I built a mail server on a VPS (CentOS 8.3). These are my notes on the steps for setting up Postfix and Dovecot. Postfix is the service that sends and receives mail, and Dovecot is the service that hands mail to client PCs. In the examples below the server name is mail.kankeri.com.
Postfix uses SASL for SMTP authentication. There are several SASL implementations; the widely used cyrus-sasl is installed here. SASL also supports various authentication mechanisms; the one selected in the initial state is PAM authentication. PAM authenticates against UNIX user accounts and passwords and is also what the login and su commands use.
For sending and relaying mail, SMTP (port 25) and SMTP submission (port 587) are used, both with STARTTLS. STARTTLS starts the session in plain text and upgrades it to an encrypted one when the peer supports it. SMTPS (port 465), i.e. implicit SSL/TLS, is not used this time. Mail clients send on port 587 rather than port 25 as a countermeasure against OP25B (outbound port 25 blocking by ISPs).
For receiving mail, IMAP (port 143) and POP3 (port 110) are used, again with STARTTLS; IMAPS (port 993) and POP3S (port 995), i.e. implicit SSL/TLS, are not used this time. When a client retrieves mail from the server, IMAP leaves the messages on the server while POP3 does not. Dovecot is configured so that either IMAP or POP3 can be selected and used.
- cyrus-sasl setup
- Create mailbox
- DNS record settings
- Installing Postfix and Dovecot
- Postfix: main.cf settings
- Postfix: master.cf settings
- Dovecot settings
- Service startup and firewall settings
- Confirmation of sending and receiving from a mail client (Thunderbird)
Install cyrus-sasl. Use saslauthd for SMTP authentication with PAM as the mechanism; these are the default settings. Authentication uses the users and passwords registered in /etc/passwd. Besides PAM there is an option called sasldb, which is not used this time; sasldb registers and manages users and passwords independently of /etc/passwd. With a small number of users PAM is enough; with a large number of users you would probably choose sasldb. This time the default, saslauthd + PAM, is used.
$ yum install cyrus-sasl cyrus-sasl-plain
$ saslauthd -v   # the mechanism list must include pam
saslauthd 2.1.27
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform
$ vi /etc/sasl2/smtpd.conf
# must be saslauthd
pwcheck_method: saslauthd
# must be plain login
mech_list: plain login
$ vi /etc/sysconfig/saslauthd
# must be pam
MECH=pam
$ systemctl start saslauthd
$ systemctl enable saslauthd
Since PAM authentication is used, create a mailbox for each UNIX user account: a Maildir under the home directory of every existing user, plus a skeleton so that future users get one automatically. Also, mail addressed to a non-existent user should be discarded rather than bounced to the sender, so add an unknown_user alias to /etc/aliases.
# For example, for the existing user taconana
$ su - taconana
$ mkdir -p Maildir/{new,cur,tmp}
$ chmod -R 700 Maildir
# Set up a skeleton for future users
$ su -
$ mkdir -p /etc/skel/Maildir/{new,cur,tmp}
$ chmod -R 700 /etc/skel/Maildir/
# Handle mail addressed to non-existent users
$ vi /etc/aliases
unknown_user: /dev/null
Both sending mail (SMTP) and receiving mail (IMAP/POP3) use mail.kankeri.com on the VPS this time. On the web page of the DNS provider you are using, set the DNS records for mail.kankeri.com as follows.
Then confirm that the name resolves, using the ping or nslookup command.
$ su -
$ nslookup mail.kankeri.com
Install Postfix and Dovecot, and make postfix the system MTA (Mail Transfer Agent). Sendmail may be selected as the MTA, so check and change it just in case.
$ yum install postfix
$ postconf | grep version
mail_version = 3.3.1
$ yum install dovecot
$ dovecot --version
2.3.8 (9df20d2db)
$ alternatives --config mta
There is 1 program that provides 'mta'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/sbin/sendmail.postfix

Enter to keep the current selection[+], or type selection number: 1
Edit /etc/postfix/main.cf as follows. After editing, check the result with postconf -n.
$ vi /etc/postfix/main.cf
myhostname = mail.kankeri.com
mydomain = kankeri.com
myorigin = $mydomain
inet_interfaces = all
#inet_interfaces = localhost
#inet_protocols = all
# IPv4 only
inet_protocols = ipv4
#local_recipient_maps = unix:passwd.byname $alias_maps
local_recipient_maps =
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
mynetworks = 127.0.0.0/8, 10.0.0.0/24
home_mailbox = Maildir/
luser_relay = unknown_user@localhost
smtpd_banner = $myhostname ESMTP
# TLS CONFIGURATION
#smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/kankeri.com/fullchain.pem
#smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_key_file = /etc/letsencrypt/live/kankeri.com/privkey.pem
smtpd_tls_security_level = may
#smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CApath =
#smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CAfile =
smtp_tls_security_level = may
# Add the following at the end
message_size_limit = 10485760
mailbox_size_limit = 1073741824
# SMTP-AUTH setting
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, permit_sasl_authenticated, reject
# SSL/TLS settings
smtpd_use_tls = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Check the changed parameters
$ postconf -n
Edit /etc/postfix/master.cf as follows: enable the submission service and turn on SASL authentication for it (smtpd_sasl_auth_enable = yes). The plain smtp service on port 25 stays enabled as well. SMTPS is not used this time, so leave it commented out.
$ vi /etc/postfix/master.cf
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
Edit Dovecot's configuration file.
$ vi /etc/dovecot/dovecot.conf
#listen = *, ::
# IPv4 only
listen = *
$ vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes
disable_plaintext_auth = no
auth_mechanisms = plain login
$ vi /etc/dovecot/conf.d/10-mail.conf
mail_location = maildir:~/Maildir
$ vi /etc/dovecot/conf.d/10-master.conf
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
$ vi /etc/dovecot/conf.d/10-ssl.conf
ssl = required
#ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
#ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_cert = </etc/letsencrypt/live/kankeri.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/kankeri.com/privkey.pem
ssl_protocols = !SSLv2 !SSLv3
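Three of the settings above decide whether relaying and passwords are safe. smtpd_recipient_restrictions must reject mail for domains this host is not responsible for (the active list ends with reject_unauth_destination, the commented-out variant with reject; either closes the open relay). AUTH on port 587 should only be offered inside TLS: the commented-out `-o smtpd_tls_security_level=encrypt` in master.cf, or `smtpd_tls_auth_only = yes` in main.cf, enforces that; with it commented out and `smtpd_tls_security_level = may`, a client that skips STARTTLS can send its password in clear. On the Dovecot side, `disable_plaintext_auth = no` is only acceptable because `ssl = required` forces TLS before any IMAP/POP3 login. Note also that `smtpd_sasl_type = dovecot` means Postfix hands SMTP AUTH to Dovecot's socket at private/auth rather than to saslauthd. The following shell script is an added example and not part of the original post: it parses constructed copies of the four files with awk and reports each check, returning the number of failures. The function names, the layout of the files under one directory and the sample contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: an offline audit of the relay and
# authentication settings shown above. It reads copies of main.cf, master.cf,
# 10-auth.conf and 10-ssl.conf with awk, so it runs without Postfix or Dovecot.

# Value of "key = value" in a Postfix or Dovecot file. The last definition wins,
# as in Postfix, and lines starting with # are ignored (both daemons ignore them).
conf_get() {  # conf_get <file> <key>
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("^" key "[[:space:]]*=") { sub(/^[^=]*=[[:space:]]*/, ""); val = $0 }
        END { print val }' "$1"
}

# The "-o name=value" overrides that master.cf attaches to one service.
master_opts() {  # master_opts <master.cf> <service>
    awk -v svc="$2" '
        /^[[:space:]]*#/ { next }
        /^[^[:space:]]/ { inside = ($1 == svc); next }
        inside && $1 == "-o" { print $2 }' "$1"
}

# Run the checks against the files in <dir>; print one line per check and
# return the number of failures.
audit_mail_conf() {  # audit_mail_conf <dir>
    d="$1"; fails=0

    # 1. Relay control: the restriction list must reject mail for domains this
    #    host is not responsible for, otherwise the server is an open relay.
    case "$(conf_get "$d/main.cf" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*|*reject) echo "ok   relay: unauthorised destinations rejected" ;;
        *) echo "FAIL relay: add reject_unauth_destination"; fails=$((fails + 1)) ;;
    esac

    # 2. AUTH on the submission port only inside TLS: either the service forces
    #    smtpd_tls_security_level=encrypt or main.cf sets smtpd_tls_auth_only=yes.
    case "$(master_opts "$d/master.cf" submission)" in
        *smtpd_tls_security_level=encrypt*) tls_first=yes ;;
        *) tls_first=$(conf_get "$d/main.cf" smtpd_tls_auth_only) ;;
    esac
    if [ "$tls_first" = yes ]; then echo "ok   submission: AUTH offered only after STARTTLS"
    else echo "FAIL submission: a client can send its password in clear"; fails=$((fails + 1)); fi

    # 3. Dovecot: disable_plaintext_auth=no is acceptable only with ssl=required,
    #    which forces TLS before any IMAP/POP3 login.
    if [ "$(conf_get "$d/10-auth.conf" disable_plaintext_auth)" = no ] &&
       [ "$(conf_get "$d/10-ssl.conf" ssl)" != required ]; then
        echo "FAIL dovecot: plaintext logins allowed without ssl=required"; fails=$((fails + 1))
    else echo "ok   dovecot: logins are protected by TLS"; fi

    # 4. Legacy SSLv2/SSLv3 must be excluded on the Postfix server side.
    case "$(conf_get "$d/main.cf" smtpd_tls_protocols)" in
        *'!SSLv2'*'!SSLv3'*) echo "ok   tls: SSLv2/SSLv3 disabled" ;;
        *) echo "FAIL tls: exclude SSLv2 and SSLv3"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed copies of the post's settings (only the audited keys). The
# "hardened" variant enables the encrypt override that the post leaves commented.
write_samples() {  # write_samples <dir> [hardened]
    mkdir -p "$1"
    cat > "$1/main.cf" <<'EOF'
myhostname = mail.kankeri.com
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_protocols = !SSLv2, !SSLv3
EOF
    if [ "$2" = hardened ]; then enc="  -o smtpd_tls_security_level=encrypt"
    else enc="# -o smtpd_tls_security_level=encrypt"; fi
    cat > "$1/master.cf" <<EOF
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
$enc
  -o smtpd_sasl_auth_enable=yes
EOF
    printf 'disable_plaintext_auth = no\nauth_mechanisms = plain login\n' > "$1/10-auth.conf"
    printf 'ssl = required\nssl_protocols = !SSLv2 !SSLv3\n' > "$1/10-ssl.conf"
}

# Demo: the settings as posted give one finding (AUTH possible before STARTTLS
# on port 587); the hardened variant gives none.
tmp=$(mktemp -d)
for variant in as-posted hardened; do
    echo "== $variant =="
    write_samples "$tmp/$variant" "$variant"
    audit_mail_conf "$tmp/$variant" || echo "   $? finding(s)"
done
rm -rf "$tmp"
```

To run it against a real host, point audit_mail_conf at a directory containing copies of /etc/postfix/main.cf, /etc/postfix/master.cf and the two Dovecot files; the parser only understands the flat "key = value" form used in the post, not multi-line continuations or Dovecot's nested blocks.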
Start the Postfix and Dovecot services and enable them at boot. Also open smtp (port 25), smtp-submission (port 587), pop3 (port 110) and imap (port 143) in the firewall.
# Start and enable the services
$ systemctl start postfix
$ systemctl enable postfix
$ systemctl start dovecot
$ systemctl enable dovecot
# Firewall settings
$ firewall-cmd --add-service={smtp,smtp-submission,pop3,imap} --permanent
$ firewall-cmd --reload
$ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http https imap mysql pop3 smtp smtp-submission ssh vnc-server
ports: 8080/tcp 8443/tcp 8009/tcp
protocols:
As an example, check with Thunderbird as the mail client on a Windows PC. When you create an account and enter an email address (for example, your address at kankeri.com), the mail server (mail.kankeri.com) is detected automatically, and Thunderbird determines IMAP/POP3, the port number, STARTTLS or SSL/TLS, and whether password authentication is used.
- Incoming server: mail.kankeri.com, POP3, port 110, STARTTLS, normal password authentication
- Outgoing server: mail.kankeri.com, SMTP, port 587, STARTTLS, normal password authentication
Test sending and receiving. With STARTTLS, the first time you send a message you get "Unable to communicate securely with peer: requested domain name does not match the server's certificate. Please review your settings for mail.kankeri.com". Check that the outgoing server is set to port 587 with STARTTLS and try again. When the "Add Security Exception" dialog appears, tick "Permanently store this exception" and click "Confirm Security Exception". When the password prompt appears, enter the password and save it.
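The warning above means the name the client connected to (mail.kankeri.com) is not among the names the certificate was issued for; the certificate configured above lives under /etc/letsencrypt/live/kankeri.com/. Rather than storing a permanent security exception, which teaches users to click through the very warning that would reveal a spoofed server, a defender checks whether the certificate's Subject Alternative Names cover the hostname clients use and, if not, has it reissued for that name. The following shell script is an added example, not part of the original post: it generates a throwaway self-signed certificate with chosen SANs (constructed test data), checks a hostname against them, and includes a helper that fetches a live server's certificate over STARTTLS with openssl s_client for the same check. The function names, hostnames and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a certificate's
# Subject Alternative Names cover the hostname mail clients connect to.

# Exit 0 if <hostname> matches a DNS SAN of <cert.pem> (exact, or *.parent).
cert_covers_host() {  # cert_covers_host <cert.pem> <hostname>
    openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk -v host="$2" '
        /X509v3 Subject Alternative Name/ {
            getline                                  # the names are on the next line
            n = split($0, ent, ",")
            for (i = 1; i <= n; i++) {
                e = ent[i]; gsub(/[[:space:]]/, "", e)
                if (substr(e, 1, 4) != "DNS:") continue
                name = substr(e, 5)
                if (name == host) found = 1
                else if (substr(name, 1, 2) == "*.") {
                    parent = host; sub(/^[^.]*\./, "", parent)   # drop the first label
                    if (parent != host && substr(name, 3) == parent) found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Fetch the certificate a server presents after STARTTLS (proto: smtp, imap or
# pop3) and save it as PEM, so cert_covers_host can be run against the live
# service. Not executed in the demo below; it needs network access.
starttls_cert() {  # starttls_cert <host> <port> <proto> <out.pem>
    openssl s_client -starttls "$3" -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM > "$4"
}

# Constructed test data: a throwaway self-signed certificate with the given SANs.
make_test_cert() {  # make_test_cert <dir> <san-list such as DNS:a,DNS:b>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kankeri.com" \
        -addext "subjectAltName=$2" -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Demo: a certificate issued for kankeri.com alone does not cover mail.kankeri.com,
# which is exactly the situation behind the Thunderbird warning.
tmp=$(mktemp -d)
make_test_cert "$tmp" "DNS:kankeri.com"
for h in kankeri.com mail.kankeri.com; do
    if cert_covers_host "$tmp/cert.pem" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
rm -rf "$tmp"
# Against the real server (needs network):
#   starttls_cert mail.kankeri.com 587 smtp live.pem && cert_covers_host live.pem mail.kankeri.com
```

The same starttls_cert call with port 143 and proto imap, or port 110 and proto pop3, checks the certificate Dovecot presents; all three services above use the same fullchain.pem, so one name mismatch affects sending and receiving alike.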
That's all.