
Postfix 3.4 [SSL send/receive] CentOS 7 (multi-domain)


Based on Postfix 3.4, I will configure POP3, POP3s, SMTP, SMTPs, IMAP and IMAPs.

Related: Postfix 3.6, Dovecot 2.3 SSL send/receive [CentOS Stream 8]
(Postfix handles SSL sending and Dovecot handles SSL receiving; that article is the CentOS Stream 8 version of this one, again done on a Conoha VPS.)

↑ CentOS Stream 8 version

This is a continuation of Postfix 3.4 [dovecot] CentOS7 (multi-domain).

In Postfix 3.4 [dovecot] CentOS7 (multi-domain), running

# telnet localhost pop3

to do POP3 from inside the server works fine, but when you try to receive mail from a different external server or from an external mail client,

-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

is the error you get.

It means: "You cannot log in with plaintext to a server that is not secure."

In other words, "SSL access only!", but...

On LinuxQuestions.org and similar sites it is written that you should set

10-auth.conf: "disable_plaintext_auth = no"
10-ssl.conf: "ssl=no"

and that will fix it, but even this did not work.

In this case, the rule seems to be that even if the connections from the clients are not SSL, SSL still has to be [configured] on the server.


Receiving settings for POP3s (port 995)

Installing Let's Encrypt

Install a free SSL certificate.

# yum install certbot

(omitted)

Installed:
  certbot.noarch 0:0.31.0-2.el7

Complete!

↑ Let's Encrypt (certbot) is installed.

# wget https://dl.eff.org/certbot-auto
# chmod 755 certbot-auto
# systemctl stop httpd

↑ Temporarily stop the httpd service (so that certbot's standalone mode can bind the web port).

# ./certbot-auto certonly --standalone -d (ホスト名) -m (通知先メールアドレス) --agree-tos -n

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/(ホスト名)/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/(ホスト名)/privkey.pem

↑ Success. (ホスト名) is the host name and (通知先メールアドレス) the notification e-mail address.
The host name must match the server on which certbot is being run.
(If it is a different server, the procedure becomes more complicated.)

POP3s settings

vi /etc/dovecot/conf.d/10-ssl.conf

ssl = no
 ↓
ssl = yes

ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
 ↓
ssl_cert = </etc/letsencrypt/live/(ホスト名)/fullchain.pem
ssl_key = </etc/letsencrypt/live/(ホスト名)/privkey.pem
vi /etc/dovecot/conf.d/10-master.conf

---------------------------------
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    #port = 995
    #ssl = yes
  }
---------------------------------
 ↓
---------------------------------
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
---------------------------------
# systemctl stop dovecot
# systemctl start dovecot

With this, POP3s (POP3 over SSL) is configured.
You can now connect on both the normal port 110 and port 995, and the error
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.
no longer occurs.
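To confirm from a client machine that the Dovecot listeners behave as the text describes, here is an added example (not code from the article) that connects to POP3 on 110/995 and to the IMAP listeners on 143/993 that a later section says work with the same settings, verifies the Let's Encrypt certificate against the host name, and reports whether a plaintext password mechanism is offered before the session is protected by TLS. HOST is a constructed placeholder for (ホスト名); only the Python standard library is used. If the addendum's disable_plaintext_auth = no is applied, the "before STLS" lines will show plaintext authentication being offered on the unencrypted session, which is exactly what the check is there to surface.

```python
"""Receive-side TLS check for the Dovecot setup described above (added example)."""
import imaplib
import poplib
import ssl

HOST = "mail.example.com"  # constructed placeholder: the name the certificate was issued for
TIMEOUT = 10


def pop3_plaintext_auth_offered(caps):
    """caps is the dict returned by poplib.POP3.capa(), e.g. {"SASL": ["PLAIN"], "STLS": []}.

    Dovecot lists USER and SASL PLAIN/LOGIN only when it would accept a plaintext
    password on that connection, so seeing them before STLS means
    disable_plaintext_auth = no (or the connection is already secure).
    """
    sasl = [m.upper() for m in caps.get("SASL", [])]
    return "USER" in caps or "PLAIN" in sasl or "LOGIN" in sasl


def imap_plaintext_auth_offered(caps):
    """caps is imaplib.IMAP4.capabilities (tuple of upper-case strings).

    LOGINDISABLED means the LOGIN command is refused; AUTH=PLAIN / AUTH=LOGIN
    mean a plaintext SASL mechanism is offered.
    """
    caps = {c.upper() for c in caps}
    return "LOGINDISABLED" not in caps or "AUTH=PLAIN" in caps or "AUTH=LOGIN" in caps


def findings(results):
    """Turn {listener label: plaintext auth offered?} into human-readable findings."""
    out = []
    for label, offered in results.items():
        if "before" in label and offered:
            out.append(f"{label}: plaintext auth offered on an unencrypted session "
                       "(disable_plaintext_auth = no?)")
        if "before" not in label and not offered:
            out.append(f"{label}: no plaintext auth offered although the session is "
                       "TLS-protected (check ssl = yes and the ssl_cert/ssl_key paths)")
    return out


def check_pop3(host, ctx):
    """CAPA before and after STLS on 110, and on the TLS-wrapped 995 listener."""
    results = {}
    conn = poplib.POP3(host, 110, timeout=TIMEOUT)
    results["pop3/110 before STLS"] = pop3_plaintext_auth_offered(conn.capa())
    conn.stls(context=ctx)  # ctx verifies the chain (fullchain.pem) and the host name
    results["pop3/110 after STLS"] = pop3_plaintext_auth_offered(conn.capa())
    conn.quit()
    conn = poplib.POP3_SSL(host, 995, timeout=TIMEOUT, context=ctx)
    results["pop3s/995"] = pop3_plaintext_auth_offered(conn.capa())
    conn.quit()
    return results


def check_imap(host, ctx):
    """CAPABILITY before and after STARTTLS on 143, and on the TLS-wrapped 993 listener."""
    results = {}
    conn = imaplib.IMAP4(host, 143, timeout=TIMEOUT)
    results["imap/143 before STARTTLS"] = imap_plaintext_auth_offered(conn.capabilities)
    conn.starttls(ssl_context=ctx)  # imaplib re-reads CAPABILITY after the upgrade
    results["imap/143 after STARTTLS"] = imap_plaintext_auth_offered(conn.capabilities)
    conn.logout()
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ctx, timeout=TIMEOUT)
    results["imaps/993"] = imap_plaintext_auth_offered(conn.capabilities)
    conn.logout()
    return results


if __name__ == "__main__":
    # The default context verifies against the system CA store, so a server that
    # serves cert.pem instead of fullchain.pem fails here with a chain error.
    ctx = ssl.create_default_context()
    results = {}
    results.update(check_pop3(HOST, ctx))
    results.update(check_imap(HOST, ctx))
    for label, offered in results.items():
        print(f"{label:28s} plaintext auth offered: {offered}")
    for line in findings(results):
        print("WARNING:", line)
```

Run it as `python3 check_receive_tls.py` after editing HOST. With the configuration from this section, the expected picture is "False" on the two "before" lines and "True" on the four protected ones, with no warnings; a handshake failure on any port points at the certificate paths in 10-ssl.conf rather than at the listener settings.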


Sending settings for SMTP (587) and SMTPs (port 465)

# vi /etc/postfix/main.cf
---------------------------------
#inet_interfaces = all
 ↓
inet_interfaces = all
---------------------------------
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/(ホスト名)/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/(ホスト名)/privkey.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache

↑ The four smtpd_* lines are added as new lines.

# vi /etc/postfix/master.cf

-------------------------------------------------------------------------
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-------------------------------------------------------------------------
↓
-------------------------------------------------------------------------
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-------------------------------------------------------------------------

-------------------------------------------------------------------------
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
-------------------------------------------------------------------------
↓
-------------------------------------------------------------------------
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
-------------------------------------------------------------------------
vi /etc/dovecot/conf.d/20-submission.conf

# Host name for the relay server (required)
#submission_relay_host =
↓
# Host name for the relay server (required)
submission_relay_host = localhost
# vi /etc/dovecot/conf.d/10-master.conf
-----------------------------------------
  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}
-----------------------------------------
↓
-----------------------------------------
  # Postfix smtp-auth
  unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
  }
-----------------------------------------

# yum install cyrus-sasl cyrus-sasl-plain

Installed:
  cyrus-sasl.x86_64 0:2.1.26-23.el7

# systemctl start saslauthd
# systemctl enable saslauthd

(Correction) The above is not necessary (SMTP authentication goes through the Dovecot auth socket configured above, so saslauthd is not used).

Restarting the postfix and dovecot services

# systemctl stop dovecot
# systemctl start dovecot
# systemctl stop postfix
# systemctl start postfix

With this, sending and receiving via pop3, pop3s, smtp and smtps all work.
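The sending side can be checked in the same way. This added example (not code from the article) talks to the submission (587) and smtps (465) listeners defined in master.cf above, verifies the Let's Encrypt certificate, and compares the EHLO extensions seen before and after STARTTLS. One caveat it is written to surface: the main.cf above enables TLS but leaves smtpd_tls_auth_only at its default of no, so Postfix may still advertise AUTH on the unencrypted 587 session; the script reports that so the operator can decide whether to add smtpd_tls_auth_only = yes. HOST is a constructed placeholder for (ホスト名); only the Python standard library is used.

```python
"""Submission-side TLS check for the Postfix master.cf entries above (added example)."""
import smtplib
import ssl

HOST = "mail.example.com"  # constructed placeholder: the name the certificate was issued for
TIMEOUT = 10


def ehlo_extensions(ehlo_msg):
    """Parse the reply text returned by smtplib.SMTP.ehlo() into {KEYWORD: args}.

    smtplib hands back the reply with the 250 codes stripped and the lines joined
    by newlines; the first line is the server's own host name, the rest are
    extension keywords such as "STARTTLS" or "AUTH PLAIN LOGIN".
    """
    if isinstance(ehlo_msg, bytes):
        ehlo_msg = ehlo_msg.decode("ascii", "replace")
    exts = {}
    for line in ehlo_msg.splitlines()[1:]:
        parts = line.strip().split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts


def submission_findings(before_tls, after_tls):
    """Findings for the STARTTLS port (587) from the extensions seen before and after STARTTLS."""
    out = []
    if "STARTTLS" not in before_tls:
        out.append("STARTTLS not offered on 587: check smtpd_use_tls and the "
                   "smtpd_tls_cert_file / smtpd_tls_key_file paths in main.cf")
    if "AUTH" in before_tls:
        out.append("AUTH offered before STARTTLS on 587: credentials can be sent in "
                   "plaintext; consider smtpd_tls_auth_only = yes")
    if "AUTH" not in after_tls:
        out.append("AUTH not offered after STARTTLS on 587: check smtpd_sasl_auth_enable=yes "
                   "in master.cf and the Dovecot auth socket")
    return out


def smtps_findings(exts):
    """Findings for the wrapper-mode port (465), where the session is TLS from the first byte."""
    out = []
    if "AUTH" not in exts:
        out.append("AUTH not offered on 465: check smtpd_sasl_auth_enable=yes in the smtps entry")
    return out


def check_submission(host, ctx):
    """EHLO on 587 before and after STARTTLS; returns the two extension dicts."""
    conn = smtplib.SMTP(host, 587, timeout=TIMEOUT)
    _, msg = conn.ehlo()
    before = ehlo_extensions(msg)
    conn.starttls(context=ctx)  # ctx verifies the chain (fullchain.pem) and the host name
    _, msg = conn.ehlo()        # extensions must be re-read after the upgrade
    after = ehlo_extensions(msg)
    conn.quit()
    return before, after


def check_smtps(host, ctx):
    """EHLO on the TLS-wrapped 465 listener (smtpd_tls_wrappermode=yes)."""
    conn = smtplib.SMTP_SSL(host, 465, timeout=TIMEOUT, context=ctx)
    _, msg = conn.ehlo()
    exts = ehlo_extensions(msg)
    conn.quit()
    return exts


if __name__ == "__main__":
    ctx = ssl.create_default_context()  # system CA store; an incomplete chain fails here
    before, after = check_submission(HOST, ctx)
    exts465 = check_smtps(HOST, ctx)
    print("587 before STARTTLS:", sorted(before))
    print("587 after STARTTLS: ", sorted(after))
    print("465 (wrapper mode): ", sorted(exts465))
    for line in submission_findings(before, after) + smtps_findings(exts465):
        print("WARNING:", line)
```

If the 465 connection fails during the TLS handshake while 587 works, the smtps entry is the place to look: without -o smtpd_tls_wrappermode=yes the listener expects a plaintext SMTP greeting and the wrapped client never gets past the first bytes.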


IMAP (port 143), IMAPS (port 993)

With the settings above, receiving via imap and imaps is also possible.


Non-SSL access after configuration (added 2019/08/09)

After the configuration above, if you access without SSL,

-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections.

is the error that appears.

Addendum: after configuring SSL, if you set

#vi /etc/dovecot/conf.d/10-auth.conf

#disable_plaintext_auth = yes
 ↓
disable_plaintext_auth = no

then you can send and receive on the non-SSL ports as well (POP3 on port 110, SMTP on port 587).
Naturally, sending and receiving over SSL still works too.

 
