Fedora36: MAIL server settings

Postfix settings.

Allow external web access.

[root@www ~]# vi /etc/httpd/conf.d/virtualhost-00-fedoraserver.jp.conf
<VirtualHost *:80>
    ServerName fedoraserver.jp
    DocumentRoot /var/www/html
    ServerAlias mail.fedoraserver.jp
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www.fedoraserver.jp
    RewriteRule ^(.*)$ http://fedoraserver.jp/$1 [R=301,L]
</VirtualHost>

Install Postfix.

[root@www ~]# dnf install postfix

Configure Postfix.

[root@www ~]# vi /etc/postfix/main.cf

Line 96: Set the host name of the mail server.

myhostname = mail.fedoraserver.jp

Line 103: Set the domain name.

mydomain = fedoraserver.jp

Line 119: Set the domain name that is appended to the sender's email address.

myorigin = $mydomain

Line 135: Change the setting so that mail can be received from outside.

inet_interfaces = all

Line 183: Change the setting so that mail addressed to the domain is received.

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

Line 439: Set the mail storage format to Maildir.

home_mailbox = Maildir/

Line 593: Add the setting to hide the name of the mail server software.

smtpd_banner = $myhostname ESMTP unknown

Add SMTP authentication settings to the last line.

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

Add a setting that limits the size of incoming mail to 10MB (10*1024*1024 bytes) at the last line.

message_size_limit = 10485760

Edit the file.

[root@www ~]# vi /etc/postfix/master.cf

Line 19: Remove the “#” at the beginning of the line to uncomment it.

submission inet n    -    n    -    -    smtpd

Line 22: Remove the “#” at the beginning of the line to uncomment it.

 -o smtpd_sasl_auth_enable=yes

SMTP authentication settings.

Install cyrus-sasl.

[root@www ~]# dnf install cyrus-sasl cyrus-sasl-plain

Start up.

[root@www ~]# systemctl start saslauthd

Set auto start.

[root@www ~]# systemctl enable saslauthd

Creation of Maildir format mailboxes.

Set to automatically create a Maildir format mailbox when adding a new user.

[root@www ~]# mkdir -p /etc/skel/Maildir/{new,cur,tmp}

Set mailbox permissions.

[root@www ~]# chmod -R 700 /etc/skel/Maildir/

Start up.

[root@www ~]# systemctl restart postfix

Set up the conversion of existing users' mailboxes to Maildir format.

[root@www ~]# wget https://rcg.jp/perfect_maildir/perfect_maildir.pl -O /usr/local/bin/perfect_maildir.pl
[root@www ~]# chmod +x /usr/local/bin/perfect_maildir.pl

Install Perl’s TimeDate module required for Maildir conversion.

[root@www ~]# dnf -y install perl-TimeDate

Stop Postfix.

[root@www ~]# systemctl stop postfix

Create a Maildir bulk conversion script.

[root@www ~]# vi migrate-maildir.sh
#!/bin/bash
#
# Maildir batch conversion script
#
# Mailbox => Maildir format conversion tool
# http://perfectmaildir.home-dn.net/
FOLDERCONVERT=/usr/local/bin/perfect_maildir.pl
# general user list
USERLIST=$(ls /home/)
# log
MIGRATELOG=/tmp/migrate-maildir.log
rm -f "$MIGRATELOG"
# Argument (conversion source mailbox format) check
if [ "$1" != "mbox" ] && [ "$1" != "Mailbox" ]; then
    echo "Usage: migrate-maildir.sh {mbox|Mailbox}"
    exit 1
fi
# Migrate general user mailboxes
for user in $USERLIST; do
    if [ "$1" = "mbox" ]; then
        inbox="/var/spool/mail/${user}"
    else
        inbox="/home/${user}/Mailbox"
    fi
    if [ -f "${inbox}" ]; then
        newdir="/home/${user}/Maildir/"
        mkdir -p "$newdir"/cur "$newdir"/new "$newdir"/tmp
        chmod -R 700 "${newdir}"
        "$FOLDERCONVERT" "$newdir" < "${inbox}" >> "$MIGRATELOG" 2>&1
        # owner = user, group = the user's login group
        chown -R "${user}:" "$newdir"
        # the ';' that terminates -exec must be escaped from the shell
        find "$newdir" -type f -exec chmod 600 {} \;
    fi
done
# root user mailbox migration
user="root"
if [ "$1" = "mbox" ]; then
    inbox="/var/spool/mail/${user}"
else
    inbox="/${user}/Mailbox"
fi
if [ -f "${inbox}" ]; then
    newdir="/${user}/Maildir/"
    mkdir -p "$newdir"/cur "$newdir"/new "$newdir"/tmp
    chmod -R 700 "${newdir}"
    "$FOLDERCONVERT" "$newdir" < "${inbox}" >> "$MIGRATELOG" 2>&1
    chown -R "${user}:" "$newdir"
    find "$newdir" -type f -exec chmod 600 {} \;
fi
# show the conversion log, then remove it
[ -e "$MIGRATELOG" ] && cat "$MIGRATELOG"; rm -f "$MIGRATELOG"

Run the batch conversion script.

[root@www ~]# sh migrate-maildir.sh mbox

Remove the Maildir bulk conversion script.

[root@www ~]# rm -f migrate-maildir.sh

Remove Maildir conversion tool.

[root@www ~]# rm -f /usr/local/bin/perfect_maildir.pl

Start up.

[root@www ~]# systemctl restart postfix

Change “/etc/aliases” if you want to use the webmaster user for mail.

[root@www ~]# vi /etc/aliases

Add # to the beginning of the line to disable forwarding.

#webmaster: root

Apply the forwarding settings.

[root@www ~]# newaliases

Open TCP ports 25 and 587.

Open TCP ports 25 and 587 in your router settings. (Check the setting method according to your own environment.)

Port open test.

On the port open check site, enter the host name (fedoraserver.jp) and the port numbers (25, 587) and confirm that they are open.

Port open check site

OP25B measures for mail servers.

As a countermeasure against OP25B on the mail server, set to send outgoing mail via Gmail.

Configure Postfix.


[root@www ~]# vi /etc/postfix/main.cf

Add the following to the last line.

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain

Set your SMTP credentials.

[root@www ~]# echo "[smtp.gmail.com]:587 <Gmail address>:<Gmail password>" > /etc/postfix/sasl_passwd

Change the permissions so that the file cannot be read by anyone other than root.

[root@www ~]# chmod 640 /etc/postfix/sasl_passwd

Create a database of SMTP authentication information.

[root@www ~]# postmap /etc/postfix/sasl_passwd

Reload Postfix.

[root@www ~]# systemctl reload postfix

Forward mail addressed to root (using free mail).

Forward mail to root.

[root@www ~]# vi /etc/aliases

Append to the last line.

# Person who should get root's mail
#root: marc
root: <forwarding email address>

Apply the forwarding settings.

[root@www ~]# newaliases

Email sending test.

Send test mail to root.

[root@www ~]# echo test|sendmail root

Email forwarding settings for Gmail.

First, configure Thunderbird’s Gmail (outgoing email) settings.

Thunderbird Gmail (outgoing mail) settings

Launch Thunderbird, open “Check blocked logins” with your outgoing email address, and click “Allow access to less secure apps”.

Gmail mail forwarding settings

Log in to Gmail in your browser.

Log in to Gmail

Right-click on the user icon in the upper right corner → “Manage Google Account” → “Security” → enable “Access for less secure apps”.

Enable access for less secure apps

Receipt confirmation of mail addressed to root.

First, set Thunderbird’s Gmail (mail for forwarding).

Thunderbird Gmail (forwarding mail) settings

Confirm in Thunderbird (Gmail) that the mail was received at root's forwarding email address.

Install Dovecot.

Install Dovecot.

[root@www ~]# dnf -y install dovecot

Edit the file.

[root@www ~]# vi /etc/dovecot/dovecot.conf

Line 24: Remove the “#” at the beginning of the line to uncomment it.

protocols = imap pop3 lmtp submission

Line 30: Remove the “#” at the beginning of the line to uncomment it and change the settings to disable IPv6.

listen = *

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-mail.conf

Line 31: Add the setting to set the mail storage format to Maildir format.

mail_location = maildir:~/Maildir

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-auth.conf

Line 11: Add the setting to allow plaintext authentication.

disable_plaintext_auth = no

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-ssl.conf

Line 8: Change the setting to disable SSL connection.

ssl = no

Start up.

[root@www ~]# systemctl start dovecot

Set autostart.

[root@www ~]# systemctl enable dovecot

Open TCP port 110 or 143.

On the port open check site, enter the host name (fedoraserver.jp) and the port number (110 or 143) and confirm that it is open.

Port open check site

Adding mail users.

Add users. (User example: fedora)

[root@www ~]# useradd fedora

Set your password.

[root@www ~]# passwd fedora
Changing password for user fedora.
New UNIX password:
Retype new UNIX password:

Edit “/etc/ssh/sshd_config” to allow password authentication (connecting without a private key).

Edit sshd_config.

[root@www ~]# vi /etc/ssh/sshd_config

Line 65: Change from “no” to “yes”.

PasswordAuthentication yes

Restart SSH.

[root@www ~]# systemctl restart sshd

Make a new connection in TeraTerm as fedora.

Set SSH server public key authentication method connection.

Setting up an SSH server public key authentication method connection

Check sendmail path.

Open a file.

[root@www ~]# vi /etc/postfix/main.cf

Line 665: Check the sendmail path.

sendmail_path = /usr/sbin/sendmail.postfix

Email software registration.

Launch Thunderbird and click Mail.

Thunderbird

Enter your name, email address (fedora@fedoraserver.jp) and password, and click Continue.

Email address

Click “Manual Settings”.

Manual settings

Server            Protocol  Host name              Port number  SSL                       Authentication method
Incoming server   POP3      mail.fedoraserver.jp   110          No connection protection  Normal password authentication
Outgoing server   SMTP      mail.fedoraserver.jp   587          No connection protection  Normal password authentication

Refer to the table above to configure the settings, and then click “Finish”.

Finish

Select “I understand the risks of connecting” and click “Finish”.

I understand the risks of connecting

Obtaining a server certificate.

Install Certbot.

[root@www ~]# dnf -y install certbot

Get a certificate.

Document root: /var/www/html/

Email address: webmaster@fedoraserver.jp

Mail server name:mail.fedoraserver.jp

[root@www ~]# certbot certonly --webroot -w /var/www/html/ -m webmaster@fedoraserver.jp  -d mail.fedoraserver.jp --agree-tos

Configure automatic certificate renewal.

[root@www ~]# vi /etc/cron.d/letsencrypt

Add the following.

00 16 * * 2 root /usr/bin/certbot renew --post-hook "service httpd restart"

SSL settings.

Edit the file.

[root@www ~]# vi /etc/postfix/main.cf

Add the following to the last line.

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.fedoraserver.jp/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.fedoraserver.jp/privkey.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
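An added audit of the main.cf settings from the SMTP authentication section and the SSL settings above (example code written for this page, not from the original post or from Postfix). It assumes main.cf in Postfix's usual syntax; the sample text is constructed to mirror the values this page sets, and the checks cover SMTP AUTH, the relay restriction and its order, STARTTLS and the banner.

```python
# Constructed main.cf excerpt mirroring the values this page sets.
SAMPLE_MAIN_CF = """\
smtpd_banner = $myhostname ESMTP unknown
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
message_size_limit = 10485760
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.fedoraserver.jp/fullchain.pem
"""


def parse_main_cf(text):
    """Minimal main.cf reader: '#' lines are comments, a line starting with
    whitespace continues the previous parameter, and a later assignment wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            current = key.strip()
            params[current] = value.strip()
    return params


def audit_main_cf(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SMTP AUTH is not enabled")
    # Restrictions are evaluated in order: authenticated clients must be
    # permitted before the relay check or only mynetworks can send outbound.
    restr = p.get("smtpd_recipient_restrictions", "").replace(",", " ").split()
    relay = [i for i, t in enumerate(restr) if t.endswith("_unauth_destination")]
    if not relay:
        findings.append("no *_unauth_destination in smtpd_recipient_restrictions")
    elif "permit_sasl_authenticated" not in restr[:relay[0]]:
        findings.append("permit_sasl_authenticated missing or after the relay check")
    if p.get("smtpd_tls_security_level", "none") == "none":
        findings.append("STARTTLS is not offered (smtpd_tls_security_level)")
    # Postfix's default banner is "$myhostname ESMTP $mail_name", which names Postfix
    if "$mail_name" in p.get("smtpd_banner", "$myhostname ESMTP $mail_name"):
        findings.append("smtpd_banner reveals the server software")
    return findings
```

Run it against the real file with `audit_main_cf(open("/etc/postfix/main.cf").read())`; `postconf -n` output can be fed in the same way.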

Edit the file.

[root@www ~]# vi /etc/postfix/master.cf

Line 19: Add “#” at the beginning of the line to comment it out and disable the SUBMISSION port.

#submission inet n    -    n    -    -    smtpd

Line 22: Add “#” at the beginning of the line to comment it out and disable SMTP authentication for the SUBMISSION port.

#  -o smtpd_sasl_auth_enable=yes

Line 33: Remove the “#” at the beginning of the line to uncomment and enable SMTPS.

smtps    inet n    -    n    -    -    smtpd

Line 35: Remove the “#” at the beginning of the line to uncomment it and enable SMTPS.

 -o smtpd_tls_wrappermode=yes

Line 36: Remove the “#” at the beginning of the line to uncomment it and enable SMTPS.

 -o smtpd_sasl_auth_enable=yes

Line 49: Remove the “#” at the beginning of the line to uncomment and enable SMTPS.

tlsmgr    unix    -    -    n    300    1    tlsmgr

Restart.

[root@www ~]# systemctl restart postfix

Open port TCP465.

Open TCP port 465 in your router settings. (Check the setting method according to your own environment.)

Port open test.

On the port open check site, enter the host name (mail.fedoraserver.jp) and the port number (465) and confirm that it is open.

Port open check site

Close TCP port 587.

Block TCP port 587 in your router settings. (Check the setting method according to your own environment.)

Port open test.

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-ssl.conf

Line 8: Change the setting to enable SSL connection.

ssl = yes

Line 14: Specify server certificate + intermediate certificate.

ssl_cert = </etc/letsencrypt/live/mail.fedoraserver.jp/fullchain.pem

Line 15: Specify the private key.

ssl_key = </etc/letsencrypt/live/mail.fedoraserver.jp/privkey.pem

Restart.

[root@www ~]# systemctl restart dovecot

Open port TCP995 or TCP993.

Open port TCP995 or TCP993 in your router settings. (Check the setting method according to your own environment.)

Port open test.

On the port open check site, enter the host name (mail.fedoraserver.jp) and the port number (995 or 993) and confirm that it is open.

Port open check site

Change email settings.

Launch Thunderbird, select your email address, and click “View settings for this account”.

View settings for this account
Click Server Settings and select SSL/TLS under Secure Connection.

Server settings
Click Outgoing (SMTP) Server, select your SMTP server, and click Edit.

Outgoing (SMTP) server

Enter “465” in “Port number”, select “SSL/TLS” in “Connection security”, and click “OK”.

Port number

Click OK.

Click “OK”

Integration with anti-virus software (ClamAV + Amavisd).

Install Amavisd and Clamav Server.

[root@www ~]# dnf -y install amavisd-new clamd perl-Digest-SHA1 perl-IO-stringy

Edit the file.

[root@www ~]# vi /etc/amavisd/amavisd.conf

Line 23: Set the domain name.

$mydomain = 'fedoraserver.jp';

Line 158: Remove the “#” at the beginning of the line to uncomment and set the mail server.

$myhostname = 'mail.fedoraserver.jp';

Lines 163, 164: Remove the “#” at the beginning of the line to uncomment it.

$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';

Edit the file.

[root@www ~]# vi /etc/clamd.d/scan.conf

Line 8: Add “#” at the beginning of the line to make it a comment.

#Example

Line 14: Remove the “#” at the beginning of the line to uncomment it.

LogFile /var/log/clamd.scan

Line 77: Remove the “#” at the beginning of the line to uncomment it.

PidFile /var/run/clamd.scan/clamd.pid

Line 81: Remove the “#” at the beginning of the line to uncomment it.

TemporaryDirectory /var/tmp

Line 96: Remove the “#” at the beginning of the line to uncomment it.

LocalSocket /var/run/clamd.scan/clamd.sock

Create the log file and set its owner.

[root@www ~]# touch /var/log/clamd.scan
[root@www ~]# chown clamscan. /var/log/clamd.scan

Set autostart.

[root@www ~]# systemctl enable --now clamd@scan amavisd

Edit the file.

[root@www ~]# vi /etc/postfix/main.cf

Append to the last line.

content_filter=smtp-amavis:[127.0.0.1]:10024

Edit the file.

[root@www ~]# vi /etc/postfix/master.cf

Append to the last line.

smtp-amavis unix -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -    n    -    -    smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

Restart.

[root@www ~]# systemctl restart postfix
