AWSにメールサーバーを移設した際に、STARTTLSからSMTPSとIMAPSの環境に変更したので、そのメモ。
環境:
AWS EC2 (Amazon Linux AMI 2017.09.1 (HVM), SSD Volume Type)
セキュリティグループ:
22/tcp , 25/tcp, 80/tcp(Let’s Encryptの認証用に一時的に開ける), 465/tcp, 993/tcp を開けておく。
必要なパッケージをインストール
yum install postfix dovecot cyrus-sasl cyrus-sasl-plain
LetsEncryptでメールサーバー用の証明書を発行
wordpress をELB+EC2でHTTPS通信させる
を参照
(SMTPSに必要な箇所のみ記載)
/etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.jhhk-family.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.jhhk-family.net/privkey.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
/etc/postfix/master.cf
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtpd_client_restrictions は未設定（上記はコメントアウトのまま）。必要に応じて設定する。なお main.cf 側は smtpd_sasl_auth_enable = yes かつ smtpd_tls_security_level = may のため、25/tcp では TLS なしの AUTH も受け付けうる点に注意（TLS 確立後のみ AUTH を許可したい場合は smtpd_tls_auth_only = yes を追加する）。
/etc/dovecot/conf.d/10-auth.conf
auth_mechanisms = plain
!include auth-system.conf.ext
/etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/letsencrypt/live/mail.jhhk-family.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.jhhk-family.net/privkey.pem
ssl_protocols = !SSLv2 !SSLv3 !TLSv1
ssl_cipher_list = HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4:!3DES:!RSA
/etc/dovecot/conf.d/10-master.conf
service imap-login {
# inet_listener imap {
# port = 143
# }
inet_listener imaps {
port = 993
ssl = yes
}
最後に saslauthd、postfix、dovecot を起動する。
service saslauthd start
service postfix start
service dovecot start