なんか久々にKUSANAGIに入れたメールサーバーのチェックしてたら、送受信にとどまらず、Thunderbirdが蹴られるという謎現象がおきていて、1週間ぐらい悩んでようやく直りました。Thunderbirdが蹴られる件ですが、macOSだとなぜかわからないのだけど、「OCSP レスポンスサーバーに問いあわせて証明書の正当性を確認する」というチェックボックスを外すしかなかったです。海外のQ&Aサイトにちらっと書いてありました。
ここからが問題で、とにかくSMTP-AuthでPostfixが落ちる落ちる。しかもログインできない。
面倒くさいのでまずパスワードをPlainに直しました。どうせ自分しか使いませんし。
Postfixのmain.cfとmaster.cfが色々間違ってたようで(若しくはアップデートで仕様変更があったのかも?)
修正後の/etc/postfix/main.cf
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases broken_sasl_auth_clients = yes command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 disable_vrfy_command = yes home_mailbox = Maildir/ html_directory = no inet_interfaces = all inet_protocols = all local_recipient_maps = proxy:unix:passwd.byname $alias_maps mail_owner = postfix mailbox_size_limit = 204800000 mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 5120000 milter_default_action = accept mydestination = $mydomain, localhost mydomain = [domain_name] myhostname = [domain_name] mynetworks = 127.0.0.0/8 mynetworks_style = host myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix non_smtpd_milters = $smtpd_milters queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES recipient_delimiter = + relay_domains = $mydestination relayhost = sample_directory = /usr/share/doc/postfix-2.10.1/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_tls_security_level = may smtpd_banner = $myhostname ESMTP smtpd_client_restrictions = check_client_access hash:/etc/postfix/access, reject_rbl_client zen.spamhaus.org, reject_non_fqdn_sender, reject_unknown_sender_domain smtpd_milters = inet:127.0.0.1:8891 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit_auth_destination, check_policy_service unix:private/policy-spf reject smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_path = private/dovecot-auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_sender_restrictions = reject_rhsbl_sender zen.spamhaus.org, reject_unknown_sender_domain smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/pki/CA/certs/[domain_name].crt smtpd_tls_key_file = /etc/pki/CA/private/[domain_name].noenc.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes unknown_local_recipient_reject_code = 550
修正後の/etc/postfix/master.cf
smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenivated,reject_unauth_destination -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp showq unix n - n - - showq error unix - - n - - error retry unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/python /usr/bin/policyd-spf /etc/python-policyd-spf/policyd-spf.conf
修正後のdovecot設定
auth_mechanisms = plain login
auth_username_format = %u
auth_verbose = yes
disable_plaintext_auth = no
first_valid_uid = 1000
log_path = /var/log/dovecot/dovecot.log
mail_location = maildir:~/Maildir
mail_plugins = quota autocreate
mbox_write_locks = fcntl
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
passdb {
args = scheme=CRYPT username_format=%u /etc/dovecot/passwd
driver = passwd-file
}
protocols = imap
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
group = postfix
mode = 0660
user = postfix
}
}
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service lmtp {
inet_listener lmtp {
port = 0
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
ssl_cert = </etc/pki/CA/certs/[domain_name].crt
ssl_cipher_list = HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES
ssl_key = </etc/pki/CA/private/[domain_name].noenc.key
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
driver = passwd
}
userdb {
driver = passwd
}
protocol lmtp {
mail_plugins = quota autocreate
postmaster_address = info@[domain-name]
}
protocol imap {
mail_max_userip_connections = 60
}
重要な部分だと、master.cfとmain.cfで重複した設定にしてしまうといろいろ誤動作を起こすという落とし穴と本来reject_unauth_destinationと書くべき部分をrejectって省略しちゃうとGmailすらリジェクトしてしまうという…。
まぁ、こういうノウハウはもってないとサーバ構築はいろいろと大変ですね(反省)
コメント