
Postfix DKIM, SPF, 送信暗号化, 逆引き

 

証明書の設置

# mkdir /root/cert

# vi /root/cert/mail1.example.com.crt

// 記述


# vi /root/cert/mail1.example.com.key

// 記述

 

Postfixインストール

# yum install -y postfix cyrus-sasl-plain cyrus-sasl-md5 cyrus-sasl

 

設定

# cp /etc/postfix/main.cf /etc/postfix/main.cf.org

 

 

# vi /etc/postfix/main.cf
 
 
 
#myhostname = host.domain.tld
#myhostname = virtual.domain.tld
# Public FQDN of this relay. The same name is used for the TLS certificate
# (smtpd_tls_cert_file) and for the PTR record registered later in this guide.
myhostname = mail1.example.com
 
 
 
 
#mydomain = domain.tld
mydomain = example.com
 
 
#myorigin = $myhostname
#myorigin = $mydomain
# Locally submitted mail is stamped with "@example.com", not the host name.
myorigin = $mydomain
 
 

#inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
# Listen on every interface. Relaying is governed by the smtpd_recipient_restrictions
# appended at the end of this file (permit_sasl_authenticated, reject_unauth_destination).
inet_interfaces = all


#inet_protocols = all
# IPv4 only: no IPv6 listeners and no delivery to AAAA-only hosts.
inet_protocols = ipv4


#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
# NOTE(review): hosts in mynetworks are trusted by Postfix's default relay rules
# (permit_mynetworks); keep this list to the loopback and the one private range that
# genuinely must relay without SASL — confirm against smtpd_relay_restrictions on this version.
mynetworks = 127.0.0.0/8 172.31.0.0/16


#smtpd_banner = $myhostname ESMTP $mail_name
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
# Replace the software name in the greeting with "unknown" so the banner does not
# advertise that this is Postfix (or which version).
smtpd_banner = $myhostname ESMTP unknown



 
 
 
※最終行に追加



# SMTP authentication (SASL) -- mechanisms and password backend come from /etc/sasl2/smtpd.conf
smtpd_sasl_auth_enable = yes
# Accept the non-standard "AUTH=..." request syntax sent by some older clients.
broken_sasl_auth_clients = yes
# Relay only for authenticated clients; anything else must be addressed to a local destination.
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination


# TLS
# The smtp_* parameters below apply to the Postfix SMTP *client* (outbound delivery).
smtp_use_tls = yes
# Opportunistic: encrypt when the remote server offers STARTTLS, fall back to plaintext otherwise.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# The smtpd_* parameters below apply to the SMTP *server* (submission/inbound).
smtpd_tls_received_header = yes
# NOTE(review): no smtpd_tls_security_level (or smtpd_use_tls) is set here, so the server
# does not offer STARTTLS by default; SASL credentials sent to the submission port (587)
# would then travel in cleartext unless master.cf's "-o smtpd_tls_security_level=encrypt"
# on that service is enabled. Port 465 in wrapper mode should imply TLS. Adding
# "smtpd_tls_security_level = may" together with "smtpd_tls_auth_only = yes" keeps AUTH
# off unencrypted sessions — confirm against this Postfix version.
# NOTE(review): the key below lives under /root; make sure it is readable by root only (0600).
smtpd_tls_cert_file = /root/cert/mail1.example.com.crt
smtpd_tls_key_file  = /root/cert/mail1.example.com.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

# DKIM
# Hand both SMTP-received and locally submitted mail to OpenDKIM, which /etc/opendkim.conf
# binds to 127.0.0.1:8891 (see "Socket" there).
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
# If the milter is unreachable, mail is accepted unsigned rather than deferred or rejected.
milter_default_action = accept

 

# vi /etc/postfix/master.cf
 
 
# Port 25 (smtp) stays disabled: this host only accepts authenticated submission on 587/465.
#smtp      inet  n       -       n       -       -       smtpd ←●無効化
#smtp      inet  n       -       n       -       1       postscreen
#smtpd     pass  -       -       n       -       -       smtpd
#dnsblog   unix  -       -       n       -       0       dnsblog
#tlsproxy  unix  -       -       n       -       0       tlsproxy
# Port 587 (submission). NOTE(review): "-o smtpd_tls_security_level=encrypt" below is left
# commented out, so TLS is not required before AUTH on this port and SASL credentials may be
# sent in cleartext — enable it unless plaintext submission is deliberately wanted.
submission inet n       -       n       -       -       smtpd  ←●有効化
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes  ←●有効化
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
# Unauthenticated clients are rejected outright on this service (no local delivery either).
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject  ←●有効化
#  -o milter_macro_daemon_name=ORIGINATING
# Port 465 (smtps): implicit TLS ("wrapper" mode) instead of STARTTLS, same SASL-only policy.
smtps     inet  n       -       n       -       -       smtpd   ←●有効化
#  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes   ←●有効化
  -o smtpd_sasl_auth_enable=yes   ←●有効化
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject   ←●有効化
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup



# tlsmgr manages the TLS session cache referenced by smtpd_tls_session_cache_database in main.cf.
tlsmgr    unix  -       -       n       1000?   1       tlsmgr ←●有効であることを確認

 

 

# vi /etc/sasl2/smtpd.conf
 
 
pwcheck_method: saslauthd
mech_list: plain login
 
↓変更
 
#pwcheck_method: saslauthd
#mech_list: plain login

# Passwords are checked by the saslauthd daemon (restarted/enabled later in this guide).
pwcheck_method: saslauthd
# NOTE(review): saslauthd can only serve plaintext mechanisms (plain, login); cram-md5 needs
# the shared secret from an auxprop backend such as sasldb, so with this pwcheck_method it is
# advertised but cannot complete. Likewise the send-only user created with saslpasswd2 is
# stored in /etc/sasldb2, which saslauthd does not consult unless configured to —
# confirm which password backend is actually intended here.
mech_list: plain login cram-md5

 

# saslpasswd2 -u example.com send-only

Password:
Again (for verification):パスワード入力

 

ユーザ:send-only@example.com
パスワード:xxxxxxxxxxx

 

# chown postfix /etc/sasldb2

 

# Validate main.cf/master.cf before touching the running service; if this reports
# errors, fix them first — the restart below would otherwise take effect anyway.
postfix check
systemctl restart postfix
systemctl enable postfix
systemctl status postfix
# saslauthd is the pwcheck_method backend configured in /etc/sasl2/smtpd.conf.
systemctl restart saslauthd
systemctl enable saslauthd
systemctl status saslauthd

 

# vi /etc/logrotate.d/syslog


# Stock syslog stanza: inherits the schedule from /etc/logrotate.conf, only the
# reload hook is specified here.
/var/log/cron
/var/log/secure
/var/log/spooler
/var/log/messages
{
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

# Mail log: separate stanza with its own schedule and retention.
/var/log/maillog
{
    # NOTE(review): "size" and "daily" do not combine in logrotate — "size" takes precedence
    # over the time-based directive ("maxsize" is the combined form) — confirm for this version.
    daily
    size 1G
    rotate 14
    create
    dateext
    # NOTE(review): the suffix has day resolution; forcing rotation more than once a day
    # (this guide schedules "logrotate -f" every 6 hours) makes the rotated name collide.
    dateformat .%Y%m%d
    compress
    ifempty
    missingok
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

 

テスト

# logrotate -d /etc/logrotate.d/syslog

 

手動強制実行

# logrotate -f /etc/logrotate.conf

 

# vi /etc/crontab

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# Empty MAILTO: job output is discarded instead of being mailed to root.
MAILTO=""

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

# Run logrotate every 6 hours.
# NOTE(review): -f forces rotation of every log covered by logrotate.conf on each run, not
# only maillog; with the day-resolution dateformat used for maillog, repeated same-day runs
# collide on the rotated file name — confirm this is intended.
0 */6 * * * root /usr/sbin/logrotate -f /etc/logrotate.conf

 

反映させる

 

# systemctl restart crond

 

# yum -y install opendkim

 

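# Generate the DKIM key pair for example.com under the selector "selector".
# Absolute paths are used throughout so that a failed cd cannot redirect the
# chown/chmod globs at the parent directory, which may hold other domains' keys.
keydir=/etc/opendkim/keys/example.com
mkdir -p -- "$keydir"
# -D writes selector.private / selector.txt into $keydir instead of the cwd.
opendkim-genkey -D "$keydir" -d example.com -s selector
# The filter runs as opendkim; the private key must not be readable by anyone else.
chown opendkim:opendkim -- "$keydir"/*
chmod 440 -- "$keydir"/*.private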

 

# cp /etc/opendkim.conf /etc/opendkim.conf.org

 

# vi /etc/opendkim.conf


Mode    v

↓変更(デフォルトは受信メールの検証(v)のみ。送信メールへの署名(s)も行うようにする)

#Mode   v
Mode    sv



##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
##  be verified rather than being signed. Uncomment and use your domain name.
##  This parameter is not required if a SigningTable is in use.
# Domain        example.com
Domain * ←●追加



Selector        default

↓変更(セレクタ名を指定)

#Selector       default
Selector selector






KeyFile /etc/opendkim/keys/default.private

↓変更(署名に使う秘密鍵の場所)

#KeyFile        /etc/opendkim/keys/default.private
KeyFile /etc/opendkim/keys/example.com/selector.private




Socket  inet:8891@localhost

↓変更

#Socket inet:8891@localhost
Socket inet:8891@127.0.0.1

 

# vi /etc/opendkim/SigningTable

※下記を追加

*@* selector._domainkey.example.com

 

# vi /etc/opendkim/TrustedHosts
 
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
#192.168.1.0/24
 
※下記を追加
 
127.0.0.1

 

 

# vi /etc/sysconfig/opendkim
 
 
# Set the necessary startup options
OPTIONS="-x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid"
 
# Set the default DKIM selector
DKIM_SELECTOR=default
 
# Set the default DKIM key location
DKIM_KEYDIR=/etc/opendkim/keys
 
 
※下記を追加
 
AUTOCREATE_DKIM_KEYS=NO

 

設定の反映を行います

# Validate main.cf/master.cf before restarting; stop here if errors are reported.
postfix check
systemctl restart postfix
systemctl enable postfix
systemctl status postfix

# saslauthd is the pwcheck_method backend configured in /etc/sasl2/smtpd.conf.
systemctl restart saslauthd
systemctl enable saslauthd
systemctl status saslauthd

# opendkim must be listening on 127.0.0.1:8891 before Postfix can hand mail to the milter.
systemctl restart opendkim
systemctl enable opendkim
systemctl status opendkim

 

確認

# cat /etc/opendkim/keys/example.com/selector.txt

selector._domainkey     IN      TXT     ( "v=DKIM1; k=rsa; "
          "p=aaaaxxxxxxxxxxxxxxxxxxxxxxxxxxzzzz" )  ; ----- DKIM key selector for example.com


 

Route53に登録

 

正引きゾーン

example.com

 

レコード

mail1.example.com.
A
111.222.333.444
selector._domainkey.example.com.
TXT
"v=DKIM1; k=rsa; " "p=aaaaxxxxxxxxx" "xxxxxxxxxxxxxxxxxzzzz;"
example.com.
TXT
"v=spf1 +a +mx +ip4:111.222.333.444 +a:mail1.example.com. -all"

 

逆引き

333.222.111.in-addr.arpa.

444.333.222.111.in-addr.arpa.
PTR
mail1.example.com.

 

 

 

SPF DKIM クライアント設定例

バリュードメインの場合

txt @ v=spf1 +a +mx +ip4:111.222.333.444/32 ~all
txt selector._domainkey v=DKIM1; k=rsa; p=aaaaxxxxxxxxxxxxxxxxxxxxxxxxxxzzzz;

 

Route53の場合

NAME:yuutest3.space.
TYPE:TXT
VALUE:"v=spf1 +a +mx +a:mail1.example.com +ip4:111.222.333.444/32 ~all"
NAME:selector._domainkey.yuutest3.space.
TYPE:TXT
VALUE:"v=DKIM1; k=rsa; " "p=aaaaxxxxx" "xxxxxxxx" "xxxxxxxxxxxxxzzzz;"

VALUEの値が長くなるので分割する必要があります。

 
