setup-mail-server.sh

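#!/bin/bash
#
# setup-mail-server.sh — provision a single-domain Postfix + Dovecot mail
# server for ${DOMAIN} with a Let's Encrypt certificate, SASL-authenticated
# submission on 587, and an iptables/ip6tables host firewall.
#
# Prerequisites (not checked here):
#   * run as root on a fresh Debian/Ubuntu host;
#   * an A record for ${MAILDOMAIN} already points at this host and port 80 is
#     reachable from the internet — `certbot --standalone` binds :80 itself to
#     answer the HTTP-01 challenge, so nothing else may listen there;
#   * MX, SPF and DMARC records are the operator's job (see the final message);
#     DKIM is set up by setup-dkim.sh afterwards.
#
# Order matters: the certificate is fetched before Postfix/Dovecot are
# configured because both reference the cert/key paths at start-up, and the
# firewall's default policy is flipped to DROP only after the allow rules exist.

set -Eeuo pipefail
trap 'echo "setup-mail-server.sh: failed at line ${LINENO}" >&2' ERR

DOMAIN="hungrymind.kr"
MAILDOMAIN="mail.${DOMAIN}"
EMAIL="admin@${DOMAIN}"  # Let's Encrypt 등록용 이메일 (account contact / expiry notices)
USERNAME="mailuser"
CERT_DIR="/etc/letsencrypt/live/${MAILDOMAIN}"
MAILDIR="/home/${USERNAME}/Maildir"

if [[ "$(id -u)" -ne 0 ]]; then
  echo "this script must run as root" >&2
  exit 1
fi

echo "==> 시스템 패키지 업데이트 및 설치"
# Non-interactive install. Without the preseed the noninteractive frontend
# picks "No configuration" for postfix and leaves no main.cf for postconf to
# edit. ufw is deliberately not installed: the firewall is managed with raw
# iptables + netfilter-persistent below, and two front-ends fighting over the
# same tables is a common source of silently-open ports. dovecot-pop3d is kept
# as in the original, but no POP3 port is opened by the firewall.
export DEBIAN_FRONTEND=noninteractive
debconf-set-selections <<EOF
postfix postfix/main_mailer_type select Internet Site
postfix postfix/mailname string ${DOMAIN}
iptables-persistent iptables-persistent/autosave_v4 boolean false
iptables-persistent iptables-persistent/autosave_v6 boolean false
EOF
apt-get update && apt-get upgrade -y
apt-get install -y postfix dovecot-imapd dovecot-pop3d certbot mailutils iptables-persistent

echo "==> 사용자 생성 및 Maildir 디렉토리 설정"
# The mailbox password doubles as the system password (Dovecot authenticates
# via PAM through auth-system.conf.ext). Give the account no shell so a leaked
# IMAP/SMTP credential cannot be replayed against the SSH port opened below.
if ! id "$USERNAME" &>/dev/null; then
  useradd -m -s /usr/sbin/nologin "$USERNAME"
fi
# Interactive on purpose: the password must not appear in this file, in argv
# or in shell history.
passwd "$USERNAME"
if [[ ! -d "$MAILDIR" ]]; then
  maildirmake.dovecot "$MAILDIR"
fi
chown -R "${USERNAME}:${USERNAME}" "$MAILDIR"
chmod 700 "$MAILDIR"

echo "==> Let's Encrypt 인증서 발급"
# Single issuance (the original ran certbot twice). An existing, still-valid
# certificate is kept, so re-running the script is safe.
certbot certonly --standalone -d "$MAILDOMAIN" \
  --agree-tos -m "$EMAIL" --non-interactive --keep-until-expiring

echo "==> Postfix 구성"
postconf -e "myhostname = ${MAILDOMAIN}"
postconf -e "mydomain = ${DOMAIN}"
postconf -e "myorigin = /etc/mailname"
# Single quotes: the $ names are Postfix variables, expanded by Postfix, not
# by this shell.
postconf -e 'mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain'
postconf -e "inet_interfaces = all"
postconf -e "inet_protocols = ipv4"
postconf -e "home_mailbox = Maildir/"

# TLS. smtpd_tls_security_level replaces the legacy smtpd_use_tls; "may"
# offers STARTTLS to everyone, and smtpd_tls_auth_only keeps AUTH hidden
# until the session is encrypted so credentials never cross in the clear.
postconf -e "smtpd_tls_cert_file = ${CERT_DIR}/fullchain.pem"
postconf -e "smtpd_tls_key_file = ${CERT_DIR}/privkey.pem"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtpd_tls_auth_only = yes"
postconf -e "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1"
postconf -e "smtp_tls_security_level = may"   # opportunistic TLS for outbound too

# SASL backed by Dovecot. Without these three lines permit_sasl_authenticated
# below can never match and no client can submit mail. The socket path is
# relative to queue_directory, which is also smtpd's chroot on Debian.
postconf -e "smtpd_sasl_type = dovecot"
postconf -e "smtpd_sasl_path = private/auth"
postconf -e "smtpd_sasl_auth_enable = yes"
postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination"

# Submission service on 587 (shipped commented-out in Debian's master.cf, so
# the firewall rule for 587 alone would guard a closed port). TLS is mandatory
# here and only authenticated clients may talk to it at all.
postconf -M "submission/inet=submission inet n - y - - smtpd"
postconf -P "submission/inet/syslog_name=postfix/submission"
postconf -P "submission/inet/smtpd_tls_security_level=encrypt"
postconf -P "submission/inet/smtpd_sasl_auth_enable=yes"
postconf -P "submission/inet/smtpd_client_restrictions=permit_sasl_authenticated,reject"

# myorigin is read from this file: unqualified local senders become
# user@${DOMAIN}. The original wrote ${MAILDOMAIN} here, which turns them into
# user@mail.${DOMAIN} — a different domain from the one setup-dkim.sh signs for.
echo "${DOMAIN}" > /etc/mailname
postfix check
systemctl restart postfix

echo "==> Dovecot 구성"
# These three files replace the packaged ones wholesale, as in the original;
# Dovecot's compiled-in defaults cover everything not listed here.
cat > /etc/dovecot/conf.d/10-mail.conf <<'EOF'
mail_location = maildir:~/Maildir
EOF

cat > /etc/dovecot/conf.d/10-auth.conf <<'EOF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-system.conf.ext
EOF

# ssl = required rejects any non-TLS IMAP session (so port 143 below is
# STARTTLS-only); ssl_min_protocol needs Dovecot >= 2.3.
cat > /etc/dovecot/conf.d/10-ssl.conf <<EOF
ssl = required
ssl_cert = <${CERT_DIR}/fullchain.pem
ssl_key = <${CERT_DIR}/privkey.pem
ssl_min_protocol = TLSv1.2
EOF

# Auth socket for Postfix SASL, placed inside the Postfix chroot. A separate
# drop-in leaves the packaged 10-master.conf intact; Dovecot merges repeated
# `service auth` blocks. 0660 + postfix ownership: only Postfix may query it.
cat > /etc/dovecot/conf.d/99-postfix-sasl.conf <<'EOF'
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF

doveconf -n > /dev/null   # fail here, with a readable error, rather than on restart
systemctl restart dovecot

echo "==> 인증서 자동 갱신 설정"
# Reload both daemons only when a certificate was actually renewed. Hooks in
# this directory run on every `certbot renew`, so the packaged systemd timer
# and the cron fallback below both pick up the new certificate.
install -d -m 0755 /etc/letsencrypt/renewal-hooks/deploy
cat > /etc/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh <<'EOF'
#!/bin/sh
systemctl reload postfix dovecot
EOF
chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/reload-mail-services.sh
echo "15 3 * * * root certbot renew --quiet" > /etc/cron.d/certbot-renew

echo "==> iptables 방화벽 규칙 설정"

# allow <iptables|ip6tables> <rule...>: append an INPUT rule unless an
# identical one is already present, so re-running the script does not stack
# duplicates (the original had no such guard).
allow() {
  local ipt=$1
  shift
  "$ipt" -C INPUT "$@" 2>/dev/null || "$ipt" -A INPUT "$@"
}

for ipt in iptables ip6tables; do
  # Hosts whose kernel lacks the v6 tables: skip rather than abort.
  "$ipt" -L INPUT -n >/dev/null 2>&1 || continue

  allow "$ipt" -i lo -j ACCEPT
  allow "$ipt" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  allow "$ipt" -p tcp --dport 22 -j ACCEPT    # SSH
  allow "$ipt" -p tcp --dport 25 -j ACCEPT    # SMTP (MX)
  allow "$ipt" -p tcp --dport 587 -j ACCEPT   # submission (TLS + SASL enforced above)
  allow "$ipt" -p tcp --dport 143 -j ACCEPT   # IMAP (STARTTLS required by Dovecot)
  allow "$ipt" -p tcp --dport 993 -j ACCEPT   # IMAPS
  allow "$ipt" -p tcp --dport 80 -j ACCEPT    # HTTP-01 challenge for certbot renewals
  # 443 is not opened: nothing on this host listens there and HTTP-01 uses
  # port 80 only. POP3 (110/995) is likewise left closed.
  if [[ "$ipt" == iptables ]]; then
    allow "$ipt" -p icmp --icmp-type echo-request -j ACCEPT   # ping (optional)
  else
    # ICMPv6 is not optional: neighbour discovery and PMTU depend on it.
    allow "$ipt" -p ipv6-icmp -j ACCEPT
  fi

  # Default policies last: the ESTABLISHED rule above is already in place, so
  # the operator's SSH session survives the switch to DROP. Setting DROP first
  # (as the original did) and then failing under `set -e` before the allow
  # rules were added would lock the operator out. The original also filtered
  # IPv4 only; Dovecot and sshd listen on IPv6 as well.
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
done

echo "==> iptables 규칙 저장"
# netfilter-persistent restores /etc/iptables/rules.v4 and rules.v6 at boot.
# The original saved to /etc/iptables.rules, which nothing reads, so the
# firewall silently vanished on the first reboot.
install -d -m 0755 /etc/iptables
iptables-save > /etc/iptables/rules.v4
if ip6tables -L INPUT -n >/dev/null 2>&1; then
  ip6tables-save > /etc/iptables/rules.v6
fi
systemctl enable netfilter-persistent

echo "==> 완료: mail.${DOMAIN} 에 메일 서버가 구축되었습니다!"
echo "Remaining DNS work: MX record for ${DOMAIN} -> ${MAILDOMAIN}, an SPF TXT record and a DMARC record; run setup-dkim.sh for DKIM."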

setup-dkim.sh

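#!/bin/bash
#
# setup-dkim.sh — install OpenDKIM, create a signing key for ${DOMAIN} and
# attach OpenDKIM to Postfix as a milter. Run as root after setup-mail-server.sh.
#
# Postfix and OpenDKIM talk over loopback TCP (12301) rather than a unix
# socket because Debian runs smtpd chrooted and the chroot cannot reach
# /run/opendkim. Mode "sv": sign mail from ${DOMAIN}, verify everything inbound.
#
# The private key is created once and never overwritten by a re-run: its
# public half is published in DNS, and replacing it silently would make every
# message signed afterwards fail verification until the TXT record is changed.
# Rotate deliberately, with a new selector, instead.

set -Eeuo pipefail
trap 'echo "setup-dkim.sh: failed at line ${LINENO}" >&2' ERR

DOMAIN="hungrymind.kr"
DKIM_SELECTOR="default"
KEY_BITS=2048   # explicit: older opendkim-genkey defaulted to 1024, the RFC 8301 floor
KEY_DIR="/etc/opendkim/keys/${DOMAIN}"
KEY_FILE="${KEY_DIR}/${DKIM_SELECTOR}.private"
DNS_FILE="${KEY_DIR}/${DKIM_SELECTOR}.txt"

if [[ "$(id -u)" -ne 0 ]]; then
  echo "this script must run as root" >&2
  exit 1
fi

echo "==> opendkim 설치"
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y opendkim opendkim-tools

echo "==> DKIM 키 생성 디렉토리 생성"
# 0750, owned by opendkim: RequireSafeKeys (on by default) refuses a key whose
# directory or file is group/world writable or whose file others can read.
install -d -m 0750 -o opendkim -g opendkim "$KEY_DIR"
if [[ -s "$KEY_FILE" ]]; then
  echo "keeping existing key ${KEY_FILE}; rotate with a new selector instead" >&2
else
  # -D writes ${DKIM_SELECTOR}.private and ${DKIM_SELECTOR}.txt into KEY_DIR
  # without changing the working directory.
  opendkim-genkey -b "$KEY_BITS" -s "$DKIM_SELECTOR" -d "$DOMAIN" -D "$KEY_DIR"
  chown opendkim:opendkim "$KEY_FILE"
  chmod 0600 "$KEY_FILE"
fi

echo "==> /run/opendkim 디렉토리 생성 및 자동 유지 설정"
install -d -m 0755 -o opendkim -g opendkim /run/opendkim
# /run is tmpfs; recreate the directory on every boot.
cat > /etc/tmpfiles.d/opendkim.conf <<'EOF'
d /run/opendkim 0755 opendkim opendkim -
EOF
systemd-tmpfiles --create

echo "==> opendkim 설정 파일 작성"
# SigningTable uses the refile: dataset type so that the `*@${DOMAIN}` key
# written below is treated as a wildcard pattern; a plain file: dataset does
# literal key lookups.
cat > /etc/opendkim.conf <<'EOF'
Syslog                  yes
UMask                   002
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
AutoRestart             yes
AutoRestartRate         10/1h
Background              yes
DNSTimeout              5
SignatureAlgorithm      rsa-sha256

KeyTable                /etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table
ExternalIgnoreList      /etc/opendkim/trusted.hosts
InternalHosts           /etc/opendkim/trusted.hosts

Socket                  inet:12301@localhost
PidFile                 /run/opendkim/opendkim.pid
EOF

echo "==> 관련 테이블/호스트 파일 작성"

# InternalHosts: mail from these sources is signed and not verified;
# ExternalIgnoreList: they are also exempt from the external-header checks.
# `*.${DOMAIN}` matches on the client hostname Postfix reports — treat it as a
# convenience, not an authentication boundary; list exact hosts if other
# machines under the domain are not fully trusted.
cat > /etc/opendkim/trusted.hosts <<EOF
127.0.0.1
localhost
*.${DOMAIN}
EOF

# key name -> domain:selector:private-key path
cat > /etc/opendkim/key.table <<EOF
${DKIM_SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${DKIM_SELECTOR}:${KEY_FILE}
EOF

# From: address pattern -> key name (wildcard, see refile: above)
cat > /etc/opendkim/signing.table <<EOF
*@${DOMAIN} ${DKIM_SELECTOR}._domainkey.${DOMAIN}
EOF

echo "==> Postfix와 opendkim 연동"
# milter_default_action = accept fails OPEN: if OpenDKIM is down, outbound
# mail leaves unsigned and inbound mail is accepted unverified. "tempfail" is
# the fail-closed alternative at the cost of delaying mail while the milter
# is unavailable.
postconf -e "milter_default_action = accept"
postconf -e "milter_protocol = 6"
postconf -e "smtpd_milters = inet:localhost:12301"
postconf -e "non_smtpd_milters = inet:localhost:12301"

echo "==> 서비스 재시작"
opendkim -n -x /etc/opendkim.conf   # parse the config (incl. key safety checks) before restarting
systemctl restart opendkim
systemctl restart postfix

echo ""
echo "✅ DKIM 설정 완료!"
echo "📌 DNS에 아래 TXT 레코드를 등록하세요:"
echo ""
cat "$DNS_FILE"
echo ""
# A 2048-bit record is written as several quoted strings; most DNS front-ends
# accept that as-is or concatenated. Check that before considering a smaller
# key. Verify after publishing with:
#   opendkim-testkey -d ${DOMAIN} -s ${DKIM_SELECTOR} -k ${KEY_FILE} -vvv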
echo ""

reconfigure-dkim-1024.sh

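#!/bin/bash
#
# reconfigure-dkim-1024.sh — rotate ${DOMAIN}'s DKIM signing key, by default
# to a 1024-bit key, for DNS providers that cannot store the multi-string TXT
# record of a 2048-bit key.
#
# Before using this: 1024 bits is the floor RFC 8301 still allows, not the
# recommended size. opendkim-genkey splits a 2048-bit record into several
# quoted strings; most DNS front-ends accept that (or the strings concatenated),
# in which case the 2048-bit key from setup-dkim.sh should simply stay. If
# 1024 bits is unavoidable, rotate on a schedule.
#
# How the rotation is done (and why it differs from the original script):
#   1. a new key is generated under a NEW selector (default: today's date);
#   2. its TXT record is printed and the script waits until opendkim-testkey
#      confirms the record is live and matches the private key;
#   3. only then is signing.table switched and OpenDKIM restarted.
# Reusing the "default" selector, as the original did, made every message
# signed between the restart and the DNS change fail verification, and broke
# verification of mail still in transit once the old record was overwritten.
# With a new selector the old record stays valid until the old key is retired.

set -Eeuo pipefail
trap 'echo "reconfigure-dkim-1024.sh: failed at line ${LINENO}" >&2' ERR

DOMAIN="hungrymind.kr"
OLD_SELECTOR="default"
NEW_SELECTOR="${NEW_SELECTOR:-$(date +%Y%m%d)}"   # override: NEW_SELECTOR=... ./reconfigure-dkim-1024.sh
KEY_BITS="${KEY_BITS:-1024}"
KEY_DIR="/etc/opendkim/keys/${DOMAIN}"
NEW_KEY="${KEY_DIR}/${NEW_SELECTOR}.private"
NEW_TXT="${KEY_DIR}/${NEW_SELECTOR}.txt"

if [[ "$(id -u)" -ne 0 ]]; then
  echo "this script must run as root" >&2
  exit 1
fi
if [[ "$NEW_SELECTOR" == "$OLD_SELECTOR" ]]; then
  echo "NEW_SELECTOR must differ from the selector currently in DNS (${OLD_SELECTOR})" >&2
  exit 1
fi
if [[ -e "$NEW_KEY" ]]; then
  echo "${NEW_KEY} already exists; pick another NEW_SELECTOR" >&2
  exit 1
fi
if (( KEY_BITS < 2048 )); then
  echo "WARNING: generating a ${KEY_BITS}-bit key; 2048 bits is the recommended DKIM key size" >&2
fi

echo "==> ${KEY_BITS}bit DKIM 키 생성 (selector: ${NEW_SELECTOR})"
# The old key stays in place under its own selector; nothing is renamed or
# moved, so the running key.table keeps pointing at a file that exists.
opendkim-genkey -b "$KEY_BITS" -s "$NEW_SELECTOR" -d "$DOMAIN" -D "$KEY_DIR"
chown opendkim:opendkim "$NEW_KEY"
chmod 0600 "$NEW_KEY"   # RequireSafeKeys rejects group/world-readable keys

echo ""
echo "📌 아래 내용을 DNS TXT 레코드로 등록하세요:"
echo ""
cat "$NEW_TXT"
echo ""

# Do not switch signing until the record resolves. opendkim-testkey exits
# non-zero while the record is missing or does not match the private key; a
# "key not secure" line only reports that the zone is not DNSSEC-signed.
read -r -p "Publish the record above, then press Enter to verify (Ctrl-C to abort) "
until opendkim-testkey -d "$DOMAIN" -s "$NEW_SELECTOR" -k "$NEW_KEY" -vvv; do
  read -r -p "Record not valid yet (DNS propagation?). Press Enter to retry, Ctrl-C to abort "
done

echo "==> signing table 전환 및 opendkim 재시작"
cat > /etc/opendkim/key.table <<EOF
${NEW_SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${NEW_SELECTOR}:${NEW_KEY}
EOF
cat > /etc/opendkim/signing.table <<EOF
*@${DOMAIN} ${NEW_SELECTOR}._domainkey.${DOMAIN}
EOF
opendkim -n -x /etc/opendkim.conf   # parse the config before restarting
systemctl restart opendkim
# Postfix needs no restart: the milter endpoint is unchanged and every message
# opens a fresh connection to it.

echo ""
echo "✅ ${KEY_BITS}bit DKIM 키(${NEW_SELECTOR})로 전환 완료!"
echo "Old key ${KEY_DIR}/${OLD_SELECTOR}.private and its TXT record can be removed once mail signed with it has cleared transit (a few days)."
echo ""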
echo ""