#author("2026-01-11T23:34:01+00:00","","")
#author("2026-01-11T23:34:59+00:00","","")
#contents()

** Enabling fail2ban [#c1cc074f]
- Install fail2ban
 [AWS MX2(sudo)]:~# sudo apt install fail2ban

- Edit jail.local
 [AWS MX2(sudo)]:~# cat /etc/fail2ban/jail.local
 [DEFAULT]
 backend = systemd
 maxretry = 3
 findtime = 600
 
 # Recommended: 7-day ban (no problem on EC2) → changed to permanent
 #bantime = 604800
 bantime = forever
 
 banaction = iptables-multiport
 
 
 # --- Postfix SASL ---
 [postfix-sasl]
 enabled  = true
 port     = smtp,submission,465
 filter   = postfix[mode=auth]
 logpath  = %(postfix_log)s
 
 
 # --- Dovecot ---
 [dovecot]
 enabled  = true
 port     = pop3,pop3s,imap,imaps,submission,465
 filter   = dovecot
 logpath  = %(dovecot_log)s
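
The `maxretry = 3` / `findtime = 600` pair above means "ban a client after its third failure within any 600-second window". The following is an added example (not part of this page or of fail2ban itself) that applies that counting rule to constructed Postfix SASL failure lines, so you can see which clients the `postfix-sasl` jail would have banned and when. The log lines, client addresses (documentation ranges) and the year are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: the syslog lines postfix/smtpd writes for a failed SASL
# login (the pattern fail2ban's "postfix[mode=auth]" filter looks for).
# Client addresses are from the documentation ranges 203.0.113.0/24 and
# 198.51.100.0/24; the host name mirrors the one in this page's status output.
SAMPLE_LOG = """\
Jan  8 11:10:01 ip-172-31-22-38 postfix/submission/smtpd[28501]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  8 11:10:09 ip-172-31-22-38 postfix/submission/smtpd[28501]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  8 11:10:15 ip-172-31-22-38 postfix/submission/smtpd[28503]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan  8 11:10:20 ip-172-31-22-38 postfix/submission/smtpd[28501]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan  8 11:30:00 ip-172-31-22-38 postfix/submission/smtpd[28510]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Jan  8 11:50:00 ip-172-31-22-38 postfix/submission/smtpd[28511]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
"""

# Syslog timestamp, any smtpd instance (smtpd, submission/smtpd, ...), then the
# "warning: name[ip]: SASL <mech> authentication failed" part.
SASL_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S*smtpd\[\d+\]: "
    r"warning: [-._\w]+\[(?P<host>[^\]]+)\]: SASL \S+ authentication failed"
)


def parse_failures(log_text, year=2026):
    """Return [(timestamp, client_ip)] for every SASL failure line.

    Syslog lines carry no year, so the caller supplies it (assumed 2026 here).
    """
    events = []
    for line in log_text.splitlines():
        m = SASL_FAIL.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"]))
    return events


def simulate_bans(events, maxretry=3, findtime=600):
    """Apply fail2ban's counting rule to a list of (timestamp, host) failures.

    A host is banned the moment it has `maxretry` failures whose timestamps all
    lie within `findtime` seconds of the newest one. Returns {host: ban_time}
    (first ban per host only; bantime/unbanning is not modelled).
    """
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for ts, host in sorted(events):
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        # Drop failures older than findtime relative to this one.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for host, when in simulate_bans(failures).items():
        print(f"ban {host} at {when:%H:%M:%S}")
    # With the page's settings only 203.0.113.5 is banned (3 failures in 19 s);
    # 198.51.100.7 spreads its 3 failures over 40 minutes and stays under the
    # threshold unless findtime is raised to an hour or more.
```

The second client in the sample is the reason `findtime` matters as much as `maxretry`: an attacker who paces attempts more slowly than one every `findtime / maxretry` seconds is never counted out by this jail, which is worth knowing when reading "Total failed" versus "Total banned" in `fail2ban-client status`.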

- Start fail2ban
 [AWS MX2(sudo)]:~# sudo systemctl restart fail2ban
 [AWS MX2(sudo)]:~# sudo systemctl enable fail2ban
 Synchronizing state of fail2ban.service with SysV service script with /lib/systemd/systemd-sysv-install.
 Executing: /lib/systemd/systemd-sysv-install enable fail2ban

- Check that fail2ban is running
 [AWS MX2(sudo)]:~# sudo systemctl status fail2ban
 ● fail2ban.service - Fail2Ban Service
    Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
    Active: active (running) since Thu 2026-01-08 11:09:35 JST; 9s ago
      Docs: man:fail2ban(1)
   Process: 28396 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
   Process: 28397 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
  Main PID: 28409 (fail2ban-server)
     Tasks: 7 (limit: 4680)
    CGroup: /system.slice/fail2ban.service
            └─28409 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
 
 Jan 08 11:09:35 ip-172-31-22-38 systemd[1]: Stopped Fail2Ban Service.
 Jan 08 11:09:35 ip-172-31-22-38 systemd[1]: Starting Fail2Ban Service...
 Jan 08 11:09:35 ip-172-31-22-38 systemd[1]: Started Fail2Ban Service.
 Jan 08 11:09:35 ip-172-31-22-38 fail2ban-server[28409]: Server ready

- Check which jails are active
 [AWS MX2(sudo)]:~# sudo fail2ban-client status postfix-sasl
 Status for the jail: postfix-sasl
 |- Filter
 |  |- Currently failed:	0
 |  |- Total failed:	0
 |  `- Journal matches:	_SYSTEMD_UNIT=postfix.service
 `- Actions
    |- Currently banned:	0
    |- Total banned:	0
    `- Banned IP list:	
 
 [AWS MX2(sudo)]:~# sudo fail2ban-client status dovecot
 Status for the jail: dovecot
 |- Filter
 |  |- Currently failed:	1
 |  |- Total failed:	2
 |  `- Journal matches:	_SYSTEMD_UNIT=dovecot.service
 `- Actions
    |- Currently banned:	0
    |- Total banned:	0
    `- Banned IP list:	

** Changing the mail submission port (465 → 587) [#wc6727e6]
- The mx2 logs contained a large number of records of unauthorized access attempts against the SASL port (465).
- This is a typical SMTP AUTH brute-force attack; the port was being hammered constantly (the attempts were blocked, so no unauthorized access actually occurred).
- As a countermeasure, stop using port 465 and switch mail submission to the submission port, 587.

- What changes is the configuration in /etc/postfix/master.cf ---> &ref(master.cf);, &ref(main.cf);
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master" or
 # on-line: http://www.postfix.org/master.5.html).
 #
 # Do not forget to execute "postfix reload" after editing this file.
 #
 # ==========================================================================
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
 smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
 submission inet n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
 #tlsproxy  unix  -       -       y       -       0       tlsproxy
  
 # SMTP with TLS on port 587. Currently commented.
 #submission inet n       -       y       -       -       smtpd
 #  -o syslog_name=postfix/submission
 #  -o smtpd_tls_security_level=encrypt
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_enforce_tls=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
 #  -o smtpd_sasl_tls_security_options=noanonymous
   
 # SMTP over SSL on port 465.
 # Intentionally disable 465 port access (=smtps) : 20260108
 #smtps     inet  n       -       y       -       -       smtpd
 #  -o syslog_name=postfix/smtps
 #  -o smtpd_tls_wrappermode=yes
 #  -o smtpd_sasl_auth_enable=yes
 #  -o smtpd_tls_auth_only=yes
 #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
 #  -o smtpd_sasl_security_options=noanonymous,noplaintext
 #  -o smtpd_sasl_tls_security_options=noanonymous
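
After an edit like the one above, the thing worth confirming is that exactly one listener (submission) still accepts SASL authentication and that it forces TLS before AUTH. The following is an added example (not part of this page or of Postfix) that parses master.cf's "service line plus indented -o overrides" format and reports those two properties per inet smtpd listener; the embedded master.cf is the active part of the file shown above, and the helper names are my own.

```python
def parse_master_cf(text):
    """Parse master.cf into {(service, type): {"command": str, "options": {}}}.

    Postfix rules: blank lines and lines whose first non-blank character is '#'
    are ignored; a line starting with whitespace continues the previous entry
    (that is where the "-o name=value" overrides live).
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                     # continuation: -o overrides
            if current is None:
                continue
            parts = raw.split()
            for flag, arg in zip(parts, parts[1:]):
                if flag == "-o" and "=" in arg:
                    key, value = arg.split("=", 1)   # values may contain '='
                    current["options"][key] = value
            continue
        fields = raw.split(None, 7)             # 8 columns, last is command + args
        if len(fields) < 8:
            continue
        current = {"command": fields[7], "options": {}}
        services[(fields[0], fields[1])] = current
    return services


def summarize_listeners(text):
    """Per inet smtpd listener: does it take SASL, and how is TLS enforced?

    Only master.cf overrides are visible here; a missing key means the value
    is inherited from main.cf (reported as "(main.cf)").
    """
    summary = {}
    for (name, stype), svc in parse_master_cf(text).items():
        if stype != "inet" or svc["command"].split()[0] != "smtpd":
            continue
        opts = svc["options"]
        summary[name] = {
            "sasl": opts.get("smtpd_sasl_auth_enable", "(main.cf)").lower(),
            "tls": opts.get("smtpd_tls_security_level", "(main.cf)").lower(),
            "wrappermode": opts.get("smtpd_tls_wrappermode", "no").lower() == "yes",
        }
    return summary


def sasl_without_tls(text):
    """Listeners that accept SASL but neither require STARTTLS nor run in
    TLS wrapper mode, i.e. where a password could cross the wire in clear."""
    return sorted(
        name for name, s in summarize_listeners(text).items()
        if s["sasl"] == "yes" and s["tls"] != "encrypt" and not s["wrappermode"]
    )


# The active entries of the master.cf shown on this page (wiki indentation removed).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#smtp      inet  n       -       y       -       1       postscreen
# SMTP over SSL on port 465.
# Intentionally disable 465 port access (=smtps) : 20260108
#smtps     inet  n       -       y       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
"""

if __name__ == "__main__":
    for name, s in summarize_listeners(MASTER_CF).items():
        print(f"{name:<11} sasl={s['sasl']:<9} tls={s['tls']}"
              f"{' (wrappermode)' if s['wrappermode'] else ''}")
    print("SASL without TLS:", sasl_without_tls(MASTER_CF) or "none")
```

On the server itself the same facts come from `postconf -M` (master.cf entries) and `postconf -P` (the per-service parameter overrides); the parser above is only for reviewing a copy of the file offline, for example the &ref(master.cf); attachment, before running `postfix reload`.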

- Set the Postfix compatibility level (to address the warning)
 [AWS MX2(sudo)]:~# postconf -e 'compatibility_level = 2'
 [AWS MX2(sudo)]:~# postfix reload

- Run postfix check
 [AWS MX2(sudo)]:~# postfix check
 postfix/postfix-script: warning: not owned by root: /etc/postfix/./dkim.key
-- The warning shown here can be ignored (keeping the DKIM key file inside the postfix directory is non-standard, but not a problem)

- Change the outgoing-server settings in the mail client
|Item|Before|After|h
|Server name|mail2.hmuna.com|unchanged|
|BGCOLOR(AQUAMARINE):Port|BGCOLOR(AQUAMARINE):465|BGCOLOR(AQUAMARINE):COLOR(RED):587 (submission)|
|BGCOLOR(AQUAMARINE):Connection security|BGCOLOR(AQUAMARINE):SSL/TLS|BGCOLOR(AQUAMARINE):COLOR(RED):STARTTLS|
|Authentication method|Normal password|unchanged|

** sieve-related notes [#pa23465f]
- Location of the configuration file (/etc/dovecot/conf.d/90-sieve.conf)
 [AWS MX2(sudo)]:/etc# ls -l dovecot/conf.d/90-sieve.conf
 -rw-r--r-- 1 root root 10855 Dec 26  2024 dovecot/conf.d/90-sieve.conf
 
 [AWS MX2(sudo)]:/etc# cat dovecot/conf.d/90-sieve.conf | grep -v "^\s*$" | grep -v "^\s*#"
 plugin {
   sieve = file:/var/vmail/%d/%n/sieve;active=/var/vmail/%d/%n/.dovecot.sieve
   sieve_default = /var/lib/dovecot/sieve/default.sieve
   sieve_global = /var/lib/dovecot/sieve/global/
  sieve_trace_dir = /var/vmail/%d/%n/
  sieve_trace_level = actions
 }
 
- Location of the sieve script (/var/vmail/hmuna.com/public_mail/sieve/sieve.sieve)
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# ls -l sieve/sieve.sieve
 -rw------- 1 vmail mail 45947 Jan  9 08:59 sieve/sieve.sieve

- Log locations (/var/log/mail.log, mail.err)
-- sieve runs as part of dovecot, but its log output is collected in mail.log and mail.err
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# ls -l /var/log/mail*.*
 -rw-r----- 1 syslog adm   35392 Jan  9 08:25 /var/log/mail.err
 -rw-r----- 1 syslog adm   93124 Jan  5 06:08 /var/log/mail.err.1
 -rw-r----- 1 syslog adm    1361 Dec 27 11:43 /var/log/mail.err.2.gz
 -rw-r----- 1 syslog adm    3784 Dec 22 06:16 /var/log/mail.err.3.gz
 -rw-r----- 1 syslog adm    3597 Dec 13 21:07 /var/log/mail.err.4.gz
 -rw-r----- 1 syslog adm 4869424 Jan  9 09:02 /var/log/mail.log
 -rw-r----- 1 syslog adm 7787321 Jan  5 06:25 /var/log/mail.log.1
 -rw-r----- 1 syslog adm  645409 Dec 28 06:25 /var/log/mail.log.2.gz
 -rw-r----- 1 syslog adm  997214 Dec 22 06:25 /var/log/mail.log.3.gz
 -rw-r----- 1 syslog adm  870009 Dec 14 06:25 /var/log/mail.log.4.gz
 
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# tail -n 100 /var/log/mail.err
 Jan  8 22:53:46 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 22:53:47 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:09:29 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:09:30 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:23:09 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:23:09 ip-172-31-22-38 dovecot: imap(public_mail@hmuna.com): Error: stat(/var/vmail/hmuna.com/public_mail/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:24:48 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:24:48 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:40:54 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:40:55 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:47:58 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:47:58 ip-172-31-22-38 dovecot: imap(public_mail@hmuna.com): Error: stat(/var/vmail/hmuna.com/public_mail/.dovecot.sieve/tmp) failed: Not a directory
 Jan  8 23:53:25 ip-172-31-22-38 dovecot: imap(munakata@hmuna.com): Error: stat(/var/vmail/hmuna.com/munakata/.dovecot.sieve/tmp) failed: Not a directory

- &color(red){''Syntax check of the sieve script (sievec)''}; (should be run after every edit to the script)
-- It reports the line number of the error, which makes bugs easy to find (in this example, stray characters had crept in while editing)
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# sievec sieve/sieve.sieve
 sieve: line 609: error: unexpected character(s) starting with 0xef.
 sieve: line 609: error: expected end of command ';' or the beginning of a compound block '{', but found unknown characters.
 sieve: error: parse failed.
 sievec(root): Fatal: failed to compile sieve script 'sieve/sieve.sieve'
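
The "unexpected character(s) starting with 0xef" above is the signature of a non-ASCII character where the parser expected plain syntax: every code point from U+F000 to U+FFFF, which covers the full-width punctuation an IME produces (for example a full-width semicolon, U+FF1B) as well as the byte-order mark U+FEFF, is encoded in UTF-8 with a leading byte of 0xEF. The following is an added example (not part of this page, nor a Dovecot/Pigeonhole tool) that scans a script and reports the line and column of every non-ASCII character that sits outside string literals, `text:` blocks and comments, where non-ASCII is legitimate. The sample script is constructed.

```python
import sys


def suspicious_chars(script_text):
    """Find non-ASCII characters outside sieve strings and comments.

    Inside "..." strings, text: ... . blocks, # comments and /* */ comments a
    Japanese subject or body is normal; anywhere else a non-ASCII character is
    almost certainly an editing accident (BOM, no-break space, full-width
    punctuation). Returns [(line, column, "U+XXXX")], 1-based.
    """
    findings = []
    in_string = in_block_comment = in_multiline = False
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if in_multiline:
            if line == ".":              # text: block ends at a lone "."
                in_multiline = False
            continue
        i = 0
        while i < len(line):
            ch = line[i]
            if in_block_comment:
                if line.startswith("*/", i):
                    in_block_comment = False
                    i += 2
                else:
                    i += 1
                continue
            if in_string:                # quoted strings may span lines
                if ch == "\\":
                    i += 2               # skip the escaped character
                    continue
                if ch == '"':
                    in_string = False
                i += 1
                continue
            if ch == "#":
                break                    # hash comment runs to end of line
            if line.startswith("/*", i):
                in_block_comment = True
                i += 2
                continue
            if ch == '"':
                in_string = True
                i += 1
                continue
            if line.startswith("text:", i):
                in_multiline = True      # content starts on the next line
                break
            if ord(ch) > 0x7F:
                findings.append((lineno, i + 1, f"U+{ord(ch):04X}"))
            i += 1
    return findings


# Constructed sample script with two typical editing accidents.
SAMPLE_SIEVE = "\n".join([
    'require ["fileinto", "vacation"];',
    '# 件名で振り分け  (non-ASCII inside a comment is fine)',
    'if header :contains "subject" "請求書" {',   # Japanese inside a string: fine
    '    fileinto "INBOX.invoices"\uff1b',        # full-width ';' -> flagged
    '}',
    'if address :is "from" "noreply@example.com" {',
    '    fileinto\u00a0"INBOX.noreply";',         # no-break space -> flagged
    '}',
    'vacation text:',
    'お休み中です。',                                # inside a text: block: fine
    '.',
    ';',
])

if __name__ == "__main__":
    # Usage: python3 check_sieve.py /path/to/sieve.sieve   (file name assumed)
    # surrogateescape keeps undecodable bytes as U+DC80..U+DCFF, which are
    # also > 0x7F and therefore get reported.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = (open(path, encoding="utf-8", errors="surrogateescape").read()
            if path else SAMPLE_SIEVE)
    for line, col, cp in suspicious_chars(text):
        print(f"{path or '<sample>'}:{line}:{col}: unexpected {cp}")
```

This is a pre-check, not a replacement for `sievec`: it only locates the kind of character that produced the error above, while `sievec` remains the authority on whether the script compiles.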

- Backing up the sieve script (it cannot be copied with scp while it keeps its original owner and permissions)
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# ls -la
 total 2108
 drwx------   3 vmail mail    4096 Jan  9 08:59 .
 drwx------ 400 vmail mail 2007040 Jan  9 09:20 ..
 -rw-------   1 vmail mail   45947 Jan  9 08:59 sieve.sieve
 -rw-------   1 vmail mail   45953 Jan  8 18:31 sieve.sieve~
 -rw-------   1 root  root   39652 Jan  9 08:59 sieve.svbin
 drwxrwx---   2 vmail mail    4096 Dec  7  2020 tmp

-- Copy the script to another location and change its owner
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# mkdir /sieve_backup
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# cp sieve.sieve /sieve_backup/
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail/sieve# cd /sieve_backup/
 [AWS MX2(sudo)]:/sieve_backup# ls -l
 total 48
 -rw------- 1 root root 45947 Jan  9 09:49 sieve.sieve
 [AWS MX2(sudo)]:/sieve_backup# chown ubuntu:ubuntu sieve.sieve 
 [AWS MX2(sudo)]:/sieve_backup# ls -l 
 total 48
 -rw------- 1 ubuntu ubuntu 45947 Jan  9 09:49 sieve.sieve

-- Copy it with scp
 munakata@muna-E14G3:~$ scp -i ~/.ssh/magu-tokyo-messenger.pem ubuntu@ec2-54-168-145-135.ap-northeast-1.compute.amazonaws.com:/sieve_backup/sieve.sieve .
 sieve.sieve                                                                                                                100%   45KB 102.5KB/s   00:00    
 munakata@muna-E14G3:~$ 

*** sieve script backup [#u0aaac73]
-- &ref(sieve.sieve_20260109);

** Enabling Ubuntu One [#odf0b663]
 [AWS MX2(sudo)]:/var/vmail/hmuna.com/public_mail# pro status
 SERVICE          ENTITLED  STATUS       DESCRIPTION
 cc-eal           yes       disabled     Common Criteria EAL2 Provisioning Packages
 cis              yes       disabled     Security compliance and audit tools
 esm-apps         yes       enabled      Expanded Security Maintenance for Applications
 esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
 fips             yes       disabled     NIST-certified FIPS crypto packages
 fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
 livepatch        yes       warning      Canonical Livepatch service
 ros              yes       disabled     Security Updates for the Robot Operating System
 ros-updates      yes       disabled     All Updates for the Robot Operating System
 
 NOTICES
 The running kernel has reached the end of its active livepatch window.
 Please upgrade the kernel with apt and reboot for continued livepatch coverage.
 
 For a list of all Ubuntu Pro services, run 'pro status --all'
 Enable services with: pro enable <service>
 
      Account: public_mail@hmuna.com
 Subscription: Ubuntu Pro - free personal subscription
