Server Setup Notes-13

Mail server setup steps, which I quickly forget because I rarely get the chance to do them (^^ゞ
Build it with postfix/dovecot. The reason for choosing dovecot is that cyrus-imapd has already been removed from Fedora, so we will probably have to migrate to dovecot eventually anyway.

Postfix configuration. Only the active lines of /etc/postfix/main.cf, plus the useful comment lines.

# grep -v '^#' /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix

# Hostname
myhostname = mail.rio.st

# Domain
mydomain = rio.st

myorigin = $mydomain
inet_interfaces = all

# Domains to accept mail for
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, rio.tc

unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
mynetworks = 192.168.x.0/24, 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Select Maildir format
home_mailbox = Maildir/

# Hide the version banner
smtpd_banner = $myhostname ESMTP UNKNOWN

debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.3.3/samples
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
mailbox_size_limit = 204800000
message_size_limit = 102400000

#-----------------------------------------------------------------------------
# smtpd_sasl_auth_enable =  enable SMTP AUTH via SASL
#-----------------------------------------------------------------------------
smtpd_sasl_auth_enable = yes

#-----------------------------------------------------------------------------
# smtpd_sasl_local_domain = REALM used for local authentication.
#                           Use the same REALM given to saslpasswd2 (described later).
#-----------------------------------------------------------------------------
smtpd_sasl_local_domain = $myhostname

#-----------------------------------------------------------------------------
# broken_sasl_auth_clients = needed so that Outlook's LOGIN authentication works
#-----------------------------------------------------------------------------
broken_sasl_auth_clients = yes

#-----------------------------------------------------------------------------
# smtpd_recipient_restrictions = mail relay control (restrictions on recipients)
#-----------------------------------------------------------------------------
#   permit_mynetworks         - permit clients on the networks this server belongs to
#   permit_sasl_authenticated - permit clients that authenticated via SMTP AUTH
#   reject_unauth_destination - check whether the mail is addressed to one of the
#                               domains set in the following parameters; reject all others.
#                               $mydestination,
#                               $inet_interfaces,
#                               $virtual_alias_domains,
#                               $virtual_mailbox_domains,
#                               $relay_domains
smtpd_recipient_restrictions = permit_mynetworks
                               permit_sasl_authenticated
                               reject_unauth_destination

#-----------------------------------------------------------------------------
# S25R Rejection
#-----------------------------------------------------------------------------
smtpd_client_restrictions =
  permit_mynetworks,
  check_client_access regexp:/etc/postfix/white_list,
  check_client_access regexp:/etc/postfix/rejections

smtpd_helo_required = yes

smtpd_helo_restrictions =
  permit_mynetworks,
  reject_invalid_hostname,
  check_helo_access regexp:/etc/postfix/helo_restrictions

smtpd_sender_restrictions =
  permit_mynetworks,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain

For S25R rejection, add /etc/postfix/rejections and /etc/postfix/white_list.

# cat /etc/postfix/rejections
# S25R client rejection specifications for Postfix
# Contributed by ASAMI Hideo (Japan), Jun 2004; Jul 2007
# Refer to: http://www.gabacho-net.jp/en/anti-spam/
#
# To use this file, add following lines into the /etc/postfix/main.cf file:
#
# smtpd_client_restrictions =
#   permit_mynetworks,
#   check_client_access regexp:/etc/postfix/white_list
#   check_client_access regexp:/etc/postfix/rejections
#
# where "rejections" is the name of this file.
#
# *** BLACK LIST ***
#
# When you find a UCE sender's FQDN which is not rejected by the generic
# protection rules specified below, insert here a denial specification taking
# a leaf from the following practical examples. You should specify a subdomain
# name or a substring together with the domain name if possible so that you can
# avoid rejecting legitimate mail relay servers in the same domain.
#
# pr86.internetdsl.tpnet.pl
# fq217.neoplus.adsl.tpnet.pl
# pa148.braniewo.sdi.tpnet.pl
/\.(internetdsl|adsl|sdi)\.tpnet\.pl$/          450 domain check, be patient
#
# user-0cetcbr.cable.mindspring.com
# user-vc8fldi.biz.mindspring.com
/^user.+\.mindspring\.com$/                     450 domain check, be patient
#
# c9531ecc.virtua.com.br (hexadecimal used)
# c9066a60.static.spo.virtua.com.br (hexadecimal used)
/^[0-9a-f]{8}\.(.+\.)?virtua\.com\.br$/         450 domain check, be patient
#
# catv-5984bdee.catv.broadband.hu (hexadecimal used)
/\.catv\.broadband\.hu$/                        450 domain check, be patient
#
# Edc3e.e.pppool.de
# BAA1408.baa.pppool.de
/[0-9a-f]{4}\.[a-z]+\.pppool\.de$/              450 domain check, be patient
#
# pD9EB80CB.dip0.t-ipconnect.de (hexadecimal used)
/\.dip[0-9]+\.t-ipconnect\.de$/                 450 domain check, be patient
#
# pD9E799A1.dip.t-dialin.net (hexadecimal used)
/\.dip\.t-dialin\.net$/                         450 domain check, be patient
#
# ool-43511bdc.dyn.optonline.net (hexadecimal used)
/\.dyn\.optonline\.net$/                        450 domain check, be patient
#
# rt-dkz-1699.adsl.wanadoo.nl
# c3eea5738.cable.wanadoo.nl (hexadecimal used)
/\.(adsl|cable)\.wanadoo\.nl$/                  450 domain check, be patient
#
# ACBBD419.ipt.aol.com (hexadecimal used)
/\.ipt\.aol\.com$/                              450 domain check, be patient
#
# *** GENERIC PROTECTION ***
#
# [rule 0]
/^unknown$/                         450 reverse lookup failure, be patient
#
# [rule 1]
# ex: evrtwa1-ar3-4-65-157-048.evrtwa1.dsl-verizon.net
# ex: a12a190.neo.rr.com
/^[^.]*[0-9][^0-9.]+[0-9]/                      450 S25R check, be patient
#
# [rule 2]
# ex: pcp04083532pcs.levtwn01.pa.comcast.net
/^[^.]*[0-9]{5}/                                450 S25R check, be patient
#
# [rule 3]
# ex: 398pkj.cm.chello.no
# ex: host.101.169.23.62.rev.coltfrance.com
/^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/       450 S25R check, be patient
#
# [rule 4]
# ex: wbar9.chi1-4-11-085-222.dsl-verizon.net
/^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/                 450 S25R check, be patient
#
# [rule 5]
# ex: d5.GtokyoFL27.vectant.ne.jp
/^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./          450 S25R check, be patient
#
# [rule 6]
# ex: dhcp0339.vpm.resnet.group.upenn.edu
# ex: dialupM107.ptld.uswest.net
# ex: PPPbf708.tokyo-ip.dti.ne.jp
# ex: dsl411.rbh-brktel.pppoe.execulink.com
# ex: adsl-1415.camtel.net
# ex: xdsl-5790.lubin.dialog.net.pl
/^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]/    450 S25R check, be patient

# cat /etc/postfix/white_list
# S25R client permission specifications for Postfix
# Contributed by ASAMI Hideo (Japan), Jun 2004; Jul 2007
# Refer to: http://www.gabacho-net.jp/en/anti-spam/
#
# To use this file, add following lines into the /etc/postfix/main.cf file:
#
# smtpd_client_restrictions =
#   permit_mynetworks,
#   check_client_access regexp:/etc/postfix/white_list
#   check_client_access regexp:/etc/postfix/rejections
#
# where "white_list" is the name of this file.
#
# *** WHITE LIST ***
#
# When you find a legitimate mail relay server which is rejected by the
# rejection specification written in the /etc/postfix/rejections file, write
# down here a permission specification taking a leaf from the following
# examples.
#
#/^223-123-45-67\.example\.net$/                OK
#/^223\.123\.45\.67$/                           OK
#
#
# Practical examples:
#
# mc1-s3.bay6.hotmail.com, etc.
/\.hotmail\.com$/                               OK
#
# h04-a1.data-hotel.net, etc.
/\.data-hotel\.net$/                            OK
#
# web10902.mail.bbt.yahoo.co.jp
/\.yahoo\.co\.jp$/                              OK
#
# web35509.mail.mud.yahoo.com
/\.yahoo\.com$/                                 OK
#
# c151240.vh.plala.or.jp
/\.vh\.plala\.or\.jp$/                          OK
#
# n2.59-106-41-68.mixi.jp, etc.
/\.mixi\.jp$/                                   OK
#
# mta12.m2.home.ne.jp, etc.
/\.m2\.home\.ne\.jp$/                           OK
#
# mmrts006p01c.softbank.ne.jp, etc.
# tgmsmtkn01sc1.softbank.ne.jp, etc.
/\.softbank\.ne\.jp$/                           OK
#
# imt1omta04-s0.ezweb.ne.jp, etc.
/\.ezweb\.ne\.jp$/                              OK
#
# bay-w1-inf5.verisign.net
# benicia-w2-inf30.verisign.net
/\.verisign\.net$/                              OK

SASL configuration, needed to enforce SMTP AUTH.

# cat /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Postfix receives mail into a file named /var/spool/mail/<username>, after which it is stored in Maildir format under /var/spool/imap/*/user/<username>; change this so that mail goes into each user's home directory instead. Edit the skeleton directory.

# mkdir -p /etc/skel/Maildir/{new,cur,tmp}
# chmod -R 700 /etc/skel/Maildir/
# chcon -R system_u:object_r:etc_t:s0 /etc/skel/Maildir/

Configure dovecot (/etc/dovecot.conf). There are only a few users, so the system accounts are used as-is; add login to mechanisms.

# diff /etc/dovecot.conf /etc/dovecot.conf.orig
20c20
< protocols = imap
---
> #protocols = imap imaps pop3 pop3s
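Review bot: `protocols = imap` leaves only the port-143 listener and drops `imaps`, while the `795c794` hunk below sets `mechanisms = plain login`, both of which send the password in clear text; verify that `disable_plaintext_auth = yes` (Dovecot's default, which refuses plaintext auth on non-TLS, non-local connections) is still in effect and that a certificate is configured so STARTTLS is actually offered, or re-add `imaps`. These are the same system-account passwords that also grant SMTP AUTH, so an IMAP login exposed on the wire is a full account credential.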
214d213
< mail_location = maildir:~/Maildir
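Review bot: `mail_location = maildir:~/Maildir` has to agree with `home_mailbox = Maildir/` in main.cf and with the `/etc/skel/Maildir/{new,cur,tmp}` layout created above; if either side is changed later, delivered mail lands where IMAP does not look, with no error on either side. The `~` also means the userdb must supply a home directory for each account, which the passwd-based system accounts this page relies on do.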
231c230
< namespace private {
---
> #namespace private {
235c234
<    separator = "."
---
<    #separator =
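Review bot: the line after `---` in this hunk is prefixed `<`, but as in every other hunk the right-hand (.orig) side should be `>`; this looks like a transcription slip for `>    #separator =` rather than a real difference, and as written the hunk would not apply cleanly.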
239c238
<    prefix = "INBOX."
---
>    #prefix =
247c246
<    inbox = yes
---
>    #inbox = no
263c262
< }
---
> #}
795c794
<   mechanisms = plain login
---
>   mechanisms = plain

The dovecot shipped with RHEL5 apparently does not get along well with Apple Mail; even with INBOX set as the prefix it does not work properly, so download it from atrpms