10. メールサーバ構築(4) – postfix [さくらのVPS/CentOS7]

・postfixの用途

  1. SMTPサーバ(OUTBOUND/INBOUND)
  2. STARTTLS の TLS1.3 対応

・postfix のインストール

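#-- Site-specific values used by every listing on this page; adjust to taste.
DOMAIN=masdon.life
VERSION=3.4.5
RSPAMD_SERVER=127.0.0.1
RSPAMD_PORT=11332
#-- Interface whose addresses the inbound instance listens on (IFACE may be
#-- overridden from the environment; eth0 is the original hard-coded value).
#-- Only the first IPv4 and the first global IPv6 address are taken, so a
#-- multi-homed interface cannot produce a multi-line value that would later
#-- be spliced into the comma-joined inet_interfaces setting.
IFACE=${IFACE:-eth0}
IPV4=$(ip addr show "${IFACE}" | awk '/inet /{sub(/\/.*/, "", $2); print $2; exit}')
IPV6=$(ip addr show "${IFACE}" | awk '/inet6 / && /global/{sub(/\/.*/, "", $2); print $2; exit}')
OUTBOUND_MTA_SERVER=127.0.0.1
LDAP_SERVER=127.0.0.1
XAUTH_HOST=127.0.0.1
LMTP_PORT=24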

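#-- Save the stock unit file (minus its ExecStartPre= lines, which refer to
#-- helpers the source build does not provide in the same way — assumption from
#-- the original author's intent), then remove the distribution postfix/sendmail.
#-- The copy is staged in a private mktemp file rather than a fixed name under
#-- world-writable /var/tmp, so nothing else can replace it before it is
#-- installed below. Note: the stock MTA is removed before the new one is built,
#-- so a failed build leaves the host without an MTA until it is fixed.
[[ -r /usr/lib/systemd/system/postfix.service ]] || { echo 'stock postfix.service not found' >&2; exit 1; }
unit_backup=$(mktemp) || exit 1
grep -v ExecStartPre= /usr/lib/systemd/system/postfix.service > "${unit_backup}" || exit 1
yum remove -y postfix sendmail

#-- Build dependencies. CCARGS/AUXLIBS below also reference the MySQL client
#-- headers and library (-DHAS_MYSQL, -lmysqlclient), so mariadb-devel is
#-- included here in case it was not installed earlier in this series.
yum install -y {cyrus-sasl,openldap,pcre,libdb,mariadb}-devel || exit 1

#-- Fetch the source tarball. The mirror is plain HTTP, so the download is
#-- checked against a digest before it is unpacked: POSTFIX_SHA256 must be set
#-- to the sha256 of postfix-${VERSION}.tar.gz as published by the Postfix
#-- project (placeholder — the value is not given on this page).
mkdir -p ~/work/src && cd ~/work/src || exit 1
: "${POSTFIX_SHA256:?set POSTFIX_SHA256 to the published sha256 of postfix-${VERSION}.tar.gz}"
curl -fO "http://www.ftp.saix.net/MTA/postfix/official/postfix-${VERSION}.tar.gz" || exit 1
printf '%s  %s\n' "${POSTFIX_SHA256}" "postfix-${VERSION}.tar.gz" | sha256sum -c - || exit 1
tar xvzf "postfix-${VERSION}.tar.gz" && cd "postfix-${VERSION}" || exit 1

#-- Build flags modelled on the CentOS 7 package build (per the original author).
#-- The OpenSSL 1.1.1d prefix is assumed to have been installed earlier in this
#-- series; adjust both -I and -L paths if it lives elsewhere.
CCARGS="-Wmissing-prototypes -Wformat -Wno-comment -fPIC \
-DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre \
-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl -DUSE_TLS -I/usr/local/openssl-1.1.1d/include \
-DDEF_CONFIG_DIR=\\\"/etc/postfix\\\""

AUXLIBS="-lldap -llber -lpcre -L/usr/lib64/mysql -lmysqlclient \
-lm -L/usr/lib64/sasl2 -lsasl2 -L/usr/local/openssl-1.1.1d/lib -lssl \
-lcrypto  -pie -Wl,-z,relro,-z,now"

make -f Makefile.init makefiles CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}" || exit 1
make || exit 1
#-- make install is interactive: accept every default (directory layout etc.)
make install

#-- Reinstall the saved unit file with the usual 0644 mode (mktemp creates it
#-- 0600) and tell systemd about the replaced unit before enabling/starting it.
install -m 0644 "${unit_backup}" /usr/lib/systemd/system/postfix.service || exit 1
rm -f -- "${unit_backup}"
systemctl daemon-reload
systemctl enable postfix
systemctl start postfix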

・postfix の設定

#-- Two postmulti instances: the default instance (/etc/postfix) handles
#-- outbound/submission traffic on loopback, the "postfix-inbound" instance
#-- listens on the public addresses and accepts mail from the outside.
postmulti -e init
postmulti -I postfix-inbound -e create

# set_cf <config_dir> key=value...
#   Apply each key=value to the given instance with "postconf -c DIR -e".
set_cf() {
  local dir=$1
  shift
  local kv
  for kv in "$@"; do
    postconf -c "${dir}" -e "${kv}"
  done
}

#-- Outbound (default) instance: loopback only, SASL auth on, and the
#-- envelope sender must match the authenticated login (LDAP lookup).
set_cf /etc/postfix \
  "inet_interfaces=${OUTBOUND_MTA_SERVER}" \
  inet_protocols=all \
  "smtpd_milters=inet:${RSPAMD_SERVER}:${RSPAMD_PORT}" \
  "non_smtpd_milters=inet:${RSPAMD_SERVER}:${RSPAMD_PORT}" \
  "smtpd_authorized_xclient_hosts=${XAUTH_HOST}" \
  smtpd_sasl_auth_enable=yes \
  smtpd_sender_restrictions=reject_sender_login_mismatch \
  smtpd_sender_login_maps=ldap:/etc/postfix/ldapsendercheck.cf \
  alias_maps=hash:/etc/aliases

#-- Inbound instance: public addresses, strict HELO, LDAP-driven transport
#-- and virtual aliases, relay domains from a file.
set_cf /etc/postfix-inbound \
  "inet_interfaces=${IPV4},${IPV6}" \
  inet_protocols=all \
  "myhostname=${DOMAIN}" \
  recipient_delimiter=+ \
  "smtpd_milters=inet:${RSPAMD_SERVER}:${RSPAMD_PORT}" \
  smtpd_helo_restrictions=reject_invalid_hostname \
  transport_maps=ldap:/etc/postfix-inbound/ldaptransport.cf \
  virtual_alias_maps=ldap:/etc/postfix-inbound/ldapvirtualalias.cf \
  relay_domains=/etc/postfix-inbound/relay_domains \
  authorized_submit_users=static:anyone \
  alias_maps=hash:/etc/aliases
#-- -X removes master_service_disable from the new instance (presumably set
#-- by "postmulti create" to keep the instance's services off until ready).
postconf -c /etc/postfix-inbound -X master_service_disable

#-- Recipient policy for the inbound instance: accept only addresses found by
#-- the LDAP lookup, reject everything else. Appended as raw text because the
#-- value spans several lines (postconf -e got unwieldy, per the author).
printf '%s\n' \
  'smtpd_recipient_restrictions =' \
  '    check_recipient_access ldap:/etc/postfix-inbound/ldaprcptcheck.cf' \
  '    reject' \
  >> /etc/postfix-inbound/main.cf

#-- Settings shared by both instances: milter behaviour (tempfail when rspamd
#-- is unreachable), SMTP abuse limits, VRFY disabled, native host lookups.
#-- The commented-out anvil/rate settings are kept as-is for reference.
common_settings=$(cat <<'_EOL_'
milter_default_action = tempfail
milter_protocol = 6
smtpd_junk_command_limit = 20
smtpd_helo_required = yes
smtpd_hard_error_limit = 5
message_size_limit = 20480000
milter_command_timeout=15s
milter_content_timeout=20s
# anvil_rate_time_unit = 60s
# smtpd_recipient_limit = 50
# smtpd_client_connection_count_limit = 15
# smtpd_client_message_rate_limit = 100
# smtpd_client_recipient_rate_limit = 200
# smtpd_client_connection_rate_limit = 100
disable_vrfy_command = yes
smtpd_discard_ehlo_keywords = dsn, enhancedstatuscodes, etrn
lmtp_host_lookup = native
smtp_host_lookup = native
_EOL_
)

for main_cf in /etc/postfix/main.cf /etc/postfix-inbound/main.cf; do
  printf '%s\n' "${common_settings}" >> "${main_cf}"
done

#-- LDAP lookup tables. All four share the same anonymous (bind = no)
#-- connection to LDAP_SERVER and differ only in which attribute is matched,
#-- which attribute is returned, and how the result is formatted.
# write_ldap_cf <path> <match_attr> <result_attr> <result_format>
write_ldap_cf() {
  local path=$1 match_attr=$2 result_attr=$3 result_format=$4
  cat > "${path}" <<_EOL_
server_host = ${LDAP_SERVER}
bind = no
version = 3
scope = sub
timeout = 15
query_filter = (&(objectClass=inetLocalMailRecipient)(${match_attr}=%s))
result_attribute = ${result_attr}
result_format = ${result_format}
_EOL_
}

# inbound: recipient validation — any hit yields "OK"
write_ldap_cf /etc/postfix-inbound/ldaprcptcheck.cf mailLocalAddress mailRoutingAddress OK
# inbound: transport — deliver to the recipient's mailHost over LMTP
write_ldap_cf /etc/postfix-inbound/ldaptransport.cf mailLocalAddress mailHost "lmtp:[%s]:${LMTP_PORT}"
# inbound: virtual alias — same query as rcptcheck, returns the routing address
write_ldap_cf /etc/postfix-inbound/ldapvirtualalias.cf mailLocalAddress mailRoutingAddress %s
# outbound: sender/login check keyed on the routing address
write_ldap_cf /etc/postfix/ldapsendercheck.cf mailRoutingAddress mailRoutingAddress %s

#-- Domains the inbound instance accepts mail for; when hosting several
#-- domains, list every one of them here (one per line).
printf '%s\n' "${DOMAIN}" > /etc/postfix-inbound/relay_domains

#-- TLS settings.
#-- Both instances get the same client-side (smtp_*) settings; only the
#-- inbound instance terminates STARTTLS from the outside and therefore also
#-- gets the server-side (smtpd_*) settings: TLS 1.2+ only (everything older
#-- is excluded via !SSLv2,!SSLv3,!TLSv1,!TLSv1.1), high ciphers, a client
#-- certificate is requested (ask_ccert) but not required, and renegotiation
#-- is disabled. smtp_use_tls/smtpd_use_tls are the legacy knobs; the
#-- *_tls_security_level parameters are the modern equivalent.
tls_client_settings=$(cat <<_EOL_
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/letsencrypt/live/${DOMAIN}/fullchain.pem
smtp_tls_key_file  = /etc/letsencrypt/live/${DOMAIN}/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_use_tls =yes
_EOL_
)

tls_server_settings=$(cat <<_EOL_
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/${DOMAIN}/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/${DOMAIN}/privkey.pem
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix-inbound/smtpd_tls_session_cache
smtpd_use_tls = yes
_EOL_
)

tls_common_settings=$(cat <<'_EOL_'
tls_high_cipherlist  = EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
_EOL_
)

#-- inbound: client + server + shared settings, plus NO_RENEGOTIATION
printf '%s\n' "${tls_client_settings}" "${tls_server_settings}" "${tls_common_settings}" \
  'tls_ssl_options = NO_RENEGOTIATION' >> /etc/postfix-inbound/main.cf

#-- outbound: client + shared settings only
printf '%s\n' "${tls_client_settings}" "${tls_common_settings}" >> /etc/postfix/main.cf

#-- Restart the default instance so it picks up the new main.cf, then enable
#-- and start the inbound instance through postmulti.
inbound_instance=postfix-inbound
systemctl restart postfix
postmulti -i "${inbound_instance}" -e enable
postmulti -i "${inbound_instance}" -p start
