1)全体の状況は以下です。
openbsd:mailserverは いわゆるレンタルサーバーです。 The mail server is built on what is called a rental (hosted) server.
ここにメールサーバーを立ち上げて linux : thunderbird から使います。I use this server from Thunderbird on Linux.
linux : thunderbird
1.2.3.4
|
|
|
internet-----em0:openbsd:mailserver( opensmtpd + dovecot)
2)MXを設定するために I set the MX record by the following procedure.
きちんと設定できれば以下となります
host aoiyuma.mydns.jp
then
aoiyuma.mydns.jp has address 157.7.208.141
aoiyuma.mydns.jp mail is handled by 10 mail.aoiyuma.mydns.jp.
3)dovecot -n の 結果は、
# 2.2.15: /etc/dovecot/dovecot.conf
# OS: OpenBSD 5.7 amd64
# Output of "dovecot -n": only settings that differ from the built-in defaults.
# PLAIN and LOGIN both carry the password in the clear inside the IMAP
# session, so they are only safe once TLS has been negotiated.
auth_mechanisms = plain login
# NOTE(review): "no" lets Dovecot accept PLAIN/LOGIN on an unencrypted
# connection (port 143 before STARTTLS); a client that skips STARTTLS sends
# its password on the wire. "yes" makes Dovecot refuse cleartext auth until
# the session is TLS-protected.
disable_plaintext_auth = no
# System accounts below uid 1000 can never log in to mail.
first_valid_uid = 1000
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
# "*" binds all IPv4 addresses only; IPv6 would need "*, ::".
listen = *
# One Maildir per user, under the home directory that userdb returns.
mail_location = maildir:~/Maildir
# Only used for mbox storage; harmless with maildir.
mbox_write_locks = fcntl
mmap_disable = yes
# special_use advertises the role of each folder (RFC 6154) to clients.
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix =
}
# Passwords are checked through BSD authentication, i.e. the system account
# password under the classes in /etc/login.conf (section 4 below).
passdb {
driver = bsdauth
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
# Only IMAP is served; the pop3 listeners in 10-master.conf are never started.
protocols = imap
# "<" reads the value from the named file. Keep the key readable by root only.
ssl_cert = </etc/ssl/dovecotcert.pem
ssl_key = </etc/ssl/private/dovecot.pem
# uid/gid/home come from the passwd database.
userdb {
driver = passwd
}
こうなるためには
/etc/dovecot/dovecot.conf
# Dovecot 2.x treats the old "imaps" protocol name as obsolete: the dovecot -n
# output above keeps only "imap", and TLS on 993 comes from the imaps
# inet_listener in 10-master.conf instead.
protocols = imap imaps
listen = *
# Pulls in the conf.d fragments shown below.
!include conf.d/*.conf
/etc/dovecot/conf.d/10-master.conf
# Listeners for the IMAP login processes.
service imap-login {
# No port given: the default IMAP port 143; TLS is negotiated with STARTTLS.
inet_listener imap {
}
# Implicit TLS on 993: the handshake happens before any IMAP command.
inet_listener imaps {
port = 993
ssl = yes
}
}
# pop3 is not in "protocols" (dovecot -n shows only imap), so these listeners
# are defined but never started.
service pop3-login {
inet_listener pop3 {
}
inet_listener pop3s {
}
}
# Local delivery socket; unused unless the MTA hands mail to Dovecot over
# LMTP (the smtpd.conf here delivers to maildir directly).
service lmtp {
unix_listener lmtp {
}
}
service imap {
}
service pop3 {
}
# Socket through which other processes query userdb.
service auth {
unix_listener auth-userdb {
}
}
service auth-worker {
}
service dict {
unix_listener dict {
}
}
/etc/dovecot/conf.d/10-mail.conf <
# Mail is stored per user as Maildir under the home directory that userdb
# (driver = passwd) returns.
mail_location = maildir:~/Maildir
namespace inbox {
inbox = yes
}
mmap_disable = yes
# Refuses mail logins for system accounts below uid 1000.
first_valid_uid = 1000
mail_plugin_dir = /usr/local/lib/dovecot
# Only relevant for mbox storage; harmless with maildir.
mbox_write_locks = fcntl
/etc/dovecot/conf.d/10-ssl.conf <
# "yes" offers TLS but still allows cleartext sessions on 143. "required"
# would refuse any login until TLS is active and is the natural partner of
# disable_plaintext_auth = yes (see the dovecot -n output above).
ssl = yes
ssl_cert = </etc/ssl/dovecotcert.pem
# Private key: keep it unreadable by anyone but root.
ssl_key = </etc/ssl/private/dovecot.pem
4) /etc/login.conf
# Dovecot's passdb is "bsdauth" (see dovecot -n), so IMAP logins are checked
# against these classes: "auth-defaults" permits a password or S/Key.
auth-defaults:auth=passwd,skey:
auth-ftp-defaults:auth-ftp=passwd:
# Base class; every other class chains to it via tc=. localcipher selects
# bcrypt ("blowfish") with cost factor 8 for newly set passwords.
default:\
:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\
:umask=022:\
:datasize-max=512M:\
:datasize-cur=512M:\
:maxproc-max=256:\
:maxproc-cur=128:\
:openfiles-cur=512:\
:stacksize-cur=4M:\
:localcipher=blowfish,8:\
:ypcipher=old:\
:tc=auth-defaults:\
:tc=auth-ftp-defaults:
# Class for system daemons: /etc/nologin is ignored, memory and process
# limits are lifted.
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles-cur=128:\
:stacksize-cur=8M:\
:localcipher=blowfish,9:\
:tc=default:
staff:\
:datasize-cur=1536M:\
:datasize-max=infinity:\
:maxproc-max=512:\
:maxproc-cur=256:\
:ignorenologin:\
:requirehome@:\
:tc=default:
authpf:\
:welcome=/etc/motd.authpf:\
:shell=/usr/sbin/authpf:\
:tc=default:
bgpd:\
:openfiles-cur=512:\
:tc=daemon:
unbound:\
:openfiles-cur=512:\
:tc=daemon:
# Dovecot's own class: open-file limits raised above the 512/2048 that the
# port's README-server suggests (link below).
dovecot:\
:openfiles-cur=2048:\
:openfiles-max=4096:\
:tc=daemon:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/mail/dovecot/pkg/README-server?rev=1.2 では dovecot:\ :openfiles-cur=512:\ :openfiles-max=2048:\ :tc=daemon:
5)/etc/pf.conf
# External interface; the same interface carries the smtpd listeners below.
ext_if="em0"
# NOTE(review): 110 (pop3) is opened although dovecot serves only imap
# (protocols = imap), and 25/465/587 are all exposed. Keep this list to the
# ports something actually listens on.
tcp_services="{ 22, 25, 80, 110, 143, 465, 587 }"
icmp_types="echoreq"
# Blocked packets get a TCP RST / ICMP unreachable instead of a silent drop.
set block-policy return
set loginterface $ext_if
set skip on lo
set reassemble yes no-df
# Default deny inbound, logged; every rule below is an exception to it.
block in log
pass out quick
antispoof quick for { lo }
pass in on $ext_if inet proto tcp from any to ( $ext_if:0 ) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
# Cleartext FTP control channel.
pass in on $ext_if proto tcp to port 21
# NOTE(review): this admits every TCP port above 4915 from anywhere
# (presumably meant for passive-FTP data connections), so any service that
# happens to listen on a high port is reachable from the Internet. Restrict
# it to the range ftpd actually uses.
pass in on $ext_if proto tcp to port > 4915
6)/etc/mail/smtpd.conf
send mail to anything but your local domains.
鎖国?
A@openbsd.link と B@openbsd.link の間の送受信は可能。
しかし X@gmail.comとの送受信は不可能。
だから 安全
|
開
国X@gmail.comとの送受信は可能
でも ウィルスメールがはいってもこれます。
|
listen on lo0
listen on em0 port 587
table aliases db:/etc/mail/aliases.db
accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir
reject from any for any
gmailは sendingに465を使っている。 587にしたのでgmailからのが受信できないとも考えられる。 じゃあ 465にしたらどうかというと こうしてもgmailからのは受信できないし、 更に悪いことにはaoiyuma.mydns.jpからのも受信できなくなってしまった。 で 587にした。 ただし 送信に587を使うメールサーバーから実際に受信できないかは未確認なので、心配は残るが、 gmail 465のことを考えると大丈夫かな? |
listen on lo0
listen on em0 port 25
listen on em0 port 465
listen on em0 port 587
table aliases db:/etc/mail/aliases.db
accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir
mynetwork1 = "14.22.25.247/32"
mynetwork2 = "6.2.6.2/32"
accept from source $mynetwork1 for any relay
accept from source $mynetwork2 for any relay
accept from local for any relay |
# nano /etc/mail/aliases
# makemap /etc/mail/aliases は newaliasesに相当。
STARTTLS にする。
openssl genrsa -out /etc/ssl/private/mail.aoiyuma.mydns.jp.key 4096
openssl req -new -x509 -key /etc/ssl/private/mail.aoiyuma.mydns.jp.key -out /etc/ssl/mail.aoiyuma.mydns.jp.crt -days 365
chmod 600 /etc/ssl/mail.aoiyuma.mydns.jp.crt
chmod 600 /etc/ssl/private/mail.aoiyuma.mydns.jp.key
cat jp3
6.2.6.2/32 114.22.25.247/32
makemap jp3
from http://technoquarter.blogspot.jp/2015/02/openbsd-mail-server-part-2-opensmtpd.html
so it listens on egress with tls (for incoming mail) and egress port 587 (submission) with tls and authentication (for outgoing mail), accepts mail for virtual users and virtual domains, and delivers this mail to Maildir.
smtpd.conf は以下です
pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"
listen on em0 tls pki mail.aoiyuma.mydns.jp auth-optional
listen on em0 port submission tls-require pki mail.aoiyuma.mydns.jp auth
table aliases db:/etc/mail/aliases.db
table jp3 db:/etc/mail/jp3.db
accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir
accept from source <jp3> for any relay
accept from local for any relay
あと /home/fogeがあったとしたら それのshellがたとえfalse でも
mkdir -p /home/foge/Mairdir/{new,cur,tmp}
chown -R foge.foge /home/foge/Mairdir/
chmod -R 400 /home/foge/Mairdir/
して fogeがメールを利用できないようにした。 |
https://ipv4.fetus.jp/
tr '\n' ' ' <jp.tx
STARTTLS + spamd です,しかし不安定。
mail+nginx-server.bat-openSMTPD-spam
を実行するだけです。
pfctl -f /etc/mail/black.pf
pfctl -sr
/etc/rc.d/smtpd restart
/etc/rc.d/dovecot restart
echo '----------------'
echo '----------------'
echo '----------------'
echo '----------------'
/etc/rc.d/spamd -f restart
ps ax| grep spam
/etc/rc.d/spamlogd -f restart
ps ax| grep spam
/usr/libexec/spamd-setup
ここは http://technoquarter.blogspot.jp にすっかりお世話になりました。 また opensmtpのmailing listからもたくさんの助言をいただきました。
Incoming mail: pf -> relay to spamd -> send to opensmtpd on lo0 -> deliver to maildir
Outgoing mail: opensmtpd on lo0 -> relay out
とあるので
openssl genrsa -out /etc/ssl/private/mail.aoiyuma.mydns.jp.key 4096
openssl req -new -x509 -key /etc/ssl/private/mail.aoiyuma.mydns.jp.key -out /etc/ssl/mail.aoiyuma.mydns.jp.crt -days 365
chmod 600 /etc/ssl/mail.aoiyuma.mydns.jp.crt
chmod 600 /etc/ssl/private/mail.aoiyuma.mydns.jp.key
してから smtpd.conf
pki mail.aoiyuma.mydns.jp certificate "/etc/ssl/mail.aoiyuma.mydns.jp.crt"
pki mail.aoiyuma.mydns.jp key "/etc/ssl/private/mail.aoiyuma.mydns.jp.key"
listen on lo0
listen on em0 tls pki mail.aoiyuma.mydns.jp auth-optional
listen on em0 port submission tls-require pki mail.aoiyuma.mydns.jp auth
table aliases db:/etc/mail/aliases.db
accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
accept for local alias <aliases> deliver to maildir
accept from local
/etc/mail/black.pf
ext_if="em0"
tcp_services="{ 22, 80, 143 }"
icmp_types="echoreq"
set block-policy return
set loginterface $ext_if
set skip on lo
set reassemble yes no-df
block in log
pass out quick
antispoof quick for { lo }
pass in on $ext_if proto tcp to any port submission
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
pass in on $ext_if proto tcp from any to any port smtp rdr-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in log on $ext_if proto tcp from any to any port smtp
pass out log on $ext_if proto tcp to any port smtp
pass in on $ext_if inet proto tcp from any to ( $ext_if:0 ) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 4915
/etc/rc.conf.local
ftpd_flags="-llUSA"
smtpd_flags=""
pf=YES # Packet filter / NAT
pf_rules=/etc/pf.conf # Packet filter rules file
cat /etc/mail/nospamd
157.7.208.141 #自分自身
一応 Return to RBL.JP home page は以下のように合格。
Relay test 19
>>> RSET
relay NOT accepted!!
Closing connection ...
>>> QUIT Relay test resultAll tests performed, no relays accepted.
http://www.noroi.jp/?date=20070415
で は spamd の運用では、pf <spamd> と pf <spamd-white> を維持する必要がある。 前者は spamd-setup を定期的に実行して、 最近のブラックリストをネットから持ってくる。 後者は spamd 自身が /var/db/spamdb の WHITE データで定期的に置き替える。 |
netstat -na -f inet
/usr/libexec/spamd-setup
# ls -l /var/db/spamd
-rw-r--r-- 1 _spamd _spamd 65536 Aug 1 15:03 /var/db/spamd |
7) thunderbird setting of google mail
Arch Linux's Thunderbird detects these settings automatically (OpenBSD's Thunderbird cannot).
smtp.googlemail.com |
465 auth : OAuth2 connection security : SSL/TLS |
imap.googlemail.com |
993 auth : OAuth2 connection security : SSL/TLS |
smtp mail.aoiyuma.mydns.jp | 587 auth : normal password connection security : STARTTLS |
imap mail.aoiyuma.mydns.jp | 143 auth : normal password connection security : STARTTLS |
付録1)開国していて カフェにはいったときの対処方法
カフェで
shellscript
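# Record this machine's current public address (as seen from the Internet)
# and copy it to the mail server, where the next script writes it into the
# relay rule of smtpd.conf.
# -f: an HTTP error is a failure instead of an error page silently written
#     into the file; -sS: quiet, but still report a failure.
# https: the value ends up deciding who may relay mail, so fetch it over a
# channel an intermediary on the cafe network cannot rewrite.
curl -fsS https://ifconfig.me > ifconfigme.txt || exit 1
scp ifconfigme.txt tu@aoiyuma.mydns.jp:/home/tu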
aoiyuma.mydns.jp にsshで入って
shellscript
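# Run on the mail server: take the address uploaded by the previous script,
# substitute it into the relay rule of the template "kt" and reload smtpd.
y=`cat ./ifconfigme.txt`
# The value goes straight into "accept from source ... for any relay", so
# refuse anything that is not a dotted-quad address: an empty file or an
# error page would otherwise produce a broken or over-broad relay rule.
case "$y" in
    ""|*[!0-9.]*)
        echo "ifconfigme.txt does not hold an IPv4 address: '$y'" >&2
        exit 1
        ;;
esac
cp /etc/mail/smtpd.conf /etc/mail/smtpd.conf-back
sed "s/xxx/$y\/32/g" kt > /etc/mail/smtpd.conf
# Validate the generated file before restarting; on failure restore the
# backup so smtpd never comes up on a broken configuration.
if smtpd -n; then
    /etc/rc.d/smtpd restart
else
    cp /etc/mail/smtpd.conf-back /etc/mail/smtpd.conf
    exit 1
fi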
ただし ktは以下です
# Template "kt" for /etc/mail/smtpd.conf: the sed in the script above replaces
# the placeholder on the mynetwork line with the current client address. Do
# not use that placeholder string anywhere else in this file, comments
# included, because the substitution rewrites every occurrence.
listen on lo0
# NOTE(review): none of these listeners has a tls/pki/auth clause, so all
# three ports speak cleartext SMTP; 465 in particular is not SMTPS here. The
# STARTTLS form in section 6 ("listen on em0 tls pki ... auth-optional" and
# "listen on em0 port submission tls-require pki ... auth") is the safer one.
listen on em0 port 25
listen on em0 port 465
listen on em0 port 587
table aliases db:/etc/mail/aliases.db
# Inbound mail for the domain is delivered locally; the alias-less duplicates
# catch recipients that have no alias entry.
accept from any for domain "aoiyuma.mydns.jp" alias <aliases> deliver to maildir
accept from any for domain "aoiyuma.mydns.jp" deliver to maildir
accept for local alias <aliases> deliver to maildir
accept for local deliver to maildir
# Filled in by sed with "<address>/32": only that single host may relay out.
mynetwork = "xxx"
accept from source $mynetwork for any relay
# Everything not matched above is refused, so no open relay.
reject from any for any