Skip to content

Latest commit

 

History

History
157 lines (119 loc) · 3.77 KB

setup-mta-auththentication_milter.md

File metadata and controls

157 lines (119 loc) · 3.77 KB
title up prev next
DKIM and ARC: Setup MTA: Using Authentication Milter
setup-mta.md
setup-keys.md
setup-mta.md#tests

DKIM and ARC: Setup MTA: Using Authentication Milter

Requirements

  • MTA: Postfix or Sendmail

  • Authentication Milter, originally distributed as Mail-Milter-Authentication CPAN module

  • You have to choose authserv-id to determine the results of domain validation. In this document mx.example.org is used for example.

Installation

If your operating system provies a package for Authentication Milter, installing it is recommended.

Otherwise, you may install CPAN module (In this case, many dependent modules will also be installed, so you may want to consider using perlbrew or similar).

If you use cpanm, you can install as follows (replace $PREFIX with the prefix of Perl you are using):

# cpanm --notest --install-args "--install_path sbin=$PREFIX/sbin" Mail::SPF
# cpanm --notest Mail::Milter::Authentication

Note that some external libraries such as OpenSSL/LibreSSL are required to build all dependencies.

Authentication Milter also needs some directories.

# mkdir /var/cache/authentication_milter
# mkdir /var/lib/authentication_milter
# mkdir /var/spool/authentication_milter

Configuration

Setting Authentication Milter

You have to create authentication_milter.json in /etc directory (or appropriate location). The following are the default settings with minimal modifications.

  • runas and rungroup are set to unprivileged user and its group.
  • Replace mx.example.org with the authserv-id you chose.
{
    "error_log"   : "/var/log/authentication_milter.err",
    "connection"  : "inet:12345@localhost",
    "umask"       : "0007",
    "runas"       : "nobody",
    "rungroup"    : "nobody",
    "authserv_id" : "mx.example.org",

    "connect_timeout" : 30,
    "command_timeout" : 30,
    "content_timeout" : 300,
    "dns_timeout"     : 10,
    "dns_retry"       : 2,

    "handlers" : {

        "SPF" : {
            "hide_none" : 0
        },

        "DKIM" : {
            "hide_none" : 0,
        },

        "DMARC" : {
            "hide_none" : 0,
            "detect_list_id" : "1"
        },

        "PTR" : {},

        "SenderID" : {
            "hide_none" : 1
        },

        "IPRev" : {},

        "Auth" : {},

        "LocalIP" : {},

        "TrustedIP" : {
            "trusted_ip_list" : []
        },

        "!AddID" : {},

        "ReturnOK" : {},

        "Sanitize" : {}
    }
}

If you installed Authentication Milter with CPAN package, you may also create startup script as necessity. A sample init script is included in the source tarball.

Note

  • You may also perform unit test of Authentication Milter using authentication_milter_client.

Setting MTA

  • Postfix

    Add following settings to main.cf:

    smtpd_milters = (existing settings) inet:localhost:12345
milter_default_action = accept

  • Sendmail

    Edit sendmail.cf to add following settings:

    O InputMailFilters=authmilter
Xauthmilter, S=inet:12345@localhost

    Or, if you are generating sendmail.cf from sendmail.mc, add following lines after FEATURE lines:

    define(`confINPUT_MAIL_FILTERS', `authmilter')
MAIL_FILTER(`authmilter', `S=inet:12345@localhost')

    Above is equivalent to below:

    INPUT_MAIL_FILTER(`authmilter', `S=inet:12345@localhost')

After you finished setting up MTA, test it.