[LINUX] Email Services - Postfix and Dovecot

Postfix#

program#

program    role
sendmail   sendmail-compatible interface for local submission
smtpd      receives mail from outside (the SMTP server process)
pickup     monitors the maildrop queue and handles locally submitted mail
cleanup    rewrites headers, places the mail in the incoming queue and notifies qmgr
qmgr       passes mail in the queue to the delivery programs
nqmgr      same as qmgr but with a different delivery algorithm
master     the daemon that controls all the others
bounce     bounce (non-delivery notification) processing

Configuration#

file name   role
main.cf     configuration file for the MTA itself
master.cf   configuration file for the various daemons that make up Postfix

main.cf##

main.cf


# Own host name
myhostname = mail.example.com

# Domain name
mydomain = example.com

# Domain appended to locally submitted addresses (user -> user@$myorigin)
myorigin = $mydomain

# Network interfaces to receive mail on (all = every interface)
inet_interfaces = all

# Limit to IPv4
inet_protocols = ipv4

# Domain names for local delivery (mail for these domains is accepted and delivered locally)
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# Addresses of SMTP clients that are allowed to relay
mynetworks = 192.168.1.0/24, 127.0.0.0/8

# Mail spool directory
mail_spool_directory = /var/spool/mail

# Local delivery program
mailbox_command = /var/bin/procmail

# Banner output by the SMTP server
smtpd_banner = $myhostname ESMTP $mail_name

- postconf: displays all settings. With the -n option, only the parameters that differ from their default values are displayed. If a parameter name is given, only that parameter is displayed.

Email relay

Relay: Relaying emails between MTAs

When an MTA receives mail addressed to another host, it must decide whether it is allowed to relay that mail.

- Basic policy:
  - Allow outbound mail from inside the LAN, where relaying should be permitted.
  - Accept mail addressed to your own domains.
  - Reject relaying of mail that comes from outside.

This is controlled by setting mydestination and mynetworks appropriately.
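As an added example (not from the original post), the following shell script checks a main.cf for the relay policy this section describes: the restriction list that decides relaying must contain reject_unauth_destination (or defer_unauth_destination), and no bare permit may come before it. The file name and sample contents are constructed; Postfix 2.10 and later also guard relaying with smtpd_relay_restrictions, which the check inspects first.

```shell
# get_param FILE NAME -> the parameter value, read the way Postfix reads it:
# the last definition wins and indented lines continue the previous one.
get_param() {
  awk -v name="$2" '
    /^[[:space:]]*#/ { next }                                # comment line
    /^[[:space:]]/   { if (found) val = val " " $0; next }   # continuation
    { found = 0 }
    $0 ~ ("^" name "[[:space:]]*=") {                        # "name = value"
      found = 1; val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
    }
    END { gsub(/[[:space:]]+/, " ", val); sub(/^ /, "", val); print val }
  ' "$1"
}

# check_relay_policy FILE -> prints "ok" or the problem; non-zero when risky.
# smtpd_relay_restrictions (Postfix >= 2.10) decides relaying when it is set;
# otherwise smtpd_recipient_restrictions is checked, which is decisive on
# older releases (newer ones fall back to a safe built-in default).
check_relay_policy() {
  list=$(get_param "$1" smtpd_relay_restrictions)
  [ -n "$list" ] || list=$(get_param "$1" smtpd_recipient_restrictions)
  guarded=0
  for r in $(printf '%s' "$list" | tr ',' ' '); do
    case "$r" in
      reject_unauth_destination|defer_unauth_destination) guarded=1 ;;
      permit)
        # an unconditional permit before the destination check relays for anyone
        [ "$guarded" -eq 1 ] || { echo "unconditional permit before unauth_destination check"; return 1; } ;;
    esac
  done
  [ "$guarded" -eq 1 ] || { echo "reject_unauth_destination missing: relay open to anyone"; return 1; }
  echo ok
}
```

Run it as `check_relay_policy /etc/postfix/main.cf` after editing and before `postfix reload`.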

Virtual domain

Virtual domain: Postfix can also handle mail for domains other than the domain name in its own configuration file. (Of course, the domain must have an MX record pointing at this host.)

main.cf


virtual_alias_domains = example.net
virtual_alias_maps = hash:/etc/postfix/virtual

In /etc/postfix/virtual, specify which local users the mail for each address is delivered to, rebuild the lookup table with postmap, and restart Postfix.

/etc/postfix/virtual


[email protected] postmaster
[email protected] info-net
# postmap /etc/postfix/virtual

postfix command

Subcommand  Explanation
check       Check the configuration file syntax
start       Start
stop        Stop
abort       Forced stop
reload      Reload the settings
flush       Resend the messages in the queue

nc command

You can test an SMTP connection by hand with the nc command. The commands used in the session are:

Command     Explanation
HELO host   Start an SMTP session
EHLO host   Extended HELO (ESMTP)
MAIL FROM:  Specify the sender of the email
RCPT TO:    Specify the recipient of the email
DATA        Start the body of the email
QUIT        End the SMTP session
VRFY user   Check whether a user exists
EXPN user   Expand a user alias

Email aliases and forwarding

/etc/aliases##

/etc/aliases


postmaster: taro,hanako

Besides user names, the destination can also be given in the following form. This example pipes the mail to a command's standard input.

/etc/aliases


linuc: |/home/linucuser/bin/mcheck

Run newaliases to apply the change.

.forward##

By creating a .forward file, mail sent to that user can be forwarded to any email address.

/home/linuc/.forward


[email protected]

SMTP authentication

Add the following settings to main.cf. (This example uses Dovecot for SMTP authentication.)

main.cf


# Delegate SASL authentication to Dovecot's auth socket (relative to the Postfix queue directory)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = $myhostname
# Do not offer anonymous authentication
smtpd_sasl_security_options = noanonymous
# Accept the non-standard AUTH syntax used by some older clients
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
# Authenticated clients and $mynetworks may relay; everyone else only to $mydestination
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

Since the authentication type is dovecot, edit the Dovecot configuration files as well.

/etc/dovecot/conf.d/10-master.conf


service auth {
  # Postfix smtp-auth: the socket Postfix's smtpd_sasl_path points at
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

/etc/dovecot/conf.d/10-auth.conf


auth_mechanisms = plain login

SMTP over SSL/TLS#

The concern with SMTP authentication is that PLAIN and LOGIN send the password essentially in the clear, so anyone who can see the connection can read it. To protect them, introduce SSL/TLS (SMTPS).

main.cf


smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/share/ssl/certs/mail.toritonssl.com.cert
smtpd_tls_key_file = /usr/share/ssl/private/mail.toritonssl.com.key

master.cf


smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Connect to Postfix on the local host with telnet (port 25), send EHLO, and if "STARTTLS" appears in the list of extensions in the reply, the TLS setup is working.
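The same check, scripted with nc instead of telnet, as an added example that is not part of the original post. It performs the EHLO step of the SMTP session described earlier and inspects the extension list; the host name in the EHLO and the sample reply in the comments are constructed, and nc is assumed to accept -w for a timeout (GNU, BSD and nmap ncat all do).

```shell
# fetch_ehlo HOST PORT -> prints the raw server dialogue (greeting + EHLO reply)
fetch_ehlo() {
  printf 'EHLO check.example.test\r\nQUIT\r\n' | nc -w 5 "$1" "$2" 2>/dev/null
}

# ehlo_advertises EXT  <- dialogue on stdin
# Succeeds only when an extension line "250-EXT" or "250 EXT" is present
# (a trailing CR from the wire counts as whitespace).
ehlo_advertises() {
  grep -qiE "^250[- ]$1([[:space:]]|$)"
}

# check_smtp_security HOST PORT -> one line per check; non-zero if STARTTLS is missing
check_smtp_security() {
  reply=$(fetch_ehlo "$1" "$2")
  rc=0
  if printf '%s\n' "$reply" | ehlo_advertises STARTTLS; then
    echo "ok: STARTTLS offered"
  else
    echo "fail: STARTTLS not offered"; rc=1
  fi
  # AUTH advertised before STARTTLS means a client may send its password unencrypted
  if printf '%s\n' "$reply" | ehlo_advertises AUTH; then
    echo "warn: AUTH offered on the cleartext connection (consider smtpd_tls_auth_only = yes)"
  else
    echo "ok: AUTH not offered before STARTTLS"
  fi
  return $rc
}

# Typical use:  check_smtp_security localhost 25
```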

Mail queue

Mail queue  Explanation
maildrop    Mail submitted locally, waiting to be picked up
incoming    Mail that has been received and is being queued
active      Mail scheduled for delivery but not yet delivered
deferred    Mail whose delivery failed; it is held and retried for a while

- Check the mail queue: mailq (or postqueue -p).
- Send the mail in the queue immediately: postqueue -f (or postfix flush).
- Delete mail from the queue: postsuper -d <queue ID> (postsuper -d ALL removes everything).

log#

Postfix logs through syslog, so the log is saved in /var/log/messages (or /var/log/maillog where the mail facility is written to its own file, as it is later on this page).
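Added example, not part of the original post: a small triage over the mail log in Postfix's syslog format, counting failed SASL logins per client IP and refused relay attempts, which is what you would watch after enabling SMTP authentication. The log lines are constructed samples (documentation address ranges), not output from a real server, and only IPv4 client addresses are extracted.

```shell
# Constructed sample of Postfix syslog lines (not from a real server)
SAMPLE_MAILLOG='Dec  6 11:52:03 mail postfix/smtpd[2231]: connect from unknown[192.0.2.10]
Dec  6 11:52:04 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec  6 11:52:05 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
Dec  6 11:52:06 mail postfix/smtpd[2231]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
Dec  6 11:53:10 mail postfix/smtpd[2240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 454 4.7.1 <someone@example.org>: Relay access denied; from=<x@example.net> to=<someone@example.org> proto=ESMTP helo=<x>
Dec  6 11:54:00 mail postfix/smtpd[2244]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Dec  6 11:55:01 mail postfix/smtpd[2250]: Anonymous TLS connection established from unknown[203.0.113.9]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'

# sasl_failures_by_ip  <- log on stdin; prints "COUNT IP", busiest client first.
# The IPv4 address is taken from the "host[a.b.c.d]" client field; the
# "[pid]" after the process name has no dots and is therefore not matched.
sasl_failures_by_ip() {
  awk '/SASL [A-Z-]+ authentication failed/ && match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/) {
         ip = substr($0, RSTART + 1, RLENGTH - 2); n[ip]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# relay_denied_count  <- log on stdin; number of relay attempts Postfix refused
relay_denied_count() {
  grep -c 'Relay access denied' || true
}

# flag_bruteforce THRESHOLD  <- log on stdin; prints client IPs with >= THRESHOLD failures
flag_bruteforce() {
  sasl_failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Typical use on the live log:  flag_bruteforce 10 < /var/log/maillog
```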

Dovecot#

Setting files#

Setting file            Explanation
dovecot.conf            Main configuration file
conf.d/10-auth.conf     User authentication
conf.d/10-logging.conf  Logging
conf.d/10-mail.conf     Mail location and delivery format
conf.d/10-master.conf   Services and listeners (basic operation)
conf.d/10-ssl.conf      SSL/TLS
conf.d/15-lda.conf      Local delivery agent
conf.d/20-imap.conf     IMAP
conf.d/20-pop3.conf     POP3

dovecot.conf##

protocol  port number
POP3      110
IMAP      143
POP3S     995
IMAPS     993

dovecot.conf


protocols = imap pop3
# Dovecot 2.x no longer accepts "imaps"/"pop3s" here: the SSL ports are enabled
# with ssl = yes and the imaps/pop3s inet_listener entries in 10-master.conf.

10-auth.conf##

Authentication mechanism  Explanation
plain                     Plaintext user authentication (RFC 4616)
login                     Plaintext user authentication (no standard specification)
cram-md5                  Challenge-response user authentication (RFC 2195)

10-auth.conf


auth_mechanisms = plain login

10-mail.conf##

Specify the mail delivery location and delivery format.

10-mail.conf


mail_location = maildir:~/Maildir

10-ssl.conf##

10-ssl.conf


ssl = yes

doveconf#

doveconf: display the current setting values (doveconf -n shows only non-default ones).

doveadm#

Subcommand  Explanation
reload      Reload the settings
stop        Stop
log find    Show the log file paths
log test    Generate test log messages
pw          Generate a password hash

Setting Example#

1. Create A record and MX record

First, create an A record and an MX record. I like AWS services, so I use Route 53. The domain was registered with Freenom, where it can be obtained for free, and the NS records are already registered.

- Host name: mail.naata-swh.tk
- IP address: *.*.*.*
- Priority: 10

Just in case, check with dig.

# dig naata-swh.tk mx

2. Remove restrictions on sending emails on AWS

This time the mail server is built on EC2. Because outbound SMTP on port 25 is restricted on AWS as an anti-spam measure, you have to apply to have the sending restriction lifted. For the application procedure, refer to the AWS knowledge base article "How do I remove the port 25 restriction from my EC2 instance?" (https://aws.amazon.com/jp/premiumsupport/knowledge-center/ec2-port-25-throttle/).

3. Security group settings

Open the following port to be used for mail.

The certificate uses free Let's Encrypt. Open the following ports to use for certificate renewal.

4. Postfix settings

Postfix is installed by default on Amazon Linux 2, so all you have to do is install the packages required for SMTP authentication.

# yum install cyrus-sasl
# systemctl start saslauthd
# systemctl enable saslauthd

Update main.cf. The parameters are explained earlier on this page, and plenty of explanations come up if you search, so I will omit them here.

/etc/postfix/main.cf


myhostname = mail.naata-swh.tk
mydomain = naata-swh.tk
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mynetworks = 10.0.0.0/16, 127.0.0.0/8
home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP unknown

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

Check that the settings are correct, and if there are no problems, start postfix.

# postfix check
# systemctl restart postfix 

5. Create local user

# useradd testuser01
# passwd testuser01

# useradd testuser02
# passwd testuser02

5. Test##

Amazon Linux does not provide the mail command by default, so install it.

# yum install mailx

Try sending an email from the testuser01 user to the testuser02 user.

mail [email protected]
Subject: test
test

Check that testuser02 has received the email.

# ls -la /home/testuser02/Maildir/new/
total 4
drwx------ 2 testuser02 testuser02  62 Dec  6 11:52 .
drwx------ 5 testuser02 testuser02  39 Dec  6 11:52 ..
-rw------- 1 testuser02 testuser02 537 Dec  6 11:52 1607255523.Vca01I8066e8M374256.mail.naata-swh.tk

6. Get a certificate with Let's Encrypt

Obtain a certificate by referring to the following page: "The story of stumbling when trying to use Let's Encrypt on Amazon Linux 2".

Python and pip are required. Python was already installed, so only pip is installed.

# yum install python-pip

Get certbot-auto and set permissions.

# cd /usr/local/bin
# wget https://dl.eff.org/certbot-auto
# chmod 700 certbot-auto

Fix certbot-auto.

certbot-auto


elif [ -f /etc/issue ] && grep -iq "Amazon Linux" /etc/issue ; then

Change the line above so that it reads as follows (this also detects Amazon Linux 2 via /etc/os-release):

elif grep -i "Amazon Linux" /etc/issue > /dev/null 2>&1 || \
  grep 'cpe:.*:amazon_linux:2' /etc/os-release > /dev/null 2>&1; then

Use the modified certbot-auto to get the certificate.

# ./certbot-auto certonly --standalone \
-d mail.naata-swh.tk \
-m [email protected] \
--agree-tos -n

FATAL: Amazon Linux support is very experimental at present...
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script
again with --no-bootstrap.

It failed, so I checked it in debug mode; some packages were missing, so after installing them I obtained the certificate again.

# ./certbot-auto --debug

# ./certbot-auto certonly --standalone \
-d mail.naata-swh.tk \
-m [email protected] \
--agree-tos -n

The certificate files are placed as follows:

/etc/letsencrypt/live/mail.naata-swh.tk/


# ls -ls
total 4
0 lrwxrwxrwx 1 root root  41 Dec  7 04:10 cert.pem -> ../../archive/mail.naata-swh.tk/cert1.pem
0 lrwxrwxrwx 1 root root  42 Dec  7 04:10 chain.pem -> ../../archive/mail.naata-swh.tk/chain1.pem
0 lrwxrwxrwx 1 root root  46 Dec  7 04:10 fullchain.pem -> ../../archive/mail.naata-swh.tk/fullchain1.pem
0 lrwxrwxrwx 1 root root  44 Dec  7 04:10 privkey.pem -> ../../archive/mail.naata-swh.tk/privkey1.pem
4 -rw-r--r-- 1 root root 692 Dec  7 04:10 README

7. SSL/TLS settings

Update the SMTP authentication settings in main.cf (authentication is delegated to Dovecot through smtpd_sasl_type = dovecot) and enable TLS with the Let's Encrypt certificate.

main.cf


message_size_limit = 20971520

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.naata-swh.tk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.naata-swh.tk/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s

Uncomment the required settings in master.cf (the submission and smtps services and their options).

master.cf


# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Start saslauthd, enable it at boot, and restart Postfix.

# systemctl start saslauthd
# systemctl enable saslauthd
# systemctl restart postfix

8. Dovecot settings

First, install Dovecot.

# yum install -y dovecot

Set the protocol to be used.

dovecot.conf


protocols = imap pop3

Set the port and authentication listener.

10-master.conf


# Disable the plaintext ports (port = 0) and serve only the SSL ports
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

# Authentication socket used by Postfix (smtpd_sasl_path = private/auth)
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0666
    user = postfix
    group = postfix
  }
}

Set the authentication method.

10-auth.conf


disable_plaintext_auth = no

auth_mechanisms = plain login

Enable SSL/TLS and specify the certificate/private key.

10-ssl.conf


ssl = yes

ssl_cert = </etc/letsencrypt/live/mail.hogehoge.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.hogehoge.com/privkey.pem

Specify the location of the mailbox.

10-mail.conf


mail_location = maildir:~/Maildir

Create a directory for the log and change the log destination.

# mkdir /var/log/dovecot

10-logging.conf


log_path = /var/log/dovecot/dovecot.log

Start Dovecot and enable it at boot.

# systemctl start dovecot
# systemctl enable dovecot

9. Log rotation settings

Create a log directory for Postfix.

# mkdir /var/log/mail

Change the rsyslog settings so that the mail facility is written to its own file.

/etc/rsyslog.conf


mail.*                                                  -/var/log/mail/maillog

Restart the syslog service and delete the old, now unused log files.

# systemctl restart rsyslog
# rm -f /var/log/maillog* 

Remove the mail log from the rsyslog log rotation.

/etc/logrotate.d/syslog


/var/log/maillog    <- delete this line

Create a Postfix log rotation.

/etc/logrotate.d/maillog


/var/log/mail/maillog {
    daily
    missingok
    dateext
    rotate 60
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Create a log rotation for Dovecot as well.

/etc/logrotate.d/dovecot


/var/log/dovecot/dovecot.log {
    daily
    missingok
    dateext
    rotate 60
    sharedscripts
    postrotate
        /bin/kill -USR1 `cat /var/run/dovecot/master.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

Check if log rotation is performed.

# logrotate -dv /etc/logrotate.d/maillog
# logrotate -dv /etc/logrotate.d/dovecot

So that new users automatically get a Maildir-format mailbox, add it to the skeleton directory.

# sudo mkdir -p /etc/skel/Maildir/{new,cur,tmp}
# sudo chmod -R 700 /etc/skel/Maildir/

Renew the Let's Encrypt certificate automatically on the 1st of every month with cron; the deploy hook restarts Postfix and Dovecot only when a certificate was actually renewed.

/etc/cron.d/letsencrypt


00 05 01 * * root /usr/local/bin/certbot-auto renew -q --no-self-upgrade --deploy-hook "service postfix restart && service dovecot restart"

10. Test 2#

Create a user.

# useradd -s /sbin/nologin testuser
# passwd testuser

Configure your mail client with the following information.

- Email address: [email protected]
- Password: the password you set
- Incoming server: IMAPS mail.naata-swh.tk 993
- Outgoing server: SMTPS mail.naata-swh.tk 465

Test sending to your own Gmail.


Link#

I tried to deliver mail to a local user with Postfix on Amazon Linux 2
