Real Beat

[修正版][memo] postfix + dovecotでSMTP AUTH & IMAPなメールサーバを立ち上げる

はてなブックマーク - [修正版][memo] postfix + dovecotでSMTP AUTH & IMAPなメールサーバを立ち上げる
Posted on

[memo] postfix + dovecotでSMTP AUTH & IMAPなメールサーバを立ち上げるがあまり正しくないので修正版。

ssmtpの削除

Gentooではいきなりpostfixを入れようとしても、デフォルトでssmtpが入っていてblockされるのでssmtpを消すのが先決。

emerge -C ssmtp

postfixとdovecotのインストール

Gentooの基本だけど、emergeするときはemerge -pvでどんなフラグが有効になるか必ず確認。必要ないならpackage.useで外す。あとsaslが必要なのでこれは付けておく。あとなんでかわからないけどpostfixにsaslを付けるとついてくるcyrus-saslで、gdbmやcryptをUSEするとコンパイルに失敗したので外した。

emerge -pv postfix dovecot
echo "mmail-mta/postfix -mysql sasl" >> /etc/portage/package.use
echo "dev-libs/cyrus-sasl -mysql -java -gdbm -crypt" >> /etc/portage/package.use
emerge postfix dovecot

オレオレ認証局の作成

Gentooでの方法なので他のディストリではパスが違うようなので注意。

mkdir /etc/certs
chmod 700 /etc/certs 
cd /etc/certs
cp /etc/ssl/misc/CA.pl .
perl ./CA.pl -newca
CA certificate filename (or enter to create)
(ENTER)
Making CA certificate ...
Generating a 1024 bit RSA private key
..................................++++++
.......................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:(パスフレーズを入力)
Verifying - Enter PEM pass phrase:(同じパスフレーズをもう一度入力)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Private
Organizational Unit Name (eg, section) []:Private
Common Name (eg, YOUR name) []:nobu666.fam.cx
Email Address []:root@nobu666.fam.cx

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(ENTER)
An optional company name []:(ENTER)
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 (略)
Certificate is to be certified until Oct 28 06:15:58 2009 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

クライアント用CA証明書とサーバ用CA証明書を作成

cd /etc/certs/demoCA
openssl x509 -inform pem -in cacert.pem -outform der -out cacert.der 
openssl x509 -in ./cacert.pem -out ./cacert.crt

デジタル証明書のリクエストファイルを作成

cd /etc/certs
perl ./CA.pl -newreq-nodes
Generating a 1024 bit RSA private key
...++++++
...............................................................................................................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:nobu666.fam.cx
Organizational Unit Name (eg, section) []:Admin
Common Name (eg, YOUR name) []:nobu666.fam.cx
Email Address []:root@nobu666.fam.cx

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(ENTER)
An optional company name []:(ENTER)
Request is in newreq.pem, private key is in newkey.pem

リクエストファイルからX.509サーバ証明書の作成と署名

perl ./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ce:db:05:2a:6a:dc:75:17
        Validity
            Not Before: Oct 29 06:51:11 2006 GMT
            Not After : Oct 29 06:51:11 2007 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Kanagawa
            localityName              = Yokohama
            organizationName          = nobu666.fam.cx
            organizationalUnitName    = Admin
            commonName                = nobu666.fam.cx
            emailAddress              = root@nobu666.fam.cx
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:0E:46:62:02:FB:B6:A6:05:DC:DE:75:2E:2D:5A:29:5D:31:79:F8
            X509v3 Authority Key Identifier:
                keyid:A7:51:EC:0A:BD:B6:70:68:A5:01:ED:8E:76:1F:FE:0C:4D:B2:A0:19

Certificate is to be certified until Oct 29 06:51:11 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

openssl x509 -in newcert.pem -out server.crt

postfix用にシンボリックリンクを張る

ln -sf /etc/certs/server.crt /etc/ssl/postfix/server.crt
ln -sf /etc/certs/newkey.pem /etc/ssl/postfix/server.key

postfixの設定

vi /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = nobu666.fam.cx
mydomain = nobu666.fam.cx
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain, mail.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
mynetworks = 192.168.0.0/24, 127.0.0.0/8
relay_domains = $mydestination
alias_maps = hash:/etc/mail/aliases
alias_database = hash:/etc/mail/aliases
home_mailbox = .Maildir/

header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
mydestination = $myhostname, localhost.$mydomain, $myhostname.$mydomain, mail.$mydomain, localhost
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.2.10/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.2.10/readme
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_security_options = noanonymous
allow_mail_to_commands = alias,forward,include
message_size_limit = 1024000
smtpd_client_restrictions =
            permit_mynetworks,
            permit_sasl_authenticated,
            permit_auth_destination,
            reject

vi /etc/postfix/master.cf

submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject

saslの設定

vi /etc/sasl2/smtpd.conf

pwcheck_method: saslauthd

mkdir /var/state/saslauthd
chmod 700 /var/state/saslauthd
chown postfix /var/state/saslauthd

dovecotの設定

vi /etc/dovecot.conf

protocols = pop3 imap
ssl_disable = no
ssl_cert_file = /etc/ssl/postfix/server.crt
ssl_key_file = /etc/ssl/postfix/server.key
default_mail_env = maildir:%h/.Maildir

chmod 755 /var/run/dovecot
chmod 750 /var/run/dovecot/login

あとはデフォルトのまま。

クライアントの設定

まずはオレオレ認証局の証明書をクライアントに入れる必要がある(やらなくてもいいが警告が出るので…)。別にどうやってクライアントに渡してもOK。FTPとかSCPとかで適当に。メーラによって操作が違うがThunderbirdの場合は、ツール→オプション→プライバシー→セキュリティ→証明書を表示→認証局証明書→インポートと進んで、cacert.derを選択すればOK。あとはIMAPでアカウントを作って、受信は143番ポートでTLSを使うようにし、送信は587番ポートで同じくTLSを使うように設定する。送信テストするとユーザ名とパスワードが聞かれるので「パスワード無しで送信できないこと」「間違ったパスワードを入れて送信できないこと」「正しいパスワードを入れて送信できること」の3つを確認して終了。

comments powered by Disqus