カテゴリ: サーバ構築メモ

Dovecot-SASLでSMTPの認証

ホストOS:Debian GNU/Linux 10.7
ゲストOS:Debian GNU/Linux 10.7

Postfixの設定が完了している状態で、Dovecot-SASL(CRAM-MD5)によるSMTP認証を導入する。
Postfix側の設定(smtpd_sasl_type / smtpd_sasl_path で後述の `private/auth` ソケットを指す部分)は割愛する。
注意: CRAM-MD5はMD5ベースでソルトもなく、サーバ側に保存する{CRAM-MD5}値はパスワードと同等(読めればそのまま認証に使える)である。本手順ではTLSも設定するため、新規構築ならTLS越しのPLAIN認証 + ソルト付きハッシュ(SHA512-CRYPT等)の方が安全。CRAM-MD5を使う場合も、平文ポート(110/143)で使わせないよう 10-ssl.conf の `ssl = required` を検討すること。

公式サイト https://www.dovecot.org/

1.Dovecotをインストールする

# aptitude -y install dovecot-common dovecot-pop3d dovecot-imapd

2.メールプロトコルを設定する

↓ 設定箇所抜粋

# cd /etc/dovecot
# vi dovecot.conf

# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Only IMAP and POP3 are served by Dovecot in this memo; "submission" is not
# listed, so SMTP AUTH is handled by Postfix asking Dovecot's auth socket
# (see "service auth" in 10-master.conf), not by Dovecot's submission service.
protocols = imap pop3

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
# NOTE(review): this binds every interface in both address families; the lsof
# output later in the memo confirms 110/143/993/995 on "*". If only some
# networks should reach the mail ports, restrict them with a host firewall or
# list specific addresses here instead.
listen = *, ::

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

# A config file can also tried to be included without giving an error if
# it's not found:
# Anything dropped into conf.d/ or local.conf is merged into the live config
# (including auth settings), so keep /etc/dovecot writable by root only.
!include_try local.conf

3. 10-mail.confの設定(Maildir形式に設定する)

↓ 設定箇所抜粋

# /etc/dovecot/conf.d/10-mail.conf

# There are a few special variables you can use, eg.:
#
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if there's no domain
#   %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
#   mail_location = maildir:~/Maildir
#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
# "~" is the home directory the userdb returns. With the passwd-file userdb
# used in this memo that is the last field of each /etc/cram-md5.pwd line
# (e.g. /home/user007), so each user's mail lives in ~/Maildir, which the
# /etc/skel/Maildir step below pre-creates for new accounts.
mail_location = maildir:~/Maildir

# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
# Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  #separator =

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

4. 10-ssl.confの設定(暗号化するため鍵の設定をする)

↓ 設定箇所抜粋

# vi /etc/dovecot/conf.d/10-ssl.conf

##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
# NOTE(review): "yes" only offers TLS. The 110/143 listeners in 10-master.conf
# still accept cleartext sessions, and CRAM-MD5 is not a "plaintext" mechanism,
# so disable_plaintext_auth does not keep it off those ports -- a captured
# challenge/response can be attacked offline. "required" refuses logins on
# connections that have not started TLS; prefer it unless cleartext
# IMAP/POP3 from localhost is genuinely needed.
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
# "鍵" below is a placeholder for the real file name. /etc/ssl/private is not
# world-readable on Debian, which is what the comment above asks for; never
# put the key under /etc/ssl/certs.
ssl_cert = </etc/ssl/certs/鍵.pem
ssl_key = </etc/ssl/private/鍵.key

# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems.
# Harmless here: Dovecot acts only as a server in this setup, so this is
# not consulted for client connections.
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
# NOTE(review): this points at the parameters file shipped under
# /usr/share/dovecot, not at a locally generated /etc/dovecot/dh.pem as the
# comment above describes. Shared, published DH groups are acceptable when
# they are large enough; if per-host parameters are wanted, run the openssl
# command above and point ssl_dh at the result.
ssl_dh = </usr/share/dovecot/dh.pem

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
# TLS 1.2 floor: TLS 1.0/1.1 are refused. The commented ssl_protocols line
# below is the pre-2.3 setting; leave it commented.
ssl_min_protocol = TLSv1.2
#ssl_protocols = SSLv2

5. 10-master.conf(ポート番号の設定をする)

↓ 設定箇所抜粋

# vi /etc/dovecot/conf.d/10-master.conf

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  # Empty block keeps the default cleartext listener on 143 (STARTTLS
  # offered, not enforced). Whether logins are allowed before TLS is decided
  # by the ssl setting in 10-ssl.conf and disable_plaintext_auth.
  inet_listener imap {
  }
  # Implicit-TLS listener on 993.
  inet_listener imaps {
    port = 993
    ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  # Same shape as imap-login: cleartext 110 plus implicit-TLS 995.
  inet_listener pop3 {
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service submission-login {
  # Port left commented, so Dovecot's own submission service is not
  # listening; SMTP submission on this host is Postfix (465/submissions in
  # the lsof output at the end of the memo).
  inet_listener submission {
    #port = 587
  }
}

service lmtp {
  # Local socket only; the inet listener below stays commented, so LMTP is
  # not network-reachable.
  unix_listener lmtp {
    #mode = 0666
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

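service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).
  unix_listener auth-userdb {
    #mode = 0666
    #user =
    #group =
  }

  # Postfix smtp-auth: Postfix's smtpd opens this socket (private/auth,
  # relative to its /var/spool/postfix chroot) to verify SMTP AUTH
  # credentials against Dovecot's passdb. Only the postfix user needs to
  # reach it, so grant owner/group access instead of world access; this is
  # the mode the Dovecot SASL howto uses. The private/ directory is normally
  # postfix-owned and closed to others anyway, so 0666 was mostly shielded by
  # it, but least privilege costs nothing here.
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  # Auth process is run as this user.
  #user = $default_internal_user
}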

6. 10-logging.conf(ログの設定をする)

↓ 設定箇所抜粋

##
## Log destination.
##

# Log file to use for error messages. "syslog" logs to syslog,
# /dev/stderr logs to stderr.
#log_path = syslog

# Log file to use for informational messages. Defaults to log_path.
#info_log_path =
# Log file to use for debug messages. Defaults to info_log_path.
# Only debug-level messages are diverted to this file; errors and info keep
# going to syslog (the log_path default). Debug output carries usernames,
# client addresses and mailbox paths, so keep the file readable by root only
# and arrange rotation for it -- it is written by Dovecot, not by the syslog
# daemon.
debug_log_path = /var/log/dovecot.log

# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
#syslog_facility = mail

##
## Logging verbosity and debugging.
##

# Log filter is a space-separated list conditions. If any of the conditions
# match, the log filter matches (i.e. they're ORed together). Parenthesis
# are supported if multiple conditions need to be matched together.
# Supported conditions are:
#  event:<name wildcard> - Match event name. '*' and '?' wildcards supported.
#  source:<filename>[:<line number>] - Match source code filename [and line]
#  field:<key>=<value wildcard> - Match field key to a value. Can be specified
#    multiple times to match multiple keys.
#  cat[egory]:<value> - Match a category. Can be specified multiple times to
#    match multiple categories.
# For example: event:http_request_* (cat:error cat:storage)

# Filter to specify what debug logging to enable. This will eventually replace
# mail_debug and auth_debug settings.
#log_debug =

# Crash after logging a matching event. For example category:error will crash
# any time an error is logged, which can be useful for debugging.
#log_core_filter =

# Log unsuccessful authentication attempts and the reasons why they failed.
# Worth keeping on in production: the failed-login lines (user, remote IP,
# mechanism) are what brute-force detection such as fail2ban keys on.
auth_verbose = yes

# In case of password mismatches, log the attempted password. Valid values are
# no, plain and sha1. sha1 can be useful for detecting brute force password
# attempts vs. user simply trying the same password over and over again.
# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
# Leave at "no" unless actively investigating; "plain" writes real user
# passwords into the log.
#auth_verbose_passwords = no

# Even more verbose logging for debugging purposes. Shows for example SQL
# queries.
# NOTE(review): bring-up setting. Logs every auth request and passdb/userdb
# lookup in detail (not passwords, as long as auth_debug_passwords stays no).
# Set back to "no" once Postfix SMTP AUTH is verified working.
auth_debug = yes

# In case of password mismatches, log the passwords and used scheme so the
# problem can be debugged. Enabling this also enables auth_debug.
# Never enable on a live server: this logs cleartext passwords.
#auth_debug_passwords = no

# Enable mail process debugging. This can help you figure out why Dovecot
# isn't finding your mails.
# NOTE(review): bring-up setting; revert to "no" in production.
mail_debug = yes

# Show protocol level SSL errors.
# Useful while checking the certificate/ciphers and low-volume, but it may
# also record a handshake failure for every scanner that probes the ports.
verbose_ssl = yes

7. auth-passwdfile.conf.ext(PWファイルの設定をする)

↓ 設定箇所抜粋

# vi /etc/dovecot/conf.d/auth-passwdfile.conf.ext

passdb {
  driver = passwd-file
#  args = scheme=CRYPT username_format=%u /etc/dovecot/users
# No scheme= is needed: every entry in /etc/cram-md5.pwd carries an explicit
# {CRAM-MD5} prefix (see the doveadm pw output further down). That value is
# password-equivalent -- Dovecot's own docs call the CRAM-MD5 scheme
# "plaintext-equivalent" -- so the file must be root-owned and unreadable by
# other users. After tightening its mode, confirm Dovecot can still read it,
# e.g. with `doveadm auth test user007`.
args = /etc/cram-md5.pwd
}

userdb {
  driver = passwd-file
 #args = username_format=%u /etc/dovecot/users
args = /etc/cram-md5.pwd

▼新規ユーザのMaildir自動作成設定
◎/etc/skel 以下は adduser 時にホームディレクトリへコピーされるため、今後追加するユーザにはMaildirが自動で作成される。既存ユーザには反映されないので、各ユーザのホームで `maildirmake.dovecot ~/Maildir` を実行し、所有者がそのユーザで他ユーザから読めないパーミッションになっていることを確認すること。

# maildirmake.dovecot /etc/skel/Maildir

▼ユーザPWを作成する

# doveadm pw -s CRAM-MD5

Enter new password:hogehoge
Retype new password:hogehoge
{CRAM-MD5}dcbe8064d829ee98ad16817611150a6c7ee5fe1c9dfd79f5395be892f162bfd3


出力された{CRAM-MD5}値を/etc/cram-md5.pwdに書き込む。上記の例では hogehoge をCRAM-MD5形式に変換した(実際の doveadm pw は入力をエコーしない。hogehoge はこのメモの説明用に書いている)。注意: この値は一方向ハッシュではなくHMAC-MD5の内部状態で、値を読めた者はパスワードを知らなくてもそのユーザとして認証できる(Dovecotのドキュメントでも plaintext-equivalent とされている)。ファイルは root 所有・他ユーザから読めない権限にし、本番のハッシュ値をメモに貼らないこと。

# vi /etc/cram-md5.pwd
user007:{CRAM-MD5}dcbe8064d829ee98ad16817611150a6c7ee5fe1c9dfd79f5395be892f162bfd3:1000:1000::/home/user007

8. 設定値チェック

↓ 抜粋(`doveconf -n` ならデフォルトから変更した項目だけを表示できる)。下記のとおり auth_mechanisms に plain が含まれているので、`doveconf disable_plaintext_auth` が yes(既定値)のままであること、つまりTLSなしの接続で PLAIN を受け付けていないことも併せて確認する。

# doveconf
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.19.0-13-amd64 x86_64 Debian 10.7
# Hostname: XXX.XXX.XXX
# NOTE: Send doveconf -n output instead when asking for help.
auth_anonymous_username = anonymous
auth_cache_negative_ttl = 1 hours
auth_cache_size = 0
auth_cache_ttl = 1 hours
auth_cache_verify_password_with_worker = no
auth_debug = yes
auth_debug_passwords = no
auth_default_realm =
auth_failure_delay = 2 secs
auth_gssapi_hostname =
auth_krb5_keytab =
auth_master_user_separator =
auth_mechanisms = plain  cram-md5
auth_policy_check_after_auth = yes
・
・
・

▼自動起動設定

# systemctl enable dovecot.service
Synchronizing state of dovecot.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dovecot

▼自動起動確認

# systemctl is-enabled dovecot
enabled

▼サービス状態確認

# systemctl status dovecot
● dovecot.service - Dovecot IMAP/POP3 email server
   Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-01-17 18:02:24 JST; 1 weeks 0 days ago
     Docs: man:dovecot(1)
           http://wiki2.dovecot.org/
 Main PID: 431 (dovecot)
    Tasks: 9 (limit: 3491)
   Memory: 20.5M
   CGroup: /system.slice/dovecot.service
           ├─  431 /usr/sbin/dovecot -F
           ├─ 1182 dovecot/anvil
           ├─ 1183 dovecot/log
           ├─ 1191 dovecot/config
           ├─ 1335 dovecot/stats
           ├─24025 dovecot/imap-login
           ├─24027 dovecot/imap-login
           ├─24028 dovecot/imap
           └─24030 dovecot/imap

▼プロセス使用ポート確認(110/pop3 と 143/imap2 も全インターフェースで待ち受けている点に注意。これらは STARTTLS 前は平文なので、disable_plaintext_auth=yes を維持するか、不要なら 10-master.conf の inet_listener pop3/imap を閉じて 995/993 だけにする)

# lsof -i
COMMAND     PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
dovecot     431     root   22u  IPv4   15137      0t0  TCP *:pop3 (LISTEN)
dovecot     431     root   23u  IPv6   15138      0t0  TCP *:pop3 (LISTEN)
dovecot     431     root   24u  IPv4   15139      0t0  TCP *:pop3s (LISTEN)
dovecot     431     root   25u  IPv6   15140      0t0  TCP *:pop3s (LISTEN)
dovecot     431     root   39u  IPv4   15165      0t0  TCP *:imap2 (LISTEN)
dovecot     431     root   40u  IPv6   15166      0t0  TCP *:imap2 (LISTEN)
dovecot     431     root   41u  IPv4   15167      0t0  TCP *:imaps (LISTEN)
dovecot     431     root   42u  IPv6   15168      0t0  TCP *:imaps (LISTEN)
ntpd        462      ntp   16u  IPv6   14186      0t0  UDP *:ntp
ntpd        462      ntp   17u  IPv4   14189      0t0  UDP *:ntp
ntpd        462      ntp   18u  IPv4   14193      0t0  UDP localhost:ntp
ntpd        462      ntp   19u  IPv4   14195      0t0  UDP XXX.XXXf.XXX:ntp
ntpd        462      ntp   20u  IPv6   14197      0t0  UDP localhost:ntp
ntpd        462      ntp   21u  IPv6   14199      0t0  UDP [fe80::5054:ff:fe0e:d401]:ntp
sshd        497     root    3u  IPv4   14316      0t0  TCP *:ssh (LISTEN)
sshd        497     root    4u  IPv6   14327      0t0  TCP *:ssh (LISTEN)
master    23355     root   13u  IPv4 6072805      0t0  TCP *:smtp (LISTEN)
master    23355     root   14u  IPv6 6072806      0t0  TCP *:smtp (LISTEN)
master    23355     root   18u  IPv4 6072811      0t0  TCP *:submissions (LISTEN)
master    23355     root   19u  IPv6 6072812      0t0  TCP *:submissions (LISTEN)
imap-logi 24025 dovenull   19u  IPv4 6358845      0t0  TCP XXX.XXXf.XXX:imaps->XXX.XXXf.XXX:64088 (ESTABLISHED)
imap-logi 24027 dovenull   19u  IPv4 6358860      0t0  TCP XXX.XXXf.XXX:imaps->XXX.XXXf.XXX:62822 (ESTABLISHED)
sshd      25180     root    3u  IPv4 6440172      0t0  TCP XXX.XXXf.XXX:ssh->deb:53822 (ESTABLISHED)
sshd      25197     hoge   3u  IPv4 6440172      0t0  TCP XXX.XXXf.XXX:ssh->deb:53822 (ESTABLISHED)

以上