Fedora 36: Mail server settings


Postfix settings.

Allow external web access.

[root@www ~]# vi /etc/httpd/conf.d/virtualhost-00-fedoraserver.jp.conf
<VirtualHost *:80>
    ServerName fedoraserver.jp
    DocumentRoot /var/www/html
    ServerAlias mail.fedoraserver.jp
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www.fedoraserver.jp
    RewriteRule ^(.*)$ http://fedoraserver.jp/$1 [R=301,L]
</VirtualHost>

Install Postfix.

[root@www ~]# dnf install postfix

Configure Postfix.

[root@www ~]# vi /etc/postfix/main.cf

Line 96: Specify the mail server host name.

myhostname = mail.fedoraserver.jp

Line 103: Specify the domain name.

mydomain = fedoraserver.jp

Line 119: Specify the domain name used in the sender’s email address.

myorigin = $mydomain

Line 135: Change the setting so that Postfix listens on all interfaces and can receive mail from outside.

inet_interfaces = all

Line 183: Change the setting so that mail for the domain is accepted for local delivery.

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

Line 439: Set the mail storage format to Maildir.

home_mailbox = Maildir/

Line 593: Hide the mail server software name in the SMTP banner.

smtpd_banner = $myhostname ESMTP unknown

Add the SMTP authentication settings to the last line.

smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

Add a setting to the last line to limit the size of incoming mail to 10MB (10*1024*1024 bytes).

message_size_limit = 10485760

Edit the file.

[root@www ~]# vi /etc/postfix/master.cf

Line 19: Remove the “#” at the beginning of the line to uncomment it and enable the submission service.

submission inet n    -    n    -    -    smtpd

Line 22: Remove the “#” at the beginning of the line to uncomment it and enable SMTP authentication on the submission service.

 -o smtpd_sasl_auth_enable=yes


SMTP authentication settings.

Install cyrus-sasl.

[root@www ~]# dnf install cyrus-sasl cyrus-sasl-plain

Start it up.

[root@www ~]# systemctl start saslauthd

Enable automatic start.

[root@www ~]# systemctl enable saslauthd


Creation of Maildir format mailboxes.

Set to automatically create a Maildir format mailbox when adding a new user.

[root@www ~]# mkdir -p /etc/skel/Maildir/{new,cur,tmp}

Set the mailbox permissions.

[root@www ~]# chmod -R 700 /etc/skel/Maildir/

Start it up.

[root@www ~]# systemctl restart postfix

Install the tool used to convert existing users’ mailboxes to Maildir format. (It is downloaded from a third-party site and later executed as root, so review the script before running it.)

[root@www ~]# wget https://rcg.jp/perfect_maildir/perfect_maildir.pl -O /usr/local/bin/perfect_maildir.pl
[root@www ~]# chmod +x /usr/local/bin/perfect_maildir.pl

Install Perl’s TimeDate module, which is required for the Maildir conversion.

[root@www ~]# dnf -y install perl-TimeDate

Stop Postfix.

[root@www ~]# systemctl stop postfix

Create the Maildir bulk conversion script.

[root@www ~]# vi migrate-maildir.sh
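#!/bin/bash
#
# Maildir batch conversion script
#
# Mailbox => Maildir format conversion script
# http://perfectmaildir.home-dn.net/
#
# Usage: migrate-maildir.sh {mbox|Mailbox}
#   mbox    - convert each user's system spool file /var/spool/mail/<user>
#   Mailbox - convert each user's home-directory mailbox <home>/Mailbox
#
# Run as root: it creates <home>/Maildir/ for every user under /home and
# for root, converts the source mailbox into it with perfect_maildir.pl,
# and prints the converter's output at the end.
set -u

# Converter: reads an mbox on stdin and writes into the Maildir given as $1
FOLDERCONVERT=/usr/local/bin/perfect_maildir.pl

# Print usage and exit non-zero so a caller can detect the bad invocation
# (the original exited 0 here, which hides the error from scripts/cron).
usage() {
  echo "Usage: migrate-maildir.sh {mbox|Mailbox}" >&2
  exit 1
}

# Argument (conversion source mailbox format) check
format=${1-}
if [ "$format" != "mbox" ] && [ "$format" != "Mailbox" ]; then
  usage
fi

# Converter log. A fixed, predictable /tmp name written by root can be
# pre-created or symlinked by another local user; mktemp avoids that race.
MIGRATELOG=$(mktemp /tmp/migrate-maildir.XXXXXX) || exit 1
trap 'rm -f -- "$MIGRATELOG"' EXIT

# migrate_user USER HOME
#   Converts USER's mailbox (location chosen by $format) into HOME/Maildir/.
#   Users without a source mailbox file are skipped silently.
#   Returns non-zero only if the Maildir directories cannot be created.
migrate_user() {
  user=$1
  userhome=$2
  if [ "$format" = "mbox" ]; then
    inbox="/var/spool/mail/${user}"
  else
    inbox="${userhome}/Mailbox"
  fi
  [ -f "$inbox" ] || return 0

  newdir="${userhome}/Maildir/"
  mkdir -p -- "$newdir/cur" "$newdir/new" "$newdir/tmp" || return 1
  chmod -R 700 -- "$newdir"
  "$FOLDERCONVERT" "$newdir" < "$inbox" >> "$MIGRATELOG" 2>&1
  # "user:" (empty group) means the user's login group; the "user." spelling
  # used before is a deprecated GNU extension.
  chown -R -- "${user}:" "$newdir"
  # The original line lacked the -exec terminator; '+' batches the chmods.
  find "$newdir" -type f -exec chmod 600 {} +
}

# Migrate general user mailboxes: one directory per user under /home
# (globbing replaces parsing `ls`, which breaks on unusual names).
for home in /home/*/; do
  [ -d "$home" ] || continue   # no match leaves the literal pattern
  home=${home%/}
  migrate_user "${home##*/}" "$home"
done

# root user mailbox migration
migrate_user root /root

# Show whatever the converter reported; the EXIT trap removes the log.
[ -s "$MIGRATELOG" ] && cat -- "$MIGRATELOG"
exit 0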

Run the bulk conversion script.

[root@www ~]# sh migrate-maildir.sh mbox

Remove the Maildir bulk conversion script.

[root@www ~]# rm -f migrate-maildir.sh

Remove the Maildir conversion tool.

[root@www ~]# rm -f /usr/local/bin/perfect_maildir.pl

Start it up.

[root@www ~]# systemctl restart postfix

Edit “/etc/aliases” if you want to use the webmaster user for mail.

[root@www ~]# vi /etc/aliases

Add “#” at the beginning of the line to disable forwarding of webmaster’s mail to root.

#webmaster: root

Apply the alias settings.

[root@www ~]# newaliases


Open TCP ports 25 and 587.

Open TCP25 and TCP587 ports in your router settings. (Check the setting method according to your own environment.)

Port open test.

On the port check site, confirm that “Host name (fedoraserver.jp)” and “Port number (25, 587)” are open.

Port check site

OP25B measures for mail servers.

As a countermeasure against OP25B (outbound port 25 blocking by the ISP), configure the mail server to relay outgoing mail via Gmail.

Configure Postfix.

Configure Postfix.

[root@www ~]# vi /etc/postfix/main.cf

Add the following to the last line.

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = plain

Set your SMTP credentials. (Replace the placeholders with your Gmail address and password. Because the password is passed on the command line, it is also recorded in the root shell history; clear it afterwards.)

[root@www ~]# echo [smtp.gmail.com]:587 your-gmail-address:your-gmail-password > /etc/postfix/sasl_passwd

Change the permission so that the file cannot be read by anyone other than root. (Mode 640 still lets the owning group read it; 600 restricts it to root alone. Apply the same permission to the “.db” file that postmap creates in the next step.)

[root@www ~]# chmod 640 /etc/postfix/sasl_passwd

Create the lookup table (database) of SMTP authentication information.

[root@www ~]# postmap /etc/postfix/sasl_passwd

Reload Postfix.

[root@www ~]# systemctl reload postfix


Forward mail addressed to root (using free mail).

Forward mail to root.

[root@www ~]# vi /etc/aliases

Append to the last line.

# Person who should get root's mail
#root: marc
root: forwarding-email-address

Apply the alias settings.

[root@www ~]# newaliases


Email sending test.

Send test mail to root.

[root@www ~]# echo test|sendmail root


Email forwarding settings for Gmail.

First, configure Thunderbird’s Gmail (outgoing email) settings.

Thunderbird Gmail (outgoing mail) settings

Launch Thunderbird, open “Check blocked logins” for your outgoing email address, and click “Allow access to less secure apps”. (Google has been retiring this option; if it is not offered for your account, an app password can be used instead.)

Gmail mail forwarding settings

Log in to Gmail in your browser.

Log in to Gmail

Right-click the user icon in the upper right corner → “Manage Google Account” → “Security” → enable “Less secure app access”.

Enable access for less secure apps

Confirm receipt of mail addressed to root.

First, set up Thunderbird’s Gmail account (the forwarding destination).

Thunderbird Gmail (forwarding mail) settings

Confirm receipt at the forwarding email address for root in Thunderbird (Gmail).

Install Dovecot.

Install Dovecot.

[root@www ~]# dnf -y install dovecot

Edit the file.

[root@www ~]# vi /etc/dovecot/dovecot.conf

Line 24: Remove the “#” at the beginning of the line to uncomment it.

protocols = imap pop3 lmtp submission

Line 30: Remove the “#” at the beginning of the line to uncomment it, and change the setting to listen on IPv4 only (disable IPv6).

listen = *

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-mail.conf

Line 31: Set the mail storage format to Maildir.

mail_location = maildir:~/Maildir

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-auth.conf

Line 11: Allow plaintext authentication. (This lets passwords be sent unencrypted. Once SSL is enabled later in this guide, consider setting this back to “yes” so plaintext authentication is only accepted over an encrypted connection.)

disable_plaintext_auth = no

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-ssl.conf

Line 8: Disable the SSL connection for now. (It is re-enabled with the server certificate in the SSL settings section below.)

ssl = no

Start it up.

[root@www ~]# systemctl start dovecot

Enable automatic start.

[root@www ~]# systemctl enable dovecot


Open TCP port 110 or 143.

On the port check site, confirm that “Host name (fedoraserver.jp)” and “Port number (110 or 143)” are open.

Port check site

Adding mail users.

Add users. (User example: fedora)

[root@www ~]# useradd fedora

Set the user’s password.

[root@www ~]# passwd fedora
Changing password for user fedora.
New UNIX password:
Retype new UNIX password:


Edit “/etc/ssh/sshd_config” to allow password authentication (so the new user can log in before public key authentication is set up). Password logins are exposed to guessing attacks, so set it back to “no” once key-based login works.

Edit sshd_config.

[root@www ~]# vi /etc/ssh/sshd_config

Line 65: Change from “no” to “yes”.

PasswordAuthentication yes

Restart SSH.

[root@www ~]# systemctl restart sshd

Make a new connection with TeraTerm as the fedora user.

Set SSH server public key authentication method connection.

Setting up an SSH server public key authentication method connection

Check sendmail path.

Open a file.

[root@www ~]# vi /etc/postfix/main.cf

Line 665: Check the sendmail path.

sendmail_path = /usr/sbin/sendmail.postfix


Mail client setup.

Launch Thunderbird and click Mail.

Thunderbird

Enter your name, email address (fedora@fedoraserver.jp) and password, and click “Continue”.

Email address

Click “Manual Settings”.

Manual settings

Server hostname port number SSL Authentication method
Incoming server POP3 mail.fedoraserver.jp 110 No connection protection normal password authentication
Outgoing server SMTP mail.fedoraserver.jp 587 No connection protection normal password authentication

Refer to the table above to configure the settings, and then click “Finish”.

Finish

Select “I understand the risks of connecting” and click “Finish”.

I understand the risks of connecting

Obtaining a server certificate.

Install Certbot.

[root@www ~]# dnf -y install certbot

Obtain a certificate.

Document root: /var/www/html/

Email address: webmaster@fedoraserver.jp

Mail server name: mail.fedoraserver.jp

[root@www ~]# certbot certonly --webroot -w /var/www/html/ -m webmaster@fedoraserver.jp -d mail.fedoraserver.jp --agree-tos

Configure automatic certificate renewal.

[root@www ~]# vi /etc/cron.d/letsencrypt

Add the following. (Postfix and Dovecot also use this certificate, so they need to be reloaded after renewal as well, for example from the same post-hook; otherwise they keep serving the old certificate until restarted.)

00 16 * * 2 root /usr/bin/certbot renew --post-hook "service httpd restart"


SSL settings.

Edit the file.

[root@www ~]# vi /etc/postfix/main.cf

Add the following to the last line. (The protocol lines below exclude only SSLv2 and SSLv3; TLS 1.0 and 1.1 remain allowed unless they are excluded as well.)

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.fedoraserver.jp/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.fedoraserver.jp/privkey.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

Edit the file.

[root@www ~]# vi /etc/postfix/master.cf

Line 19: Add “#” at the beginning of the line to comment it out and disable the submission port.

#submission inet n    -    n    -    -    smtpd

Line 22: Add “#” at the beginning of the line to comment it out and disable SMTP authentication for the submission port.

#  -o smtpd_sasl_auth_enable=yes

Line 33: Remove the “#” at the beginning of the line to uncomment it and enable the SMTPS service.

smtps    inet n    -    n    -    -    smtpd

Line 35: Remove the “#” at the beginning of the line to uncomment it and enable TLS wrapper mode for SMTPS.

 -o smtpd_tls_wrappermode=yes

Line 36: Remove the “#” at the beginning of the line to uncomment it and enable SMTP authentication for SMTPS.

 -o smtpd_sasl_auth_enable=yes

Line 49: Remove the “#” at the beginning of the line to uncomment it and enable the TLS session manager (tlsmgr).

tlsmgr    unix    -    -    n    300    1    tlsmgr

Restart Postfix.

[root@www ~]# systemctl restart postfix


Open port TCP465.

Open TCP port 465 in your router settings. (Check the setting method according to your own environment.)

Port open test.

On the port check site, confirm that “Host name (mail.fedoraserver.jp)” and “Port number (465)” are open.

Port check site

Close TCP port 587.

Block TCP port 587 in your router settings. (Check the setting method according to your own environment.)

Port check (confirm that 587 is now closed).

Edit the file.

[root@www ~]# vi /etc/dovecot/conf.d/10-ssl.conf

Line 8: Change the setting to enable the SSL connection.

ssl = yes

Line 14: Specify the server certificate + intermediate certificate (full chain).

ssl_cert = </etc/letsencrypt/live/mail.fedoraserver.jp/fullchain.pem

Line 15: Specify the private key.

ssl_key = </etc/letsencrypt/live/mail.fedoraserver.jp/privkey.pem

Restart Dovecot.

[root@www ~]# systemctl restart dovecot


Open port TCP995 or TCP993.

Open port TCP995 or TCP993 in your router settings. (Check the setting method according to your own environment.)

Port open test.

On the port check site, confirm that “Host name (mail.fedoraserver.jp)” and “Port number (995 or 993)” are open.

Port check site

Change email settings.

Launch Thunderbird, select your email address, and click “View settings for this account”.
View settings for this account
Click “Server Settings” and select “SSL/TLS” under “Connection security”.
Server settings
Click “Outgoing Server (SMTP)”, select your SMTP server, and click “Edit”.

Outgoing (SMTP) server

Enter “465” in “Port number”, select “SSL/TLS” in “Connection security”, and click “OK”.

Port number

Click “OK”.

Click “OK”

Integration with anti-virus software (ClamAV + Amavisd).

Install Amavisd and Clamav Server.

[root@www ~]# dnf -y install amavisd-new clamd perl-Digest-SHA1 perl-IO-stringy

Edit the file.

[root@www ~]# vi /etc/amavisd/amavisd.conf

Line 23: Set the domain name.

$mydomain = 'fedoraserver.jp';

Line 158: Remove the “#” at the beginning of the line to uncomment it and set the mail server host name.

$myhostname = 'mail.fedoraserver.jp';

Lines 163, 164: Remove the “#” at the beginning of each line to uncomment them.

$notify_method = 'smtp:[127.0.0.1]:10025';
$forward_method = 'smtp:[127.0.0.1]:10025';

Edit the file.

[root@www ~]# vi /etc/clamd.d/scan.conf

Line 8: Add “#” at the beginning of the line to comment it out.

#Example

Line 14: Remove the “#” at the beginning of the line to uncomment it.

LogFile /var/log/clamd.scan

Line 77: Remove the “#” at the beginning of the line to uncomment it.

PidFile /var/run/clamd.scan/clamd.pid

Line 81: Remove the “#” at the beginning of the line to uncomment it.

TemporaryDirectory /var/tmp

Line 96: Remove the “#” at the beginning of the line to uncomment it.

LocalSocket /var/run/clamd.scan/clamd.sock

Create the log file and set its owner.

[root@www ~]# touch /var/log/clamd.scan
[root@www ~]# chown clamscan. /var/log/clamd.scan

Enable automatic start (and start the services now).

[root@www ~]# systemctl enable --now clamd@scan amavisd

Edit the file.

[root@www ~]# vi /etc/postfix/main.cf

Append to the last line.

content_filter=smtp-amavis:[127.0.0.1]:10024

Edit the file.

[root@www ~]# vi /etc/postfix/master.cf

Append to the last line.

smtp-amavis unix -    -    n    -    2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n    -    n    -    -    smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000

Restart Postfix.

[root@www ~]# systemctl restart postfix
