
signing-milter

Section: Maintenance Commands (8)
Updated: July, 2020
 

NAME

signing-milter - sign e-mail via the milter protocol

SYNOPSIS

signing-milter [options]  

DESCRIPTION

signing-milter uses the milter interface, originally distributed as part of version 8.11 of sendmail(8), to sign mail transiting a milter-aware MTA. The signature is S/MIME: the certificate and private key are selected per sender through the signingtable (see -m).

OPTIONS

-h
Show summary of options and exit.
-v
Show version of program and exit.
-c clientgroup
If socket is [unix|local]:path, signing-milter adjusts path so that it is readable and writable by group clientgroup (normally the group the MTA runs as). The group must be a group other than root and other than the group signing-milter runs as. The parameter is required unless a TCP socket is used.
-d loglevel
Set the log level. The default level 3 (LOG_ERR) logs all errors and anything more severe. Valid values are syslog priorities, 0 (LOG_EMERG) through 7 (LOG_DEBUG), as defined in /usr/include/syslog.h.
-f
Normally signing-milter uses the envelope sender as the signer address to look up in the signingtable. With -f, signing-milter also uses the value of a header named X-Signer to look up the signer address. This is useful when using VERP (Variable Envelope Return Path), where the envelope sender is different for every recipient. Because X-Signer is taken from the message itself, enable this only where every party that can submit mail through the MTA is trusted; otherwise a sender can choose which key signs the message by adding that header.
-g group
Set the group signing-milter will run as if started as root. If omitted, the group name signing-milter is used.
-k directory
For debugging purposes signing-milter can store message data to files. They are created in the named directory, which must be readable, writable and executable by the user signing-milter runs as and must grant no permissions to others. signing-milter creates two files per message containing the unsigned and the signed data, named plain-QUEUEID and signed-QUEUEID. If omitted, no files are written. Since this keeps a copy of every message passing the filter, use it only while debugging.
-l
Send all log messages to STDOUT. Some environments (for example a supervisor that captures STDOUT, see STARTUP AND LOGGING) work better if all logging goes there. With this switch nothing is sent via syslog, so /dev/log is not needed.
-m signingtable
signing-milter uses a table to look up the signing material for a given sender address. This table is a cdb compiled database (see cdb(1)). The signingtable source lists a mail address on the left (key), one or more spaces or tabs, and the full path to the associated file (value). That file must contain the signer certificate and the signer private key in PEM format.

The files containing certificates and private keys are security sensitive. Therefore they must be readable but not writable by the user signing-milter runs as, and they must not be world readable.

Feature available since version 20120731:
If you put certificate and key in a file named /path/to/foo-cert+key.pem, signing-milter also tries to load /path/to/foo-chain.pem. If it exists, it should contain the intermediate and root certificates, which are then included in the signature.

NOTE:
No specific error is signaled if /path/to/foo-chain.pem exists but is unreadable by the user signing-milter runs as; the chain is then silently left out of the signature. When using chain certificates, check the logs to confirm the chain is really used.

-n modetable
signing-milter can use this optional table to look up recipient addresses. If at least one recipient of a message is found in modetable, the corresponding value is applied to the whole message.

The value may contain any combination of the following words:

keep
For debugging purposes, keep the plain and signed data under /tmp/*-$queueid (the same plain-/signed- naming as -k). In contrast to -k, the directory is fixed and only messages with a matching recipient are saved. Note that /tmp is shared with every user on the host.
opaque
The signing mode is switched from detached (multipart/signed, body left in the clear beside the signature) to opaque (the whole message wrapped inside the signed object). Opaque mode is intended to preserve signatures for mail transiting broken MTAs that rewrite message bodies, which would invalidate a detached signature.
skip
The message is not signed and passes through unchanged.
-s socket
Specifies the socket that the filter establishes to receive connections from sendmail(8) in order to provide service. socket takes one of three forms: [unix|local]:path creates a UNIX domain socket at the specified path; inet:port[@host] creates a TCP socket on the specified port; inet6:port[@host] creates a TCPv6 socket on the specified port. If host is not given as either a hostname or an IP address, the socket listens on all interfaces. If no socket is given at all, the milter listens on inet6:30053@[::1]. Let's push IPv6, yeah! Note that the milter protocol carries no authentication: any host that can connect to a TCP socket can submit messages for signing, so keep such a socket on loopback or on a network reachable only by the MTA.
-t timeout
This is the number of seconds signing-milter will wait for an MTA communication (read or write) before timing out.
-u user
Set the user signing-milter will run as if started as root. If omitted, the user name signing-milter is used.
-x
Causes signing-milter to add a header indicating the presence of this filter in the path of the message from injection to delivery. The product name, version and hostname are included in the header's contents.
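The following is an added example, not part of signing-milter or its distribution, illustrating the -m signingtable described above: a minimal pure-Python writer and reader for the cdb format the table uses (the real table is compiled with the cdb(1) tool listed under SEE ALSO; the writer here only makes the on-disk layout and the lookup inspectable without it), together with a check of the cert+key files the table points to against the rules given for -m (readable but not writable by the milter user, which is assumed to own the files; not readable by others) and for the NOTE case of a foo-chain.pem that exists but cannot be read, which the milter does not report. The addresses, file names and certificate contents are constructed for the example.

```python
"""Added example, not signing-milter's own code: build a -m signingtable with a
minimal pure-Python cdb writer/reader and check the cert+key files it names."""
import os
import stat
import struct
import tempfile


def cdb_hash(key):
    h = 5381  # cdb hash: h = (h * 33) ^ byte for every byte, modulo 2**32
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xFFFFFFFF
    return h


def cdb_make(records, path):
    """Write (key, value) byte pairs as a cdb: a 2048-byte header of 256
    (pos, len) pairs, the records, then 256 open-addressed hash tables."""
    tables = [[] for _ in range(256)]
    with open(path, "wb") as f:
        f.write(b"\0" * 2048)  # header is written last, once offsets are known
        pos = 2048
        for key, value in records:
            h = cdb_hash(key)
            tables[h & 255].append((h, pos))
            f.write(struct.pack("<II", len(key), len(value)) + key + value)
            pos += 8 + len(key) + len(value)
        header = b""
        for entries in tables:
            n = 2 * len(entries)  # each table is at most half full
            slots = [(0, 0)] * n
            for h, rpos in entries:
                i = (h >> 8) % n
                while slots[i][1]:  # linear probing; offset 0 marks a free slot
                    i = (i + 1) % n
                slots[i] = (h, rpos)
            header += struct.pack("<II", pos, n)
            for h, rpos in slots:
                f.write(struct.pack("<II", h, rpos))
            pos += 8 * n
        f.seek(0)
        f.write(header)


def cdb_get(path, key):
    """Look up one key; returns the value bytes, or None when absent."""
    h = cdb_hash(key)
    with open(path, "rb") as f:
        f.seek((h & 255) * 8)
        tpos, n = struct.unpack("<II", f.read(8))
        i = (h >> 8) % n if n else 0
        for _ in range(n):
            f.seek(tpos + 8 * i)
            sh, rpos = struct.unpack("<II", f.read(8))
            if rpos == 0:
                break
            if sh == h:
                f.seek(rpos)
                klen, dlen = struct.unpack("<II", f.read(8))
                if f.read(klen) == key:
                    return f.read(dlen)
            i = (i + 1) % n
    return None


def keyfile_problems(certkey):
    """Rules from the -m description: readable but not writable by the milter
    user (assumed to own the file), not readable by others. Also flags a
    foo-chain.pem that exists but is unreadable, which the milter does not
    report itself; os.access() tests readability as the current user."""
    mode = stat.S_IMODE(os.stat(certkey).st_mode)
    checks = [(not mode & stat.S_IRUSR, "not readable by owner"),
              (mode & (stat.S_IWUSR | stat.S_IWGRP), "writable by owner or group"),
              (mode & (stat.S_IROTH | stat.S_IWOTH), "readable or writable by other")]
    problems = [msg for failed, msg in checks if failed]
    if certkey.endswith("-cert+key.pem"):
        chain = certkey[:-len("-cert+key.pem")] + "-chain.pem"
        if os.path.exists(chain) and not os.access(chain, os.R_OK):
            problems.append("chain file exists but is unreadable")
    return problems


def run_demo():
    """Constructed setup: one key file at 0400 as required, one at 0644 so the check fires."""
    work = tempfile.mkdtemp()
    good = os.path.join(work, "example.org-cert+key.pem")
    bad = os.path.join(work, "lists.example.org-cert+key.pem")
    for path, mode in ((good, 0o400), (bad, 0o644)):
        with open(path, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n")
        os.chmod(path, mode)
    signingtable = os.path.join(work, "signingtable.cdb")
    cdb_make([(b"postmaster@example.org", good.encode()),
              (b"news@lists.example.org", bad.encode())], signingtable)
    return {
        "lookup_good": cdb_get(signingtable, b"postmaster@example.org"),
        "lookup_missing": cdb_get(signingtable, b"nobody@example.org"),
        "good_problems": keyfile_problems(good),
        "bad_problems": keyfile_problems(bad),
    }
```

Run the check as the user signing-milter runs as: the os.access() test answers for the invoking user, and root can read anything, so a root run does not reproduce the milter's view of an unreadable chain file. The mode checks assume a POSIX file system and that the milter user owns the PEM files.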
 

SECURITY

signing-milter is security sensitive. It talks to an MTA and has access to private keys that are not otherwise protected (they cannot carry a password, see BUGS). It must run at a fixed low privilege. signing-milter refuses to run with root privileges.

ACCOUNTS

You may start signing-milter as root. In this case signing-milter switches to the user and group signing-milter, or to the user and group given with -u and -g. You may also switch to an unprivileged user first and then start signing-milter.

LOCAL SOCKET

If you want signing-milter to run with a local UNIX socket, it is important that the socket is accessible by sendmail(8). In this case start signing-milter as root, set -u and -g (or leave them at their defaults) and set -c to a group other than root and other than the signing-milter group. signing-milter then adjusts the socket's owner, group and file mode to allow proper access by sendmail(8).

SIGNALS

signing-milter dumps statistical data on SIGALRM. The data contains the number of signed messages and the total signing time in seconds.milliseconds, separated by a slash. All counters are reset to zero after SIGALRM. Statistical data is also logged on SIGTERM.

STARTUP AND LOGGING

signing-milter is designed to be run by a supervisor like daemontools or runit. It does not fork into the background as a daemon. Logging goes to syslog using facility LOG_MAIL; all messages except those of priority LOG_NOTICE and LOG_INFO are also written to stdout (see -l to send everything to stdout instead of syslog).

BUGS

The private signing keys must not be protected by a password. signing-milter should also support GnuPG. A changed signingtable is noticed but not reloaded; signing-milter currently has to be restarted when the signingtable has changed. The same applies to the modetable.

SEE ALSO

cdb(1), syslog(3), cdb(5), sendmail(8)

http://cr.yp.to/cdb.html, http://www.corpit.ru/mjt/tinycdb.html

http://cr.yp.to/proto/verp.txt  

LICENSE

signing-milter is licensed under the terms of the GNU General Public License as published by the Free Software Foundation. Only version 2 of the License is applicable.

AUTHOR

signing-milter was written by Andreas Schulze. Portions of the code are inspired by or copied from postfix and opendkim.

COPYRIGHT

Copyright (c) 2010-2015, Andreas Schulze. All rights reserved.


 

This document was created by man2html, using the manual pages.
Time: 16:41:53 GMT, July 19, 2020