The story of OpenSMTPD not working after I installed it on Ubuntu 22.04

Conclusion first

Apparently, as things stand, installing OpenSMTPD from the Ubuntu 22.04 package does not give you a working server. Without knowing the reason, no amount of frantic tweaking of the configuration is likely to make it work. So it seems the only option is to give up on the package and build it from source yourself.

That said, if anyone knows a configuration that does make it work, I would be very glad to hear about it!

What I did

  1. Install the packaged OpenSMTPD.
  2. Then obtain the SSL certificate this server will use. Since this is a test, a self-signed certificate might be fine, but I obtained a proper one anyway.
  3. Edit /etc/smtpd.conf appropriately.
  4. Restart the server.

$ sudo apt install opensmtpd
$ sudo apt install python3-certbot
$ sudo nano /etc/smtpd.conf
$ sudo shutdown -r now
smtpd.conf
#	$OpenBSD: smtpd.conf,v 1.10 2018/05/24 11:40:17 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

table aliases file:/etc/aliases

# SSL settings
pki "example_pki" cert "/etc/letsencrypt/live/example.com/fullchain.pem"
pki "example_pki" key "/etc/letsencrypt/live/example.com/privkey.pem"

# To accept external mail, replace with: listen on all
#
listen on localhost
listen on ens3
listen on ens3 port submission pki "example_pki" tls auth tag "smtp_auth"

action "local" maildir alias <aliases>
action "relay" relay

# Uncomment the following to accept external mail for domain "example.org"
#
match from any for domain "example.com" action "local"
match for local action "local"
match from local for any action "relay"
match from any for any tag "smtp_auth" action "relay"

I think the configuration file ends up looking like the above.

Verification

After confirming that the firewall and so on are configured correctly and that port 587 on the server is reachable, try connecting from another machine.

$ /usr/local/opt/openssl/bin/openssl s_client -connect lab.rd01.dev:587 -starttls smtp
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = example.com
verify return:1
00F62F1501000000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1600:SSL alert number 80
CONNECTED(00000005)
---
Certificate chain
<snip>
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxx
-----END CERTIFICATE-----
subject=CN = example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4462 bytes and written 351 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So the connection fails.
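To check a submission endpoint from a script rather than by reading openssl s_client output, here is an added example (not part of the original post) using only Python's standard library. It does EHLO, STARTTLS with chain and hostname verification, then EHLO again, and reports the negotiated TLS parameters and whether AUTH is offered only after STARTTLS, which is what the `tls auth` listener in the smtpd.conf above intends. The hostname in the usage block is a placeholder; the EHLO parser can be exercised offline on the reply lines shown in this post.

```python
import re
import smtplib
import ssl
from dataclasses import dataclass, field

# Matches the "250-" / "250 " reply-code prefix of an SMTP response line.
_CODE_PREFIX = re.compile(r"^\d{3}[ -]")


def parse_ehlo(lines):
    """Turn EHLO reply lines into {EXTENSION: [params]}.

    Accepts lines as they appear on the wire ("250-AUTH PLAIN LOGIN") or as
    smtplib returns them (code prefix already stripped). The first line is
    the server greeting, not an extension, so it is skipped.
    """
    body = [_CODE_PREFIX.sub("", ln.strip()) for ln in lines if ln.strip()]
    exts = {}
    for line in body[1:]:
        parts = line.split()
        if parts:
            exts[parts[0].upper()] = parts[1:]
    return exts


def evaluate(plain_exts, tls_exts):
    """Policy checks on the EHLO responses before and after STARTTLS.

    Returns a list of findings; an empty list means the endpoint behaves
    as a 'tls auth' listener should.
    """
    findings = []
    if "STARTTLS" not in plain_exts:
        findings.append("STARTTLS not advertised on the plaintext EHLO")
    if "AUTH" in plain_exts:
        findings.append("AUTH advertised before STARTTLS")
    if "AUTH" not in tls_exts:
        findings.append("AUTH not advertised after STARTTLS")
    return findings


@dataclass
class ProbeResult:
    ok: bool                       # True once STARTTLS completed
    error: str = ""                # exception text when ok is False
    tls_version: str = ""
    cipher: str = ""
    auth_mechs: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def probe_submission(host, port=587, timeout=10.0):
    """EHLO, STARTTLS (verifying chain and hostname), EHLO again."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _, msg = smtp.ehlo()
            plain = parse_ehlo(msg.decode("ascii", "replace").splitlines())
            # The broken package fails here with an ssl.SSLError
            # ("tlsv1 alert internal error"), which is caught below.
            smtp.starttls(context=ctx)
            _, msg = smtp.ehlo()  # smtplib resets its feature list after STARTTLS
            tls = parse_ehlo(msg.decode("ascii", "replace").splitlines())
            return ProbeResult(
                ok=True,
                tls_version=smtp.sock.version(),
                cipher=smtp.sock.cipher()[0],
                auth_mechs=tls.get("AUTH", []),
                findings=evaluate(plain, tls),
            )
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        # ssl.SSLError is an OSError; listed explicitly for readability.
        return ProbeResult(ok=False, error=f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass the real server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "lab.example.com"
    print(probe_submission(target))
```

Against the broken package build, `probe_submission` returns `ok=False` with the SSL alert text in `error`; against a working server it returns the TLS version, the cipher and the AUTH mechanisms, with `findings` empty when AUTH appears only after STARTTLS.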

So what do the logs on the server side say?

/var/log/mail.log
Feb  7 13:27:55 lab smtpd[1996]: 94cebea3b62b8fe7 smtp connected address=client.example.com
Feb  7 13:27:55 lab smtpd[1996]: 94cebea3b62b8fe7 smtp disconnected reason="io-error: error:0A080006:SSL routines::EVP lib"

An error I had not seen before. A Google search turned up this article. So it is a bug, then.

No choice but to rebuild

I used this site as a reference.

  1. Prepare for the build.
  2. Cleanly purge the installed package.
  3. Since several things will be built, edit "/etc/apt/sources.list" and uncomment the "deb-src" lines.
  4. Update the package list.
  5. Work through installing LibreSSL. At the time, 3.7.0 was the latest; please check this for yourself.
  6. Work through installing OpenSMTPD.
  7. Work through setting up OpenSMTPD.

Here are the commands, roughly. Note that smtpd.conf reuses the one from earlier, so back it up somewhere first.

$ sudo apt purge opensmtpd
$ sudo nano /etc/apt/sources.list # enable the "deb-src" lines
$ sudo apt update
$ sudo apt build-dep openssl
$ git clone -b v3.7.0 https://github.com/libressl-portable/portable.git libressl
$ cd libressl
$ sh autogen.sh
$ ./configure --prefix="/opt/libressl"
$ make -j4
$ sudo make install
$ echo '/opt/libressl/lib' | sudo tee /etc/ld.so.conf.d/libressl.conf
$ sudo ldconfig
$ cd ..
$ wget https://www.opensmtpd.org/archives/opensmtpd-6.8.0p2.tar.gz
$ tar xvf opensmtpd-6.8.0p2.tar.gz
$ cd opensmtpd-6.8.0p2
$ LDFLAGS="-L/opt/libressl/lib" CFLAGS="-I/opt/libressl/include" ./configure --with-auth-pam --with-libssl="/opt/libressl/lib" --with-path-CAfile="/etc/ssl/certs/ca-certificates.crt" --with-path-empty="/var/lib/opensmtpd/empty" --sysconfdir="/etc/smtpd" --sbindir="/usr/sbin" --libexecdir="/usr/lib/opensmtpd" --with-path-mbox="/var/mail" --with-table-db --with-user-smtpd="smtpd" --with-user-queue="smtpq" --with-group-queue="smtpq"
$ make -j4
$ sudo make install
$ cd /usr/sbin/
$ sudo -i
# ln -s /usr/sbin/smtpctl /usr/sbin/sendmail
# ln -s /usr/sbin/smtpctl /usr/sbin/makemap
# ln -s /usr/sbin/smtpctl /usr/sbin/newaliases
# ln -s /usr/sbin/smtpctl /usr/sbin/mailq
# mkdir -p /var/lib/opensmtpd/empty
# for name in smtpd smtpq; do id -g ${name} > /dev/null 2>&1 || addgroup --system ${name}; done
# id smtpd > /dev/null 2>&1 || adduser --system --home /var/lib/opensmtpd/empty --no-create-home --disabled-password --gecos "OpenSMTP Daemon" --ingroup smtpd smtpd
# id smtpq > /dev/null 2>&1 || adduser --system --home /var/lib/opensmtpd/empty --no-create-home --disabled-password --gecos "OpenSMTPd queue user" --ingroup smtpq smtpq
# systemctl edit --full --force smtpd
# nano /etc/smtpd/smtpd.conf
# systemctl enable smtpd
# systemctl start smtpd
# systemctl status smtpd
# exit

A sample "/etc/apt/sources.list" looks like this.

/etc/apt/sources.list
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://archive.ubuntu.com/ubuntu/ jammy main restricted
deb-src http://archive.ubuntu.com/ubuntu/ jammy main restricted

## Major bug fix updates produced after the final release of the
## distribution.
deb http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted
deb-src http://archive.ubuntu.com/ubuntu/ jammy-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu/ jammy universe
deb-src http://archive.ubuntu.com/ubuntu/ jammy universe
deb http://archive.ubuntu.com/ubuntu/ jammy-updates universe
deb-src http://archive.ubuntu.com/ubuntu/ jammy-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://archive.ubuntu.com/ubuntu/ jammy multiverse
deb-src http://archive.ubuntu.com/ubuntu/ jammy multiverse
deb http://archive.ubuntu.com/ubuntu/ jammy-updates multiverse
deb-src http://archive.ubuntu.com/ubuntu/ jammy-updates multiverse

## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse

deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted
deb-src http://security.ubuntu.com/ubuntu/ jammy-security main restricted
deb http://security.ubuntu.com/ubuntu/ jammy-security universe
deb-src http://security.ubuntu.com/ubuntu/ jammy-security universe
deb http://security.ubuntu.com/ubuntu/ jammy-security multiverse
deb-src http://security.ubuntu.com/ubuntu/ jammy-security multiverse

In the editor that opens on "systemctl edit", enter the following.

[Unit]
Description=OpenSMTPD SMTP server
Documentation=man:smtpd(8)
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/smtpd
ExecStop=/bin/kill -15 $MAINPID

[Install]
WantedBy=multi-user.target

Does it work?

$ /usr/local/opt/openssl/bin/openssl s_client -connect lab.rd01.dev:587 -starttls smtp
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
  <snip>
CONNECTED(00000005)
---
Certificate chain
  <snip>
Server certificate
  <snip>
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4680 bytes and written 324 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: A085CC3501ACBB035F0E1637BE08B2BF544CE094CD1A5B5FA91C10606F4009CD665695F7B0E1CCF021001D75F5DCC8ED
    Start Time: 1675753781
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
250 HELP
250-lab.example.com Hello localhost [x.x.x.x], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-AUTH PLAIN LOGIN
250 HELP
221 2.0.0 Bye
read:errno=0

And it works!
