Contents
1.Install outgoing server Postfix
Postfix is an SMTP server for sending mails.
If you implement SMTP-AUTH in Postfix, you can use the SMTP server from outside relatively safely. This is because normal SMTP does not require an account name and password when sending mails. This makes it possible for malicious people to abuse the system for spam purposes. When you receive mail (POP server), you are authenticated normally.
However, with SMTP-AUTH, the user of the SMTP server can be limited by checking the user’s account name and password against the account name and password registered in the server.
Therefore, in order to send mails from outside, we can build a mailer with SMTP-AUTH function.
To implement SMTP-AUTH, we used the following software.
cyrus-sasl-md5
cyrus-sasl-2.1.26-23
cyrus-sasl-devel-2.1.26-23
1.1 Installing Postfix
①Check if Postfix is installed, and register it to start automatically.
| # rpm -qa | grep postfix postfix-2.10.1-7.el7.x86_64# systemctl enable postfix.service |
②Installing Cyrus SASL
This is an essential package for realizing SMTP-AUTH.
| # wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-2.1.26-23.el7.x86_64.rpm # rpm -Uvh cyrus-sasl-2.1.26-23.el7.x86_64.rpm # wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm # rpm -Uvh cyrus-sasl-devel-2.1.26-23.el7.x86_64.rpm |
③Installing cyrus-sasl-md5
This package is responsible for the individual authentication process.
| # wget http://mirror.centos.org/centos/7/os/x86_64/Packages/cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm # rpm -Uvh cyrus-sasl-md5-2.1.26-23.el7.x86_64.rpm |
④Editing smtpd.conf
To use individual user names and passwords for SMTP authentication
| # vi /etc/sasl2/smtpd.conf pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: cram-md5 digest-md5 plain login |
⑤Create Maildir-style mailboxes
Postfix mail storage format will be moved from shared directory format to Maildir format for better access performance and security.
【New user support】
When a new user is added, a Maildir style mailbox will be created in the home directory automatically.
| Automatically create Maildir-style mailbox when adding a new user. # mkdir -p /etc/skel/Maildir/{new,cur,tmp} Permission settings # chmod -R 700 /etc/skel/Maildir/ ← Mailbox Permission Settings |
⑥Create a user for mail and set a password (user: exampleuser, password: pass)
| # useradd -s /sbin/nologin exampleuser ← Add user * To disable remote connection via SSH # passwd exampleuser Changing password for user exampleuser. New UNIX password: ← Optional password (this password will be the password for the receiving server to be installed later) Retype new UNIX password: ← Confirm password again passwd: all authentication tokens updated successfully. Only if you want to use individual user names and passwords for SMTP authentication # echo “password” | saslpasswd2 -p -u Domain Name -c exapleuser ← Register password for SMTP authentication exampleuser@Domain Name: userPassword |
⑦Change /etc/sasldb2 ownership group to postfix
| # chgrp postfix /etc/sasldb2 # chmod 640 /etc/sasldb2 |
⑧Edit the Postfix configuration file main.cf.
| Basic Settings # Specify a hostname for myhostname myhostname = mail.Domain Name # Specify a domain name for mydomain mydomain =Domain Name # delete myorigin’s comment # Limit inet_protocol to ipv4 #inet_interfaces = localhostRemove comment to allow receiving mail from outside # Change mydestination settings #Reject mail addressed to non-existent users # Change mynetworks to match your environment (server’s lokal IP address) Mail storage format # delete comments in relay_domains # delete header_checks comment Hide the name of the mail server software SMTP Authetication related settings In the last line #Prevent unencrypted passwords from flowing over the network. noanonymous means “do not allow anonymity”, noplaintext means “do not allow plaintext authentication”. #Support for clients that do not recognize the AUTH command support (add this if you use OutlookExpress) #Specify the local domain for SMTP authentication #Set what relays are allowed
|
⑧Edit the Postfix configuration file master.cf
Write the setting to open the submission port 587 in master.cf.
| # vi /etc/postfix/master.cf ・・・・・・・・・・・・・・・ Remove comments out of the red text. # submission inet n – n – – smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes |
Then, start Postfix.
| # systemctl start postfix.service |
2.Deploying the receiving server Dovecot
2.1 Install Dovecot
①Download and install
| # wget http://mirror.centos.org/centos/7/os/x86_64/Packages/dovecot-2.2.36-3.el7.x86_64.rpm # rpm -Uvh dovecot-2.2.36-3.el7.x86_64.rpm |
②Download and install dependent packages
| # wget http://mirror.centos.org/centos/7/os/x86_64/Packages/clucene-core-2.3.3.4-11.el7.x86_64.rpm # rpm -Uvh clucene-core-2.3.3.4-11.el7.x86_64.rpm |
③Edit the dovecot.conf file
| # vi /etc/dovecot/dovecot.conf ・・・・・・・・・・・・・・・ Uncomment out and do not use lmtp # protocols = imap pop3 lmtp → protocols = imap pop3以下追加 mail_location = maildir:~/Maildir ← Change the mail storage format to Maildir format. disable_plaintext_auth = no ← Allow plain text authentication |
④Editing the 10-ssl.conf file
The configuration file for SSL is 10-ssl.conf, which is contained in the directory “/etc/dovecot/conf.d”. Change this file
| # vi /etc/dovecot/conf.d/10-ssl.conf ・・・・・・・・・・・・・・・ Add red text and use SSL # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> # disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps # plain imap and pop3 are still allowed for local connections ssl = required ssl = yes |
⑤Automatically start dovecot and reflect settings
| # systemctl start dovecot # systemctl enable dovecot |
3.Configure connection permissions to the firewall.
3.1 Add SMTP and POP3 to the allowed connection services
Check and comment out the following in the iptablessh sample in “Building a CentOS 7.6 Server: Initial Settings after OS Installation”.
| # SMTP /sbin/iptables -A INPUT -p tcp –dport 25 -j LOG /sbin/iptables -A INPUT -p tcp –sport 25 -j LOG /sbin/iptables -A INPUT -p tcp –dport 25 -j ACCEPT /sbin/iptables -A INPUT -p tcp –sport 25 -j ACCEPT # pop3 /sbin/iptables -A INPUT -p tcp –dport 110 -j ACCEPT /sbin/iptables -A INPUT -p tcp –sport 110 -j ACCEPT |
4.Email software settings (using POP)
When using Thunderbird as your mail software
Configure the mail account settings by clicking “File” ⇒ “New” ⇒ “Existing Mail Account” in the menu.
Check “I understand the risks involved in connecting” and “Done.”
