
CentOS 7.6: Mail Server Deployment

1. Install the outgoing server (Postfix)

Postfix is an SMTP server for sending mail.
Plain SMTP requires no account name or password to send mail, so an SMTP server reachable from outside can be abused by malicious people to send spam. (Receiving mail through the POP server, by contrast, is always authenticated.)
With SMTP-AUTH, the users of the SMTP server can be limited by checking the client's account name and password against the account name and password registered on the server, which makes it relatively safe to use the SMTP server from outside.
Therefore, to send mail from outside, we build a mailer with SMTP-AUTH.
To implement SMTP-AUTH, we use the following packages:
cyrus-sasl-md5
cyrus-sasl-2.1.26-23
cyrus-sasl-devel-2.1.26-23

1.1 Installing Postfix

①Check if Postfix is installed, and register it to start automatically.

# rpm -qa | grep postfix
postfix-2.10.1-7.el7.x86_64
# systemctl enable postfix.service

②Installing Cyrus SASL
This is an essential package for realizing SMTP-AUTH.

# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-2.1.26-23.el7.x86_64.rpm
# rpm -Uvh cyrus-sasl-2.1.26-23.el7.x86_64.rpm
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm
# rpm -Uvh cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm

③Installing cyrus-sasl-md5
This package is responsible for the individual authentication process.

# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm
# rpm -Uvh cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm

④Edit smtpd.conf
Configure SASL so that SMTP authentication checks individual user names and passwords stored in the sasldb database.

# vi /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: cram-md5 digest-md5 plain login

⑤Create Maildir-style mailboxes
Postfix mail storage is switched from the shared spool directory format to the Maildir format, which gives better access performance and security.

【New user support】
So that a Maildir-style mailbox is created automatically in the home directory whenever a new user is added, place a Maildir template in /etc/skel.
# mkdir -p /etc/skel/Maildir/{new,cur,tmp}
Permission settings
# chmod -R 700 /etc/skel/Maildir/ ← Mailbox permission settings (readable by the owner only)

⑥Create a user for mail and set a password (user: exampleuser, password: pass)

# useradd -s /sbin/nologin exampleuser ← Add the user; the nologin shell prevents interactive (SSH) logins with this account
# passwd exampleuser
Changing password for user exampleuser.
New UNIX password:  ← Any password (this will be the password for the receiving server installed later)
Retype new UNIX password:  ← Confirm the password
passwd: all authentication tokens updated successfully.

Only if you use individual user names and passwords for SMTP authentication, register the password in the SASL database (the realm given with -u must match smtpd_sasl_local_domain set below):
# echo "password" | saslpasswd2 -p -u Domain Name -c exampleuser ← Register the password for SMTP authentication (omit -p and the pipe to be prompted instead of leaving the password in the shell history)
# sasldblistusers2 ← Confirm the entry
exampleuser@Domain Name: userPassword

⑦Change /etc/sasldb2 ownership group to postfix

# chgrp postfix /etc/sasldb2
# chmod 640 /etc/sasldb2

⑧Edit the Postfix configuration file main.cf.
(Replace "Domain Name" with your own domain wherever it appears.)

# vi /etc/postfix/main.cf

Basic settings
# Specify the hostname in myhostname
myhostname = mail.Domain Name

# Specify the domain name in mydomain
mydomain = Domain Name

# Uncomment myorigin
myorigin = $mydomain

# Limit inet_protocols to IPv4 (the parameter is inet_protocols; "net_protocols" is not a Postfix setting and would be ignored)
inet_protocols = ipv4

# Comment out the localhost-only line and listen on all interfaces so that mail can be received from outside
#inet_interfaces = localhost
inet_interfaces = all

# Change mydestination
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

# Reject mail addressed to non-existent users
unknown_local_recipient_reject_code = 550

# Change mynetworks to match your environment (the server's local IP address ranges)
mynetworks = 127.0.0.0/8,192.168.0.0/24,10.0.0.0/8

# Mail storage format (Maildir)
home_mailbox = Maildir/

# Uncomment relay_domains
relay_domains = $mydestination

# Uncomment header_checks
header_checks = regexp:/etc/postfix/header_checks

# Hide the name of the mail server software
smtpd_banner = $myhostname ESMTP unknown

SMTP authentication settings (append at the end of the file)
# Use SMTP authentication with SASL
smtpd_sasl_auth_enable = yes

# Prevent unencrypted passwords from flowing over the network: noanonymous means "do not allow anonymous logins", noplaintext means "do not allow plaintext authentication mechanisms"
smtpd_sasl_security_options = noanonymous, noplaintext

# Support clients that do not recognize the AUTH command (add this if you use Outlook Express)
broken_sasl_auth_clients = yes

# Specify the local domain (SASL realm) for SMTP authentication
smtpd_sasl_local_domain = $mydomain

# Set which connections may relay; the list is evaluated in order:
#   permit_mynetworks: allow relaying from the networks listed in mynetworks
#   permit_sasl_authenticated: allow relaying for connections that passed SMTP-AUTH
#   reject_unauth_destination: reject relaying for everything else (connections that did not pass SMTP-AUTH)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Maximum size of incoming mail (20M = 20971520 bytes)
message_size_limit = 20971520

⑨Edit the Postfix configuration file master.cf
Enable the submission port (587) in master.cf.

# vi /etc/postfix/master.cf
...
Uncomment the following lines (shown in red in the original); after uncommenting they read:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

Note that smtpd_tls_security_level=encrypt makes STARTTLS mandatory on port 587, so Postfix needs a certificate and key configured (smtpd_tls_cert_file and smtpd_tls_key_file in main.cf), which this page does not cover. Also, noplaintext in smtpd_sasl_security_options carries over to TLS sessions by default, so set smtpd_sasl_tls_security_options = noanonymous if clients are to use the PLAIN or LOGIN mechanisms over the encrypted submission port.

Then, start Postfix.

# systemctl start postfix.service

2. Deploying the receiving server (Dovecot)

2.1 Install Dovecot

①Download and install

# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/dovecot-2.2.36-3.el7.x86_64.rpm
# rpm -Uvh dovecot-2.2.36-3.el7.x86_64.rpm

②Download and install dependent packages

# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/clucene-core-2.3.3.4-11.el7.x86_64.rpm
# rpm -Uvh clucene-core-2.3.3.4-11.el7.x86_64.rpm

③Edit the dovecot.conf file

# vi /etc/dovecot/dovecot.conf
...
Uncomment the protocols line and drop lmtp, which is not used:
# protocols = imap pop3 lmtp → protocols = imap pop3
Add the following:
mail_location = maildir:~/Maildir ← Store mail in the Maildir format
disable_plaintext_auth = no ← Allow plaintext authentication (on unencrypted connections the password then travels in the clear)

④Edit the 10-ssl.conf file
The SSL configuration file is 10-ssl.conf in the directory /etc/dovecot/conf.d. Change this file as follows.

# vi /etc/dovecot/conf.d/10-ssl.conf
...
Add the line shown in red (in the original) to use SSL:

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
ssl = required
ssl = yes

Dovecot uses the last assignment of a setting, so with both lines present the effective value is ssl = yes: TLS is offered but not required, which is what permits the unencrypted POP3 on port 110 used below. Keep only ssl = required if remote logins must use TLS.

⑤Start Dovecot and enable it at boot

# systemctl start dovecot
# systemctl enable dovecot
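As an added example that is not part of the original article, the script below checks after deployment that the main.cf settings from section 1 (inet_protocols, SASL authentication, the relay restrictions) and the ssl setting from this step are effective, resolving duplicate keys the way Postfix and Dovecot do (last assignment wins). The function names and the sample configuration files it writes are constructed for this example; point check_postfix and check_dovecot at the real files on your server.

```shell
# Added example, not from the original article: post-deployment check of the
# main.cf and 10-ssl.conf settings used on this page (sample files constructed inline).
# cfg_get FILE KEY -> effective value of KEY. Postfix and Dovecot both let the
# last assignment win and ignore commented-out lines; so does this (no continuation lines).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# check_postfix MAIN_CF -> 0 if the SMTP-AUTH and relay settings are intact.
check_postfix() {
    rc=0
    [ "$(cfg_get "$1" inet_protocols)" = ipv4 ] ||
        { echo "inet_protocols is not ipv4 (misspelled as net_protocols?)"; rc=1; }
    [ "$(cfg_get "$1" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "smtpd_sasl_auth_enable is not yes"; rc=1; }
    case "$(cfg_get "$1" smtpd_sasl_security_options)" in
        *noanonymous*) ;; *) echo "noanonymous missing from SASL options"; rc=1 ;;
    esac
    # Without reject_unauth_destination the server relays for anyone.
    case "$(cfg_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "open relay: reject_unauth_destination is missing"; rc=1 ;;
    esac
    return $rc
}

# check_dovecot CONF -> 0 only when TLS is enforced for remote logins.
check_dovecot() {
    ssl=$(cfg_get "$1" ssl)
    [ "$ssl" = required ] && return 0
    echo "dovecot: effective ssl=$ssl, unencrypted logins are possible"; return 1
}

# write_samples DIR: constructed samples. good.cf mirrors the page (typo fixed);
# bad.cf keeps the net_protocols typo and omits the SASL options and the relay check.
write_samples() {
    cat >"$1/good.cf" <<'EOF'
inet_protocols = ipv4
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
    printf 'net_protocols = ipv4\nsmtpd_sasl_auth_enable = yes\n' >"$1/bad.cf"
    printf 'ssl = required\nssl = yes\n' >"$1/10-ssl.conf"  # page sets both; last wins
}
dir=$(mktemp -d); write_samples "$dir"
check_postfix "$dir/good.cf" && echo "good.cf: ok"
check_postfix "$dir/bad.cf" || echo "bad.cf: FAIL"
check_dovecot "$dir/10-ssl.conf" || echo "10-ssl.conf: FAIL"; rm -rf "$dir"
```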

 

3. Configure connection permissions in the firewall

3.1 Add SMTP and POP3 to the allowed services

Check that the following lines are present and uncommented in the iptables shell-script sample from "Building a CentOS 7.6 Server: Initial Settings after OS Installation".

# SMTP
/sbin/iptables -A INPUT -p tcp --dport 25 -j LOG
/sbin/iptables -A INPUT -p tcp --sport 25 -j LOG
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 25 -j ACCEPT
# pop3
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 110 -j ACCEPT

Caveat: the --sport rules accept any inbound packet whose source port is 25 or 110 whatever its destination port, so they expose every local port to a remote host that happens to send from those source ports. Return traffic for connections the server opens itself is better matched statefully (-m state --state ESTABLISHED,RELATED) so that the --sport ACCEPT rules can be dropped.

4. Mail client settings (using POP)

When using Thunderbird as your mail client:
Configure the mail account by clicking "File" ⇒ "New" ⇒ "Existing Mail Account" in the menu.

Check "I understand the risks involved in connecting" and click "Done."
