05.メールサーバ構築 – postfix編[さくらのクラウド/CentOS8]

9. postfix のインストール

#-- Put the values the rest of this procedure needs into shell variables
#-- DOMAIN is the mail domain used for myhostname, the TLS cert paths and the archive/alias maps.
#-- ifcfg-eth0 is sourced for IPADDR (used below for the inbound inet_interfaces). Sourcing
#-- executes the file, so it must be a plain KEY=value file — confirm before relying on it.
# DOMAIN=sacloud.ma3ki.net
# source /etc/sysconfig/network-scripts/ifcfg-eth0

#-- Install the required packages (the -devel packages are the build dependencies for the
#-- source build below: pcre, Berkeley DB, libnsl, MySQL client, OpenSSL)
# dnf install -y postfix {pcre,libdb,libnsl2,mysql,openssl}-devel

#-- The dnf-installable postfix was only wanted for its systemd unit file, so keep a copy of
#-- the unit (minus its ExecStartPre= line) and uninstall the package
# grep -v ExecStartPre= /usr/lib/systemd/system/postfix.service > /var/tmp/postfix.service
# dnf remove -y postfix

#-- The dnf-installed postfix cannot use ldap, so build the latest version (3.5.8) from source
#-- NOTE(review): the tarball is fetched over plain http and used without any checksum or
#-- signature check, so the whole MTA is built from an unverified download. Verify the
#-- archive against the signature/hash published by the Postfix project before running make.
# mkdir -p /root/mailserver/postfix
# cd /root/mailserver/postfix
# VERSION=3.5.8
# curl -O http://mirror.postfix.jp/postfix-release/official/postfix-${VERSION}.tar.gz
# tar xvzf postfix-${VERSION}.tar.gz && cd postfix-${VERSION}

#-- Compiler flags: -DHAS_LDAP / -DHAS_PCRE / -DHAS_MYSQL enable the optional table types,
#-- -DUSE_SASL_AUTH -DUSE_CYRUS_SASL enable SASL via Cyrus, -DUSE_TLS enables TLS, and
#-- -DDEF_CONFIG_DIR sets the default config dir. The \\\" sequence survives the double quotes
#-- as \" so the macro reaches the compiler as a C string literal. -fPIC (with -pie in
#-- AUXLIBS) builds position-independent executables.
# CCARGS="-Wmissing-prototypes -Wformat -Wno-comment -fPIC \
-DHAS_LDAP -DLDAP_DEPRECATED=1 -DHAS_PCRE -I/usr/include/pcre \
-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/include/sasl -DUSE_TLS -DDEF_CONFIG_DIR=\\\"/etc/postfix\\\""

#-- Link flags: the libraries matching the CCARGS features above, plus -pie and
#-- -Wl,-z,relro,-z,now (PIE with full RELRO) as binary hardening.
# AUXLIBS="-lldap -llber -lpcre -ldb -lnsl -lresolv -L/usr/lib64/mysql -lmysqlclient \
-lm -L/usr/lib64/sasl2 -lsasl2 -lssl -lcrypto  -pie -Wl,-z,relro,-z,now"

#-- build
#-- "make upgrade" installs over the existing layout without the interactive questions of
#-- "make install" (presumably keeping /etc/postfix as created by the package — confirm).
# make -f Makefile.init makefiles CCARGS="${CCARGS}" AUXLIBS="${AUXLIBS}"
# make
# make upgrade

#-- Put the saved systemd unit file back and adjust it
#-- The sed appends network-online.target to After= and adds Wants=network-online.target,
#-- presumably so the inbound instance (which binds a specific IPADDR below) starts after
#-- the address is configured.
# mv /var/tmp/postfix.service /usr/lib/systemd/system/
# sed -i -e "s/^\(After=syslog.target network.target\)/\1 network-online.target\nWants=network-online.target/" /usr/lib/systemd/system/postfix.service
# systemctl daemon-reload

#-- postfix configuration

#-- Enable postmulti and create the second instance "postfix-inbound"
#-- (its config dir is /etc/postfix-inbound, its queue/data dir /var/lib/postfix-inbound)
# postmulti -e init
# postmulti -I postfix-inbound -e create

#-- Settings specific to the outbound instance (/etc/postfix)
#-- Listens on loopback only; the milter on 127.0.0.1:11332 is set up elsewhere (not in this
#-- post). XCLIENT is accepted from loopback only, which together with the loopback listener
#-- suggests a local proxy (the next post mentions nginx) fronts this instance and passes the
#-- client identity through — confirm against that setup.
#-- reject_sender_login_mismatch + the ldapsendercheck map means an authenticated user may
#-- only use a MAIL FROM that the LDAP map ties to that login (sender spoofing prevention).
# postconf -c /etc/postfix -e inet_interfaces=127.0.0.1
# postconf -c /etc/postfix -e smtpd_milters=inet:127.0.0.1:11332
# postconf -c /etc/postfix -e non_smtpd_milters=inet:127.0.0.1:11332
# postconf -c /etc/postfix -e smtpd_authorized_xclient_hosts=127.0.0.1
# postconf -c /etc/postfix -e smtpd_sasl_auth_enable=yes
# postconf -c /etc/postfix -e smtpd_sender_restrictions=reject_sender_login_mismatch
# postconf -c /etc/postfix -e smtpd_sender_login_maps="ldap:/etc/postfix/ldapsendercheck.cf"

#-- Settings specific to the inbound instance (/etc/postfix-inbound)
#-- -X removes master_service_disable from this instance's main.cf (presumably set by
#-- "postmulti create"; confirm) so its services run. inet_interfaces binds the public IPADDR.
#-- reject_unknown_hostname rejects clients whose HELO name has no DNS A/MX record; this is
#-- strict and can bounce mail from misconfigured but legitimate senders — watch the logs.
#-- authorized_submit_users=static:anyone lets any local user inject mail through this
#-- instance's sendmail(1); check whether that is needed on this host.
# postconf -c /etc/postfix-inbound -X master_service_disable
# postconf -c /etc/postfix-inbound -e inet_interfaces=${IPADDR}
# postconf -c /etc/postfix-inbound -e myhostname=${DOMAIN}
# postconf -c /etc/postfix-inbound -e recipient_delimiter=+
# postconf -c /etc/postfix-inbound -e smtpd_milters=inet:127.0.0.1:11332
# postconf -c /etc/postfix-inbound -e smtpd_helo_restrictions="reject_invalid_hostname reject_non_fqdn_hostname reject_unknown_hostname"
# postconf -c /etc/postfix-inbound -e smtpd_sender_restrictions="reject_non_fqdn_sender reject_unknown_sender_domain"
# postconf -c /etc/postfix-inbound -e relay_domains=/etc/postfix-inbound/relay_domains
# postconf -c /etc/postfix-inbound -e authorized_submit_users=static:anyone
#-- Server-side TLS: Let's Encrypt cert/key for DOMAIN, "high" ciphers (narrowed by
#-- tls_high_cipherlist below), SSLv2/SSLv3/TLS1.0/TLS1.1 excluded, a client cert is
#-- requested (ask_ccert) but not required, session cache in a btree file. smtpd_use_tls=yes
#-- is the legacy way of asking for opportunistic TLS (equivalent to
#-- smtpd_tls_security_level=may; newer docs prefer the latter).
# postconf -c /etc/postfix-inbound -e smtpd_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
# postconf -c /etc/postfix-inbound -e smtpd_tls_ask_ccert=yes
# postconf -c /etc/postfix-inbound -e smtpd_tls_cert_file=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
# postconf -c /etc/postfix-inbound -e smtpd_tls_key_file=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
# postconf -c /etc/postfix-inbound -e smtpd_tls_ciphers=high
# postconf -c /etc/postfix-inbound -e smtpd_tls_loglevel=1
# postconf -c /etc/postfix-inbound -e smtpd_tls_mandatory_ciphers=high
# postconf -c /etc/postfix-inbound -e 'smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
# postconf -c /etc/postfix-inbound -e 'smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
# postconf -c /etc/postfix-inbound -e smtpd_tls_received_header=yes
# postconf -c /etc/postfix-inbound -e smtpd_tls_session_cache_database=btree:/var/lib/postfix-inbound/smtpd_tls_session_cache
# postconf -c /etc/postfix-inbound -e smtpd_use_tls=yes
#-- Routing and recipient validation all come from LDAP. smtpd_recipient_restrictions accepts
#-- only recipients the ldaprcptcheck map answers "OK" for; everything else hits the trailing
#-- "reject", so this instance cannot be used as an open relay.
# postconf -c /etc/postfix-inbound -e lmtp_destination_concurrency_limit=40
# postconf -c /etc/postfix-inbound -e transport_maps="ldap:/etc/postfix-inbound/ldaptransport.cf"
# postconf -c /etc/postfix-inbound -e virtual_alias_maps="ldap:/etc/postfix-inbound/ldapvirtualalias.cf"
# postconf -c /etc/postfix-inbound -e smtpd_recipient_restrictions="check_recipient_access ldap:/etc/postfix-inbound/ldaprcptcheck.cf reject"

#-- Settings common to the outbound and inbound instances
#-- milter_default_action=tempfail fails closed: if the milter is unreachable, mail is
#-- deferred rather than accepted unscanned. VRFY is disabled, HELO is required and the
#-- hard-error limit is lowered, which cuts down on probing. Outbound TLS is opportunistic
#-- (smtp_tls_security_level=may: encrypted when offered, remote certs not verified — the
#-- usual MTA-to-MTA default). tls_high_cipherlist narrows "high" to ECDHE AES-GCM suites and
#-- renegotiation is disabled.
# for cf in /etc/postfix /etc/postfix-inbound
do
  postconf -c ${cf} -e alias_maps=hash:/etc/aliases
  postconf -c ${cf} -e inet_protocols=ipv4
  postconf -c ${cf} -e milter_default_action=tempfail
  postconf -c ${cf} -e milter_protocol=6
  postconf -c ${cf} -e milter_command_timeout=15s
  postconf -c ${cf} -e milter_connect_timeout=20s
  postconf -c ${cf} -e smtpd_junk_command_limit=20
  postconf -c ${cf} -e smtpd_helo_required=yes
  postconf -c ${cf} -e smtpd_hard_error_limit=5
  postconf -c ${cf} -e message_size_limit=20480000
  postconf -c ${cf} -e disable_vrfy_command=yes
  postconf -c ${cf} -e smtpd_discard_ehlo_keywords=dsn,enhancedstatuscodes,etrn
  postconf -c ${cf} -e lmtp_host_lookup=native
  postconf -c ${cf} -e smtp_host_lookup=native
  postconf -c ${cf} -e smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
  postconf -c ${cf} -e smtp_tls_cert_file=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
  postconf -c ${cf} -e smtp_tls_key_file=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
  postconf -c ${cf} -e smtp_tls_loglevel=1
  postconf -c ${cf} -e smtp_tls_security_level=may
  postconf -c ${cf} -e smtp_use_tls=yes
  postconf -c ${cf} -e tls_high_cipherlist=EECDH+AESGCM
  postconf -c ${cf} -e tls_preempt_cipherlist=yes
  postconf -c ${cf} -e tls_random_source=dev:/dev/urandom
  postconf -c ${cf} -e tls_ssl_options=NO_RENEGOTIATION
done

#-- Create the ldap lookup table definitions
#-- All maps query the local directory anonymously (bind = no) over plain LDAP to 127.0.0.1;
#-- that is acceptable only because the server is local — do not point server_host at a remote
#-- host without adding start_tls/bind settings. %s in query_filter is the looked-up address,
#-- which Postfix escapes for LDAP filters, and %1..%3 in search_base are the domain
#-- components of that address (see ldap_table(5)), giving dc=sacloud,dc=ma3ki,dc=net for DOMAIN.
#-- The <<- heredoc form only strips leading tabs; the bodies here are not indented.
#-- Recipient check: any mailRecipient whose mailAlternateAddress matches yields "OK".
# cat <<-_EOL_>/etc/postfix-inbound/ldaprcptcheck.cf
server_host = 127.0.0.1
bind = no
version = 3
scope = sub
timeout = 15
query_filter = (&(objectClass=mailRecipient)(mailAlternateAddress=%s))
result_attribute = mailRoutingAddress
result_format = OK
search_base = dc=%3,dc=%2,dc=%1
_EOL_

#-- Transport: deliver via LMTP on port 24 to the host named in mailMessageStore.
# cat <<-_EOL_>/etc/postfix-inbound/ldaptransport.cf
server_host = 127.0.0.1
bind = no
version = 3
scope = sub
timeout = 15
query_filter = (&(objectClass=mailRecipient)(mailAlternateAddress=%s))
result_attribute = mailMessageStore
result_format = lmtp:[%s]:24
search_base = dc=%3,dc=%2,dc=%1
_EOL_

#-- Virtual alias map: same query as the recipient check, but the result is the
#-- mailRoutingAddress itself (result_format = %s) instead of the access verdict "OK".
# cp /etc/postfix-inbound/ldaprcptcheck.cf /etc/postfix-inbound/ldapvirtualalias.cf
sed -i 's/result_format = OK/result_format = %s/' /etc/postfix-inbound/ldapvirtualalias.cf

#-- Sender/login map for the outbound instance: the MAIL FROM address is looked up by
#-- mailRoutingAddress and maps to itself, so reject_sender_login_mismatch requires the SASL
#-- login to own that address.
# cat <<-_EOL_>/etc/postfix/ldapsendercheck.cf
server_host = 127.0.0.1
bind = no
version = 3
scope = sub
timeout = 15
query_filter = (&(objectClass=mailRecipient)(mailRoutingAddress=%s))
result_attribute = mailRoutingAddress
result_format = %s
search_base = dc=%3,dc=%2,dc=%1
_EOL_

#-- Add the domain to the relay_domains file referenced above (unquoted delimiter, so ${DOMAIN} expands)
# cat <<_EOL_>/etc/postfix-inbound/relay_domains
${DOMAIN}
_EOL_

#-- Archive copies of outgoing mail
#-- Every message sent from <user>@DOMAIN is BCC'd to archive+<user>-Sent@DOMAIN. Inside the
#-- double quotes \$ writes a literal $ so the regexp anchor and the $1 backreference reach the
#-- file intact. Note the >> append: rerunning this step duplicates the line.
# echo "/^(.*)@${DOMAIN}\$/    archive+\$1-Sent@${DOMAIN}" >> /etc/postfix/sender_bcc_maps
# postconf -c /etc/postfix -e sender_bcc_maps=regexp:/etc/postfix/sender_bcc_maps

#-- Archive copies of incoming mail
#-- Same idea for recipients, but the if !/^archive\+/ … endif guard skips the archive mailbox
#-- itself so the BCC copies do not generate further copies.
# cat <<_EOL_>/etc/postfix-inbound/recipient_bcc_maps
if !/^archive\+/
/^(.*)@${DOMAIN}\$/  archive+\$1-Recv@${DOMAIN}
endif
_EOL_
# postconf -c /etc/postfix-inbound -e recipient_bcc_maps=regexp:/etc/postfix-inbound/recipient_bcc_maps

#-- Restart postfix and enable/start the postfix-inbound instance
# systemctl enable postfix
# systemctl start postfix
# postmulti -i postfix-inbound -e enable
# postmulti -i postfix-inbound -p start

#-- Point the postmaster alias at root@DOMAIN (the replacement contains a literal tab) and rebuild the alias db
# sed -i "s/^postmaster:.*/postmaster:	root@${DOMAIN}/" /etc/aliases
# newaliases

次の投稿では nginx をセットアップします。
