signing-milter - sign email via milter protocol
signing-milter implements the milter ("mail filter") interface, originally
distributed as part of version 8.11 of sendmail, to provide a signing service
for mail transiting a milter-aware MTA.
Show summary of options and exit.
Show version of program and exit.
- -c clientgroup
If the socket is a local UNIX socket, it is set to be read/writeable by the group
clientgroup. The group must be any group other than root and the group
signing-milter runs as. The parameter is required unless using a TCP socket.
- -d loglevel
Set the loglevel. The default level 3 logs all errors. Valid values are the
effective syslog priorities as described in the syslog manual.
By default signing-milter uses the envelope sender as the signer address to look
up in the signingtable. With this option it also uses the value of a named
header to look up the signer address. This is useful when using VERP
(Variable Envelope Return Path).
- -g group
Set the group signing-milter will run as if started as root. If omitted, the
group name signing-milter is used.
- -k directory
For debugging purposes signing-milter can store data to files. They are created
in the named directory, which must be readable, writeable and executable by the
user signing-milter runs as. It must not grant any rights to others.
signing-milter creates two files containing the unsigned and the signed data.
The files are named plain-QUEUEID and signed-QUEUEID. If omitted, no files are
written.
- -m signingtable
signing-milter uses a table to look up the signing material corresponding to a
given sender address. This table is a compiled database. The signingtable lists
mail addresses on the left (key), one or more spaces or tabs, and a full path to
an associated file (value). These files must contain a signer certificate and a
signer private key in PEM format.
The files containing certificates and private keys are security sensitive.
Therefore they must only be readable, and not writeable, for the user
signing-milter runs as. They must also not be world readable.
Feature available since version 20120731:
If you put cert and key in a file named /path/to/foo-cert+key.pem then
signing-milter also tries to load /path/to/foo-chain.pem. If it exists it should
contain the intermediate and root certificates that will be included in the
signature. No special error is signaled if /path/to/foo-chain.pem exists but is
unreadable for the user signing-milter runs as. When using chain certificates
you should check the logs to verify that the chain is really used.
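The permission rules above can be verified before the table is compiled. This added example is not part of signing-milter; it assumes the plain-text table source (address, whitespace, full path) and checks each referenced file against the requirements stated in this section, including the foo-chain.pem companion that would otherwise be skipped without an error:

```shell
#!/bin/sh
# Pre-flight check for a signingtable source file (added example, not part of
# signing-milter). Assumes the plain-text table that is later compiled: one
# "address<whitespace>/full/path/file.pem" entry per line, '#' comments allowed.
# Run it as the user signing-milter runs as, since -r tests the caller's access.

check_signingtable() {    # usage: check_signingtable TABLE; returns 0 when clean
    rc=0
    while read -r addr pemfile rest; do
        case "$addr" in ''|'#'*) continue ;; esac        # blank line or comment
        if [ ! -f "$pemfile" ]; then
            echo "$addr: $pemfile does not exist"; rc=1; continue
        fi
        # find -perm -MODE prints the file only when every bit of MODE is set
        [ -z "$(find "$pemfile" -perm -o=r)" ] || { echo "$addr: $pemfile is world readable"; rc=1; }
        [ -z "$(find "$pemfile" -perm -u=w)" ] || { echo "$addr: $pemfile is writeable by its owner"; rc=1; }
        grep -q 'BEGIN CERTIFICATE' "$pemfile" || { echo "$addr: no certificate in $pemfile"; rc=1; }
        grep -q 'PRIVATE KEY' "$pemfile"       || { echo "$addr: no private key in $pemfile"; rc=1; }
        case "$pemfile" in                               # foo-cert+key.pem -> foo-chain.pem
        *-cert+key.pem)
            chain="${pemfile%-cert+key.pem}-chain.pem"
            if [ -e "$chain" ] && [ ! -r "$chain" ]; then
                echo "$addr: $chain exists but is unreadable, the chain would be skipped silently"; rc=1
            fi ;;
        esac
    done < "$1"
    return $rc
}

# Constructed fixture: two entries, one compliant (mode 0400) and one left at 0644.
# The PEM bodies are placeholders, not real key material.
make_demo_table() {       # prints the path of the generated table
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
        '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' \
        > "$dir/good-cert+key.pem"
    cp "$dir/good-cert+key.pem" "$dir/bad-cert+key.pem"
    chmod 0400 "$dir/good-cert+key.pem"
    chmod 0644 "$dir/bad-cert+key.pem"
    printf '# signingtable source\n%s\t%s\n%s %s\n' \
        'alice@example.org' "$dir/good-cert+key.pem" \
        'bob@example.org'   "$dir/bad-cert+key.pem" > "$dir/signingtable"
    echo "$dir/signingtable"
}

table=$(make_demo_table)
check_signingtable "$table" && echo "signingtable OK" || echo "fix the problems listed above"
```

The check reports only the bob entry in the fixture, since its file is both owner-writeable and world readable.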
- -n modetable
signing-milter can use this optional table to look up recipient addresses. If at
least one recipient of a message is found in modetable, the result is applied to
the message. The value may contain any combination of the following words:
For debugging purposes keep the plain and signed data under /tmp/*-$queueid. In
contrast to the -k option the directory is fixed and saving does not occur for
all messages.
The signing mode is switched from detached to opaque. Opaque mode is intended to
preserve signatures for mail transiting broken MTAs.
The message will not be signed and simply passes unchanged.
- -s socket
Specifies the socket that should be established by the filter to receive
connections from the MTA in order to provide service. The socket is given in one
of three forms: one creates a UNIX domain socket at the specified path, one
creates a TCP socket on the specified port, and one creates a TCPv6 socket on
the specified port. If the host is not given as either a hostname or an IP
address, the socket will listen on all interfaces. If no socket is given at
all, the milter listens on a built-in default.
Let's push IPv6, yeah!
- -t timeout
This is the number of seconds signing-milter will wait for an MTA communication
(read or write) before timing out.
- -u user
Set the user signing-milter will run as if started under root. If omitted, the
username signing-milter is used.
This option tells signing-milter to add a header indicating the presence of this
filter in the path of the message from injection to delivery. The product name,
version and hostname are included in the header's contents.
signing-milter is security-sensitive. It talks to an MTA and has access to
otherwise unprotected private keys. It must run at a fixed low privilege.
signing-milter refuses to run with root privileges.
You may start signing-milter as root. In this case signing-milter will switch to
the user/group signing-milter or the user and group given with -u and -g. You
may also switch to an unprivileged user and then start signing-milter.
LOCAL SOCKET
If you want signing-milter to run with a local UNIX socket it is important that
the socket is accessible by the MTA. In this case start signing-milter under
root, set -u and -g (or leave them at their defaults) and set -c to a group
other than root and signing-milter. signing-milter will adjust the socket's
owner, group and file mode to allow proper access by members of clientgroup.
signing-milter dumps statistical data on SIGALRM. The data contains the number of
signed messages and the total signing time in seconds.milliseconds, separated by
/. All counters are reset to zero after SIGALRM. Statistical data are also
dumped on SIGTERM.
STARTUP AND LOGGING
signing-milter is designed to be run by a supervisor like daemontools or runit.
It does not fork into the background as a daemon, so all logging goes to syslog
using facility LOG_MAIL. All messages except priority LOG_NOTICE and LOG_INFO
are also sent to stdout.
The private signing keys must not be protected by a password. signing-milter
should also support GnuPG. A changed signingtable is noticed but not reloaded;
signing-milter must currently be restarted when the signingtable has changed.
The same applies to the modetable.
signing-milter is licensed under the terms of the GNU General Public License as
published by the Free Software Foundation. Only version 2 of the License is
applicable.
signing-milter was written by Andreas Schulze. Portions of the code are inspired
by or copied from postfix and opendkim.
Copyright (c) 2010-2015, Andreas Schulze. All rights reserved.
This document was created by man2html, using the manual pages.
Time: 00:00:00 GMT, March 6, 2015