Postfixの導入(lenny)

exim4の削除

デフォルトでexim4がインストールされているため、これを停止する。

# /etc/init.d/exim4 stop

exim4をアンインストールする。

# apt-get remove --purge exim4

postfixインストール

# apt-get install postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  postfix-mysql postfix-pgsql postfix-ldap postfix-pcre libsasl2-modules
  resolvconf postfix-cdb mail-reader ufw
The following NEW packages will be installed:
  postfix
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 1224kB of archives.
After this operation, 2793kB of additional disk space will be used.
Get:1 http://ftp.debian.org lenny/main postfix 2.5.5-1.1 [1224kB]
Fetched 1224kB in 9s (130kB/s)
Preconfiguring packages ...
Selecting previously deselected package postfix.
(Reading database ... 22841 files and directories currently installed.)
Unpacking postfix (from .../postfix_2.5.5-1.1_i386.deb) ...
Setting up postfix (2.5.5-1.1) ...
Adding group `postfix' (GID 108) ...
Done.
Adding system user `postfix' (UID 105) ...
Adding new user `postfix' (UID 105) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding tcp map entry to /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID 109) ...
Done.
setting myhostname: UNKNOWN
setting alias maps
setting alias database
changing /etc/mailname to (設定したmailname)
setting myorigin
setting destinations: (設定したmailname), localhost, localhost.localdomain, localhost
setting relayhost:
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_command
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
WARNING: /etc/aliases exists, but does not have a root alias.

Postfix is now set up with a default configuration.  If you need to make
changes, edit
/etc/postfix/main.cf (and others) as needed.  To view Postfix configuration
values, see postconf(1).

After modifying main.cf, be sure to run '/etc/init.d/postfix reload'.

Running newaliases
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.
#

Dovecot(pop3,imap)の導入

インストール

# apt-get install dovecot-common dovecot-pop3d dovecot-imapd

dovecot.confの編集

# vi /etc/dovecot/dovecot.conf
・・・
# Protocols we want to be serving: imap imaps pop3 pop3s managesieve
# If you only want to use dovecot-auth, you can set this to "none".
#protocols = imap imaps
protocols = imap pop3
・・・
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = yes
disable_plaintext_auth = no
・・・
##
## Logging
##

auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes

# Log file to use for error messages, instead of sending them to syslog.
# /dev/stderr can be used to log into stderr.
#log_path = 
log_path = /var/log/dovecot.log

# Log file to use for informational and debug messages.
# Default is the same as log_path.
#info_log_path = 

# Prefix for each line written to log file. % codes are in strftime(3)
# format.
#log_timestamp = "%b %d %H:%M:%S "
log_timestamp = "%Y-%m-%d %H:%M:%S "
・・・
##
## SSL settings
##

# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
#ssl_listen =

# Disable SSL/TLS support.
#ssl_disable = no
ssl_disable = yes
・・・
##
## Mailbox locations and namespaces
##

# Location for users' mailboxes. This is the same as the old default_mail_env
# setting. The default is empty, which means that Dovecot tries to find the
# mailboxes automatically. This won't work if the user doesn't have any mail
# yet, so you should explicitly tell Dovecot the full location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See /usr/share/doc/dovecot-common/wiki/Variables.txt for full list. Some
# examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
#mail_location = 
mail_location = maildir:~/Maildir
・・・
protocol imap {
}
・・・
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
・・・
auth default {
  # Space separated list of wanted authentication mechanisms:
  #   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi
  # NOTE: See also disable_plaintext_auth setting.
  mechanisms = cram-md5 plain login

  #
  # Password database is used to verify user's password (and nothing more).
  # You can have multiple passdbs and userdbs. This is useful if you want to
  # allow both system users (/etc/passwd) and virtual users to login without
  # duplicating the system users into virtual database.
  #
  # <doc/wiki/PasswordDatabase.txt>
  #
  # By adding master=yes setting inside a passdb you make the passdb a list
  # of "master users", who can log in as anyone else. Unless you're using PAM,
  # you probably still want the destination user to be looked up from passdb
  # that it really exists. This can be done by adding pass=yes setting to the
  # master passdb. <doc/wiki/Authentication.MasterUsers.txt>

  # Users can be temporarily disabled by adding a passdb with deny=yes.
  # If the user is found from that database, authentication will fail.
  # The deny passdb should always be specified before others, so it gets
  # checked first. Here's an example:

  passdb passwd-file {
    # File contains a list of usernames, one per line
    #args = /etc/dovecot.deny
    #deny = yes
    args = /etc/dovecot/passwd
  }

  # PAM authentication. Preferred nowadays by most systems. 
  # Note that PAM can only be used to verify if user's password is correct,
  # so it can't be used as userdb. If you don't want to use a separate user
  # database (passwd usually), you can use static userdb.
  # REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
  # authentication to actually work. <doc/wiki/PasswordDatabase.PAM.txt>
  passdb pam {
    # [blocking=yes] [session=yes] [setcred=yes]
    # [cache_key=<key>] [<service name>]
    #
    # By default a new process is forked from dovecot-auth for each PAM lookup.
    # Setting blocking=yes uses the alternative way: dovecot-auth worker
    # processes do the PAM lookups.
    #
    # session=yes makes Dovecot open and immediately close PAM session. Some
    # PAM plugins need this to work, such as pam_mkhomedir.
    #
    # setcred=yes makes Dovecot establish PAM credentials if some PAM plugins
    # need that. They aren't ever deleted though, so this isn't enabled by
    # default.
    #
    # cache_key can be used to enable authentication caching for PAM
    # (auth_cache_size also needs to be set). It isn't enabled by default
    # because PAM modules can do all kinds of checks besides checking password,
    # such as checking IP address. Dovecot can't know about these checks
    # without some help. cache_key is simply a list of variables (see
    # /usr/share/doc/dovecot-common/wiki/Variables.txt) which must match for
    # the cached data to be used. Here are some examples:
    #   %u - Username must match. Probably sufficient for most uses.
    #   %u%r - Username and remote IP address must match.
    #   %u%s - Username and service (ie. IMAP, POP3) must match.
    # 
    # If service name is "*", it means the authenticating service name
    # is used, eg. pop3 or imap (/etc/pam.d/pop3, /etc/pam.d/imap).
    #
    # Some examples:
    #   args = session=yes *
    #   args = cache_key=%u dovecot
    #args = dovecot
  }

  # System users (NSS, /etc/passwd, or similiar)
  # In many systems nowadays this uses Name Service Switch, which is
  # configured in /etc/nsswitch.conf. <doc/wiki/AuthDatabase.Passwd.txt>
  #passdb passwd {
    # [blocking=yes] - See userdb passwd for explanation
    #args = 
  #}

  # Shadow passwords for system users (NSS, /etc/shadow or similiar).
  # Deprecated by PAM nowadays.
  # <doc/wiki/PasswordDatabase.Shadow.txt>
  #passdb shadow {
    # [blocking=yes] - See userdb passwd for explanation
    #args = 
  #}

  # PAM-like authentication for OpenBSD.
  # <doc/wiki/PasswordDatabase.BSDAuth.txt>
  #passdb bsdauth {
    # [cache_key=<key>] - See cache_key in PAM for explanation.
    #args =
  #}

  # passwd-like file with specified location
  # <doc/wiki/AuthDatabase.PasswdFile.txt>
  #passdb passwd-file {
    # Path for passwd-file
    #args = 
  #}

  # checkpassword executable authentication
  # NOTE: You will probably want to use "userdb prefetch" with this.
  # <doc/wiki/PasswordDatabase.CheckPassword.txt>
  #passdb checkpassword {
    # Path for checkpassword binary
    #args = 
  #}

  # SQL database <doc/wiki/AuthDatabase.SQL.txt>
  #passdb sql {
    # Path for SQL configuration file
    #args = /etc/dovecot/dovecot-sql.conf
  #}

  # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
  #passdb ldap {
    # Path for LDAP configuration file
    #args = /etc/dovecot/dovecot-ldap.conf
  #}

  # vpopmail authentication <doc/wiki/AuthDatabase.VPopMail.txt>
  #passdb vpopmail {
    # [cache_key=<key>] - See cache_key in PAM for explanation.
    #args =
  #}

  #
  # User database specifies where mails are located and what user/group IDs
  # own them. For single-UID configuration use "static".
  #
  # <doc/wiki/UserDatabase.txt>
  #

  # System users (NSS, /etc/passwd, or similiar). In many systems nowadays this
  # uses Name Service Switch, which is configured in /etc/nsswitch.conf.
  # <doc/wiki/AuthDatabase.Passwd.txt>
  userdb passwd {
    # [blocking=yes] - By default the lookups are done in the main dovecot-auth
    # process. This setting causes the lookups to be done in auth worker
    # proceses. Useful with remote NSS lookups that may block.
    # NOTE: Be sure to use this setting with nss_ldap or users might get
    # logged in as each others!
    #args = 
  }

  # passwd-like file with specified location
  # <doc/wiki/AuthDatabase.PasswdFile.txt>
  userdb passwd-file {
    # Path for passwd-file
    args = /etc/dovecot/passwd
  }

  # static settings generated from template <doc/wiki/UserDatabase.Static.txt>
  #userdb static {
    # Template for the fields. Can return anything a userdb could normally
    # return. For example:
    #
    #  args = uid=500 gid=500 home=/var/mail/%u
    #
    # If you use deliver, it needs to look up users only from the userdb. This
    # of course doesn't work with static because there is no list of users.
    # Normally static userdb handles this by doing a passdb lookup. This works
    # with most passdbs, with PAM being the most notable exception. If you do
    # the user verification another way, you can add allow_all_users=yes to
    # the args in which case the passdb lookup is skipped.
    #
    #args =
  #}

  # SQL database <doc/wiki/AuthDatabase.SQL.txt>
  #userdb sql {
    # Path for SQL configuration file
    #args = /etc/dovecot/dovecot-sql.conf
  #}

  # LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
  #userdb ldap {
    # Path for LDAP configuration file
    #args = /etc/dovecot/dovecot-ldap.conf
  #}

  # vpopmail <doc/wiki/AuthDatabase.VPopMail.txt>
  #userdb vpopmail {
  #}

  # "prefetch" user database means that the passdb already provided the
  # needed information and there's no need to do a separate userdb lookup.
  # This can be made to work with SQL and LDAP databases, see their example
  # configuration files for more information how to do it.
  # <doc/wiki/UserDatabase.Prefetch.txt>
  #userdb prefetch {
  #}

  # User to use for the process. This user needs access to only user and
  # password databases, nothing else. Only shadow and pam authentication
  # requires roots, so use something else if possible. Note that passwd
  # authentication with BSDs internally accesses shadow files, which also
  # requires roots. Note that this user is NOT used to access mails.
  # That user is specified by userdb above.
  user = root

  # Directory where to chroot the process. Most authentication backends don't
  # work if this is set, and there's no point chrooting if auth_user is root.
  # Note that valid_chroot_dirs isn't needed to use this setting.
  #chroot = 

  # Number of authentication processes to create
  #count = 1

  # Require a valid SSL client certificate or the authentication fails.
  #ssl_require_client_cert = no

  # Take the username from client's SSL certificate, using 
  # X509_NAME_get_text_by_NID() which returns the subject's DN's
  # CommonName. 
  #ssl_username_from_cert = no

  # It's possible to export the authentication interface to other programs:
  #socket listen {
    #master {
      # Master socket provides access to userdb information. It's typically
      # used to give Dovecot's local delivery agent access to userdb so it
      # can find mailbox locations.
      #path = /var/run/dovecot/auth-master
      #mode = 0600
      # Default user/group is the one who started dovecot-auth (root)
      #user = 
      #group = 
    #}
    #client {
      # The client socket is generally safe to export to everyone. Typical use
      # is to export it to your SMTP server so it can do SMTP AUTH lookups
      # using it.
      #path = /var/run/dovecot/auth-client
      #mode = 0660
    #}
  #}

  ## dovecot-lda specific settings
  ##
  # socket listen {
  #   master {
  #     path = /var/run/dovecot/auth-master
  #     mode = 0600
  #     user = mail # User running Dovecot LDA
  #     #group = mail # Or alternatively mode 0660 + LDA user in this group
  #   }
  # }

  socket listen {
    client {
    path = /var/spool/postfix/private/auth-dovecot
    mode = 0660
    user = postfix
    group = postfix
    }
  }

}

パスワードファイルの設定

# dovecotpw -lCRYPT MD5 MD5-CRYPT SHA SHA1 SMD5 SSHA PLAIN \
CLEARTEXT CRAM-MD5 HMAC-MD5 DIGEST-MD5 PLAIN-MD4 \
PLAIN-MD5 LDAP-MD5 LANMAN NTLM RPA

CRAM-MD5パスワードは下記コマンドで出力できます。

# dovecotpw -s CRAM-MD5
Enter new password:
Retype new password:
{CRAM-MD5}ace37ad159394e0038338b4e4dcd9481dc691401420b6a3d3ab0777ad9563491

Dovecotユーザの作成

# useradd -u 10000 -s /bin/false vmailmgr
# mkdir /home/dovecot
# mkdir /home/dovecot/mydomain.com

adminというメールアカウントを作成する場合は以下のようにします。

# mkdir /home/dovecot/mydomain.com/admin

パーミッションを変更します。

# chown -R vmailmgr.vmailmgr /home/dovecot

パスワードファイルを作成します

# vi /etc/dovecot/passwd
user1@mydomain.com:{CRAM-MD5}ace37ad159394e0038338b4e4dcd9481dc691401420b6a3d3ab0777ad9563491:10000:100000::/home/dovecot/mydomain.com/user1/::/sbin/nologin

パーミッションを600に変更します。

# chmod 600 /etc/dovecot/passwd

Postfixの設定ファイル(/etc/postfix/main.conf)の編集

# vi /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

#smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_banner = $myhostname ESMTP
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

#myhostname = UNKNOWN
myhostname = mydomain.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/

# SMTP
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-dovecot
smtpd_sasl_authenticated_header = yes

# virtual domain
virtual_mailbox_domains = mydomain.com
virtual_mailbox_base = /home/dovecot
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_uid_maps = static:10000
virtual_gid_maps = static:10000

サブミッションポートの設定

# vi /etc/postfix/master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
・・・

上記のように、submissionの#(コメント)を外し、サブミッションポートを有効にします。

バーチャルメールボックスの設定

/etc/postfix/main.cfでvirtual_mailbox_mapsを記述しましたが、そのファイルを編集します。

# vi /etc/postfix/vmailbox

メールアドレスとMaildirのディレクトリを記述します。

admin@mydomain.com mydomain.com/admin/Maildir/

上記設定で、admin@mydomain.comのMaildirは、

/home/dovecot/mydomain.com/admin/Maildir/

になります。
下記コマンドで設定が反映されます。

# postmap /etc/postfix/vmailbox

バーチャルエイリアスマップスの設定

/etc/postfix/main.cfでvirtual_alias_mapsを記述しましたが、そのファイルを編集します。
バーチャルエイリアスを使用しない場合でも、ファイルが存在しないと正常に動作しないため、空ファイルを作成します。

# touch /etc/postfix/virtual

下記コマンドで、設定が反映されます。

# postmap /etc/postfix/virtual
# strings /etc/postfix/virtual

この後、dovecotを再読み込みし動作を確認します。

# /etc/init.d/dovecot restart