LoginSignup
1
4

More than 3 years have passed since last update.

@lzs0627

Centos7メールサーバ構築(postfix+Dovecot+PostfixAdmin+Let'sEncrypt)

Posted at

概要

centos7でメールサーバー構築のメモです。

サーバー既存情報

■OS

# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

■MySQLがすでにインストールしている

# mysql --version
mysql  Ver 8.0.16 for Linux on x86_64 (MySQL Community Server - GPL)

■Apacheとmod_sslもインストール済

# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Apr  2 2020 13:13:23

事前準備

■ドメイン:vmail.domain.jp
■管理者メール:admin@vmail.domain.jp

今回インストールするもの

■postfix

# postconf | grep mail_version
mail_version = 2.10.1

■Dovecot

# dovecot --version
2.2.36 (1f10bfa63)

■PostfixAdmin

postfixadmin-3.2.4

■PHP

# php -v
PHP 7.3.6 (cli) (built: May 28 2019 09:32:59) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.6, Copyright (c) 1998-2018 Zend Technologies

作業手順

Let's EncryptのスクリプトをGitでCloneします。

# git clone https://github.com/certbot/certbot /usr/local/certbot

Dovecotをインストール

# yum -y install dovecot dovecot-mysql

Postfix/PostfixAdminをインストール

# yum -y install postfix postfix-mysql

Remiのリポジトリ設定

# rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-7.rpm

phpをインストール

# yum clean all
# yum -y install php73-php
# yum -y install php73-php-{mbstring,imap,mysql}

Firewall設定

# firewall-cmd --permanent --add-port={80,443}/tcp
# firewall-cmd --permanent --add-port={25,110,143,465,587,993,995}/tcp
# firewall-cmd --reload

Let's Encryptで証明書を発行

Certbot(Let's Encrypt)入門
https://certbot.open-code.club/

httpdが起動する場合、先にStopしておきましょう。

# systemctl stop httpd

証明書を発行

>/usr/local/certbot/certbot-auto certonly -n --standalone --agree-tos -d vmail.domain.jp -m admin@vmail.domain.jp --server https://acme-v02.api.letsencrypt.org/directory

成功した場合、/etc/letsencrypt/live/vmail.domain.jp/に証明書が作成されます。

# ll /etc/letsencrypt/live/vmail.domain.jp/
total 4
-rw-r--r-- 1 root root 692 May  4 21:04 README
lrwxrwxrwx 1 root root  48 May  4 21:04 cert.pem -> ../../archive/vmail.domain.jp/cert1.pem
lrwxrwxrwx 1 root root  49 May  4 21:04 chain.pem -> ../../archive/vmail.domain.jp/chain1.pem
lrwxrwxrwx 1 root root  53 May  4 21:04 fullchain.pem -> ../../archive/vmail.domain.jp/fullchain1.pem
lrwxrwxrwx 1 root root  51 May  4 21:04 privkey.pem -> ../../archive/vmail.domain.jp/privkey1.pem

Cronで毎日〜週に1回程度の頻度で自動更新するようにバッチ登録

echo "5 5 * * 1 root /usr/local/certbot/certbot-auto renew --pre-hook 'systemctl stop httpd' --post-hook 'systemctl reload postfix dovecot; systemctl start httpd'" > /etc/cron.d/certbot-auto

PostfixAdminをインストール

# cd /srv/
# git clone https://github.com/postfixadmin/postfixadmin.git
# cd postfixadmin

postfixadmin-3.2.4をチェックアウトする

# git checkout postfixadmin-3.2.4

postfixのDBを準備

# mysql -u root -p
> CREATE DATABASE IF NOT EXISTS postfix;
> CREATE USER 'postfix'@'localhost' IDENTIFIED BY 'ここDBのパスワード';
> GRANT ALL PRIVILEGES ON postfix.* TO 'postfix'@'localhost';
> FLUSH PRIVILEGES;

postfixadmin DB設定ファイルを作成

# vi /srv/postfixadmin/config.local.php

以下の内容を追加

<?php
$CONF['configured'] = true;
$CONF['default_language'] = 'ja';
$CONF['database_type'] = 'mysqli';
$CONF['database_user'] = 'postfix';
$CONF['database_password'] = 'ここDBのパスワード';
$CONF['database_name'] = 'postfix';
$CONF['domain_path'] = 'YES';
$CONF['domain_in_mailbox'] = 'NO';
$CONF['dovecotpw'] = "doveadm pw -s SHA512-CRYPT";
$CONF['encrypt'] = 'dovecot:SHA512-CRYPT';
$CONF['footer_link'] = 'https://vmail.domain.jp/postfixadmin/';
$CONF['footer_text'] = 'Return to vmail.domain.jp/postfixadmin/';
?>

テンプレートフォルダ作成

# mkdir -p /srv/postfixadmin/templates_c
# chown -R apache /srv/postfixadmin/templates_c

Apacheにpostfixadminの設定を追加

vi /etc/httpd/conf.d/postfixadmin.conf

以下の内容を追加

<VirtualHost *:443>

    ServerName vmail.domain.jp
    ServerAlias vmail.domain.jp
    DocumentRoot /var/www/html/

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/vmail.domain.jp/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vmail.domain.jp/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/vmail.domain.jp/chain.pem

    <Directory "/var/www/html">
      Options -Indexes
      Order Deny,Allow
      Deny from None
      Allow from All
    </Directory>

    Alias /postfixadmin "/srv/postfixadmin/public"
    <Directory "/srv/postfixadmin/public">
        DirectoryIndex index.html index.php
        AllowOverride All
        Options FollowSymlinks
        Require all granted
    </Directory>

</VirtualHost>
<VirtualHost *:80>
    ServerName vmail.domain.jp
    ServerAlias vmail.domain.jp

    Redirect / https://vmail.domain.jp/
</VirtualHost>

セットアップ実⾏

# curl -s -o /dev/null -L -k https://vmail.domain.jp/postfixadmin/setup.php

PostfixADminの初期ユーザ登録

# /srv/postfixadmin/scripts/postfixadmin-cli admin add admin@vmail.domain.jp --superadmin 1 --active 1 --password 'パスワード' --password2'パスワード'
# /srv/postfixadmin/scripts/postfixadmin-cli domain add vmail.domain.jp
# /srv/postfixadmin/scripts/postfixadmin-cli domain update vmail.domain.jp --mailboxes 0
# /srv/postfixadmin/scripts/postfixadmin-cli mailbox add admin@vmail.domain.jp --password 'パスワード' --password2 'パスワード'

転送設定
# /srv/postfixadmin/scripts/postfixadmin-cli alias add root@vmail.domain.jp --goto admin@vmail.domain.jp
# /srv/postfixadmin/scripts/postfixadmin-cli alias update abuse@vmail.domain.jp --goto admin@vmail.domain.jp
# /srv/postfixadmin/scripts/postfixadmin-cli alias update hostmaster@vmail.domain.jp --goto admin@vmail.domain.jp
# /srv/postfixadmin/scripts/postfixadmin-cli alias update postmaster@vmail.domain.jp --goto admin@vmail.domain.jp
# /srv/postfixadmin/scripts/postfixadmin-cli alias update webmaster@vmail.domain.jp --goto admin@vmail.domain.jp

Postfix設定

postconf -e smtpd_banner='$myhostname ESMTP'
postconf -e smtp_header_checks='regexp:/etc/postfix/smtp_header_checks'
postconf -e mime_header_checks='regexp:/etc/postfix/mime_header_checks'
postconf -e disable_vrfy_command=yes
postconf -e smtpd_helo_required=yes
postconf -e inet_interfaces=all
postconf -e myhostname=vmail.domain.jp
postconf -e mydestination='localhost.$mydomain, localhost'
postconf -e relay_domains='$mydestination'
postconf -e virtual_alias_maps='proxy:mysql:/etc/postfix/virtual_alias_maps.cf'
postconf -e virtual_mailbox_domains=proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
postconf -e virtual_mailbox_maps='proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf'
postconf -e virtual_mailbox_base='/home/vmail'
postconf -e virtual_mailbox_limit=512000000
postconf -e message_size_limit=20480000
postconf -e virtual_minimum_uid=10000
postconf -e virtual_transport=virtual
postconf -e virtual_uid_maps='static:10000'
postconf -e virtual_gid_maps='static:10000'
postconf -e local_transport=virtual
postconf -e local_recipient_maps='$virtual_mailbox_maps'
postconf -e transport_maps='hash:/etc/postfix/transport'
postconf -e smtpd_sasl_auth_enable=yes
postconf -e smtpd_sasl_type=dovecot
postconf -e smtpd_sasl_path='/var/run/dovecot/auth-client'
postconf -e smtpd_recipient_restrictions='permit_auth_destination, permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination'
postconf -e smtpd_client_restrictions='permit_mynetworks, reject_unknown_client, permit'
postconf -e smtpd_sender_restrictions='reject_unknown_sender_domain, reject_non_fqdn_sender'
postconf -e smtpd_relay_restrictions='permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
postconf -e smtpd_sasl_security_options=noanonymous
postconf -e smtpd_sasl_tls_security_options='$smtpd_sasl_security_options'
postconf -e smtpd_tls_security_level=may
postconf -e smtpd_tls_auth_only=yes
postconf -e smtpd_tls_received_header=yes
postconf -e smtpd_tls_cert_file=/etc/letsencrypt/live/vmail.domain.jp/fullchain.pem
postconf -e smtpd_tls_key_file=/etc/letsencrypt/live/vmail.domain.jp/privkey.pem
postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/ca-bundle.crt'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -e smtpd_tls_ask_ccert=yes
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_use_tls=yes
postconf -e smtpd_sasl_local_domain='$mydomain'
postconf -e broken_sasl_auth_clients=yes
postconf -e smtpd_tls_loglevel=1
postconf -e smtp_tls_security_level=may
postconf -e smtp_tls_loglevel=1
postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -e smtp_tls_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'

/etc/postfix/master.cf変更

vi /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
↑#を削除
smtps     inet  n       -       n       -       -       smtpd
↑#を削除
↑の下に以下を追加
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes

送信者の IP とユーザーエージェントを Received ヘッダに載せない

# vi /etc/postfix/smtp_header_checks

以下を追加

/^Received: .*/ IGNORE
/^User-Agent: .*/ IGNORE

ヘッダの取り扱いを追加

vi /etc/postfix/mime_header_checks

以下を追加

/^Mime-Version:/ IGNORE

DBの接続設定追加

virtual_alias_maps.cf

# vi /etc/postfix/virtual_alias_maps.cf
user = postfix
password = ここDBのパスワード
hosts = localhost
dbname = postfix
table = alias
select_field = goto
where_field = address

virtual_mailbox_domains.cf

# vi /etc/postfix/virtual_mailbox_domains.cf
user = postfix
password = ここDBのパスワード
hosts = localhost
dbname = postfix
table = domain
select_field = domain
where_field = domain

virtual_mailbox_maps.cf

# vi /etc/postfix/virtual_mailbox_maps.cf
user = postfix
password = ${DATABASE_PASSWORD}
hosts = localhost
dbname = postfix
table = mailbox
select_field = maildir
where_field = username

postfixをリロードする

# postmap /etc/postfix/transport
# systemctl restart postfix.service
# systemctl enable postfix.service

Dovecot設定

# groupadd -g 10000 vmail
# useradd -u 10000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail
# mkdir -p /home/vmail/vmail.domain.jp/admin/{cur,new,tmp}
# chown -R vmail. /home/vmail/

dovecot.conf

# vi /etc/dovecot/dovecot.conf
#!include conf.d/*.conf
↑#を追加
↓を最後に追加
protocols = imap pop3
auth_mechanisms = plain
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
}
userdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
}
service auth {
unix_listener auth-client {
group = postfix
mode = 0660
user = postfix
}
user = root
}
mail_home = /home/vmail/%d/%n
mail_location = maildir:~
ssl = yes
ssl_cert = </etc/letsencrypt/live/vmail.domain.jp/fullchain.pem
ssl_key = </etc/letsencrypt/live/vmail.domain.jp/privkey.pem
ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1

dovecot-sql.conf

# vi /etc/dovecot/dovecot-sql.conf
driver = mysql
connect = host=localhost dbname=postfix user=postfix password=ここDBのパスワード
default_pass_scheme = SHA512-CRYPT
user_query = SELECT '/home/vmail/%d/%n' as home, 'maildir:/home/vmail/%d/%n' as mail, 10000 AS uid, 10000 AS gid, concat('dirsize:storage=', quota) AS quota FROM mailbox WHERE username = '%u' AND active = '1'
password_query = SELECT username as user, password, '/home/vmail/%d/%n' as userdb_home,'maildir:/home/vmail/%d/%n' as userdb_mail, 10000 as userdb_uid, 10000 as userd
b_gid FROM mailbox WHERE username = '%u' AND active = '1'

dovecotを再起動

# systemctl start dovecot.service
# systemctl enable dovecot.service

ここまで作業完了

1
4
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
1
4