OpenBSD as backup hydrus server

The Dell Latitude E6500 became available for OpenBSD again, running as chrome. I wanted to complete the work of making this a replacement server for the normal hydrus server, opal, should it die an unpleasant death.

I'd already had an OpenBSD httpd configuration to serve the website. However, I also needed:

DHCP server

This was easy. OpenBSD has a DHCP daemon in base, so just a configuration file was needed.

  # option definitions common to all supported networks...
  option domain-name "";
  option domain-search "";

  option domain-name-servers,;
  option routers;

  # time is in seconds; lease-time is 24 hours
  default-lease-time 86400;
  max-lease-time 86400;

  # If this DHCP server is the official DHCP server for the local
  # network, the authoritative directive should be uncommented.

  host green {
       hardware ethernet c4:cc:a6:9f:36:7b;

  host blue {
       hardware ethernet 8b:72:be:ec:c9:bf;

  shared-network "" {
      subnet netmask {

Enable by adding the line dhcpd_flags= to /etc/rc.conf.local.


OpenBSD includes unbound, a forwarding DNS resolver, with a limited local zone capability. It doesn't offer Dynamic DHCP (to register DHCP clients in the DNS), but as chrome should only be needed for a limited period, this wasn't an issue. Once again, a configuration file was needed and the daemon enabled. I'm not re-producing the configuration file here, as the sample configuration file is very simple to extend.

I also used this ad blacklist to create a sink for ad servers. A small script is all that is required:

  # get master blacklist from opal
  scp opal:/usr/local/etc/namedb/ad-blacklist .
  # convert to unbound local zone format
  cat ad-blacklist | grep zone | awk \
  '{print "local-zone: " $2 " redirect\nlocal-data: " substr($2,1,length($2)-1) " A\""}' \
  doas mv ad-blacklist.conf /var/unbound/etc
  rm -f ad-blacklist
  doas rcctl restart unbound

The ad-blacklist file is included in the unbound configuration using an include directive (surprise):

  include: "/var/unbound/etc/ad-blacklist.conf"

Mail server

OpenBSD includes a mail transfer agent (MTA), OpenSMTPD. I had a configuration file already, but it needed some changes to allow authenticated access by mail clients and the delivery of authenticated client messages.

  listen on em0 port 587 tls-require auth \
        ca \

  # outgoing mail
  match auth from any for any action "relay"
  match from local for any action "relay"

Webdav server

On opal, I host org-mode files, updated by emacs locally, but also made available via WebDAV for the Orgzly Android client. Apache includes WebDAV module, so it was relatively easy to setup. OpenBSD's httpd does not provide WebDAV, so I needed an add-on.

Finding a WebDAV server took a while. I couldn't find anything simple enough. In the end, I found a Python2 server, EasyDAV, which I figured I could port to Python3. Its dependencies had all been ported to Python3, but not the templating engine it uses, kid. I started the attempt to port kid to Python3, but gave up. Way too much effort. It was much easier to use a templating engine that was already Python3 capable. It turned out one was already available on chrome, mako, installed as a dependency of something else.

EasyDAV-0.5-3 now works (if only for Orgzly) in Python3, using the mako templating engine. I've put this up on Github.

To enable httpd to connect to the webdav server, add the following stanza in /etc/httpd.conf:

  location "/webdav/*" {
        authenticate with "/var/passwd"
        fastcgi {
                socket "/run/webdav.sock"

Note the use of authentication, via a htpasswd file.

IMAP server (Dovecot)

Install from packages

  doas pkg_add dovecot

Then, configure as necessary (same as opal, in this case), enable and start:

  doas rcctl enable dovecot
  doas rcctl start dovecot

The enable step seems required, as just adding dovecot_flags= to /etc/rc.conf.local does not result in dovecot starting at boot.