I want to make qmail's POP and SMTP reachable over TLS/SSL (POP3S on port 995 and SMTPS on port 465).
Making tcpserver SSL-capable
# tar xzvf ucspi-tcp-0.88.tar.gz
# cd ucspi-tcp-0.88
# patch -p0 < ../ucspi-tcp-ssl-20050405.patch
# patch -p1 < ../../netqmail/netqmail-1.06/other-patches/ucspi-tcp-0.88.a_record.patch
# patch -p1 < ../../netqmail/netqmail-1.06/other-patches/ucspi-tcp-0.88.nodefaultrbl.patch
# make
# cp -a tcpserver /usr/local/bin/tcpserver-ssl
↑ Copy the SSL-patched tcpserver under a separate name, so the existing non-TLS services keep running on the unpatched /usr/local/bin/tcpserver.
Preparing the certificate file. We obtain it from Let's Encrypt.
# yum install certbot
# certbot certonly --standalone -d (domain FQDN) -m (contact e-mail address) --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for (domain FQDN)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (domain FQDN) (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://(domain FQDN)/.well-known/acme-challenge/(××): Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: (domain FQDN)
   Type:   connection
   Detail: Fetching http://(domain FQDN)/.well-known/acme-challenge/(××): Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
↑ The certificate could not be issued: the standalone authenticator answers the http-01 challenge on port 80 itself, and firewalld was not letting Let's Encrypt reach it.

So:
# systemctl stop firewalld
↑ Stop the firewall temporarily. Note that this drops every rule on every port for as long as certbot runs; the narrower fix is to open only port 80 in the runtime configuration (firewall-cmd --add-service=http, without --permanent) and remove it again afterwards.
# certbot certonly --standalone -d (domain FQDN) -m (contact e-mail address) --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for (domain FQDN)
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/(domain FQDN)/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/(domain FQDN)/privkey.pem
   Your cert will expire on 2019-XX-XX. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
↑ Issued.
# cat /etc/letsencrypt/live/(domain FQDN)/fullchain.pem /etc/letsencrypt/live/(domain FQDN)/privkey.pem > /home/vpopmail/etc/(domain FQDN).pem
↑ Combine chain and key into the single file that tcpserver-ssl expects. This file now holds the private key, so restrict it (chmod 600, owned by the user the listener runs as). Also remember that Let's Encrypt certificates are valid for 90 days: certbot renew replaces the files under /etc/letsencrypt/live but knows nothing about this copy, so the concatenation has to be redone after every renewal or the services keep serving the expired certificate.
# systemctl start firewalld
↑ Start the firewall again.
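The three manual steps above (opening the firewall for http-01, concatenating the PEM, closing the firewall again) have to be repeated at every renewal. The hook script below is an added example and not part of the original post: it opens only port 80 in firewalld's runtime configuration around the challenge instead of stopping firewalld, writes the combined PEM with mode 0600 through an atomic rename, and restarts the two tcpserver-ssl services. certbot really does export RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) to deploy hooks; everything else is an assumption: daemontools' svc at /usr/local/bin/svc (the page already takes setuidgid and multilog from there), the services linked under /service as on this page, a vpopmail user as file owner, and the install path /usr/local/sbin/le-qmail-hook.sh.

```shell
#!/bin/sh
# le-qmail-hook.sh (added example, not from the original post).
# Usage:
#   certbot renew \
#     --pre-hook    '/usr/local/sbin/le-qmail-hook.sh pre' \
#     --post-hook   '/usr/local/sbin/le-qmail-hook.sh post' \
#     --deploy-hook '/usr/local/sbin/le-qmail-hook.sh deploy'
# Assumed: svc from daemontools in /usr/local/bin, services linked under
# /service as on this page, PEM owner vpopmail, firewalld service "http".
set -eu

PEM_DIR=${PEM_DIR:-/home/vpopmail/etc}
PEM_OWNER=${PEM_OWNER:-vpopmail}
SERVICES="/service/pop3d_ssl /service/smtpd_ssl"

# pre/post hooks: open port 80 in the runtime configuration only (no
# --permanent), so the hole disappears on reload/reboot even if the
# post hook never runs.
open_http()  { firewall-cmd --add-service=http; }
close_http() { firewall-cmd --remove-service=http; }

# build_pem LIVE_DIR OUT: write fullchain + private key to OUT with mode
# 0600. The temp file lives in the target directory so the final mv is
# an atomic rename, and the key is never on disk with a wider mode.
build_pem() {
    live=$1; out=$2
    tmp=$(umask 077; mktemp "$out.XXXXXX")
    cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp"
    chmod 600 "$tmp"
    # Ownership matters for the smtpd_ssl listener that drops to -u/-g;
    # a failed chown (non-root, unknown user) is reported, not fatal.
    chown "$PEM_OWNER" "$tmp" 2>/dev/null || echo "warning: could not chown $tmp to $PEM_OWNER" >&2
    mv -f "$tmp" "$out"
}

# deploy hook: certbot sets RENEWED_LINEAGE=/etc/letsencrypt/live/<name>.
deploy() {
    live=${RENEWED_LINEAGE:?deploy hook needs RENEWED_LINEAGE from certbot}
    build_pem "$live" "$PEM_DIR/$(basename "$live").pem"
    for s in $SERVICES; do
        # TERM the listener; supervise restarts it with the new file.
        if [ -d "$s" ]; then /usr/local/bin/svc -t "$s"; fi
    done
}

main() {
    case $1 in
        pre)    open_http ;;
        post)   close_http ;;
        deploy) deploy ;;
        *)      echo "usage: $0 pre|post|deploy" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The renewal configuration certbot saved under /etc/letsencrypt/renewal already records the standalone authenticator, so certbot renew needs only the hook options; put the line in a daily cron job or a systemd timer and the firewall is never fully down again.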
Preparing the TLS/SSL services
# cd /var/qmail/services/
# mkdir pop3d_ssl
# cd pop3d_ssl/
# vi run
------------------------
#!/bin/sh
PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin
# -s: TLS on this socket, -n: the combined certificate+key file made above,
# -x: tcprules database, -R: no ident lookup, -l: local host name,
# -H: no reverse DNS of the client; bind every address (0) on port 995.
exec /usr/local/bin/tcpserver-ssl -s -v -q \
  -n /home/vpopmail/etc/(domain FQDN).pem \
  -x /home/vpopmail/etc/tcp.pop3.cdb \
  -R -l (host FQDN) -H 0 995 \
  /var/qmail/bin/qmail-popup (host FQDN) \
  /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d ./Maildir/ 2>&1
------------------------
# chmod 755 run
# mkdir supervise
# mkdir log
# cd log
# vi run
------------------------
#!/bin/sh
exec /usr/local/bin/setuidgid qmailp /usr/local/bin/multilog t /var/log/qmail/pop3d_ssl
------------------------
# chmod 755 run
# mkdir supervise
↑ Set up the POP3-over-TLS service on port 995. No -u/-g is given, so the listener stays root, as qmail-popup normally runs so that the checkpassword program (vchkpw) can switch to the mailbox owner after authentication.
# cd /var/log/qmail/
# mkdir pop3d_ssl
# chown qmailp.nofiles pop3d_ssl/
↑ Prepare the log directory for POP3S. Its owner must be the user that log/run hands to setuidgid (qmailp), or multilog cannot write to it and the service loops.
# cd /var/qmail/services/
# mkdir smtpd_ssl
# cd smtpd_ssl/
# vi run
---------------------------
#!/bin/sh
PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin
# -u/-g: switch to uid 551 / gid 503 once port 465 is bound; recordio
# copies the decrypted SMTP dialogue to stderr for the log below.
exec /usr/local/bin/tcpserver-ssl -s -v \
  -n /home/vpopmail/etc/(domain FQDN).pem \
  -x /home/vpopmail/etc/tcp.smtp.cdb \
  -R -H -u 551 -g 503 0 465 \
  recordio /var/qmail/bin/qmail-smtpd-submission (host FQDN) \
  /home/vpopmail/bin/vchkpw /bin/true 2>&1
---------------------------
# chmod 755 run
# mkdir supervise
# mkdir log
# cd log
# vi run
---------------------------
#!/bin/sh
# -'*' drops every recordio line; the + patterns re-add only the SMTP
# commands and server replies listed, so AUTH lines (base64 credentials)
# and message bodies never reach the log.
exec /usr/local/bin/setuidgid qmails /usr/local/bin/multilog t n1000 \
  -'*' \
  +'* * < HELO *' \
  +'* * < EHLO *' \
  +'* * < MAIL *' \
  +'* * < RCPT *' \
  +'* * < QUIT *' \
  +'* * < RSET *' \
  +'* * < NOOP *' \
  +'* * > 1*' \
  +'* * > 2*' \
  +'* * > 3*' \
  +'* * > 4*' \
  +'* * > 5*' \
  /var/log/qmail/smtpd_ssl
---------------------------
# chmod 755 run
# mkdir supervise
↑ Set up the SMTP-over-TLS service on port 465. Here tcpserver-ssl drops to uid 551/gid 503, so the PEM under /home/vpopmail/etc has to be readable by that uid (owning it by that user with mode 600 is enough). vchkpw is the checkpassword program used for SMTP AUTH and /bin/true the program it runs after a successful login. Because recordio sits between tcpserver-ssl and qmail-smtpd-submission it sees the session in the clear, AUTH line included; the filter in log/run is what keeps those credentials and the DATA contents out of /var/log/qmail/smtpd_ssl, so do not loosen it to +'*' for debugging and forget to put it back.
# cd /var/log/qmail/
# mkdir smtpd_ssl
# chown qmails.nofiles smtpd_ssl/
↑ Prepare the log directory for SMTPS, owned by the setuidgid user from its log/run (qmails).
Adding the POP3S/SMTPS ports to the firewall
# firewall-cmd --permanent --add-service=pop3s
# firewall-cmd --permanent --add-service=smtps
↑ Add the services (pop3s = 995/tcp, smtps = 465/tcp) so they can be reached from outside. These are --permanent changes, which only reach the running firewall after firewall-cmd --reload (or a restart of firewalld).
Starting the services
# cd /service
# ln -s /var/qmail/services/smtpd_ssl/
# ln -s /var/qmail/services/pop3d_ssl/
↑ svscan picks up the new links under /service and starts both services. Check with svstat /service/pop3d_ssl /service/smtpd_ssl that they stay up rather than restarting every second, then confirm the handshake from a client with openssl s_client -connect (host FQDN):995 (a +OK greeting after the TLS handshake) and openssl s_client -connect (host FQDN):465 (a 220 greeting).