1. Installing the outgoing server (Postfix)
Postfix is an SMTP server for sending mail.
With SMTP-AUTH implemented in Postfix, the SMTP server can be used from outside relatively safely. Plain SMTP does not require an account name and password to send mail, so an unauthenticated server can be abused by malicious people to send spam; receiving mail (the POP server), by contrast, is normally authenticated.
With SMTP-AUTH, the users of the SMTP server can be restricted by checking the account name and password they present against those registered on the server.
Therefore, to be able to send mail from outside, we build a mail server with the SMTP-AUTH function.
To implement SMTP-AUTH, the following software was used:
cyrus-sasl-md5
cyrus-sasl-2.1.26-23
cyrus-sasl-devel-2.1.26-23
1.1 Installing Postfix
① Check that Postfix is installed, and register it to start automatically.
# rpm -qa | grep postfix
postfix-2.10.1-7.el7.x86_64
# systemctl enable postfix.service
② Installing Cyrus SASL
This package is essential for implementing SMTP-AUTH.
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-2.1.26-23.el7.x86_64.rpm
# rpm -Uvh cyrus-sasl-2.1.26-23.el7.x86_64.rpm
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm
# rpm -Uvh cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm
③ Installing cyrus-sasl-md5
This package handles the actual authentication processing for individual users.
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm
# rpm -Uvh cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm
④ Editing smtpd.conf
Configure SASL to use individual user names and passwords for SMTP authentication:
# vi /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: cram-md5 digest-md5 plain login
The Postfix mail storage format is changed from the shared spool directory format to the Maildir format for better access performance and security.
【New user support】
Make a Maildir-style mailbox be created automatically in the home directory whenever a new user is added:
# mkdir -p /etc/skel/Maildir/{new,cur,tmp}
# chmod -R 700 /etc/skel/Maildir/
# useradd -s /sbin/nologin exampleuser   ← Add the user (the /sbin/nologin shell disables remote login via SSH)
# passwd exampleuser
Changing password for user exampleuser.
New UNIX password:          ← Enter any password (this becomes the password for the receiving server installed later)
Retype new UNIX password:   ← Enter the password again to confirm
passwd: all authentication tokens updated successfully.
# echo "password" | saslpasswd2 -p -u <Domain Name> -c exampleuser   ← Register the password for SMTP authentication
exampleuser@<Domain Name>: userPassword   ← The entry registered in the SASL database
# chgrp postfix /etc/sasldb2
# chmod 640 /etc/sasldb2
# vi /etc/postfix/main.cf

Basic settings
# Specify the host name for myhostname
myhostname = mail.<Domain Name>
# Specify the domain name for mydomain
mydomain = <Domain Name>
# Remove the comment from myorigin
myorigin = $mydomain
# Limit inet_protocols to IPv4
inet_protocols = ipv4
# The default (inet_interfaces = localhost) only listens locally: comment it out
# and remove the comment from the entry that allows receiving mail from outside
#inet_interfaces = localhost
# Change the mydestination setting
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Reject mail addressed to non-existent users
unknown_local_recipient_reject_code = 550
# Change mynetworks to match your environment (the server's local IP networks)
mynetworks = 127.0.0.0/8,192.168.0.0/24,10.0.0.0/8

Mail storage format
home_mailbox = Maildir/
# Remove the comment from relay_domains
relay_domains = $mydestination
# Remove the comment from header_checks
header_checks = regexp:/etc/postfix/header_checks

Hide the name of the mail server software
smtpd_banner = $myhostname ESMTP unknown

SMTP authentication settings (add at the end of the file)
# Use SMTP authentication with SASL
smtpd_sasl_auth_enable = yes
# Prevent unencrypted passwords from flowing over the network:
# noanonymous = do not allow anonymous login, noplaintext = do not allow plaintext authentication
smtpd_sasl_security_options = noanonymous, noplaintext
# Support clients that do not recognize the AUTH command (add this if you use Outlook Express)
broken_sasl_auth_clients = yes
# Specify the local domain for SMTP authentication
smtpd_sasl_local_domain = $mydomain
# Set which connections are allowed to relay
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
※ permit_mynetworks: relaying is allowed from the networks listed in mynetworks
※ permit_sasl_authenticated: connections that passed SMTP-AUTH are allowed to relay
※ reject_unauth_destination: connections that did not pass SMTP-AUTH are refused relaying
# Maximum size of incoming mail (20 MB)
message_size_limit = 20971520
Write the setting to open the submission port 587 in master.cf.
# vi /etc/postfix/master.cf

Remove the comments from the following lines
submission inet n       -       n       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# systemctl start postfix.service
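As an added check (example code, not from the original page), a small Python script that parses main.cf syntax, continuation lines included, and flags the SMTP-AUTH settings from this section that would leave the server an open relay, weaken authentication, or advertise the server software. The GOOD and WEAK fragments are constructed samples, not the page's own files.

```python
# Added example, not from the original page: check the SMTP-AUTH settings this
# section puts in main.cf. Postfix "key = value" syntax is parsed, including
# continuation lines that begin with whitespace. GOOD/WEAK are constructed samples.
import re

def parse_main_cf(text):
    """Return {key: value}; a line starting with whitespace continues the previous value."""
    settings, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last:
            settings[last] += " " + line.strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            last = key.strip()
            settings[last] = value.strip()
    return settings

def check_smtp_auth(settings):
    """Return a list of findings; an empty list means the settings match this guide."""
    words = lambda key: [w for w in re.split(r"[\s,]+", settings.get(key, "")) if w]
    findings = []
    if settings.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    opts = words("smtpd_sasl_security_options")
    findings += [f"smtpd_sasl_security_options lacks {o}" for o in ("noanonymous", "noplaintext") if o not in opts]
    restr = words("smtpd_recipient_restrictions")
    if "reject_unauth_destination" not in restr:
        findings.append("no reject_unauth_destination: open relay")
    elif "permit_sasl_authenticated" in restr and restr.index("permit_sasl_authenticated") > restr.index("reject_unauth_destination"):
        findings.append("permit_sasl_authenticated after reject_unauth_destination: authenticated users cannot relay")
    # Postfix's default banner is "$myhostname ESMTP $mail_name", which names the software
    banner = settings.get("smtpd_banner", "$myhostname ESMTP $mail_name")
    if "$mail_name" in banner or "$mail_version" in banner:
        findings.append("smtpd_banner reveals the server software")
    return findings

# Constructed samples: GOOD follows this guide, WEAK leaves relaying open
GOOD = """smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_banner = $myhostname ESMTP unknown
"""
WEAK = """smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
"""
```

Run `check_smtp_auth(parse_main_cf(open("/etc/postfix/main.cf").read()))` on the server to test the real file; an empty list means no findings.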
2. Installing the receiving server (Dovecot)
2.1 Installing Dovecot
① Download and install
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/dovecot-2.2.36-3.el7.x86_64.rpm
# rpm -Uvh dovecot-2.2.36-3.el7.x86_64.rpm
② Download and install the dependent package
# wget http://mirror.centos.org/centos/7/os/x86_64/Packages/clucene-core-2.3.3.4-11.el7.x86_64.rpm
# rpm -Uvh clucene-core-2.3.3.4-11.el7.x86_64.rpm
③ Editing the dovecot.conf file
# vi /etc/dovecot/dovecot.conf
Remove the comment from protocols and drop lmtp
# protocols = imap pop3 lmtp  →  protocols = imap pop3
mail_location = maildir:~/Maildir   ← Change the mail storage format to Maildir
disable_plaintext_auth = no         ← Allow plain text authentication
④ Editing the 10-ssl.conf file
The SSL configuration file is 10-ssl.conf in the directory /etc/dovecot/conf.d. Edit it as follows:
# vi /etc/dovecot/conf.d/10-ssl.conf
Enable SSL
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
# plain imap and pop3 are still allowed for local connections
# ssl = required
ssl = yes
⑤ Start Dovecot, apply the settings, and register it to start automatically
# systemctl start dovecot
# systemctl enable dovecot
3. Configuring the firewall to allow connections
3.1 Adding SMTP and POP3 to the allowed connection services
In the iptables.sh sample script from "Building a CentOS 7.6 Server: Initial Settings after OS Installation", check the following rules and remove the comment marks so that they take effect.
/sbin/iptables -A INPUT -p tcp --dport 25 -j LOG
/sbin/iptables -A INPUT -p tcp --sport 25 -j LOG
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 25 -j ACCEPT
# pop3
/sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --sport 110 -j ACCEPT
4. Mail client settings (using POP)
When using Thunderbird as the mail client:
Configure the mail account by choosing "File" ⇒ "New" ⇒ "Existing Mail Account" from the menu.
Check "I understand the risks involved in connecting" and click "Done".