerouted to the backup server (or servers).

In the above explanation, the "gateway" machine is just a nickname; it does not have to be your Internet gateway, but since CARP is so frequently used for firewall failover protection, it makes sense in that context. The "gateway" machine could just as easily be a workstation or nearly any kind of server that depends on a persistent network connection to another computer.

Note that CARP doesn't sync your data or settings between machines. If one interface or machine goes down, all CARP does is pass the network connection on to the next available CARP interface (which is presumably but not necessarily on another computer) in the group. For this reason, CARP is frequently paired with pfsync to transfer firewall state, or rsync to transfer data to a failover machine.
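The rc.conf and sysctl.conf edits from the NFS section (7.7) above are easy to leave half done, with nfsd's -n count raised but vfs.nfs.iothreads still commented out. As an added example that is not from the book, the following POSIX shell script checks copies of those two files for the settings that section describes; the file paths and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book); the sample files written below are constructed.

# Print the value of variable $2 from rc.conf-style file $1 (first match), without
# the trailing "# comment" or surrounding quotes. A commented-out line prints nothing.
rc_value() {
    sed -n "s/^$2=\([^#]*\).*/\1/p" "$1" | head -n 1 \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Return 0 if nfs_server and portmap are YES and the nfsd -n count matches
# vfs.nfs.iothreads; otherwise report each problem and return 1. The
# default "-n 4" with iothreads still commented out is accepted, since the
# kernel default is also 4.
nfs_check() {
    rc=$1; sc=$2; bad=0
    for var in nfs_server portmap; do
        [ "$(rc_value "$rc" "$var")" = YES ] \
            || { echo "$var is not YES in $rc"; bad=1; }
    done
    n=$(rc_value "$rc" nfsd_flags \
        | sed -n 's/.*-[a-z]*n[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    threads=$(rc_value "$sc" vfs.nfs.iothreads)
    if [ -z "$n" ]; then
        echo "nfsd_flags in $rc has no -n count"; bad=1
    elif [ -n "$threads" ] && [ "$n" -ne "$threads" ]; then
        echo "nfsd -n $n but vfs.nfs.iothreads=$threads in $sc"; bad=1
    elif [ -z "$threads" ] && [ "$n" -ne 4 ]; then
        echo "nfsd -n $n but vfs.nfs.iothreads is still commented out in $sc"; bad=1
    fi
    return $bad
}

# Write constructed sample files to a temporary directory and print its path:
# "good" is consistent, "bad" leaves portmap off and iothreads commented out.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'nfs_server=YES # see sysctl.conf for nfs client configuration' \
        'portmap=YES # Note: inetd(8) rpc services need portmap too' \
        'nfsd_flags="-tun 8" # Crank the 4 for a busy NFS fileserver' > "$d/rc.good"
    printf '%s\n' 'vfs.nfs.iothreads=8 # number of nfsio kernel threads' > "$d/sysctl.good"
    sed 's/^portmap=YES/portmap=NO/' "$d/rc.good" > "$d/rc.bad"
    printf '%s\n' '#vfs.nfs.iothreads=4 # number of nfsio kernel threads' > "$d/sysctl.bad"
    echo "$d"
}

samples=$(make_samples)
nfs_check "$samples/rc.good" "$samples/sysctl.good" && echo "rc.good: consistent"
nfs_check "$samples/rc.bad" "$samples/sysctl.bad" || echo "rc.bad: problems found"
```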