Qmail for CentOS7, POP/SMTP with TLS/SSL


I want to make Qmail's POP/SMTP reachable over TLS/SSL.


Making tcpserver SSL-capable

# tar xzvf ucspi-tcp-0.88.tar.gz 
# cd ucspi-tcp-0.88
# patch -p0 < ../ucspi-tcp-ssl-20050405.patch 
# patch -p1 < ../../netqmail/netqmail-1.06/other-patches/ucspi-tcp-0.88.a_record.patch 
# patch -p1 < ../../netqmail/netqmail-1.06/other-patches/ucspi-tcp-0.88.nodefaultrbl.patch 
# make
# cp -a tcpserver /usr/local/bin/tcpserver-ssl

↑ Copy the SSL-patched tcpserver as a separate file.


Preparing the SSL files. They are obtained from Let's Encrypt.

# yum install certbot

# certbot certonly --standalone -d (ドメイン名FQDN) -m (連絡先メールアドレス) --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for (ドメイン名FQDN)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (ドメイン名FQDN) (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://(ドメイン名FQDN)/.well-known/acme-challenge/(××): Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: (ドメイン名FQDN)
   Type:   connection
   Detail: Fetching
   http://(ドメイン名FQDN)/.well-known/acme-challenge/(××):
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

↑ Tried to set up SSL, but it failed, apparently because of the firewall or the like...

So,

# systemctl stop firewalld

↑ Stop the firewall temporarily.

# certbot certonly --standalone -d (ドメイン名FQDN) -m (連絡先メールアドレス) --agree-tos -n
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for (ドメイン名FQDN)
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/(ドメイン名FQDN)/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/(ドメイン名FQDN)/privkey.pem
   Your cert will expire on 2019-XX-XX. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

↑ The certificate was issued.

# cat /etc/letsencrypt/live/(ドメイン名FQDN)/fullchain.pem /etc/letsencrypt/live/(ドメイン名FQDN)/privkey.pem > /home/vpopmail/etc/(ドメイン名FQDN).pem

↑ Combine the certificate chain and the private key into a single file for qmail.

# systemctl start firewalld

↑ Start the firewall again.
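The `cat` above builds the combined file only once, but Let's Encrypt certificates expire after 90 days and `certbot renew` writes the new files under /etc/letsencrypt/live without touching the copy in /home/vpopmail/etc. As an added example (not from the original post), the following certbot deploy hook rebuilds that combined file with owner-only permissions and restarts both supervised services; it assumes the /service names and the -u 551 -g 503 ids exactly as the run scripts on this page set them.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that
# rebuilds the combined fullchain+privkey file tcpserver-ssl reads via -n,
# so a renewed certificate actually reaches qmail.
# Assumptions: vpopmail's etc dir is /home/vpopmail/etc and the services
# live under /service/pop3d_ssl and /service/smtpd_ssl, as on the page.
set -e

# build_combined_pem LINEAGE_DIR OUT_FILE
# Concatenates fullchain.pem and privkey.pem from one Let's Encrypt lineage
# into OUT_FILE, written atomically with mode 0600. A plain `cat a b > out`
# under the default umask leaves the private key world-readable.
build_combined_pem() {
    chain="$1/fullchain.pem"
    key="$1/privkey.pem"
    out="$2"
    [ -s "$chain" ] || { echo "missing $chain" >&2; return 1; }
    [ -s "$key" ] || { echo "missing $key" >&2; return 1; }
    # refuse to install files that are not what their names claim
    grep -q 'BEGIN CERTIFICATE-----' "$chain" || { echo "$chain: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" || { echo "$key: no private key" >&2; return 1; }
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$chain" "$key" > "$tmp" )   # created 0600 from the start
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"                              # atomic replace of the live file
}

# restart_services: ask supervise to restart both tcpserver-ssl instances so
# they pick up the new file (svc -t sends SIGTERM; supervise relaunches run).
restart_services() {
    for s in /service/pop3d_ssl /service/smtpd_ssl; do
        if [ -d "$s" ]; then svc -t "$s"; fi
    done
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain>) when it
# runs a --deploy-hook after a successful renewal; with it unset this script
# only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    domain=$(basename "$RENEWED_LINEAGE")
    pem="/home/vpopmail/etc/$domain.pem"
    build_combined_pem "$RENEWED_LINEAGE" "$pem"
    # smtpd_ssl's run script drops to -u 551 -g 503, so that user must be
    # able to read the file; root (pop3d_ssl) can read it regardless
    chown 551:503 "$pem"
    restart_services
fi
```

Register it with `certbot renew --deploy-hook /usr/local/sbin/qmail-pem-hook.sh` (the script path is an assumed name). Because the standalone challenge on this page needs port 80 reachable, pairing that with `--pre-hook "firewall-cmd --add-service=http" --post-hook "firewall-cmd --remove-service=http"` opens only HTTP during renewal instead of stopping firewalld entirely.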


Preparing the TLS/SSL services

# cd /var/qmail/services/
# mkdir pop3d_ssl
# cd pop3d_ssl/
#  vi run

------------------------
#!/bin/sh
PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin
exec /usr/local/bin/tcpserver-ssl -s -v -q -n /home/vpopmail/etc/(ドメイン名FQDN).pem -x /home/vpopmail/etc/tcp.pop3.cdb -R -l (ホスト名FQDN) -H 0 995 /var/qmail/bin/qmail-popup (ホスト名FQDN) /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d ./Maildir/ 2>&1
------------------------
 
# chmod 755 run
# mkdir supervise
# mkdir log
# cd log
# vi run

------------------------
#!/bin/sh
exec /usr/local/bin/setuidgid qmailp /usr/local/bin/multilog t /var/log/qmail/pop3d_ssl
------------------------
 
# chmod 755 run
# mkdir supervise

↑ Prepare the POP TLS/SSL service.

# cd /var/log/qmail/
# mkdir pop3d_ssl
# chown qmailp.nofiles pop3d_ssl/

↑ Prepare the log directory for the POP TLS/SSL service.

# cd /var/qmail/services/
# mkdir smtpd_ssl
# cd smtpd_ssl/
#  vi run

---------------------------
#!/bin/sh
PATH=/var/qmail/bin:/usr/local/bin:/bin:/usr/bin
exec /usr/local/bin/tcpserver-ssl -s -v -n /home/vpopmail/etc/(ドメイン名FQDN).pem -x /home/vpopmail/etc/tcp.smtp.cdb -R -H -u 551 -g 503 0 465 recordio /var/qmail/bin/qmail-smtpd-submission (ホスト名FQDN) /home/vpopmail/bin/vchkpw /bin/true 2>&1
---------------------------

# chmod 755 run
# mkdir supervise
# mkdir log
# cd log
# vi run

---------------------------
#!/bin/sh
exec /usr/local/bin/setuidgid qmails /usr/local/bin/multilog t n1000 \
-'*' \
+'* * < HELO *' \
+'* * < EHLO *' \
+'* * < MAIL *' \
+'* * < RCPT *' \
+'* * < QUIT *' \
+'* * < RSET *' \
+'* * < NOOP *' \
+'* * > 1*' \
+'* * > 2*' \
+'* * > 3*' \
+'* * > 4*' \
+'* * > 5*' \
/var/log/qmail/smtpd_ssl
---------------------------

# chmod 755 run
# mkdir supervise

↑ Prepare the SMTP TLS/SSL service.

# cd /var/log/qmail/
# mkdir smtpd_ssl
# chown qmails.nofiles smtpd_ssl/

↑ Prepare the log directory for the SMTP TLS/SSL service.


Adding the SSL POP/SMTP ports to the firewall

# firewall-cmd --permanent --add-service=pop3s
# firewall-cmd --permanent --add-service=smtps

↑ Add the ports (services) to the firewall so that external connections can reach them.


Starting the services

# cd /service
# ln -s /var/qmail/services/smtpd_ssl/
# ln -s /var/qmail/services/pop3d_ssl/

↑ Start the services.
