KUSANAGIのPostfixの設定不備でメール送受信ができなくなってた件

Pocket

なんか久々にKUSANAGIに入れたメールサーバーのチェックしてたら、送受信にとどまらず、Thunderbirdが蹴られるという謎現象がおきていて、1週間ぐらい悩んでようやく直りました。Thunderbirdが蹴られる件ですが、macOSだとなぜかわからないのだけど、「OCSP レスポンスサーバーに問いあわせて証明書の正当性を確認する」というチェックボックスを外すしかなかったです。海外のQ&Aサイトにちらっと書いてありました。

ここからが問題で、とにかくSMTP-AuthでPostfixが落ちる落ちる。しかもログインできない。

面倒くさいのでまずパスワードをPlainに直しました。どうせ自分しか使いませんし。

Postfixのmain.cfとmaster.cfが色々間違ってたようで(若しくはアップデートで仕様変更があったのかも?)

修正後の/etc/postfix/main.cf

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 204800000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 5120000
milter_default_action = accept
mydestination = $mydomain, localhost
mydomain = [domain_name]
myhostname = [domain_name]
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
relay_domains = $mydestination
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit_auth_destination, check_policy_service unix:private/policy-spf reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_rhsbl_sender zen.spamhaus.org, reject_unknown_sender_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/CA/certs/[domain_name].crt
smtpd_tls_key_file = /etc/pki/CA/private/[domain_name].noenc.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

修正後の/etc/postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
smtps     inet  n       -        y      -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenivated,reject_unauth_destination
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
policyd-spf     unix  -       n       n       -       0       spawn
  user=nobody argv=/usr/bin/python /usr/bin/policyd-spf /etc/python-policyd-spf/policyd-spf.conf

修正後のdovecot設定

auth_mechanisms = plain login
auth_username_format = %u
auth_verbose = yes
disable_plaintext_auth = no
first_valid_uid = 1000
log_path = /var/log/dovecot/dovecot.log
mail_location = maildir:~/Maildir
mail_plugins = quota autocreate
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/passwd
  driver = passwd-file
}
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  inet_listener lmtp {
    port = 0
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl_cert = </etc/pki/CA/certs/[domain_name].crt
ssl_cipher_list = HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
ssl_key = </etc/pki/CA/private/[domain_name].noenc.key
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = passwd
}
userdb {
  driver = passwd
}
protocol lmtp {
  mail_plugins = quota autocreate
  postmaster_address = info@[domain-name]
}
protocol imap {
  mail_max_userip_connections = 60
}

 

重要な部分だと、master.cfとmain.cfで重複した設定にしてしまうといろいろ誤動作を起こすという落とし穴と本来reject_unauth_destinationと書くべき部分をrejectって省略しちゃうとGmailすらリジェクトしてしまうという…。

まぁ、こういうノウハウはもってないとサーバ構築はいろいろと大変ですね(反省)

Leave a Reply

Your email address will not be published. Required fields are marked *