program | role |
---|---|
sendmail | sendmail-compatible interface (command-line mail submission) |
smtpd | SMTP server; receives mail from external clients |
pickup | Monitors the maildrop queue and handles locally submitted mail |
cleanup | Rewrites headers, puts the message in the incoming queue, and notifies qmgr |
qmgr | Passes mail in the queue to the delivery programs |
nqmgr | Same as qmgr but with a different delivery algorithm |
master | Daemon that supervises all the other Postfix daemons |
bounce | Bounce mail processing |
file name | role |
---|---|
main.cf | Main configuration file of the MTA |
master.cf | Configuration files for the various daemons that make up Postfix |
## main.cf

```
# Own host name
myhostname = mail.example.com
# Domain name
mydomain = example.com
# Domain appended to addresses that have none
myorigin = $mydomain
# Interfaces to listen on
inet_interfaces = all
# Limited to IPv4
inet_protocols = ipv4
# Domain names for local delivery (mail for these domains is accepted and delivered locally)
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Addresses of SMTP clients that are allowed to relay
mynetworks = 192.168.1.0/24, 127.0.0.0/8
# Mail spool directory
mail_spool_directory = /var/spool/mail
# Local delivery program
mailbox_command = /usr/bin/procmail
# Banner sent by smtpd
smtpd_banner = $myhostname ESMTP $mail_name
```
- **postconf**: displays all settings. With the **-n** option, only parameters that differ from their default values are displayed. If you give a parameter name, only that parameter is displayed.
Relay: relaying mail between MTAs
When the MTA receives mail addressed to another host, it has to decide whether to relay it.
- Basics
  - Allow outbound mail from the LAN where relaying should be permitted.
  - Accept inbound mail addressed to your own domains.
  - Reject relaying of mail that comes from outside.
Configure this with **mydestination** and **mynetworks**.
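As an added example (not code from the original article), the following Python script parses a constructed main.cf fragment in the style shown on this page and evaluates `smtpd_recipient_restrictions` left to right, the way smtpd does, so you can see which combinations of client network, SASL state and recipient domain are relayed and why `reject_unauth_destination` is the rule that closes the open relay. The configuration text, domains and client addresses are all constructed for the example.

```python
import ipaddress
import re

# Constructed main.cf fragment (not the article's file); indented lines
# continue the previous parameter, as in a real main.cf.
MAIN_CF = """\
myhostname = mail.example.com
mydomain = example.com
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8
virtual_alias_domains = example.net
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
"""

def expand(value, params):
    """Expand $name references recursively, as postconf does."""
    return re.sub(r"\$(\w+)", lambda m: expand(params.get(m.group(1), ""), params), value)

def parse_main_cf(text):
    """Return {parameter: expanded value} for 'name = value' lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()  # continuation line
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return {k: expand(v, params) for k, v in params.items()}

def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def relay_decision(cfg, client_ip, sasl_authenticated, recipient):
    """Walk smtpd_recipient_restrictions in order; return 'permit' or 'reject'."""
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    client = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n, strict=False) for n in split_list(cfg.get("mynetworks", ""))]
    # Domains this server accepts mail for: mydestination plus virtual alias domains.
    own_domains = cfg.get("mydestination", "") + " " + cfg.get("virtual_alias_domains", "")
    own = {d.lower() for d in split_list(own_domains)}
    for rule in split_list(cfg.get("smtpd_recipient_restrictions", "")):
        if rule == "permit_mynetworks" and any(client in n for n in nets):
            return "permit"
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit"
        if rule == "reject_unauth_destination" and rcpt_domain not in own:
            return "reject"  # the rule that prevents an open relay
        if rule in ("permit", "reject"):
            return rule
    return "permit"  # Postfix's implicit default when the list is exhausted
```

Remove `reject_unauth_destination` from the restriction list and the same script shows an outside, unauthenticated client being allowed to relay to any domain, which is exactly the open-relay condition.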
Virtual domain: lets the server handle mail for domains other than the one named in the configuration file. (Of course, the domain also needs an MX record pointing here.)
main.cf
```
virtual_alias_domains = example.net
virtual_alias_maps = hash:/etc/postfix/virtual
```
In /etc/postfix/virtual you specify which local users the mail for those addresses should reach, build the lookup table with postmap, and restart Postfix.
/etc/postfix/virtual
```
[email protected] postmaster
[email protected] info-net
```
```
# postmap /etc/postfix/virtual
```
postfix subcommand | Explanation |
---|---|
check | Check the configuration file syntax |
start | Start |
stop | Stop |
abort | Forced stop |
reload | Reload settings |
flush | Resend messages in the queue |
You can test the connection using the nc command.
SMTP command | Explanation |
---|---|
HELO host | Start an SMTP session |
EHLO host | Extended HELO |
MAIL FROM: | Specify the sender of the mail |
RCPT TO: | Specify the recipient of the mail |
DATA | Start the body of the mail |
QUIT | End the SMTP session |
VRFY user | Verify a user |
EXPN user | Expand a user alias |
Postfix lets you turn off VRFY with disable_vrfy_command = yes, and its smtpd does not implement EXPN at all, so do not expect either to work against a hardened server.
## /etc/aliases
/etc/aliases
```
postmaster: taro,hanako
```
Besides user names, an alias can also be written in the following form. This example pipes the message to a program's standard input.
/etc/aliases
```
linuc: |/home/linucuser/bin/mcheck
```
Run **newaliases** to apply the changes.
## .forward
By creating a **.forward** file, mail sent to that user can be forwarded to any mail address.
/home/linuc/.forward
```
[email protected]
```
Add the following settings to main.cf. (This example uses Dovecot SASL for SMTP authentication; the server-side parameters start with smtpd_, not smtp_.)
main.cf
```
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
```
Since the authentication type is dovecot, edit the Dovecot configuration files.
/etc/dovecot/conf.d/10-master.conf
```
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
}
```
/etc/dovecot/conf.d/10-auth.conf
```
auth_mechanisms = plain login
```
# SMTP over SSL/TLS
With SMTP authentication, the concern is that **PLAIN** and **LOGIN** send the credentials without protection. In that case, introduce **SSL/TLS (SMTPS)**.
main.cf
```
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/share/ssl/certs/mail.toritonssl.com.cert
smtpd_tls_key_file = /usr/share/ssl/private/mail.toritonssl.com.key
```
master.cf
```
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```
Connect to Postfix on the local host with telnet, send EHLO, and if STARTTLS appears in the response it's OK.
Mail queue | Explanation |
---|---|
maildrop | Holds mail submitted locally (via the sendmail command) until pickup collects it |
incoming | Holds mail that has been accepted and is waiting for qmgr |
active | Holds mail that qmgr has taken up for delivery |
deferred | Holds mail whose delivery failed, to be retried later |
- Check the mail queue.
- Send the mail in the queue immediately.
- Delete mail from the queue.
Logs are saved in /var/log/messages.
Configuration file | Explanation |
---|---|
dovecot.conf | Main configuration file |
conf.d/10-auth.conf | User authentication |
conf.d/10-logging.conf | Logging |
conf.d/10-mail.conf | Mail delivery |
conf.d/10-master.conf | Basic operation (services and listeners) |
conf.d/10-ssl.conf | SSL/TLS |
conf.d/15-lda.conf | Local delivery |
conf.d/20-imap.conf | IMAP |
conf.d/20-pop3.conf | POP3 |
## dovecot.conf
protocol | port number |
---|---|
POP3 | 110 |
IMAP | 143 |
POP3S | 995 |
IMAPS | 993 |
dovecot.conf
```
# imaps/pop3s as protocol names are Dovecot 1.x syntax; Dovecot 2.x uses
# "protocols = imap pop3" and enables SSL per listener in 10-master.conf
protocols = imap imaps pop3 pop3s
```
## 10-auth.conf
Authentication mechanism | Explanation |
---|---|
plain | Plaintext user authentication (RFC 4616) |
login | Plaintext user authentication (no standard specification) |
cram-md5 | Challenge-response user authentication (RFC 2195) |
10-auth.conf
```
auth_mechanisms = plain login
```
## 10-mail.conf
Specify the mailbox location and delivery format.
10-mail.conf
```
mail_location = maildir:~/Maildir
```
## 10-ssl.conf
10-ssl.conf
```
ssl = yes
```
# doveconf
**doveconf**: displays the configuration values
# doveadm
Subcommand | Explanation |
---|---|
reload | Reload settings |
stop | Stop |
log find | Show the log file paths |
log test | Write test log messages |
pw | Generate a password hash |
First, create an **A record** and an **MX record**. I like AWS services, so I use Route 53. The domain is registered with Freenom, where one can be obtained for free, and the NS records are already registered.
- Host name: mail.naata-swh.tk
- IP address: *.*.*.*
- Priority: 10
Just in case, check with dig.
```
# dig naata-swh.tk mx
```
This time we will build the mail server on EC2. Because AWS restricts outbound SMTP as an anti-spam measure, you must apply to have the sending restriction lifted. For the application procedure, see the AWS Knowledge Center article below: How do I remove the port 25 restriction from my EC2 instance? (https://aws.amazon.com/jp/premiumsupport/knowledge-center/ec2-port-25-throttle/)
Open the following ports used for mail.
The certificate uses the free Let's Encrypt service. Open the following ports used for certificate renewal.
Postfix is installed by default on Amazon Linux 2, so all you have to do is install the packages required for SMTP authentication.
```
# yum install cyrus-sasl
# systemctl start saslauthd
# systemctl enable saslauthd
```
Update main.cf. The parameters are explained earlier on this page, and plenty of explanations come up if you search, so I omit them here.
/etc/postfix/main.cf
```
myhostname = mail.naata-swh.tk
mydomain = naata-swh.tk
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 10.0.0.0/16, 127.0.0.0/8
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP unknown
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
```
Check that the settings are correct, and if there are no problems, start Postfix.
```
# postfix check
# systemctl restart postfix
```
Create test users.
```
# useradd testuser01
# passwd testuser01
# useradd testuser02
# passwd testuser02
```
## 5. Test
Amazon Linux does not include the mail command by default, so install it.
```
# yum install mailx
```
Try sending a mail from testuser01 to testuser02.
```
mail [email protected]
Subject: test
test
```
Check that testuser02 has received the mail.
```
# ls -la /home/testuser02/Maildir/new/
total 4
drwx------ 2 testuser02 testuser02  62 Dec  6 11:52 .
drwx------ 5 testuser02 testuser02  39 Dec  6 11:52 ..
-rw------- 1 testuser02 testuser02 537 Dec  6 11:52 1607255523.Vca01I8066e8M374256.mail.naata-swh.tk
```
Obtain a certificate by referring to the following page: The story of how I stumbled trying to use Let's Encrypt on Amazon Linux 2
Python and pip seem to be required. Python was already installed, so only pip needs to be installed.
```
# yum install python-pip
```
Get certbot-auto and set its permissions.
```
# cd /usr/local/bin
# wget https://dl.eff.org/certbot-auto
# chmod 700 certbot-auto
```
Patch certbot-auto so that it recognises Amazon Linux 2.
certbot-auto
```
elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then
# Replace the line above with the two lines below:
elif grep -i "Amazon Linux" /etc/issue > /dev/null 2>&1 || \
     grep 'cpe:.*:amazon_linux:2' /etc/os-release > /dev/null 2>&1; then
```
Use the modified certbot-auto to request the certificate.
```
# ./certbot-auto certonly --standalone \
    -d mail.naata-swh.tk \
    -m [email protected] \
    --agree-tos -n
FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.
```
It failed, so I ran it in debug mode; it turned out some packages were missing, so after installing them I requested the certificate again.
```
# ./certbot-auto --debug
# ./certbot-auto certonly --standalone \
    -d mail.naata-swh.tk \
    -m [email protected] \
    --agree-tos -n
```
The required files are installed as follows:
/etc/letsencrypt/live/mail.naata-swh.tk/
```
# ls -ls
total 4
0 lrwxrwxrwx 1 root root  41 Dec  7 04:10 cert.pem -> ../../archive/mail.naata-swh.tk/cert1.pem
0 lrwxrwxrwx 1 root root  42 Dec  7 04:10 chain.pem -> ../../archive/mail.naata-swh.tk/chain1.pem
0 lrwxrwxrwx 1 root root  46 Dec  7 04:10 fullchain.pem -> ../../archive/mail.naata-swh.tk/fullchain1.pem
0 lrwxrwxrwx 1 root root  44 Dec  7 04:10 privkey.pem -> ../../archive/mail.naata-swh.tk/privkey1.pem
4 -rw-r--r-- 1 root root 692 Dec  7 04:10 README
```
Update the SMTP authentication and TLS settings in main.cf.
main.cf
```
message_size_limit = 20971520
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.naata-swh.tk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.naata-swh.tk/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
```
Uncomment the required settings in master.cf. Note that the -o continuation lines must be indented.
master.cf
```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
# mua_client_restrictions is not defined in main.cf above, so this expands to an empty list
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
```
Start saslauthd, enable it at boot, and restart Postfix.
```
# systemctl start saslauthd
# systemctl enable saslauthd
# systemctl restart postfix
```
Next, install Dovecot.
```
# yum install -y dovecot
```
Set the protocols to be used.
dovecot.conf
```
protocols = imap pop3
```
Set the ports and the authentication listener. The plaintext IMAP and POP3 listeners are disabled with port = 0, so clients can only connect over TLS.
10-master.conf
```
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
service auth {
  # socket that Postfix reaches through smtpd_sasl_path = private/auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}
```
Set the authentication mechanisms.
10-auth.conf
```
# plaintext mechanisms are acceptable here only because the non-TLS
# imap/pop3 listeners above are disabled (port = 0)
disable_plaintext_auth = no
auth_mechanisms = plain login
```
Enable SSL/TLS and specify the certificate and private key.
10-ssl.conf
```
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.hogehoge.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hogehoge.com/privkey.pem
```
Specify the location of the mailbox.
10-mail.conf
```
mail_location = maildir:~/Maildir
```
Create a directory for the log and change the log destination.
```
# mkdir /var/log/dovecot
```
10-logging.conf
```
log_path = /var/log/dovecot/dovecot.log
```
Start Dovecot and enable it at boot.
```
# systemctl start dovecot
# systemctl enable dovecot
```
Create a log directory for Postfix.
```
# mkdir /var/log/mail
```
Change the rsyslog settings.
/etc/rsyslog.conf
```
mail.*                                                  -/var/log/mail/maillog
```
Restart the syslog service and delete the logs that are no longer needed.
```
# systemctl restart rsyslog
# rm -f /var/log/maillog*
```
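With all mail logging now going to /var/log/mail/maillog, the following Python script is an added example (not part of the original article) of what a defender would run over that file: it counts SASL authentication failures and "Relay access denied" rejections per client IP, lists successful SASL logins, and flags clients that exceed a failure threshold. The log lines are constructed in the format Postfix smtpd writes; the addresses and user names are made up for the example.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd lines in maillog format (not real
# traffic); 203.0.113.0/24 is a documentation range, 10.0.1.20 lies inside
# the article's mynetworks (10.0.0.0/16).
SAMPLE_MAILLOG = """\
Dec  7 04:10:01 mail postfix/smtpd[2101]: connect from unknown[203.0.113.5]
Dec  7 04:10:02 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  7 04:10:03 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  7 04:10:04 mail postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Dec  7 04:10:05 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <someone@remote.example>: Relay access denied; from=<a@sender.example> to=<someone@remote.example> proto=ESMTP helo=<x>
Dec  7 04:11:11 mail postfix/smtpd[2102]: warning: ip-10-0-1-20[10.0.1.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec  7 04:11:30 mail postfix/smtpd[2102]: 3F2A1C0D4B: client=ip-10-0-1-20[10.0.1.20], sasl_method=LOGIN, sasl_username=testuser01
"""

# Patterns for the three smtpd events we care about.
AUTH_FAILED = re.compile(r"smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: SASL (\w+) authentication failed")
RELAY_DENIED = re.compile(r"NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]: \d{3} \S+ <[^>]*>: Relay access denied")
AUTH_OK = re.compile(r"client=\S+\[([\d.]+)\], sasl_method=\w+, sasl_username=(\S+)")

def summarize(log_text):
    """Count SASL failures and relay rejections per client IP; list successful logins."""
    failures, relay_denied, logins = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = AUTH_FAILED.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = RELAY_DENIED.search(line)
        if m:
            relay_denied[m.group(1)] += 1
            continue
        m = AUTH_OK.search(line)
        if m:
            logins.append((m.group(1), m.group(2)))
    return failures, relay_denied, logins

def suspicious_clients(failures, threshold=3):
    """Client IPs at or above the failure threshold (candidates for blocking)."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)
```

A single failure from a client inside mynetworks is a typo or a mis-configured mail client; repeated failures from an unknown outside host followed by a relay rejection are what a password-guessing bot looks like in this log.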
Remove maillog from the rsyslog log rotation.
/etc/logrotate.d/syslog
```
# /var/log/maillog    <- delete (or comment out) this line
```
Create a log rotation for the Postfix log.
/etc/logrotate.d/maillog
```
/var/log/mail/maillog {
    daily
    missingok
    dateext
    rotate 60
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```
Create a log rotation for Dovecot as well.
/etc/logrotate.d/dovecot
```
/var/log/dovecot/dovecot.log {
    daily
    missingok
    dateext
    rotate 60
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /var/run/dovecot/master.pid 2>/dev/null` 2> /dev/null || true
    endscript
}
```
Check that the log rotation works (dry run).
```
# logrotate -dv /etc/logrotate.d/maillog
# logrotate -dv /etc/logrotate.d/dovecot
```
When adding a new user, have the Maildir-format directories created automatically.
```
# sudo mkdir -p /etc/skel/Maildir/{new,cur,tmp}
# sudo chmod -R 700 /etc/skel/Maildir/
```
The Let's Encrypt certificate is renewed automatically at 05:00 on the 1st of every month.
/etc/cron.d/letsencrypt
```
00 05 01 * * root /usr/local/bin/certbot-auto renew -q --no-self-upgrade --deploy-hook "service postfix restart && service dovecot restart"
```
# 10. Test 2
Create a user.
```
# useradd -s /sbin/nologin testuser
# passwd testuser
```
Set the necessary information in your mail client.
- Email address: [email protected]
- Password: the password you set
- Receiving server: IMAPS mail.naata-swh.tk 993
- Outgoing server: SMTPS mail.naata-swh.tk 465
Test by sending a mail to your own Gmail address.