Postfix 3.4をベースにした、POP3,POP3s,SMTP,SMTPs,IMAP,IMAPsの設定を行っていきたいと思います。
Postfix 3.6,Dovecot 2.3 SSL送受信 [CentOS Stream 8]
Postfixにて、SSL送信Dovecotにて、SSL受信を行う設定です。↑Postfix3.4 CentOS7版今回も、Conoha VPSで、行いました。Let's Encrypt↑上記の手順で、導入をします。POP3s 設定vi /...
server-recipe.com
2021.06.09
↑CentOS Stream8版
Postfix 3.4 [dovecot] CentOS7(マルチドメイン)の続きになります。
Postfix 3.4 [dovecot] CentOS7(マルチドメイン)では、
# telnet localhost pop3
# telnet localhost pop3
# telnet localhost pop3
と、内部からpop3を行うと、うまくいきますが、外部の違うサーバ、もしくは、外部のメールソフトから、メールを受信しようとすると、
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
というエラーが出てしまいます。
【セキュアではないサーバーへ「plaintext」でログインはできないよ】
というエラーです。
「SSLだけのアクセスだよ!」という感じですが・・・
などでは、
10-auth.conf: "disable_plaintext_auth = no"
10-ssl.conf: "ssl=no"
10-auth.conf: "disable_plaintext_auth = no"
10-ssl.conf: "ssl=no"
10-auth.conf: "disable_plaintext_auth = no" 10-ssl.conf: "ssl=no"
とすればいい。
と、書いていますが、これでも、うまくいきません。
この場合、各クライアントからの接続は、SSLではなくても、「SSLの【設定だけ】はしなければいけない」
という事のようです。
目次
POP3s(995ポート)での受信設定
Let’s Encrypt の導入
無償のSSLを導入します。
# yum install certbot
(略)
Installed:
certbot.noarch 0:0.31.0-2.el7
Complete!
# yum install certbot
(略)
Installed:
certbot.noarch 0:0.31.0-2.el7
Complete!
# yum install certbot (略) Installed: certbot.noarch 0:0.31.0-2.el7 Complete!
↑Let’s Encryptのインストールができました。
# wget https://dl.eff.org/certbot-auto
# chmod 755 certbot-auto
# wget https://dl.eff.org/certbot-auto
# chmod 755 certbot-auto
# wget https://dl.eff.org/certbot-auto # chmod 755 certbot-auto
# systemctl stop httpd
# systemctl stop httpd
# systemctl stop httpd
↑httpdサービスを一時的に止めます。
# ./certbot-auto certonly --standalone -d (ホスト名) -m (通知先メールアドレス) --agree-tos -n
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/(ホスト名)/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/(ホスト名)/privkey.pem
# ./certbot-auto certonly --standalone -d (ホスト名) -m (通知先メールアドレス) --agree-tos -n
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/(ホスト名)/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/(ホスト名)/privkey.pem
# ./certbot-auto certonly --standalone -d (ホスト名) -m (通知先メールアドレス) --agree-tos -n IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/(ホスト名)/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/(ホスト名)/privkey.pem
↑成功しました
「ホスト名」は、この「certbot」を起動しているサーバーと一致していないといけません。
(違うサーバーの場合、手順が複雑になります)
POP3s 設定
vi /etc/dovecot/conf.d/10-ssl.conf
ssl = no
↓
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
↓
ssl_cert = </etc/letsencrypt/live/(ホスト名)/fullchain.pem
ssl_key = </etc/letsencrypt/live/(ホスト名)/privkey.pem
vi /etc/dovecot/conf.d/10-ssl.conf
ssl = no
↓
ssl = yes
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
↓
ssl_cert = </etc/letsencrypt/live/(ホスト名)/fullchain.pem
ssl_key = </etc/letsencrypt/live/(ホスト名)/privkey.pem
vi /etc/dovecot/conf.d/10-ssl.conf ssl = no ↓ ssl = yes ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem ↓ ssl_cert = </etc/letsencrypt/live/(ホスト名)/fullchain.pem ssl_key = </etc/letsencrypt/live/(ホスト名)/privkey.pem
vi /etc/dovecot/conf.d/10-master.conf
---------------------------------
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
---------------------------------
↓
---------------------------------
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
---------------------------------
vi /etc/dovecot/conf.d/10-master.conf
---------------------------------
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
---------------------------------
↓
---------------------------------
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
---------------------------------
vi /etc/dovecot/conf.d/10-master.conf
---------------------------------
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
---------------------------------
↓
---------------------------------
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
---------------------------------
# systemctl stop dovecot
# systemctl start dovecot
# systemctl stop dovecot
# systemctl start dovecot
# systemctl stop dovecot # systemctl start dovecot
これで、POP3s(POP3 over SSL)の設定ができました。
通常の110番ポートでも、995番ポートでも接続ができて、
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
というエラーは解消されます。
SMTP(587)、および、SMTPs (465ポート)での送信設定
# vi /etc/postfix/main.cf
---------------------------------
#inet_interfaces = all
↓
inet_interfaces = all
---------------------------------
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/(ホスト名)/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/(ホスト名)/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# vi /etc/postfix/main.cf
---------------------------------
#inet_interfaces = all
↓
inet_interfaces = all
---------------------------------
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/(ホスト名)/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/(ホスト名)/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
# vi /etc/postfix/main.cf --------------------------------- #inet_interfaces = all ↓ inet_interfaces = all --------------------------------- smtpd_use_tls = yes smtpd_tls_cert_file = /etc/letsencrypt/live/(ホスト名)/fullchain.pem smtpd_tls_key_file = /etc/letsencrypt/live/(ホスト名)/privkey.pem smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
↑4行は追加をします。
# vi /etc/postfix/master.cf
-------------------------------------------------------------------------
#submission inet n - n - - smtpd
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-------------------------------------------------------------------------
↓
-------------------------------------------------------------------------
submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-------------------------------------------------------------------------
-------------------------------------------------------------------------
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
-------------------------------------------------------------------------
↓
-------------------------------------------------------------------------
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-------------------------------------------------------------------------
# vi /etc/postfix/master.cf
-------------------------------------------------------------------------
#submission inet n - n - - smtpd
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-------------------------------------------------------------------------
↓
-------------------------------------------------------------------------
submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-------------------------------------------------------------------------
-------------------------------------------------------------------------
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
-------------------------------------------------------------------------
↓
-------------------------------------------------------------------------
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-------------------------------------------------------------------------
# vi /etc/postfix/master.cf ------------------------------------------------------------------------- #submission inet n - n - - smtpd # -o smtpd_sasl_auth_enable=yes # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject ------------------------------------------------------------------------- ↓ ------------------------------------------------------------------------- submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject ------------------------------------------------------------------------- ------------------------------------------------------------------------- #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes ------------------------------------------------------------------------- ↓ ------------------------------------------------------------------------- smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -------------------------------------------------------------------------
vi /etc/dovecot/conf.d/20-submission.conf
# Host name for the relay server (required)
#submission_relay_host =
↓
# Host name for the relay server (required)
submission_relay_host = localhost
vi /etc/dovecot/conf.d/20-submission.conf
# Host name for the relay server (required)
#submission_relay_host =
↓
# Host name for the relay server (required)
submission_relay_host = localhost
vi /etc/dovecot/conf.d/20-submission.conf # Host name for the relay server (required) #submission_relay_host = ↓ # Host name for the relay server (required) submission_relay_host = localhost
# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#}
-----------------------------------------
↓
-----------------------------------------
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
-----------------------------------------
# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#}
-----------------------------------------
↓
-----------------------------------------
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
-----------------------------------------
# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#}
-----------------------------------------
↓
-----------------------------------------
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
-----------------------------------------
# yum install cyrus-sasl cyrus-sasl-plain
Installed:
cyrus-sasl.x86_64 0:2.1.26-23.el7
# systemctl start saslauthd
# systemctl enable saslauthd
(訂正)上記は、必要ありません
# yum install cyrus-sasl cyrus-sasl-plain
Installed:
cyrus-sasl.x86_64 0:2.1.26-23.el7
# systemctl start saslauthd
# systemctl enable saslauthd
(訂正)上記は、必要ありません
# yum install cyrus-sasl cyrus-sasl-plain Installed: cyrus-sasl.x86_64 0:2.1.26-23.el7 # systemctl start saslauthd # systemctl enable saslauthd (訂正)上記は、必要ありません
postfix,dovecot サービス再起動
# systemctl stop dovecot
# systemctl start dovecot
# systemctl stop postfix
# systemctl start postfix
# systemctl stop dovecot
# systemctl start dovecot
# systemctl stop postfix
# systemctl start postfix
# systemctl stop dovecot # systemctl start dovecot # systemctl stop postfix # systemctl start postfix
これで、無事、pop3,pop3s,smtp,smtpsでの送受信が可能となりました。
IMAP(143ポート),IMAPS(993ポート)
上記の設定で、imap,imapsでも受信が可能となっています。
設定後の非SSL(2019/08/09追記)
設定後、非SSLでアクセスをすると、
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
というエラーが出ます。
追記、SSLを設定後、
#vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes
↓
disable_plaintext_auth = no
#vi /etc/dovecot/conf.d/10-auth.conf
#disable_plaintext_auth = yes
↓
disable_plaintext_auth = no
#vi /etc/dovecot/conf.d/10-auth.conf #disable_plaintext_auth = yes ↓ disable_plaintext_auth = no
と設定をすると、
非SSLポート(POP3,110番、SMTP,587番)で送受信が出来ます。
当然ながら、SSLでも、送受信ができます。
