[AWS MX2(sudo)]:~# sudo apt install fail2ban
[AWS MX2(sudo)]:~# cat /etc/fail2ban/jail.local
[DEFAULT]
backend = systemd
maxretry = 3
findtime = 600
# Recommended: 7-day ban (no problem on EC2) -> changed to a permanent ban
# (fail2ban documents a negative value, e.g. bantime = -1, as the permanent ban)
#bantime = 604800
bantime = forever
banaction = iptables-multiport

# --- Postfix SASL ---
[postfix-sasl]
enabled = true
port = smtp,submission,465
filter = postfix[mode=auth]
logpath = %(postfix_log)s

# --- Dovecot ---
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465
filter = dovecot
logpath = %(dovecot_log)s
[AWS MX2(sudo)]:~# sudo systemctl restart fail2ban
[AWS MX2(sudo)]:~# sudo systemctl enable fail2ban
Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable fail2ban
[AWS MX2(sudo)]:~# sudo systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2026-01-08 11:09:35 JST; 9s ago
Docs: man:fail2ban(1)
Process: 28396 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 28397 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
Main PID: 28409 (fail2ban-server)
Tasks: 7 (limit: 4680)
CGroup: /system.slice/fail2ban.service
└─28409 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Jan 08 11:09:35 ip-172-31-22-38 systemd[1]: Stopped Fail2Ban Service.
Jan 08 11:09:35 ip-172-31-22-38 systemd[1]: Starting Fail2Ban Service...
Jan 08 11:09:35 ip-172-31-22-38 systemd[1]: Started Fail2Ban Service.
Jan 08 11:09:35 ip-172-31-22-38 fail2ban-server[28409]: Server ready
[AWS MX2(sudo)]:~# sudo fail2ban-client status postfix-sasl
Status for the jail: postfix-sasl
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=postfix.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
[AWS MX2(sudo)]:~# sudo fail2ban-client status dovecot
Status for the jail: dovecot
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     2
|  `- Journal matches:  _SYSTEMD_UNIT=dovecot.service
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
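To see what the maxretry = 3 / findtime = 600 pair in jail.local actually does before real attackers show up, here is a small replay of the two jails over constructed log lines. This is an added example, not code from the page or from fail2ban: the two regexes are simplified stand-ins for fail2ban's postfix[mode=auth] and dovecot filters, the sample log uses TEST-NET addresses, and the syslog_name=postfix/submission tag comes from the master.cf shown further down.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Jail parameters taken from the jail.local above.
MAXRETRY = 3
FINDTIME = 600  # seconds

# Simplified stand-ins for what fail2ban's postfix[mode=auth] and dovecot
# filters match. They are this example's assumptions, not fail2ban's own
# regexes, which cover many more log variants.
FILTERS = {
    "postfix-sasl": re.compile(
        r"postfix/(?:submission/)?smtpd\[\d+\]: warning: \S+\[(?P<host>[0-9a-fA-F.:]+)\]: "
        r"SASL \w+ authentication failed"
    ),
    "dovecot": re.compile(
        r"dovecot: (?:imap|pop3)-login: (?:Aborted login|Disconnected) "
        r"\(auth failed, \d+ attempts(?: in \d+ secs)?\):.* rip=(?P<host>[0-9a-fA-F.:]+)"
    ),
}

SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) ")


def parse_ts(line, year=2026):
    """Syslog timestamps carry no year; the caller supplies it (2026, as in the logs above)."""
    m = SYSLOG_TS.match(line)
    if m is None:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def run_jails(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through the two jails and return {jail: [banned hosts]}.

    Per (jail, host) a deque of failure timestamps is kept. Entries older than
    findtime are dropped before counting, and the host is banned the moment the
    window holds maxretry failures, mirroring fail2ban's findtime/maxretry rule.
    Jails are independent: failures against Postfix do not count towards Dovecot.
    """
    windows = defaultdict(deque)
    banned = {jail: [] for jail in FILTERS}
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        for jail, rx in FILTERS.items():
            m = rx.search(line)
            if m is None or m["host"] in banned[jail]:
                continue
            q = windows[(jail, m["host"])]
            q.append(ts)
            while (ts - q[0]).total_seconds() > findtime:
                q.popleft()
            if len(q) >= maxretry:
                banned[jail].append(m["host"])
    return banned


# Constructed sample log (TEST-NET addresses, not real clients). The first host
# fails three times in eleven seconds; the second spreads three Dovecot
# failures over 45 minutes and so never has maxretry failures inside findtime.
SAMPLE_LOG = """\
Jan  9 09:00:01 ip-172-31-22-38 postfix/submission/smtpd[3101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 09:00:07 ip-172-31-22-38 postfix/submission/smtpd[3101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  9 09:00:12 ip-172-31-22-38 postfix/submission/smtpd[3101]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Jan  9 09:01:00 ip-172-31-22-38 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<someone@example.com>, method=PLAIN, rip=198.51.100.7, lip=172.31.22.38, TLS, session=<a1>
Jan  9 09:30:00 ip-172-31-22-38 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<someone@example.com>, method=PLAIN, rip=198.51.100.7, lip=172.31.22.38, TLS, session=<a2>
Jan  9 09:45:00 ip-172-31-22-38 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<someone@example.com>, method=PLAIN, rip=198.51.100.7, lip=172.31.22.38, TLS, session=<a3>
Jan  9 09:45:30 ip-172-31-22-38 postfix/submission/smtpd[3102]: connect from unknown[198.51.100.7]
"""

if __name__ == "__main__":
    for jail, hosts in run_jails(SAMPLE_LOG.splitlines()).items():
        print(f"{jail}: banned {hosts or 'nobody'}")
```

The slow Dovecot guesser is the case worth thinking about: at one attempt every quarter hour it never trips findtime = 600, which is exactly the trade-off the pair encodes. Raising findtime (try run_jails(..., findtime=3600) on the sample) catches it at the cost of more false positives from users mistyping a password over an hour.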
- The change is to the entries in /etc/postfix/master.cf --->
master.cf,
main.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
# SMTP with TLS on port 587. Currently commented.
#submission inet n       -       y       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_enforce_tls=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
#  -o smtpd_sasl_tls_security_options=noanonymous
# SMTP over SSL on port 465.
# Intentionally disable 465 port access (=smtps) : 20260108
#smtps     inet  n       -       y       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
#  -o smtpd_sasl_security_options=noanonymous,noplaintext
#  -o smtpd_sasl_tls_security_options=noanonymous
[AWS MX2(sudo)]:~# postconf -e 'compatibility_level = 2'
[AWS MX2(sudo)]:~# postfix reload
[AWS MX2(sudo)]:~# postfix check
postfix/postfix-script: warning: not owned by root: /etc/postfix/./dkim.key
postfix check expects every file under /etc/postfix to be owned by root, hence the warning. A DKIM private key does not belong there anyway: keep it in the signing daemon's own directory, owned by that daemon's user with mode 0600, and the warning disappears with the move.
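postfix check validates syntax and permissions, not intent. The policy the master.cf above encodes (no AUTH on port 25, no smtps wrapper on 465, TLS enforced before AUTH on 587, relaying only for authenticated clients) is easy to lose on the next edit, so here is a parser for master.cf continuation lines plus an audit of exactly those points. It is an added example, not the page's or Postfix's code; GOOD_MASTER_CF is an abbreviation of the configuration above and WEAK_MASTER_CF is a constructed counter-example showing what the audit flags.

```python
# Abbreviated from the master.cf shown above (the commented smtps block included).
GOOD_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       y       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
pickup    unix  n       -       y       60      1       pickup
"""

# Constructed counter-example: opportunistic TLS on 587, smtps still on, no
# override on port 25, no recipient restriction.
WEAK_MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""


def parse_master_cf(text):
    """Parse master.cf into {"name/type": {"command": str, "opts": {key: value}}}.

    A line starting with whitespace continues the previous entry (that is how
    the "-o key=value" overrides are written); "#" lines and blank lines are
    skipped, so a commented-out service such as smtps is simply absent.
    """
    services, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError(f"continuation before any service: {raw!r}")
            current["args"].extend(stripped.split())
            continue
        fields = stripped.split()
        if len(fields) < 8:
            raise ValueError(f"malformed entry: {raw!r}")
        current = {"command": fields[7], "args": fields[8:], "opts": {}}
        services[f"{fields[0]}/{fields[1]}"] = current
    for svc in services.values():
        args = svc.pop("args")
        for flag, value in zip(args, args[1:]):  # fold "-o key=value" pairs
            if flag == "-o" and "=" in value:
                key, val = value.split("=", 1)
                svc["opts"][key] = val
    return services


def audit_submission_policy(services):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    smtp = services.get("smtp/inet")
    # main.cf may enable SASL globally, so port 25 needs the explicit override.
    if smtp is not None and smtp["opts"].get("smtpd_sasl_auth_enable") != "no":
        findings.append("smtp/inet: add -o smtpd_sasl_auth_enable=no (no AUTH on port 25)")
    if "smtps/inet" in services:
        findings.append("smtps/inet: port 465 wrapper service is still enabled")
    sub = services.get("submission/inet")
    if sub is None:
        return findings + ["submission/inet: port 587 service is not defined"]
    opts = sub["opts"]
    if opts.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission/inet: smtpd_tls_security_level must be encrypt; with "
                        "'may' AUTH is offered before STARTTLS unless smtpd_tls_auth_only is set")
    if opts.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("submission/inet: smtpd_sasl_auth_enable must be yes")
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        val = opts.get(key, "")
        if not (val.startswith("permit_sasl_authenticated") and val.endswith("reject")):
            findings.append(f"submission/inet: {key} should be permit_sasl_authenticated,reject (got {val!r})")
    return findings


if __name__ == "__main__":
    for label, cf in (("good", GOOD_MASTER_CF), ("weak", WEAK_MASTER_CF)):
        print(label, audit_submission_policy(parse_master_cf(cf)) or ["OK"])
```

Run it against the real file with parse_master_cf(open("/etc/postfix/master.cf").read()); an empty list is the result to expect after the edit above. The audit only sees master.cf overrides, which is why port 25 is required to carry an explicit smtpd_sasl_auth_enable=no rather than relying on the main.cf default.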
| Item | Before | After |
| --- | --- | --- |
| Server name | mail2.hmuna.com | unchanged |
| Port | 465 | 587 (submission) |
| Connection security | SSL/TLS | STARTTLS |
| Authentication method | Normal password | unchanged |
[AWS MX2(sudo)]:/etc# ls -l dovecot/conf.d/90-sieve.conf
-rw-r--r-- 1 root root 10855 Dec 26 2024 dovecot/conf.d/90-sieve.conf
[AWS MX2(sudo)]:/etc# cat dovecot/conf.d/90-sieve.conf | grep -v "^\s*$" | grep -v "^\s*#"
plugin {
sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/.dovecot.sieve
sieve_default = /var/lib/dovecot/sieve/default.sieve
sieve_global = /var/lib/dovecot/sieve/global/
sieve_trace_dir = /var/vmail/%d/%n/
sieve_trace_level = actions
}
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# ls -l sieve/sieve.sieve
-rw------- 1 vmail mail 45947 Jan  9 08:59 sieve/sieve.sieve
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# ls -l /var/log/mail*.*
-rw-r----- 1 syslog adm   35392 Jan  9 08:25 /var/log/mail.err
-rw-r----- 1 syslog adm   93124 Jan  5 06:08 /var/log/mail.err.1
-rw-r----- 1 syslog adm    1361 Dec 27 11:43 /var/log/mail.err.2.gz
-rw-r----- 1 syslog adm    3784 Dec 22 06:16 /var/log/mail.err.3.gz
-rw-r----- 1 syslog adm    3597 Dec 13 21:07 /var/log/mail.err.4.gz
-rw-r----- 1 syslog adm 4869424 Jan  9 09:02 /var/log/mail.log
-rw-r----- 1 syslog adm 7787321 Jan  5 06:25 /var/log/mail.log.1
-rw-r----- 1 syslog adm  645409 Dec 28 06:25 /var/log/mail.log.2.gz
-rw-r----- 1 syslog adm  997214 Dec 22 06:25 /var/log/mail.log.3.gz
-rw-r----- 1 syslog adm  870009 Dec 14 06:25 /var/log/mail.log.4.gz
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# tail -n 100 /var/log/mail.err
Jan  8 22:53:46 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 22:53:47 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:09:29 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:09:30 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:23:09 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:23:09 ip-172-31-22-38 dovecot: imap(public_mail@hmuna.com): Error: stat(/var/vmail/hmuna.com/public_mail/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:24:48 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:24:48 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:40:54 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:40:55 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:47:58 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:47:58 ip-172-31-22-38 dovecot: imap(public_mail@hmuna.com): Error: stat(/var/vmail/hmuna.com/public_mail/.dovecot.sieve/tmp) failed: Not a directory
Jan  8 23:53:25 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
These errors come from the imap process, not from Sieve delivery, and they are not caused by the broken script below. With Dovecot's default maildir_stat_dirs = no, every entry in the Maildir root that starts with a dot is listed as a mailbox folder without checking that it is a directory, and 90-sieve.conf above puts the active-script link .dovecot.sieve in exactly that root (assuming mail_location points the Maildir at the same /var/vmail/%d/%n/ directory, which the paths in the log suggest). Each time a client examines that "folder", imap stats .dovecot.sieve/tmp and logs this line. It is noise rather than lost mail; maildir_stat_dirs = yes in 10-mail.conf (one extra stat() per entry) or moving the active link out of the Maildir root makes it go away.
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# sievec sieve/sieve.sieve
sieve: line 609: error: unexpected character(s) starting with 0xef.
sieve: line 609: error: expected end of command ';' or the beginning of a compound block '{', but found unknown characters.
sieve: error: parse failed.
sievec(root): Fatal: failed to compile sieve script 'sieve/sieve.sieve'
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# ls -la
total 2108
drwx------   3 vmail mail    4096 Jan  9 08:59 .
drwx------ 400 vmail mail 2007040 Jan  9 09:20 ..
-rw-------   1 vmail mail   45947 Jan  9 08:59 sieve.sieve
-rw-------   1 vmail mail   45953 Jan  8 18:31 sieve.sieve~
-rw-------   1 root  root   39652 Jan  9 08:59 sieve.svbin
drwxrwx---   2 vmail mail    4096 Dec  7  2020 tmp
Two things in that output matter. 0xef is the first byte of a UTF-8 byte-order mark (EF BB BF) and also of every full-width (zenkaku) punctuation character such as ； or ｛ (EF BC xx), so line 609 almost certainly holds one of those, the classic result of editing the script with a Japanese IME active or pasting from a Windows editor. And sieve.svbin is now root:root with mode 0600 because sievec was run as root: the Dovecot processes running as vmail can neither read nor replace it, so after the script is fixed either run sievec as vmail or chown vmail:mail sieve.svbin.
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# mkdir /sieve_backup
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# cp sieve.sieve /sieve_backup/
[AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# cd /sieve_backup/
[AWS MX2(sudo)]:/sieve_backup# ls -l
total 48
-rw------- 1 root root 45947 Jan  9 09:49 sieve.sieve
[AWS MX2(sudo)]:/sieve_backup# chown ubuntu:ubuntu sieve.sieve
[AWS MX2(sudo)]:/sieve_backup# ls -l
total 48
-rw------- 1 ubuntu ubuntu 45947 Jan  9 09:49 sieve.sieve
munakata@muna-E14G3:~$ scp -i ~/.ssh/magu-tokyo-messenger.pem ubuntu@ec2-54-168-145-135.ap-northeast-1.compute.amazonaws.com:/sieve_backup/sieve.sieve .
sieve.sieve                                   100%   45KB 102.5KB/s   00:00
munakata@muna-E14G3:~$
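Once the script is on the laptop, the question is where the 0xef byte is and what it is; sievec only gives the line. The scanner below reports every non-ASCII character with line, column and raw UTF-8 bytes, tells a stray BOM apart from full-width punctuation, and can rewrite the latter back to ASCII outside string literals. It is an added example, not code from the page or from Pigeonhole; SAMPLE_SIEVE is a constructed script carrying both kinds of defect, and the string-literal tracking is a deliberate simplification (Sieve "text:" multi-line strings and # comments are not special-cased).

```python
import unicodedata

# Constructed sample: an otherwise valid Sieve script in which one line ends
# with a full-width semicolon (U+FF1B, UTF-8 EF BC 9B) and another carries a
# stray UTF-8 BOM (EF BB BF), the two common sources of a 0xEF byte in a file
# that should be ASCII outside string literals.
SAMPLE_SIEVE = (
    b'require ["fileinto"];\n'
    b'if address :is "from" "list@example.com" {\n'
    b'    fileinto "Lists"\xef\xbc\x9b\n'   # full-width ';' where ';' was meant
    b'}\n'
    b'\xef\xbb\xbfif header :contains "subject" "[spam]" {\n'  # BOM glued in mid-file
    b'    fileinto "Junk";\n'
    b'}\n'
)

FULLWIDTH_OFFSET = 0xFEE0  # U+FF01..U+FF5E mirror ASCII U+0021..U+007E


def find_non_ascii(data):
    """Return [(line_no, col, hex_bytes, description)] for every non-ASCII
    character in data. Line numbers are 1-based like sievec's."""
    text = data.decode("utf-8")  # invalid UTF-8 raises here, which is also worth knowing
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp < 0x80:
                continue
            raw = ch.encode("utf-8").hex(" ")
            if cp == 0xFEFF:
                what = "UTF-8 byte-order mark (BOM)"
            elif 0xFF01 <= cp <= 0xFF5E:
                what = f"full-width form of ASCII {chr(cp - FULLWIDTH_OFFSET)!r}"
            else:
                what = f"U+{cp:04X} {unicodedata.name(ch, 'unknown')}"
            findings.append((lineno, col, raw, what))
    return findings


def normalize(data):
    """Drop BOMs and map full-width ASCII-range characters back to ASCII, but
    only outside "..." string literals: a full-width character inside a string
    may be intended content (a Japanese subject, say) and is left untouched."""
    out, in_string, escaped = [], False, False
    for ch in data.decode("utf-8"):
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
            out.append(ch)
        elif ord(ch) == 0xFEFF:
            continue  # BOM has no business anywhere in a Sieve script
        elif 0xFF01 <= ord(ch) <= 0xFF5E:
            out.append(chr(ord(ch) - FULLWIDTH_OFFSET))
        else:
            out.append(ch)
    return "".join(out).encode("utf-8")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SIEVE
    for lineno, col, raw, what in find_non_ascii(data):
        print(f"line {lineno} col {col}: {raw} -> {what}")
```

Point it at the copied file with python3 scan_sieve.py sieve.sieve (the script name is arbitrary) and compare the reported line with sievec's 609. Review what normalize() changed before copying the result back; a full-width character that was meant literally inside a quoted string is preserved, but anything it rewrote outside strings is a typo by definition.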