NAME

authentication_milter - A Perl Mail Authentication Milter

VERSION

version 3.20240827

USAGE

authentication_milter [-c|--control <command>] [-d|--daemon] [--pidfile <file>] [-h|--help] [--prefix <dir>] [-i|--ident <ident>]

OPTIONS

-c|--control <command>
Control a running daemon process or start a new one.

start|restart

  Start a new daemon process, or restart an existing process.

stop

  Stop an already running daemon process.

status

  Show the status of a running daemon process.


Control implies --daemon, and takes account of --pidfile
If no valid data is found in the pidfile then control will
search the process list for a parent process.

If you are running multiple distinct instances of authentication
milter on a single host, each with differing configurations then you
should use the --ident identifier to differentiate between them.
-h|--help
Show this help.
-h|--help default_config
Output an example default configuration, including
config for all installed handler modules.
-h|--help installed
Show a list of installed handler modules.
-h|--help <ModuleName>
Show help for a particular handler module.

Modules installed by default include the following.

AddID Auth DKIM DMARC IPRev LocalIP PTR ReturnOK
Sanitize SenderID SpamAssassin SPF TrustedIP TLS
-d|--daemon
detach from shell and run as a daemon
--pidfile <file>
Write the process PID to the given file.
defaults to /run/authentication_milter.pid
--prefix <dir>
Read configuration from dir rather than /etc/
-i|--ident <ident>
A string identifier for use in process management and logging

This should be used when you are running multiple instances of
authentication_milter on a single host, each with different configurations.

CONFIGURATION

The milter reads configuration from /etc/authentication_milter.json

The configuration file format is as follows...

{
  "external_callback_processor" : "My::Module",       | Name of module containing external callback methods

  "debug"     : 0,                                    | Verbose debugging output
  "dryrun"    : 0,                                    | Dryrun (do not alter or reject mail)
  "logtoerr"  : 0,                                    | Also write logs to STDERR
  "error_log" : "/var/log/authentication_milter.err", | Capture STDERR to logfile

  "extended_log" : 1,                                 | Log added Authentication-Results headers in JSON format
  "legacy_log"   : 1,                                 | When logging extended Authentication-Results logs, also log in legacy format

  "errors_to"   : "John Smith <john@example.com>",    | If set, send exception emails when authmilter encounters
  "errors_from" : "AuthMilter <system@example.com>",  | an unexpected error or timeout
  "errors_headers" : {}                               | optional headers for error emails

  "log_dispatchouli" : {},                            | Optional args to pass directly into Log::Dispatchouli->new()

  "connection"             : "inet:12345@localhost",  | The connection to use
  "umask"                  : "0000",                  | Set umask (for unix socket)

  "connections" : {                                   | Other than the default connection, also bind to
                                                      | these connections.

      "name_two" : {                                  | Name of connection
          "connection"   : "unix:/var/sock/a.sock",   | The connection to use
          "umask"        : "0000",                    | Set umask
      }
      "name_one" : {                                  | Name of connection
          "connection"   : "inet:12346@localhost",    | The connection to use
      }
  },


  "runas"                  : "nobody",                | Drop privs and run as this user (root only)
  "rungroup"               : "nogroup",               | Drop privs and run as this group (root daemon only)
  "chroot"                 : "/path/to/chroot"        | Set chroot before forking (root only)
                                                      | N.B. This path will need to be setup with all required
                                                      | files or the server WILL segfault.
  "listen_backlog"         : 20,                      | socket listen backlog limit (default 20)
  "min_children"           : 20,                      | Min number of children to pre fork
  "max_children"           : 200,                     | Max number of children to pre fork
  "min_spare_children"     : 10,                      | Min number of spare children to maintain
  "max_spare_children"     : 20,                      | Max number of spare children to maintain
  "max_requests_per_child" : 200,                     | Max number of requests per child process (prefork)

  "metric_connection" : "inet:12346@localhost",       | Optional connection on which to expose metrics interface
  "metric_timeout"    : 10,                           | Timeout for metrics IPC (default 5)
  "metric_tempfile"   : "/tmpfs/authmilter_metrics",  | Path to shared metrics data, defaults to <lib_path>/metrics
  "metric_basic_http" : 1,                            | Disable extended http services such as config and grafana json pages

  "cache_dir"        : "/var/cache/auth_milter",      | Path to the shared cache directory
  "spool_dir"        : "/var/spool/auth_milter",      | Path to the shared spool directory
  "lib_dir"          : "/var/lib/auth_milter",        | Path to the shared lib directory
  "lock_file"        : "/var/run/authmilter.lock",    | Optionally specify the location of the Net::Server lock file

  # metric_port and metric_host are deprecated.
  # please use metric_connection instead
  "metric_port"            : 8081,                    | Optional port on which to expose metrics interface
  "metric_host"            : "127.0.0.1",             | Optional host for binding metrics interface

  "protocol"               : "milter",                | The protocol the milter is to use
                                                      | can be either milter or smtp

  "milter_quarantine" : "0",                          | Allow Milter protocol quarantine when running in milter mode
                                                      | (experimental)

  "patch_net_server"  : "1",                          | If true, try and patch some Net::Server issues

  "smtp" : {                                          | Parameters for use when protocol is smtp
      "server_name"    : "scan.example.com",          | The server name to use for the server
      "sock_type"      : "inet",                      | Socket type (inet or unix)
      "sock_host"      : "localhost",                 | Host to connect to (when inet)
      "sock_port"      : "2525",                      | Port to connect to (when inet)
      "sock_path"      : "/var/run/smtp.sock",        | Socket path to connect to (when unix)
      "timeout_in"     : "10",                        | Timeout when waiting for inbound SMTP data
      "timeout_out"    : "10",                        | Timeout when waiting for outbound SMTP data
      "pipeline_limit" : "50",                        | Limit the number of transactions accepted in an SMTP pipeline
      "queue_type"     : "before",                    | SMTP Queue type, either before or after. After queues have
                                                      | an upstream queue ID, before queues do not.
      "temp_dir"       : "/tmp/",                     | Directory for temporary spool files, defaults to in memory
      "chunk_limit"    : 1048576,                     | Process body in chunks of approx this many bytes

      "tcp:12346" : {                                 | Outbound SMTP details can be set per inbound port/socket
                                                      | This allows outbound SMTP to be routed differently for
                                                      | different inbound ports. The key is the inbound port specified
                                                      | as unix:<socket path> or inet:<port>
                                                      | It is not currently possible to set based on listening host.
                                                      | If a specific config set is not found them we use the default
                                                      | set as defined above.
          "server_name" : "scan.example.com",         | The server name to use for the server
          "sock_type"   : "inet",                     | Socket type (inet or unix)
          "sock_host"   : "localhost",                | Host to connect to (when inet)
          "sock_port"   : "2526",                     | Port to connect to (when inet)
          "timeout_in"  : "10",                       | Timeout when waiting for inbound SMTP data
          "timeout_out" : "10"                        | Timeout when waiting for outbound SMTP data
      },
      "unix:/var/sock/a.sock" : {
          "server_name" : "util.example.com",
          "sock_type"   : "unix",
          "sock_path"   : "/var/run/smtp.sock",
          "timeout_in"  : "10",
          "timeout_out" : "10"
      }

  },

                                                      | Timeouts for callbacks, should be slightly lower
                                                      | than the corresponding timeouts in Postfix
                                                      | Timeouts are ignored if missing.
  "connect_timeout"       : 30,                       | Timeout in seconds for Connect callbacks
  "command_timeout"       : 30,                       | Timeout in seconds for Helo,Mail,Rcpt,Data and Unknown callbacks
  "content_timeout"       : 300,                      | Timeout in seconds Header,Eoh, Body and Eom callbacks
  "dequeue_timeout"       : 300,                      | Timeout in seconds for Dequeue callbacks

  "max_dequeue"           : 5,                        | How many dequeue processes can we run at once
  "check_for_dequeue"     : 60,                       | How often in seconds should a dequeue process be spawned

  "dns_resolvers"         : [                         | Explicit list of DNS resolvers to use
      "8.8.8.8",
      "127.0.0.1"
  ],
  "dns_timeout"           : 10,                       | Timeout in seconds for DNS lookups
  "dns_retry"             : 2,                        | Number of times a lookup will retry per call
  "cache_dns_timeouts"    : 1,                        | By default org domains, that result in a DNS timeout are cached
  "dns_servfail_timeout"  : 1000000,                  | How long microseconds a SERVFAIL can take before being considered a timeout
                                                      |     by the internal resolver

  "authserv_id"           : "mx.example.com",         | The authserv-id value to use in Authentication-Results headers
                                                      | This value is optional, and overrides the authserv id set by the
                                                      | MTA in milter mode, and the server_name config option for SMTP
                                                      | mode connections. It is recommended to omit this value unless you
                                                      | have a specific need and understand the implications.

  "hide_none"             : 0,                        | Do not add the Authentication-Results header if the result is 'none'

  "header_indent_style"   : "entry",                  | Optional style to indent/fold Authentication-Results header by.
  "header_fold_at"        : 77,                       | Optional line length to attempt folding of Authentication-Results header at.
                                                      | Header lines over this size will be folded at token boundaries where possible.
  "header_indent_by"      : 4,                        | Optional number of spaces to indent/fold Authentication-Results header by.
                                                      | The style matches those defined in Mail::AuthenticationResults.
                                                      | options are none; no folding
                                                      |             entry; fold on each entry
                                                      |             subentry; fold on each subentry
                                                      |             full; fold on each item
                                                      | the default style is entry, and the default by is 4
                                                      | NB. This only apply when there are no handlers using the
                                                      | legacy string method of adding a section to the header.

  "tempfail_on_error"               : "1",            | Tempfail on errors
  "tempfail_on_error_authenticated" : "0",            | Tempfail on errors for Authenticated IP Connections
  "tempfail_on_error_local"         : "0",            | Tempfail on errors for Local IP Connections
  "tempfail_on_error_trusted"       : "0",            | Tempfail on errors for Trusted IP Connections

  "ip_map" : {                                        | List of IP Addresses or CIDR ranges to remap.
      "1.2.3.4" : {                                   | Any incoming IP address which matches a given key
          "ip": "5.6.7.8", "helo" : mx.test"          | will be remapped to use the value supplied
      },                                              | This is useful, for example, when internal infrastructure
      "dead:beef::/32" : {                            | connects to your MX via a private internal address, but you
          "ip" : "5.6.7.8", "helo" : "mx.test"        | want to run IP based checks (eg SPF) against its external
                                                      |
          "helo_map" : {                              | Additionally match and remap based on a received HELO host
              "test.host" : {                         | from a matching IP address, for milter protocol this is done at the HELO stage, ie
                  "ip" : "5.6.7.9",                   | after the connect stage, so handlers which run in the connect stage will not see
                  "helo" : "mx2.test"                 | this remapped ip address. SMTP protocol runs both remaps before passing control to
              }                                       | the connect handlers, so connect handlers see ip addresses remapped by HELO.
          }
      }                                               | IP address instead.
  },

  "handlers" : {                                      | Config for each handlers, can be prefixed with !
                                                      | to disable that handler without having to remove
                                                      | its config.

        "ActiveModule" : {

          "auth_header_name" :                        | Available to all handlers, the name of the Header
              "Authentication-Results"                | for which an Authentication-Results will be added
                                                      | for this handler.
                                                      |
                                                      | Defaults to "Authentication-Results"
                                                      |
                                                      | If you would like to add multiple Authentiction-Results
                                                      | headers with a single header name then you may postfix
                                                      | the header name with : followed by a unique string.
                                                      |  eg "Authentication-Results:1"
                                                      |     "Authentication-Results:experimental"
                                                      | The : and anything following will be disregarded when
                                                      | generating the header name.

          "foo" : "bar"
      },
      "!InactiveModule" : {},
                                                      | Additionally, config for a module can be placed in a file
                                                      | with filename /etc/authentication_milter.d/ModuleName.json
                                                      | the contents of which should be the JSON assigned to the
                                                      | entry here.

                                                      | Please see the help for each handler for its individual
                                                      | configuration requirements.
  }
}

DMARC

This milter uses Mail::DMARC as a backend for DMARC checks, this module requires that a configuration file is setup.

You should create and populate /etc/mail-dmarc.ini

For DMARC reporting you are also required to setup a datastore, including creating a basic table structure. The detauls of this are to be found in the Mail::DMARC documentation.

At this time forensic reports are not supported by Mail::DMARC or this milter. Only aggregate reports will be generated.

To check reports please use the dmarc_view_reports command, to send reports please use the dmarc_send_reports command. These are included with the Mail::DMARC module.

AUTHOR

Marc Bradshaw <marc@marcbradshaw.net>

COPYRIGHT AND LICENSE

This software is copyright (c) 2020 by Marc Bradshaw.

This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.