
postfix,dovecotのメモ

Last updated at Posted at 2023-01-05

Postfixメモ

キュー件数の統計メモ

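#!/bin/bash
# Dump the Postfix mail queue (postqueue -p) as CSV, one row per recipient:
#   queue_id, size, arrival_time, sender, recipient
# Entries without a recipient line are skipped, as before.
#
# -e is deliberately not set: main() reports a missing postqueue itself and the
# regex tests are the only other thing that can "fail". -u / pipefail still
# catch unset names and a failing postqueue inside the pipeline.
set -uo pipefail

# Header line of a queue entry:  <queue id>[*|!]  <size> <arrival time>  <sender>
# postqueue(1) appends "*" (active) or "!" (hold) to the queue ID; that marker
# is accepted here and dropped from the captured id. The regexes live in
# variables so bash's quoting rules for `=~` do not get in the way.
readonly RE_ENTRY='^([0-9A-F]+)[*!]? +([0-9]+) +(.+[0-9]{2}:[0-9]{2}:[0-9]{2}) +(.+)$'
# Recipient line: an indented address. Deferral reasons are indented as well
# but start with "(" and therefore do not match.
readonly RE_RECIPIENT='^ +([[:alnum:]._-]+@[[:alnum:]._-]+)'

#######################################
# Print one CSV row per recipient of a single queue entry.
# Arguments: $1 queue id, $2 size, $3 arrival time, $4 sender, $5.. recipients
# Outputs:   CSV rows on stdout. Fields are not CSV-quoted; the sender is
#            remote-supplied and may contain "," or a leading "=", so treat the
#            output as untrusted data if it is opened in a spreadsheet.
#######################################
emit_rows() {
  local queue_id=$1 size=$2 arrival_time=$3 sender=$4
  shift 4
  local recipient
  for recipient in "$@"; do
    printf '%s, %s, %s, %s, %s\n' \
      "$queue_id" "$size" "$arrival_time" "$sender" "$recipient"
  done
}

#######################################
# Parse postqueue -p output from stdin into CSV rows (no header line).
# The loop reads stdin in the current shell instead of sitting behind a pipe,
# so the state of the last entry survives the loop and is flushed at the end.
# Outputs:   CSV rows on stdout
#######################################
parse_queue() {
  local line queue_id='' size='' arrival_time='' sender=''
  local -a recipients=()

  while IFS= read -r line || [[ -n $line ]]; do
    if [[ $line =~ $RE_ENTRY ]]; then
      # New entry: flush the previous one first (only if it had recipients).
      if [[ -n $queue_id ]] && (( ${#recipients[@]} > 0 )); then
        emit_rows "$queue_id" "$size" "$arrival_time" "$sender" "${recipients[@]}"
      fi
      queue_id=${BASH_REMATCH[1]}
      size=${BASH_REMATCH[2]}
      arrival_time=${BASH_REMATCH[3]}
      sender=${BASH_REMATCH[4]}
      recipients=()
    elif [[ $line =~ $RE_RECIPIENT ]]; then
      recipients+=("${BASH_REMATCH[1]}")
    fi
  done

  # Last entry. In the piped version (`echo "$out" | while ...`) the loop ran
  # in a subshell, so these variables were always empty here and the final
  # entry was never printed.
  if [[ -n $queue_id ]] && (( ${#recipients[@]} > 0 )); then
    emit_rows "$queue_id" "$size" "$arrival_time" "$sender" "${recipients[@]}"
  fi
}

#######################################
# Entry point: CSV header, then the parsed queue.
# Returns:   1 if postqueue is not installed, otherwise the pipeline status
#######################################
main() {
  if ! command -v postqueue >/dev/null 2>&1; then
    printf 'postqueue not found in PATH\n' >&2
    return 1
  fi
  printf 'queue_id, size, arrival_time, sender, recipient\n'
  postqueue -p | parse_queue
}

main "$@"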

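# Queued messages per sender domain, most frequent first.
#
# Uses the last whitespace-separated field of each entry header line
# ("<id>[*!] <size> <arrival time> <sender>") as the sender: the arrival time
# in between is several words, so skipping a fixed number of words from the
# left (as the previous grep -P pattern did) lands on the date, not the sender.
# Senders without "@" (e.g. MAILER-DAEMON bounces) are not counted.
sender_domain_counts() {
  awk '/^[0-9A-F]+[*!]? +[0-9]+ / {
         n = split($NF, part, "@")
         if (n > 1) print part[n]
       }' \
    | sort | uniq -c | sort -nr
}

postqueue -p | sender_domain_counts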

sendmailで添付ファイル有りのメールを送る

# Build a 1 MiB zero-filled dummy attachment, then print it base64-encoded;
# the encoded text is what goes into the base64 part of mime_email.txt below.
dd if=/dev/zero of=attachment.txt bs=1M count=1
base64 < attachment.txt
mime_email.txt
To: recipient@example.com
From: sender@example.com
Subject: Test Email
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="MAIL_BOUNDARY"

--MAIL_BOUNDARY
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

これはテストメールです。

--MAIL_BOUNDARY
Content-Type: application/octet-stream; name="attachment.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.txt"

[ここにBase64でエンコードされた添付ファイルの内容]

--MAIL_BOUNDARY--

gmail宛の制限

# master.cf: dedicated delivery transport for gmail.com (see transport map
# below). One smtp process (maxproc = 1), one concurrent delivery per
# destination, 1 s between deliveries, logged as postfix/gmail so the
# throttled deliveries can be followed separately. master.cf treats indented
# lines as continuations of the service line above, so the -o overrides must
# stay indented directly under it.
gmail_relay unix - - n - 1 smtp
  -o syslog_name=postfix/gmail
  -o smtp_destination_concurrency_limit=1
  -o initial_destination_concurrency=1
  -o default_destination_rate_delay=1s
  -o default_destination_concurrency_limit=1
transport.
# transport_maps entry: route the exact domain gmail.com through gmail_relay;
# the empty nexthop after ":" keeps normal MX lookup for the destination.
# Subdomains are not covered by this line and would need a ".gmail.com" entry.
gmail.com gmail_relay:
/etc/postfix/main.cf
#-------------------------------------------------------------------------------
# Default Configuration
#-------------------------------------------------------------------------------
# main.cf for one domain (mail-server.test) that accepts mail only from the host
# in mynetworks and stores it in per-user Maildirs under /maildir/, which the
# Dovecot configuration further below reads. Postfix treats "#" as a comment
# only at the start of a line and an indented line as a continuation, so every
# comment here sits on its own unindented line.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
#debug_peer_list =
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
#default_destination_concurrency_limit =
#default_privs =
#fallback_transport =
#fast_flush_domains =
#header_checks =
#home_mailbox =
html_directory = no
#in_flow_delay =
inet_interfaces = all
# IPv4 only: no IPv6 listeners and no IPv6 deliveries.
inet_protocols = ipv4
#local_destination_concurrency_limit =
# Empty value switches local recipient validation off: any address in
# mydestination is accepted at SMTP time and unknown users are bounced later
# (backscatter). Only tolerable because smtpd_client_restrictions below admits
# mynetworks alone.
local_recipient_maps =
luser_relay =
mail_owner = postfix
# Trailing "/" selects Maildir format; must stay in step with Dovecot's
# mail_location = maildir:/maildir/%u.
mail_spool_directory = /maildir/
#mailbox_command =
#mailbox_transport =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mail-server.test
#myhostname =
# The single host allowed to submit mail (see smtpd_client_restrictions).
mynetworks = 126.75.69.71/32
#mynetworks_style =
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
#proxy_interfaces =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
#recipient_delimiter =
#relay_domains =
#relay_recipient_maps =
#relayhost =
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
# Outbound: opportunistic TLS. At level "may" the CA bundle is not used to
# verify the remote server; raise the level per destination
# (smtp_tls_policy_maps) where verification matters.
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
# Inbound: server certificate and key; the key file should be readable by root only.
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
# "may" = opportunistic STARTTLS. smtpd_tls_wrappermode below overrides this
# for the smtpd instances it applies to: they require TLS from the first byte.
smtpd_tls_security_level = may
#soft_bounce =
unknown_local_recipient_reject_code = 550

#-------------------------------------------------------------------------------
# ADD Configuration
#-------------------------------------------------------------------------------
# Security
# VRFY would let a client enumerate valid mailboxes.
disable_vrfy_command = yes
smtpd_helo_required = yes
# SASL is offered and smtpd_helo_restrictions below demands it, while
# smtpd_client_restrictions admits only mynetworks: in practice a sender must
# be both on the mynetworks host and authenticated.
smtpd_sasl_auth_enable = yes
# The *_mandatory_* settings apply when TLS is enforced (level "encrypt" or
# wrappermode). For opportunistic STARTTLS Postfix consults smtpd_tls_protocols
# and smtpd_tls_ciphers instead, which are left at their defaults here.
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# NOTE(review): set in main.cf this applies to every smtpd, including the
# port-25 "smtp" service unless that service is disabled in master.cf (not
# shown). Other MTAs speak plain SMTP + STARTTLS on port 25, so the usual form
# is an "-o smtpd_tls_wrappermode=yes" override on the smtps service only.
smtpd_tls_wrappermode = yes
# Forward-secret ECDHE + AES-GCM only; the server's preference order wins.
tls_high_cipherlist = EECDH+AESGCM
tls_preempt_cipherlist = yes

# UCE Control
# The restriction lists are evaluated one after another (at RCPT TO with the
# default smtpd_delay_reject = yes) and a "permit" ends only its own list.
# Net effect: reject anything outside mynetworks, then reject anything that
# is not SASL-authenticated. No mail is accepted from the internet.
smtpd_client_restrictions = permit_mynetworks, reject
smtpd_helo_restrictions = permit_sasl_authenticated, reject
# Empty lists: no further checks. Relay policy is smtpd_relay_restrictions,
# which is not set here and keeps its compatibility_level 2 default.
smtpd_sender_restrictions =
smtpd_recipient_restrictions =
smtpd_data_restrictions =

# Performance
default_process_limit = 1000
# 0 disables the limit. An unbounded message size is a resource-exhaustion
# risk if any less trusted client is ever admitted; set a byte limit then.
mailbox_size_limit = 0
message_size_limit = 0

Dovecotメモ

/etc/dovecot/dovecot.conf
#------------------------------------------------------------------------------
# dovecot.conf
#------------------------------------------------------------------------------
# Dovecot serving POP3 over implicit TLS only, for system accounts (PAM), out
# of the Maildirs Postfix writes under /maildir/. Each section header names
# the conf.d file the settings normally live in.
# POP3 only; the imap/lmtp/lda blocks further down are empty and inactive.
protocols = pop3
# "*" binds every IPv4 address; IPv6 would need "::" as well.
listen = *
dict {
}

#------------------------------------------------------------------------------
# 10-auth.conf
#------------------------------------------------------------------------------
# PLAIN sends the password as-is inside the session; acceptable only because
# ssl = required below guarantees the session is encrypted.
auth_mechanisms = plain

#------------------------------------------------------------------------------
# 10-director.conf
#------------------------------------------------------------------------------
# Director listeners carry no settings of their own here — presumably unused.
service director {
  unix_listener login/director {
  }
  fifo_listener login/proxy-notify {
  }
  unix_listener director-userdb {
  }
  inet_listener {
  }
}
service imap-login {
}
service pop3-login {
  # port = 0 disables the plaintext POP3 listener (110). Clients must use the
  # pop3s listener (implicit TLS, default port 995), which is not shown in
  # this excerpt and must remain enabled for POP3 to be reachable at all.
  inet_listener pop3 {
    port = 0
  }
}
service submission-login {
}
protocol lmtp {
}

#------------------------------------------------------------------------------
# 10-mail.conf & 15-mailboxes.conf
#------------------------------------------------------------------------------
# Refuse logins for uids below 1000 (system and service accounts).
first_valid_uid = 1000
mbox_write_locks = fcntl
# %u = login user; the path must match Postfix mail_spool_directory = /maildir/.
mail_location = maildir:/maildir/%u
namespace inbox {
  inbox = yes
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
}

#------------------------------------------------------------------------------
# 10-ssl.conf
#------------------------------------------------------------------------------
# TLS is mandatory for every connection; plaintext logins are never accepted.
ssl = required
# "<" reads the value from the file; keep the private key root-readable only.
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
ssl_min_protocol = TLSv1.2
# Intended to leave only AES-GCM with ECDHE/DHE key exchange (forward secrecy,
# AEAD). Confirm the effective list with `openssl ciphers -v '<list>'` on the
# host's OpenSSL; scanner results (see the notes below) have disagreed before.
ssl_cipher_list = !SHA1:!SHA256:!SHA384:!SSLv3:!DSS:AESGCM+ECDHE:AESGCM+EDH
ssl_prefer_server_ciphers = yes

#------------------------------------------------------------------------------
# 15-lda.conf
#------------------------------------------------------------------------------
protocol lda {
}

#------------------------------------------------------------------------------
# 20-imap.conf
#------------------------------------------------------------------------------
protocol imap {
}

#------------------------------------------------------------------------------
# auth-system.conf.ext
#------------------------------------------------------------------------------
# System accounts: PAM checks the password, the passwd database supplies uid,
# gid and home for the user named by %u in mail_location.
passdb {
  driver = pam
}
userdb {
  driver = passwd
}

調べること

STARTTLSとSSL/TLSの違い、どちらを選ぶべきか
⇒ SSL/TLS(暗黙的なTLS)を選び、非暗号ポートは閉じる

通常のパスワード認証は暗号化されているのか?
平文のパスワード認証を暗号化する方法
⇒ tlsにお任せなので気にしない

smtpsでのTLSver指定v1.2以上
⇒ 済
popsでのTLSver指定v1.2以上
⇒ 済(ciphercheck.shだと誤検知してただけかも)

参考URL

Postfix

http://www.aconus.com/~oyaji/centos/smtp-centos.htm
https://qiita.com/y-araki-qiita/items/864dab044786f008e3c9
https://www.rem-system.com/mail-postfix03/
https://wjmax.hateblo.jp/entry/2017/01/22/152854
https://www.rem-system.com/mail-postfix03/#6_maincfmastercf
https://monologu.com/read-smtp-auth-manual-in-postfix/
https://www.postfix-jp.info/trans-2.2/jhtml/postconf.5.html#reject_unauth_destination
https://exfield.jp/View/pid:1246/
http://www.criterion.sc/sub_notes/Postfix_Security.html

Dovecot

ssl/tls 暗号スイート調査

https://pcvogel.sarakura.net/2022/05/09/35261
https://gist.github.com/jahir/23c4202eee12e377ef3acf1dcdc7c776
https://testssl.sh/

testssl.shの方が正確性が高い気がする。
