sa-sa-ki.jpのblog

# Postfix(SMTP)はOSインストール時に自動でインストールされているので設定ファイルの変更から実施します
[root@sl6 ~]# vi /etc/postfix/main.cf
# INTERNET HOST AND DOMAIN NAMES
#
# The myhostname parameter specifies the internet hostname of this
# mail system. The default is to use the fully-qualified domain name
# from gethostname(). $myhostname is used as a default value for many
# other configuration parameters.
#
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# FQDN名を入力します
myhostname = mail.sa-sa-ki.jp

# The mydomain parameter specifies the local internet domain name.
# The default is to use $myhostname minus the first component.
# $mydomain is used as a default value for many other configuration
# parameters.
#
#mydomain = domain.tld
# ドメイン名を入力します
mydomain = sa-sa-ki.jp

# SENDING MAIL
#
# The myorigin parameter specifies the domain that locally-posted
# mail appears to come from. The default is to append $myhostname,
# which is fine for small sites. If you run a domain with multiple
# machines, you should (1) change this to $mydomain and (2) set up
# a domain-wide alias database that aliases each user to
# user@that.users.mailhost.
#
# For the sake of consistency between sender and recipient addresses,
# myorigin also specifies the default domain name that is appended
# to recipient addresses that have no @domain part.
#
#myorigin = $myhostname
# 送信者メールアドレスの@以降をドメイン名にします
myorigin = $mydomain　# コメント解除

# RECEIVING MAIL

# The inet_interfaces parameter specifies the network interface
# addresses that this mail system receives mail on. By default,
# the software claims all active interfaces on the machine. The
# parameter also controls delivery of mail to user@[ip.address].
#
# See also the proxy_interfaces parameter, for network addresses that
# are forwarded to us via a proxy or network address translator.
#
# Note: you need to stop/start Postfix when this parameter changes.
#
# メールを受信するインターネットインターフェースを設定します
# (allを指定して外部からメール受信できるようにします)
inet_interfaces = all　# コメント解除
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost　# コメント化

# The mydestination parameter specifies the list of domains that this
# machine considers itself the final destination for.
#
# These domains are routed to the delivery agent specified with the
# local_transport parameter setting. By default, that is the UNIX
# compatible delivery agent that lookups all recipients in /etc/passwd
# and /etc/aliases or their equivalent.
#
# The default is $myhostname + localhost.$mydomain. On a mail domain
# gateway, you should also include $mydomain.
#
# Do not specify the names of virtual domains - those domains are
# specified elsewhere (see VIRTUAL_README).
#
# Do not specify the names of domains that this machine is backup MX
# host for. Specify those names via the relay_domains settings for
# the SMTP server, or use permit_mx_backup if you are lazy (see
# STANDARD_CONFIGURATION_README).
#
# The local machine is always the final destination for mail addressed
# to user@[the.net.work.address] of an interface that the mail system
# receives mail on (see the inet_interfaces parameter).
#
# Specify a list of host or domain names, /file/name or type:table
# patterns, separated by commas and/or whitespace. A /file/name
# pattern is replaced by its contents; a type:table is matched when
# a name matches a lookup key (the right-hand side is ignored).
# Continue long lines by starting the next line with whitespace.
#
# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
#
#mydestination = $myhostname, localhost.$mydomain, localhost # コメント化
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
# mail.$mydomain, www.$mydomain, ftp.$mydomain
# 自分のドメイン宛メールを受信できるようデフォルト設定にドメイン名を追加します
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# 中継を許可するクライアントネットワークを指定します
mynetworks = 192.168.0.0/24, 192.168.11.0/24, 127.0.0.0/8

# The relay_domains parameter restricts what destinations this system will
# relay mail to. See the smtpd_recipient_restrictions description in
# postconf(5) for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces or $proxy_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
# 中継したメールの送信先を指定します
relay_domains = $mydestination　# コメント解除

# DELIVERY TO MAILBOX
#
# The home_mailbox parameter specifies the optional pathname of a
# mailbox file relative to a user's home directory. The default
# mailbox file is /var/spool/mail/user or /var/mail/user. Specify
# "Maildir/" for qmail-style delivery (the / is required).
#
#home_mailbox = Mailbox
# メールの管理方法をMaildir方式にします(1メール1ファイル管理)
# Mailboxにしたい場合は上記行のコメントを解除します(Mailbox方式は複数メール1ファイル管理)
home_mailbox = Maildir/　# コメント解除

# The header_checks parameter specifies an optional table with patterns
# that each logical message header is matched against, including
# headers that span multiple physical lines.
#
# By default, these patterns also apply to MIME headers and to the
# headers of attached messages. With older Postfix versions, MIME and
# attached message headers were treated as body text.
#
# For details, see "man header_checks".
#
# メールヘッダーのチェック機能を有効にします
header_checks = regexp:/etc/postfix/header_checks　# コメント解除

# SHOW SOFTWARE VERSION OR NOT
#
# The smtpd_banner parameter specifies the text that follows the 220
# code in the SMTP server's greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify $myhostname at the start of the text. That is an
# RFC requirement. Postfix itself does not care.
#
#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# Postfixのバージョンを非表示にします
smtpd_banner = $myhostname ESMTP unknown

# 送受信メールサイズ10MBに制限
message_size_limit = 10485760

# vrfyコマンドを無効にする
disable_vrfy_command = yes

# SMTP Authenticationを有効にします
smtpd_sasl_auth_enable = yes

# SMTP Authenticationの認証に匿名認証と平文テキストパスワードを禁止します
smtpd_sasl_security_options = noanonymous, noplaintext

# SMTP Authenticationのパスワード設定時のレルム名
smtpd_sasl_local_domain = $mydomain

# SMTP接続の要求を行うクライアントのホスト名／IPアドレス制限を行います
　　permit_mynetworks：
　　　クライアントのIPアドレスが$mynetworksにリストアップされている場合
　　　要求を許可します
　　reject_rhsbl_client：
　　　クライアントのホスト名が指定したドメインにリストアップされている場合
　　　要求を拒否します
　　reject_rbl_client：
　　　クライアントのIPアドレスが指定したドメインにリストアップされている場合
　　　要求を拒否します
　　reject_unknown_client：
　　　クライアントのIPアドレスがDNSサーバーで名前解決できない場合
　　　要求を拒否します
　　check_client_access：
　　　指定したファイルに記載されているクライアントのホスト名、IPアドレス、
　　　ドメイン名を個別に拒否します
　　permit：
　　　要求を許可します
smtpd_client_restrictions = permit_mynetworks,
reject_rhsbl_client rhsbl.ahbl.org,
reject_rbl_client spamcop.net,
reject_rbl_client dynablock.wirehub.net,
reject_rbl_client sbl.spamhaus.org,
check_client_access hash:/etc/postfix/access,
permit

# 受信者アドレスの制限を行います
　　permit_mynetworks：
　　　クライアントのIPアドレスが$mynetworksにリストアップされている場合
　　　要求を許可します
　　permit_sasl_authenticated：
　　　クライアントSMTP-Auth認証に成功した場合に要求を許可します
　　reject_unauth_destination：
　　　メールを転送する場合は送信先メールアドレスが $relay_domains または
　　　要求を許可します
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination

smtpd_sender_restrictions = reject_unknown_sender_domain,
reject_non_fqdn_sender,
check_sender_access hash:/etc/postfix/reject_sender

# 保存してviエディタを終了します

# main.cfのsmtpd_client_restrictionsで指定した/etc/postfix/accessとsmtpd_sender_restrictionsで指定した/etc/postfix/reject_senderのハッシュファイルを作成します
[root@sl6 ~]# postmap /etc/postfix/access
[root@sl6 ~]# touch /etc/postfix/reject_sender
[root@sl6 ~]# postmap /etc/postfix/reject_sender

# Postfixの再起動を行います
[root@sl6 ~]# /etc/rc.d/init.d/postfix restart
postfix を停止中: [ OK ]
postfix を起動中: [ OK ]

[root@sl6 ~]# mkdir -p /etc/skel/Maildir/{new,cur,tmp}
[root@sl6 ~]# chmod -R 700 /etc/skel/Maildir

# メールアカウントのパスワードをsaslauthd(Linuxユーザ認証)からauxprop(SASLユーザ認証)に変更します
[root@sl6 ~]# vi /etc/sasl2/smtpd.conf
pwcheck_method: auxprop　# saslauthdからauxpropに変更
mech_list: digest-md5 cram-md5 plain login　# digest-md5 cram-md5を追加

# 保存してviエディタを終了します

# チャレンジレスポンス形式(CRAM-MD5)のSMTP-AUTHでメール送信する為のパッケージ(cyrus-sasl-md5)を追加します
[root@sl6 postfix]# yum -y install cyrus-sasl-md5
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package cyrus-sasl-md5.x86_64 0:2.1.23-8.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

============================================================
Package Arch Version Repository Size
============================================================
Installing:
cyrus-sasl-md5 x86_64 2.1.23-8.el6 sl 45 k

Transaction Summary
============================================================
Install 1 Package(s)
Upgrade 0 Package(s)

Total download size: 45 k
Installed size: 67 k
Downloading Packages:
cyrus-sasl-md5-2.1.23-8.el6.x86_64.rpm | 45 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : cyrus-sasl-md5-2.1.23-8.el6.x86_64 1/1

Installed:
cyrus-sasl-md5.x86_64 0:2.1.23-8.el6

Complete!

# メールアカウントを作成する為に、まずログイン不可Linuxユーザを作成します
# (例としてsl6という名前のメールアカウントを作成してみます)
[root@sl6 ~]# useradd -s /bin/nologin sl6

# SMTP-AUTH用アカウント設定
[root@sl6 ~]# saslpasswd2 -u sa-sa-ki.jp -c sl6
Password: SMTP-AUTH用パスワードを入力
Again (for verification): SMTP-AUTH用パスワードを再入力

# SMTP-AUTH用アカウント確認
[root@sl6 ~]# sasldblistusers2
sl6@sa-sa-ki.jp: userPassword

# SMTP-AUTH用アカウント管理ファイルの所有グループをpostfixに変更する
[root@sl6 ~]# ls -l /etc/sasldb2
-rw-r-----. 1 root root 12288 5月 20 16:45 2011 /etc/sasldb2
[root@sl6 ~]# chgrp postfix /etc/sasldb2
[root@sl6 ~]# ls -l /etc/sasldb2
-rw-r-----. 1 root postfix 12288 5月 20 16:45 2011 /etc/sasldb2

# 下記、メールアカウントとユーザーアカウントの削除は必須作業ではありませんがアカウント名が気に入らない場合などこの手順でアカウントを削除して再作成して下さい
# メールアカウント削除
※SMTP-AUTH用アカウントを削除する場合に実行します
[root@sl6 ~]# saslpasswd2 -u sa-sa-ki.jp -d sl6
# ユーザーアカウント削除
[root@sl6 ~]# userdel -r sl6

# SMTP-AUTHのサービスを起動及び自動起動設定を行う
[root@sl6 ~]# chkconfig --list saslauthd
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@sl6 ~]# chkconfig saslauthd on
[root@sl6 ~]# chkconfig --list saslauthd
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@sl6 ~]# /etc/rc.d/init.d/saslauthd start
saslauthd を起動中: [ OK ]

# telnetコマンドでSMTP-AUTHが働いているか事前に確認します
[root@sl6 ~]# telnet localhost 25
-bash: telnet: コマンドが見つかりません

# OSをインストールした時のオプションではtelnetが導入されていなかったのでtelnetをインストールします
[root@sl6 ~]# yum -y install telnet
sl | 3.2 kB 00:00
sl-security | 1.9 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package telnet.x86_64 1:0.17-46.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================
Package Arch Version Repository Size
=================================================================
Installing:
telnet x86_64 1:0.17-46.el6 sl 57 k

Transaction Summary
=================================================================
Install 1 Package(s)
Upgrade 0 Package(s)

Total download size: 57 k
Installed size: 109 k
Downloading Packages:
telnet-0.17-46.el6.x86_64.rpm | 57 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:telnet-0.17-46.el6.x86_64 1/1

Installed:
telnet.x86_64 1:0.17-46.el6

Complete!

[root@sl6 ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.sa-sa-ki.jp ESMTP unknown
EHLO local
250-mail.sa-sa-ki.jp
250-PIPELINING
250-SIZE 10485760
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5　# 250-AUTH CRAM-MD5 DIGEST-MD5が表示されていることを確認
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

# Dovecotをインストールします
[root@sl6 ~]# yum -y install dovecot
sl | 3.2 kB 00:00
sl-security | 1.9 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package dovecot.x86_64 1:2.0-0.10.beta6.20100630.el6 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================
Package Arch Version Repository Size
=================================================================
Installing:
dovecot x86_64 1:2.0-0.10.beta6.20100630.el6 sl 2.2 M

Transaction Summary
=================================================================
Install 1 Package(s)
Upgrade 0 Package(s)

Total download size: 2.2 M
Installed size: 6.9 M
Downloading Packages:
dovecot-2.0-0.10.beta6.20100630.el6.x86_64.rpm | 2.2 MB 00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:dovecot-2.0-0.10.beta6.20100630.el6.x86_64 1/1

Installed:
dovecot.x86_64 1:2.0-0.10.beta6.20100630.el6

Complete!

[root@sl6 ~]# vi /etc/dovecot/dovecot.conf
# Protocols we want to be serving.
#protocols = imap pop3 lmtp
protocols = imap pop3

# 保存してviエディタを終了します

[root@sl6 ~]# vi /etc/dovecot/conf.d/10-mail.conf
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
#
#
mail_location = maildir:~/Maildir　# コメントを解除して値をmaildir:~/Maildirに変更

# 保存してviエディタを終了します

[root@sl6 ~]# vi /etc/dovecot/conf.d/10-auth.conf
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = no　# コメントを解除して値をyesからnoに変更

# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = digest-md5 cram-md5 plain login

##
## Password and user databases
##

#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
#
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
#

#!include auth-deny.conf.ext
#!include auth-master.conf.ext

#!include auth-system.conf.ext　コメント化
#!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
!include auth-passwdfile.conf.ext　コメント解除
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

# 保存してviエディタを終了します

# アカウントsl6の/etc/passwdファイルの設定を確認します
# チャレンジレスポンス認証の設定を行うために必要なのでメモしておきます
[root@sl6 ~]# cat /etc/passwd|grep sl6
sl6:x:502:502::/home/sl6:/bin/nologin

# チャレンジレスポンス認証(CRAM-MD5)のパスワードを作成します
[root@sl6 ~]# doveadm pw -s CRAM-MD5
Enter new password: メール受信用パスワードを入力します
Retype new password: メール受信用パスワードを再入力します
{CRAM-MD5}f9xxx58a1b54xxxxx9215014xxxxxxc884b9xxxxxxxxxxx1864xxxxxxxxxx　# 受信用パスワード

# /etc/passwdファイルのアカウントsl6のメモした設定と作成したチャレンジレスポンス認証パスワードを重ね合わせて受信用パスワードを設定ファイルに登録します
[root@sl6 ~]# vi /etc/dovecot/users
sl6:{CRAM-MD5}f9xxx58a1b54xxxxx9215014xxxxxxc884b9xxxxxxxxxxx1864xxxxxxxxxx:502:502::/home/sl6:/bin/nologin
# 設定の仕方ですが/etc/passwdのメモした結果を貼り付け、ユーザー名(この例ではsl6)の後にあるxの文字をチャレンジレスポンス認証パスワードに置き換えます

# 保存してviエディタを終了します

# Dovecotのサービスを起動及び自動起動設定を行う
[root@sl6 ~]# chkconfig --list dovecot
dovecot 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@sl6 ~]# chkconfig dovecot on
[root@sl6 ~]# chkconfig --list dovecot
dovecot 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@sl6 ~]# /etc/rc.d/init.d/dovecot start
Dovecot Imap を起動中: [ OK ]

[root@sl6 ~]# vi /etc/aliases

～　省略　～

# Person who should get root's mail
#root: marc
root: sl6

# 保存してviエディタを終了します

[root@sl6 ~]# vi /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -j LOG --log-level debug --log-prefix '[iptables]:'
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

# 保存してviエディタを終了します

# iptablesを再起動して設定を反映します
[root@sl6 ~]# /etc/rc.d/init.d/iptables restart
iptables: ファイアウォールルールを消去中: [ OK ]
iptables: チェインをポリシー ACCEPT へ設定中filter [ OK ]
iptables: モジュールを取り外し中: [ OK ]
iptables: ファイアウォールルールを適用中: [ OK ]