Assuming that OpenDKIM has already been installed and configured (including the Postfix and DNS settings) and that Milter Manager and Postfix have been set up following the CentOS 7 installation instructions in "milterを使った効果的な迷惑メール対策" (the Milter Manager site), this post describes how to have Milter Manager manage OpenDKIM.
The versions of the relevant software are:
| Software | Version |
|---|---|
| postfix | 2.10.1 |
| openDKIM | 2.11.0 |
| Milter Manager | 2.1.4 |
Postfix is configured exactly as described in the Milter Manager setup instructions.
Note: do not add the Postfix settings (in main.cf or master.cf) that a plain Postfix + OpenDKIM setup would use.
# ---------------------- Milter Manager ------------------------------
milter_protocol = 6
milter_default_action = accept
smtpd_milters = unix:/var/run/milter-manager/milter-manager.sock
milter_mail_macros = {auth_author} {auth_type} {auth_authen}
Spam and virus filtering are already under Milter Manager's control via spamass-milter and clamav-milter.
Delete or comment out the spam/virus filters that were previously listed in content_filter.
Having Milter Manager manage OpenDKIM
Milter Manager can auto-detect the milters installed on the system, so the following command shows which ones have been detected and enabled.
# milter-manager --show-config
# default
package.platform = "centos7"
# default
package.options = nil
# /etc/milter-manager/defaults/redhat.conf:3
security.privilege_mode = true
# default
security.effective_user = "milter-manager"
# default
security.effective_group = "milter-manager"
# default
log.level = "default"
# default
log.path = nil
# default
log.use_syslog = true
# default
log.syslog_facility = "mail"
# /etc/milter-manager/milter-manager.conf:11
manager.connection_spec = "inet:10025@[127.0.0.1]"
# /etc/milter-manager/milter-manager.conf:12
manager.unix_socket_mode = 0660
# default
manager.unix_socket_group = "milter-manager"
# default
manager.remove_unix_socket_on_create = true
# default
manager.remove_unix_socket_on_close = true
# default
manager.daemon = false
# default
manager.pid_file = "/var/run/milter-manager/milter-manager.pid"
# default
manager.maintenance_interval = 10
# default
manager.suspend_time_on_unacceptable = 5
# default
manager.max_connections = 0
# default
manager.max_file_descriptors = 0
# default
manager.custom_configuration_directory = nil
# default
manager.fallback_status = "accept"
# default
manager.fallback_status_at_disconnect = "temporary-failure"
# default
manager.event_loop_backend = "glib"
# default
manager.n_workers = 0
# default
manager.packet_buffer_size = 0
# default
manager.connection_check_interval = 0
# default
manager.chunk_size = 65535
# default
manager.max_pending_finished_sessions = 0
# default
controller.connection_spec = nil
# default
controller.unix_socket_mode = 0660
# default
controller.unix_socket_group = nil
# default
controller.remove_unix_socket_on_create = true
# default
controller.remove_unix_socket_on_close = true
# default
database.type = nil
# default
database.name = nil
# default
database.host = nil
# default
database.port = nil
# default
database.path = nil
# default
database.user = nil
# default
database.password = nil
# /etc/milter-manager/applicable-conditions/authentication.conf:3
define_applicable_condition("Authenticated") do |condition|
# /etc/milter-manager/applicable-conditions/authentication.conf:4
condition.description = "Apply a milter only when sender is authorized"
end
# /etc/milter-manager/applicable-conditions/authentication.conf:11
define_applicable_condition("Unauthenticated") do |condition|
# /etc/milter-manager/applicable-conditions/authentication.conf:12
condition.description = "Apply a milter only when sender is not authorized"
end
# /etc/milter-manager/applicable-conditions/dnsbl.conf:99
define_applicable_condition("DNSBL Listed") do |condition|
# /etc/milter-manager/applicable-conditions/dnsbl.conf:100
condition.description = "Apply a milter only when connected host is listed in DNS-based Blackhole List"
end
# /etc/milter-manager/applicable-conditions/dnsbl.conf:109
define_applicable_condition("Not DNSBL Listed") do |condition|
# /etc/milter-manager/applicable-conditions/dnsbl.conf:110
condition.description = "Apply a milter only when connected host is not listed in DNS-based Blackhole List"
end
# /etc/milter-manager/applicable-conditions/remote-network.conf:25
define_applicable_condition("Remote Network") do |condition|
# /etc/milter-manager/applicable-conditions/remote-network.conf:26
condition.description = "Apply milter only if connected from remote network"
end
# /etc/milter-manager/applicable-conditions/s25r.conf:70
define_applicable_condition("S25R") do |condition|
# /etc/milter-manager/applicable-conditions/s25r.conf:71
condition.description = "Selective SMTP Rejection"
end
# /etc/milter-manager/applicable-conditions/sendmail-compatible.conf:5
define_applicable_condition("Sendmail Compatible") do |condition|
# /etc/milter-manager/applicable-conditions/sendmail-compatible.conf:6
condition.description = "Make a milter depends on Sendmail workable with Postfix"
end
# /etc/milter-manager/applicable-conditions/stress.conf:25
define_applicable_condition("Stress Notify") do |condition|
# /etc/milter-manager/applicable-conditions/stress.conf:26
condition.description = "Define stress=yes macro when stress situation"
end
# /etc/milter-manager/applicable-conditions/stress.conf:34
define_applicable_condition("No Stress") do |condition|
# /etc/milter-manager/applicable-conditions/stress.conf:35
condition.description = "Apply milter only when normal condition"
end
# /etc/milter-manager/applicable-conditions/trust.conf:87
define_applicable_condition("Trust") do |condition|
# /etc/milter-manager/applicable-conditions/trust.conf:88
condition.description = "Set {trusted_*}=yes macros for trusted session"
end
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("milter-greylist") do |milter|
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
milter.description = "Grey listing filter for sendmail"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
milter.applicable_conditions = [
# default
"Sendmail Compatible",
# default
"Stress Notify",
# default
"Trust",
# default
"Remote Network",
# default
"S25R",
# default
"Unauthenticated",
]
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/bin/systemctl"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start milter-greylist"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# default
milter.writing_timeout = 7.0
# default
milter.reading_timeout = 7.0
# default
milter.end_of_message_timeout = 297.0
end
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
milter.description = "Milter module for the Clam Antivirus scanner"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
# default
milter.applicable_conditions = []
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/bin/systemctl"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start clamav-milter"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# default
milter.writing_timeout = 7.0
# default
milter.reading_timeout = 7.0
# default
milter.end_of_message_timeout = 297.0
end
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("spamass-milter") do |milter|
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:44
milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:38
milter.description = "Mail filter for SpamAssassin"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:37
milter.enabled = true
# default
milter.fallback_status = "accept"
# default
milter.evaluation_mode = false
milter.applicable_conditions = [
# default
"Remote Network",
# default
"Unauthenticated",
# default
"No Stress",
]
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:39
milter.command = "/usr/bin/systemctl"
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:40
milter.command_options = "start spamass-milter"
# default
milter.user_name = nil
# default
milter.connection_timeout = 297.0
# default
milter.writing_timeout = 7.0
# default
milter.reading_timeout = 7.0
# default
milter.end_of_message_timeout = 297.0
end
Or:
# milter-manager --show-config | egrep 'define_milter|milter.connection_spec|milter.enabled'
define_milter("milter-greylist") do |milter|
milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
milter.enabled = true
define_milter("clamav-milter") do |milter|
milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
milter.enabled = true
define_milter("spamass-milter") do |milter|
milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
milter.enabled = true
OpenDKIM does not appear to have been detected, so add it by creating and editing /etc/milter-manager/milter-manager.local.conf.
# vi milter-manager.local.conf
define_milter("opendkim") do |milter|
milter.connection_spec = "unix:/run/opendkim/opendkim.sock"
milter.description = nil
milter.enabled = true
milter.fallback_status = "accept"
milter.evaluation_mode = false
milter.applicable_conditions = []
milter.command = "/usr/bin/systemctl"
milter.command_options = "start opendkim"
milter.user_name = nil
milter.connection_timeout = 300.0
milter.writing_timeout = 10.0
milter.reading_timeout = 10.0
milter.end_of_message_timeout = 300.0
end
Restart, just to be sure:
# systemctl restart milter-manager
Confirm that the setting has taken effect:
# milter-manager --show-config | egrep 'define_milter|milter.connection_spec|milter.enabled'
define_milter("milter-greylist") do |milter|
milter.connection_spec = "unix:/run/milter-greylist/milter-greylist.sock"
milter.enabled = true
define_milter("clamav-milter") do |milter|
milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
milter.enabled = true
define_milter("spamass-milter") do |milter|
milter.connection_spec = "unix:/run/spamass-milter/postfix/sock"
milter.enabled = true
define_milter("opendkim") do |milter|
milter.connection_spec = "unix:/run/opendkim/opendkim.sock"
milter.enabled = true
Checking that OpenDKIM works
Send a message from an external address, or send one to an external address, and check the Postfix log file (/var/log/maillog).
Also view the message source and inspect the headers.
Note: use an external address that you own.
Sep 12 08:37:00 MTAホスト名 postfix/smtpd[17439]: connect from 送信元ドメイン名[IPアドレス]
Sep 12 08:37:00 MTAホスト名 milter-manager[7282]: [statistics] [milter][end][connect][stop][0.00082](2017): milter-greylist
Sep 12 08:37:01 MTAホスト名 policyd-spf[17466]: None; identity=helo; client-ip=IPアドレス; helo=送信元ドメイン名; envelope-from=送信者メールアドレス; receiver=宛先メールアドレス
Sep 12 08:37:01 MTAホスト名 policyd-spf[17466]: Pass; identity=mailfrom; client-ip=IPアドレス; helo=送信元ドメイン名; envelope-from=送信者メールアドレス; receiver=宛先メールアドレス
Sep 12 08:37:01 MTAホスト名 postfix/smtpd[17439]: キューID: client=送信元domain名[IPアドレス]
Sep 12 08:37:01 MTAホスト名 postfix/cleanup[17467]: キューID: message-id=<メッセージID>
Sep 12 08:37:07 MTAホスト名 spamd[13149]: spamd: connection from localhost [::1]:46338 to port 783, fd 6
Sep 12 08:37:07 MTAホスト名 spamd[13149]: spamd: setuid to sa-milt succeeded
Sep 12 08:37:07 MTAホスト名 spamd[13149]: spamd: processing message <メッセージID> for sa-milt:990
Sep 12 08:37:08 MTAホスト名 spamd[13149]: spamd: clean message (2.7/5.0) for sa-milt:990 in 1.5 seconds, 25646 bytes.
Sep 12 08:37:08 MTAホスト名 spamd[13149]: spamd: result: . 2 - FROM_EXCESS_BASE64,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_NONELEMENT_30_40,MIME_HEADER_CTYPE_ONLY,RCVD_IN_DNSWL_NONE,SPF_PASS,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_BLOCKED scantime=1.5,size=25646,user=sa-milt,uid=990,required_score=5.0,rhost=localhost,raddr=::1,rport=46338,mid=<メッセージID>,autolearn=no autolearn_force=no
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Status>=<No, score=2.7 required=5.0 tests=FROM_EXCESS_BASE64,#012#011HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_NONELEMENT_30_40,MIME_HEADER_CTYPE_ONLY,#012#011RCVD_IN_DNSWL_NONE,SPF_PASS,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_BLOCKED#012#011autolearn=no autolearn_force=no version=3.4.0>: spamass-milter
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Level>=<**>: spamass-milter
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Checker-Version>=<SpamAssassin 3.4.0 (2014-02-07) on#012#011MTA-FQDN>: spamass-milter
Sep 12 08:37:08 MTAホスト名 opendkim[7019]: キューID: 送信元ドメイン名 [IPアドレス] not internal
Sep 12 08:37:08 MTAホスト名 opendkim[7019]: キューID: not authenticated
Sep 12 08:37:08 MTAホスト名 opendkim[7019]: キューID: no signature data
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [milter][header][add](2020): <DKIM-Filter>=< OpenDKIM Filter v2.11.0 MTA-FQDN キューID>: opendkim
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <DKIM-Filter>=< OpenDKIM Filter v2.11.0 MTA-FQDN キューID>
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <X-Spam-Status>=< No, score=2.7 required=5.0 tests=FROM_EXCESS_BASE64,#012#011HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTML_NONELEMENT_30_40,MIME_HEADER_CTYPE_ONLY,#012#011RCVD_IN_DNSWL_NONE,SPF_PASS,T_REMOTE_IMAGE,UNPARSEABLE_RELAY,URIBL_BLOCKED#012#011autolearn=no autolearn_force=no version=3.4.0>
Sep 12 08:37:08 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <X-Spam-Level>=< **>
Sep 12 08:37:09 MTAホスト名 milter-manager[7282]: [statistics] [session][header][add](2016): <X-Spam-Checker-Version>=< SpamAssassin 3.4.0 (2014-02-07) on#012#011MTA-FQDN>
Sep 12 08:37:09 MTAホスト名 spamd[13148]: prefork: child states: II
Sep 12 08:37:09 MTAホスト名 postfix/qmgr[16914]: キューID: from=<送信者メールアドレス>, size=25625, nrcpt=1 (queue active)
Sep 12 08:37:09 MTAホスト名 postfix/smtpd[17439]: disconnect from 送信元ドメイン名[IPアドレス]
Sep 12 08:37:09 MTAホスト名 milter-manager[7282]: [statistics] [session][end][end-of-message][pass][8.41667](2016)
Sep 12 08:37:09 MTAホスト名 milter-manager[7282]: [statistics] [sessions][finished] 404(+1) 0
Sep 12 08:37:09 MTAホスト名 dovecot: lda(宛先メールアドレス): msgid=<メッセージID>: saved mail to INBOX
Sep 12 08:37:09 MTAホスト名 postfix/pipe[17476]: キューID: to=<宛先メールアドレス>, relay=dovecot, delay=8.3, delays=8.2/0.07/0/0.11, dsn=2.0.0, status=sent (delivered via dovecot service)
Sep 12 08:37:09 MTAホスト名 postfix/qmgr[16914]: キューID: removed
You can see that after the spam check, OpenDKIM runs and milter-manager adds the OpenDKIM header.
At present, inbound mail is not configured to be rejected based on SPF or OpenDKIM, but outbound mail supports SPF + OpenDKIM authentication so that it is not rejected by recipients.
Note: a mistake in the SPF or DKIM configuration will cause mail to be REJECTed and you will not be able to receive any mail at all, so take care.
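As an added example (not part of the original post), the following Python script applies the same log check mechanically: it correlates the opendkim lines with Milter Manager's DKIM-Filter header-add lines by Postfix queue ID, and flags messages that Postfix accepted but OpenDKIM never logged, which is what you would see if the milter definition above had not taken effect. The log lines embedded in it are constructed to mirror the maillog excerpt above; the host names, addresses and queue IDs are made up.

```python
"""Check a Postfix maillog for evidence that OpenDKIM ran under Milter Manager."""
import re
from collections import defaultdict

# Constructed sample modelled on the maillog excerpt above (hosts, addresses
# and queue IDs are made up). 3ABCD1234 is inbound and only verified,
# 3ABCD5678 is an authenticated outbound message that gets signed, and
# 3ABCD9999 is a message OpenDKIM never logged at all.
SAMPLE_MAILLOG = """\
Sep 12 08:37:01 mta postfix/smtpd[17439]: 3ABCD1234: client=example.net[192.0.2.10]
Sep 12 08:37:08 mta milter-manager[7282]: [statistics] [milter][header][add](2019): <X-Spam-Status>=<No, score=2.7 required=5.0>: spamass-milter
Sep 12 08:37:08 mta opendkim[7019]: 3ABCD1234: example.net [192.0.2.10] not internal
Sep 12 08:37:08 mta opendkim[7019]: 3ABCD1234: not authenticated
Sep 12 08:37:08 mta opendkim[7019]: 3ABCD1234: no signature data
Sep 12 08:37:08 mta milter-manager[7282]: [statistics] [milter][header][add](2020): <DKIM-Filter>=< OpenDKIM Filter v2.11.0 mta.example.org 3ABCD1234>: opendkim
Sep 12 08:37:09 mta milter-manager[7282]: [statistics] [session][end][end-of-message][pass][8.41667](2016)
Sep 12 08:37:09 mta postfix/qmgr[16914]: 3ABCD1234: removed
Sep 12 09:02:11 mta postfix/smtpd[17501]: 3ABCD5678: client=laptop.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Sep 12 09:02:12 mta opendkim[7019]: 3ABCD5678: DKIM-Signature field added (s=default, d=example.org)
Sep 12 09:02:12 mta milter-manager[7282]: [statistics] [milter][header][add](2031): <DKIM-Filter>=< OpenDKIM Filter v2.11.0 mta.example.org 3ABCD5678>: opendkim
Sep 12 09:02:12 mta milter-manager[7282]: [statistics] [milter][header][add](2031): <DKIM-Signature>=<v=1; a=rsa-sha256; d=example.org; s=default; ...>: opendkim
Sep 12 09:30:00 mta postfix/smtpd[17600]: 3ABCD9999: client=relay.example.net[203.0.113.5]
Sep 12 09:30:01 mta postfix/qmgr[16914]: 3ABCD9999: removed
"""

# syslog line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w./-]+)\[\d+\]: (?P<msg>.*)$")
# Postfix / OpenDKIM messages start with the queue ID
QUEUE_RE = re.compile(r"^(?P<qid>[0-9A-Z]{6,}): (?P<event>.*)$")
# milter-manager statistics line for a header added by a specific milter
HEADER_ADD_RE = re.compile(
    r"\[milter\]\[header\]\[add\]\(\d+\): <(?P<name>[^>]+)>=<(?P<value>.*)>: (?P<milter>\S+)$"
)


def analyze_maillog(text):
    """Return {queue_id: {"events", "signed", "dkim_filter"}} for every message seen.

    events      -- OpenDKIM's own log messages for that queue ID, in order
    signed      -- True when OpenDKIM reported adding a DKIM-Signature
    dkim_filter -- True when Milter Manager logged OpenDKIM's DKIM-Filter header add
    """
    report = defaultdict(lambda: {"events": [], "signed": False, "dkim_filter": False})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        if prog.startswith("postfix/"):
            q = QUEUE_RE.match(msg)
            if q:
                report[q.group("qid")]  # register the message even if no milter logged it
        elif prog == "opendkim":
            q = QUEUE_RE.match(msg)
            if q:
                entry = report[q.group("qid")]
                entry["events"].append(q.group("event"))
                if q.group("event").startswith("DKIM-Signature field added"):
                    entry["signed"] = True
        elif prog == "milter-manager":
            h = HEADER_ADD_RE.search(msg)
            if h and h.group("milter") == "opendkim" and h.group("name") == "DKIM-Filter":
                # The DKIM-Filter value ends with "<MTA FQDN> <queue ID>", which is the
                # only link between milter-manager's session numbers and Postfix queue IDs.
                report[h.group("value").split()[-1]]["dkim_filter"] = True
    return dict(report)


def messages_missing_opendkim(report):
    """Queue IDs that Postfix processed but OpenDKIM never logged and no DKIM-Filter header was added for."""
    return sorted(q for q, e in report.items() if not e["events"] and not e["dkim_filter"])


if __name__ == "__main__":
    result = analyze_maillog(SAMPLE_MAILLOG)
    for qid, entry in result.items():
        verdict = "signed" if entry["signed"] else "verified / passed through"
        print(f"{qid}: {verdict}; DKIM-Filter header added: {entry['dkim_filter']}; {entry['events']}")
    for qid in messages_missing_opendkim(result):
        print(f"{qid}: WARNING - OpenDKIM did not process this message")
```

Point it at the real log with `analyze_maillog(open("/var/log/maillog").read())`; a non-empty result from `messages_missing_opendkim` means the milter is defined but not being applied to those sessions.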
UNIX socket files
This section covers errors accessing OpenDKIM's socket file, or the file not existing at all.
First, on CentOS 7 everything under /var/run is removed on reboot, so configure it so that the directory is recreated.
# vi /usr/lib/tmpfiles.d/opendkim.conf
d /var/run/opendkim 0710 opendkim opendkim
Set the permissions so that postfix and milter-manager can access the socket.
Using milter-manager's own settings as a reference should be enough.
# usermod -G opendkim -a milter-manager
If necessary, change the UMask value in /etc/opendkim.conf so that the group can access /var/run/opendkim/opendkim.sock.
# ls -la /var/run/opendkim/
合計 4
drwx--x--- 2 opendkim opendkim 80 9月 11 20:59 .
drwxr-xr-x 39 root root 1100 9月 12 10:03 ..
-rw-r--r-- 1 opendkim opendkim 5 9月 11 20:59 opendkim.pid
srw-rw---- 1 opendkim opendkim 0 9月 11 20:59 opendkim.sock
When OpenDKIM is installed, the permissions on the /var/run/opendkim directory are probably 0700 by default.
Change them to 0710 with chmod. (Note: execute permission on a directory is required to access anything inside it.)
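As an added example that is not part of the original post, this Python script ties the milter definition above and the socket-permission fix together: it reads the milter definitions from `milter-manager --show-config` output, and for each enabled `unix:` socket it walks the path as the milter-manager user would, checking the search (x) bit on every directory and the write bit on the socket itself, which is exactly what fails when the directory is still 0700. The embedded `--show-config` excerpt and the numeric user/group IDs in the comments are constructed; the user name `milter-manager` is the effective user from the configuration above.

```python
"""Check whether the milter-manager user can reach each milter's UNIX socket."""
import grp
import os
import pwd
import re
import shutil
import stat
import subprocess

# Constructed excerpt in the shape of `milter-manager --show-config` output.
SAMPLE_SHOW_CONFIG = """\
# /usr/lib64/milter-manager/binding/lib/milter/manager/detector.rb:36
define_milter("clamav-milter") do |milter|
  milter.connection_spec = "unix:/var/run/clamav-milter/clamav-milter.socket"
  milter.enabled = true
end
define_milter("opendkim") do |milter|
  milter.connection_spec = "unix:/run/opendkim/opendkim.sock"
  milter.enabled = true
end
define_milter("old-filter") do |milter|
  milter.connection_spec = "inet:10026@[127.0.0.1]"
  milter.enabled = false
end
"""

MILTER_RE = re.compile(r'define_milter\("(?P<name>[^"]+)"\)')
SPEC_RE = re.compile(r'milter\.connection_spec = "(?P<spec>[^"]+)"')
ENABLED_RE = re.compile(r"milter\.enabled = (?P<val>true|false)")


def parse_show_config(text):
    """Return {name: {"spec": str, "enabled": bool}} from --show-config output."""
    milters, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):  # source-location comments, e.g. "# default"
            continue
        if (m := MILTER_RE.search(line)):
            current = milters.setdefault(m.group("name"), {"spec": None, "enabled": False})
        elif current is not None and (m := SPEC_RE.search(line)):
            current["spec"] = m.group("spec")
        elif current is not None and (m := ENABLED_RE.search(line)):
            current["enabled"] = m.group("val") == "true"
    return milters


def unix_socket_paths(milters):
    """Socket paths of enabled milters that use a unix: connection spec."""
    return {name: m["spec"][len("unix:"):] for name, m in milters.items()
            if m["enabled"] and m["spec"] and m["spec"].startswith("unix:")}


def bits_allow(mode, owner_uid, owner_gid, subject_uid, subject_gids, want):
    """Classic UNIX DAC check; `want` is a mask of 4 (read), 2 (write), 1 (execute/search)."""
    if subject_uid == 0:
        return True  # root bypasses mode bits (milter-manager drops privileges, so this rarely applies)
    if subject_uid == owner_uid:
        granted = (mode >> 6) & 7
    elif owner_gid in subject_gids:
        granted = (mode >> 3) & 7
    else:
        granted = mode & 7
    return (granted & want) == want


def socket_reachable(path, user):
    """Walk every directory on `path` (search bit) and the socket itself (write bit) as `user`."""
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {pw.pw_gid}
    target, checked = os.path.abspath(path), ""
    for part in target.split(os.sep)[1:]:
        checked = os.path.join(checked or os.sep, part)
        try:
            st = os.stat(checked)  # follows the /var/run -> /run symlink on CentOS 7
        except FileNotFoundError:
            return False, f"{checked} does not exist (tmpfiles.d entry missing, or daemon not running?)"
        if checked == target:
            if not stat.S_ISSOCK(st.st_mode):
                return False, f"{checked} is not a socket"
            want, label = 2, "write"
        else:
            want, label = 1, "search"
        mode = stat.S_IMODE(st.st_mode)
        if not bits_allow(mode, st.st_uid, st.st_gid, pw.pw_uid, gids, want):
            return False, f"{user} lacks {label} permission on {checked} (mode {oct(mode)})"
    return True, "ok"


if __name__ == "__main__":
    if shutil.which("milter-manager"):
        text = subprocess.run(["milter-manager", "--show-config"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SHOW_CONFIG  # fall back to the constructed sample when run elsewhere
    for name, sock in unix_socket_paths(parse_show_config(text)).items():
        ok, why = socket_reachable(sock, "milter-manager")
        print(f"{name}: {sock}: {'OK' if ok else 'PROBLEM: ' + why}")
```

`bits_allow` reproduces the two cases from the ls output above: with the directory at 0700 a member of the opendkim group is refused the search bit, and at 0710 it is granted; the socket's 0660 mode then lets that group member connect while any other user is refused.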