Milter Manager + OpenDKIM

Milter Manager + OpenDKIM

OpenDKIMのインストールおよび設定(postfixの設定やDNSの設定など含む)と「milterを使った効果的な迷惑メール対策」にあるCentOS7のインストール方法にてMilter ManagerおよびPostfixの設定までが完了しているとして、OpenDKIMをMilter Managerで管理させる方法を記載します。

それぞれ関連するソフトウェアのバージョンです。

postfix 2.10.1
openDKIM 2.11.0
Milter Manager 2.1.4

Postfixの設定はMilter Managerの設定方法通りです。
※Postfix+openDKIMにあるような設定をPostfix(main.cfやmaster.cf)にはしません。

# ---------------------- Milter Manager ------------------------------
milter_protocol                     = 6
milter_default_action               = accept
smtpd_milters                       = unix:/var/run/milter-manager/milter-manager.sock
milter_mail_macros                  = {auth_author} {auth_type} {auth_authen}

スパム対策/ウィルス対策はそれぞれspamass-milterとclamav-milterにてすでにMilter Manager管理下にあります。
これまでcontent_filterに記載していたスパム対策/ウィルス対策用フィルターは削除するかコメントにしておきます。

Milter ManagerにopenDKIMを管理させる

Milter ManagerはシステムにインストールされているMilterを自動検出できるので、以下のコマンドで各Milterが検出され有効になっているかを確認できます。

# milter-manager --show-config
# default
package.platform = "centos7"
# default
package.options = nil

# /etc/milter-manager/defaults/redhat.conf:3
security.privilege_mode = true
# default
security.effective_user = "milter-manager"
# default
security.effective_group = "milter-manager"

# default
log.level = "default"
# default
log.path = nil
# default
log.use_syslog = true
# default
log.syslog_facility = "mail"

# /etc/milter-manager/milter-manager.conf:11
manager.connection_spec = "inet:10025@[127.0.0.1]"
# /etc/milter-manager/milter-manager.conf:12
manager.unix_socket_mode = 0660
# default
manager.unix_socket_group = "milter-manager"
# default
manager.remove_unix_socket_on_create = true
# default
manager.remove_unix_socket_on_close = true
# default
manager.daemon = false
# default
manager.pid_file = "/var/run/milter-manager/milter-manager.pid"
# default
manager.maintenance_interval = 10
# default
manager.suspend_time_on_unacceptable = 5
# default
manager.max_connections = 0
# default
manager.max_file_descriptors = 0
# default
manager.custom_configuration_directory = nil
# default
manager.fallback_status = "accept"
# default
manager.fallback_status_at_disconnect = "temporary-failure"
# default
manager.event_loop_backend = "glib"
# default
manager.n_workers = 0
# default
manager.packet_buffer_size = 0
# default
manager.connection_check_interval = 0
# default
manager.chunk_size = 65535
# default
manager.max_pending_finished_sessions = 0

# default
controller.connection_spec = nil
# default
controller.unix_socket_mode = 0660
# default
controller.unix_socket_group = nil
# default
controller.remove_unix_socket_on_create = true
# default
controller.remove_unix_socket_on_close = true

# default
database.type = nil
# default
database.name = nil
# default
database.host = nil
# default
database.port = nil
# default
database.path = nil
# default
database.user = nil
# default
database.password = nil

# /etc/milter-manager/applicable-conditions/authentication.conf:3
define_applicable_condition("Authenticated") do |condition|
  # /etc/milter-manager/applicable-conditions/authentication.conf:4
  condition.description = "Apply a milter only when sender is authorized"
end

# /etc/milter-manager/applicable-conditions/authentication.conf:11
define_applicable_condition("Unauthenticated") do |condition|
  # /etc/milter-manager/applicable-conditions/authentication.conf:12
  condition.description = "Apply a milter only when sender is not authorized"
end

# /etc/milter-manager/applicable-conditions/dnsbl.conf:99
define_applicable_condition("DNSBL Listed") do |condition|
  # /etc/milter-manager/applicable-conditions/dnsbl.conf:100
  condition.description = "Apply a milter only when connected host is listed in DNS-based Blackhole List"
end

# /etc/milter-manager/applicable-conditions/dnsbl.conf:109
define_applicable_condition("Not DNSBL Listed") do |condition|
  # /etc/milter-manager/applicable-conditions/dnsbl.conf:110
  condition.description = "Apply a milter only when connected host is not listed in DNS-based Blackhole List"
end

# /etc/milter-manager/applicable-conditions/remote-network.conf:25
define_applicable_condition("Remote Network") do |condition|
  # /etc/milter-manager/applicable-conditions/remote-network.conf:26
  condition.description = "Apply milter only if connected from remote network"
end

# /etc/milter-manager/applicable-conditions/s25r.conf:70
define_applicable_condition("S25R") do |condition|
  # /etc/milter-manager/applicable-conditions/s25r.conf:71
  condition.description = "Selective SMTP Rejection"
end

# /etc/milter-manager/applicable-conditions/sendmail-compatible.conf:5
define_applicable_condition("Sendmail Compatible") do |condition|
  # /etc/milter-manager/applicable-conditions/sendmail-compatible.conf:6
  condition.description = "Make a milter depends on Sendmail workable with Postfix"
end

# /etc/milter-manager/applicable-conditions/stress.conf:25
define_applicable_condition("Stress Notify") do |condition|
  # /etc/milter-manager/applicable-conditions/stress.conf:26
  condition.description = "Define stress=yes macro when stress situation"
end

# /etc/milter-manager/applicable-conditions/stress.conf:34
define_applicable_condition("No Stress") do |condition|
  # /etc/milter-manager/applicable-conditions/stress.conf:35
  condition.description = "Apply milter only when normal condition"
end

# /etc/milter-manager/applicable-conditions/trust.conf:87
define_applicable_condition("Trust") do |condition|
  # /etc/milter-manager/applicable-conditions/trust.conf:88
  condition.description = "Set {trusted_*}=yes macros for trusted session"
end

# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
  milter.description = "Grey listing filter for sendmail"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  milter.applicable_conditions = [
    # default
    "Sendmail Compatible",
    # default
    "Stress Notify",
    # default
    "Trust",
    # default
    "Remote Network",
    # default
    "S25R",
    # default
    "Unauthenticated",
  ]
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/bin/systemctl"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start milter-greylist"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # default
  milter.writing_timeout = 7.0
  # default
  milter.reading_timeout = 7.0
  # default
  milter.end_of_message_timeout = 297.0
end

# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
  milter.description = "Milter module for the Clam Antivirus scanner"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  # default
  milter.applicable_conditions = []
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/bin/systemctl"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start clamav-milter"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # default
  milter.writing_timeout = 7.0
  # default
  milter.reading_timeout = 7.0
  # default
  milter.end_of_message_timeout = 297.0
end

# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("spamass-milter") do |milter|
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
  milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
  milter.description = "Mail filter for SpamAssassin"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
  milter.enabled = true
  # default
  milter.fallback_status = "accept"
  # default
  milter.evaluation_mode = false
  milter.applicable_conditions = [
    # default
    "Remote Network",
    # default
    "Unauthenticated",
    # default
    "No Stress",
  ]
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:39
  milter.command = "/usr/bin/systemctl"
  # /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:40
  milter.command_options = "start spamass-milter"
  # default
  milter.user_name = nil
  # default
  milter.connection_timeout = 297.0
  # default
  milter.writing_timeout = 7.0
  # default
  milter.reading_timeout = 7.0
  # default
  milter.end_of_message_timeout = 297.0
end

または

# milter-manager --show-config | egrep 'define_milter|milter.connection_spec|milter.enabled'
define_milter("milter-greylist") do |milter|
  milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
  milter.enabled = true
define_milter("clamav-milter") do |milter|
  milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
  milter.enabled = true
define_milter("spamass-milter") do |milter|
  milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
  milter.enabled = true

openDKIMは検出できていないようですので/etc/milter-manager/milter-manager.local.confを作成し編集することで追加します。

# vi milter-manager.local.conf
# Registers OpenDKIM with milter-manager by hand, because --show-config
# (above) did not auto-detect it the way it did milter-greylist,
# clamav-milter and spamass-milter.
define_milter("opendkim") do |milter|
  # Socket opendkim listens on. It is created srw-rw---- opendkim:opendkim
  # (see the ls output below), so the milter-manager user must be in the
  # opendkim group and must be able to traverse /var/run/opendkim (0710).
  milter.connection_spec = "unix:/run/opendkim/opendkim.sock"
  milter.description = nil
  milter.enabled = true
  # NOTE(review): "accept" presumably means the session is accepted
  # (unsigned / unverified) when opendkim is unreachable or times out,
  # i.e. fail-open. It matches manager.fallback_status above; confirm that
  # this is the intended policy for DKIM.
  milter.fallback_status = "accept"
  milter.evaluation_mode = false
  # No conditions, unlike spamass-milter ("Remote Network",
  # "Unauthenticated", "No Stress"). Presumably this applies opendkim to
  # every session, including authenticated submissions, which outbound
  # signing needs -- verify against the milter-manager docs.
  milter.applicable_conditions = []
  # Same command / options pattern as the auto-detected milters.
  milter.command = "/usr/bin/systemctl"
  milter.command_options = "start opendkim"
  milter.user_name = nil
  # Slightly longer than the auto-detected milters' 297.0 / 7.0 values.
  milter.connection_timeout = 300.0
  milter.writing_timeout = 10.0
  milter.reading_timeout = 10.0
  milter.end_of_message_timeout = 300.0
end

念のため再起動

# systemctl restart milter-manager

設定が反映されていることを確認

# milter-manager --show-config | egrep 'define_milter|milter.connection_spec|milter.enabled'
define_milter("milter-greylist") do |milter|
  milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
  milter.enabled = true
define_milter("clamav-milter") do |milter|
  milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
  milter.enabled = true
define_milter("spamass-milter") do |milter|
  milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
  milter.enabled = true
define_milter("opendkim") do |milter|
  milter.connection_spec = "unix:/run/opendkim/opendkim.sock"
  milter.enabled = true

openDKIMの動作を確認

外部からメールを送信または外部へメールを送信してみてpostfixのログファイル(/var/log/maillog)をチェックします。
また、メールのソースを表示してヘッダーを確認します。
※外部メールは自分が所有しているメールアドレスにしてください。

Sep 12 08:37:00 MTAホスト名 postfix/smtpd[17439]: connect from 送信元ドメイン名[IPアドレス]
Sep 12 08:37:00 MTAホスト名 milter-manager[7282]: [statistics] [milter][end][connect][stop][0.00082](2017): milter-greylist
Sep 12 08:37:01 MTAホスト名 policyd-spf[17466]: None; identity=helo; client-ip=IPアドレス; helo=送信元ドメイン名; envelope-from=送信者メールアドレス; receiver=宛先メールアドレス
Sep 12 08:37:01 MTAホスト名 policyd-spf[17466]: Pass; identity=mailfrom; client-ip=IPアドレス; helo=送信元ドメイン名; envelope-from=送信者メールアドレス; receiver=宛先メールアドレス
Sep 12 08:37:01 MTAホスト名 postfix/smtpd[17439]: キューID: client=送信元domain名[IPアドレス]
Sep 12 08:37:01 MTAホスト名 postfix/cleanup[17467]: キューID: message-id=<メッセージID>
Sep 12 08:37:07 MTAホスト名 spamd[13149]: spamd: connection from localhost [::1]:46338 to port 783, fd 6
Sep 12 08:37:07 MTAホスト名 spamd[13149]: spamd: setuid to sa-milt succeeded
Sep 12 08:37:07 MTAホスト名 spamd[13149]: spamd: processing message <メッセージID> for sa-milt:990
Sep 12 08:37:08 MTAホスト名 spamd[13149]: spamd: clean message (2.7/5.0) for sa-milt:990 in 1.5 seconds, 25646 bytes.
Sep 12 08:37:08 MTAホスト名 spamd[13149]: spamd: result: . 2 - FROM_EXCESS_BASE64,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_NONELEMENT_30_40,MIME_HEADER_CTYPE_ONLY,RCVD_IN_DNSWL_NONE,SPF_PASS,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_BLOCKED scantime=1.5,size=25646,user=sa-milt,uid=990,required_score=5.0,rhost=localhost,raddr=::1,rport=46338,mid=<メッセージID>,autolearn=no autolearn_force=no
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Status>=<No, score=2.7 required=5.0 tests=FROM_EXCESS_BASE64,#012#011HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_NONELEMENT_30_40,MIME_HEADER_CTYPE_ONLY,#012#011RCVD_IN_DNSWL_NONE,SPF_PASS,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_BLOCKED#012#011autolearn=no autolearn_force=no version=3.4.0>: spamass-milter
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Level>=<**>: spamass-milter
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Checker-Version>=<SpamAssassin 3.4.0 (2014-02-07) on#012#011MTA-FQDN>: spamass-milter
Sep 12 08:37:08 MTAホスト名 opendkim[7019]: キューID: 送信元ドメイン名 [IPアドレス] not internal
Sep 12 08:37:08 MTAホスト名 opendkim[7019]: キューID: not authenticated
Sep 12 08:37:08 MTAホスト名 opendkim[7019]: キューID: no signature data
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2020): <DKIM-Filter>=< OpenDKIM Filter v2.11.0 MTA-FQDN キューID>: opendkim
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <DKIM-Filter>=< OpenDKIM Filter v2.11.0 MTA-FQDN キューID>
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <X-Spam-Status>=< No, score=2.7 required=5.0 tests=FROM_EXCESS_BASE64,#012#011HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_NONELEMENT_30_40,MIME_HEADER_CTYPE_ONLY,#012#011RCVD_IN_DNSWL_NONE,SPF_PASS,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_BLOCKED#012#011autolearn=no autolearn_force=no version=3.4.0>
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <X-Spam-Level>=< **>
Sep 12 08:37:09 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <X-Spam-Checker-Version>=< SpamAssassin 3.4.0 (2014-02-07) on#012#011MTA-FQDN>
Sep 12 08:37:09 MTAホスト名 spamd[13148]: prefork: child states: II
Sep 12 08:37:09 MTAホスト名 postfix/qmgr[16914]: キューID: from=<送信者メールアドレス>, size=25625, nrcpt=1 (queue active)
Sep 12 08:37:09 MTAホスト名 postfix/smtpd[17439]: disconnect from 送信元ドメイン名[IPアドレス]
Sep 12 08:37:09 MTAホスト名 milter-manager[7282]: [statistics] [session][end][end-of-message][pass][8.41667](2016)
Sep 12 08:37:09 MTAホスト名 milter-manager[7282]: [statistics] [sessions][finished] 404(+1) 0
Sep 12 08:37:09 MTAホスト名 dovecot: lda(宛先メールアドレス): msgid=<メッセージID>: saved mail to INBOX
Sep 12 08:37:09 MTAホスト名 postfix/pipe[17476]: キューID: to=<宛先メールアドレス>, relay=dovecot, delay=8.3, delays=8.2/0.07/0/0.11, dsn=2.0.0, status=sent (delivered via dovecot service)
Sep 12 08:37:09 MTAホスト名 postfix/qmgr[16914]: キューID: removed

スパムチェック処理後にopendkimの処理とmilter-managerにてopendkimヘッダーが追加されているのがわかります。
現在、受信ではspfやopenDKIMにて拒否する設定にはしていませんが、送信では拒否されないようにSPF+openDKIM認証に対応するようにしてあります。
※SPFやDKIM認証で設定にミスがあるとREJECT(拒否)されてしまいメールが一切受信できなくなるので注意してください。

UNIXソケットファイル関連

openDKIMのソケットファイルへのアクセスエラーやファイルが存在しないエラーの対応です。

まず、CentOS7では/var/run以下は再起動すると削除されますので、起動時にディレクトリが再作成されるように設定します。

# vi /usr/lib/tmpfiles.d/opendkim.conf
d /var/run/opendkim 0710 opendkim opendkim

パーミッションはpostfixやmilter-managerからアクセスできるように設定します。(上記のmain.cfの設定ではPostfixはmilter-manager.sockに接続するため、opendkim.sockへ直接接続するのはmilter-managerです。)
milter-managerの設定を参考にすればよいと思います。

# usermod -G opendkim -a milter-manager

必要であれば/var/run/opendkim/opendkim.sockにグループがアクセスできるように/etc/opendkim.confのUmask値を変更します。

# ls -la /var/run/opendkim/
合計 4
drwx--x---  2 opendkim opendkim   80  9月 11 20:59 .
drwxr-xr-x 39 root     root     1100  9月 12 10:03 ..
-rw-r--r--  1 opendkim opendkim    5  9月 11 20:59 opendkim.pid
srw-rw----  1 opendkim opendkim    0  9月 11 20:59 opendkim.sock

恐らくopenDKIMのインストール時には、/var/run/opendkimディレクトリのパーミッションがデフォルトで0700になっているはずです。
上記のtmpfiles.dの設定は再起動後のディレクトリ作成用ですので、既存のディレクトリはchmodで0710に変更してください。※ディレクトリ配下にアクセスするには実行権が必要です。

phoenix 2018/09/12 (水)- 08:22

ディストリビューション

CentOS 7.x