RMILTER(8) BSD System Manager's Manual RMILTER(8)NAMErmilter — milter for sendmail with many abilities designed for distrib‐
uted MX network
SYNOPSISrmilter [-h] [-c config_file]
DESCRIPTION
The rmilter utility is designed to act as milter for sendmail(8) MTA. It
provides several filter and mail scan features, among them are:
· Clamav scanning (via unix or tcp socket).
· Spamd scanning (supports rspamd and spamassassin)
· Spf checking (via libspf2)
· Greylisting with memcached/redis upstream
· Ratelimit with memcached/redis upstream
· Auto-whitelisting (internal and via memcached/redis upstream)
· Regexp checks.
· DCC checking (optional)
· Passing messages and/or their headers to beanstalk servers
The following additional options are supported:
-n do not daemonize on startup
-h Show greeting message, version of rmilter and exit
-c config_file
Specify config file to use
All rmilter configuration is placed in rmilter.conf file.
CONFIGURATION FILE
The configuration file has format:
⟨name⟩ = ⟨value⟩ ;
Value may be:
· String (may not contain spaces)
· Quoted string (if string may contain spaces)
· Numeric value
· Flag (y, Yes or n, No)
· Ip or network (eg. 127.0.0.1, 192.168.1.0/24)
· Socket argument (eg. host:port or /path/to/socket)
· Regexp (eg. /Match*/)
· List (eg. value1, value2, value3)
· Recipients list (user, user@domain, @domain)
· Time argument (eg. 10s, 5d)
Some directives MUST be specified only in specified sections. Section
definition looks like:
section_name {
section_directive;
...
};
Common sections:
· clamav - clamav definitions
· spamd - spamd (spamassassin or rspamd) definitions
· limits - limits definitions
· greylisting - greylisting definitions
· rule - regexp rule definition (a section per rule)
Directives that can be defined in config file:
· Global section:
- pidfile - specify path to pidfile
Default: /var/run/rmilter.pid
- tempdir - specify path to temporary directory. For maximum per‐
formance it is recommended to put it on memory file system.
Default: $TMPDIR
- tempfiles_mode - mode for files created in tempdir
Default: 0600
- bind_socket - socket credits for local bind:
1. unix:/path/to/file - bind to local socket
2. inet:port@host - bind to inet socket
Default: bind_socket = unix:/var/tmp/rmilter.sock
- max_size - maximum size of scanned message for clamav, spamd and
dcc.
Default: 0 (no limit)
- strict_auth - strict checks for mails from authenticated senders
Default: no
- spf_domains - list of domains that would be checked with spf
Default: empty (spf disabled)
- use_dcc - flag that specify whether we should use dcc checks for
mail
Default: no
- whitelist - global recipients whitelist
Default: no
· Clamav section:
- servers - clamav socket definitions in format:
1. /path/to/file
2. host[:port]
sockets are separated by ','
Default: empty
- connect_timeout - timeout in miliseconds for connecting to clamav
Default: 1s
- port_timeout - timeout in miliseconds for waiting for clamav port
response
Default: 4s
- results_timeout - timeout in miliseconds for waiting for clamav
response
Default: 20s
- error_time - time in seconds during which we are counting errors
Default: 10
- dead_time - time in seconds during which we are thinking that
server is down
Default: 300
- maxerrors - maximum number of errors that can occur during
error_time to make us thinking that this upstream is dead
Default: 10
· Spamd section:
- servers - rspamd socket definitions in format:
1. /path/to/file
2. host[:port]
sockets are separated by ‘’,
Default: empty (spam checks disabled)
- connect_timeout - timeout in miliseconds for connecting to spamd
Default: 1s
- results_timeout - timeout in miliseconds for waiting for spamd
response
Default: 20s
- error_time - time in seconds during which we are counting errors
Default: 10
- dead_time - time in seconds during which we are thinking that
server is down
Default: 300
- maxerrors - maximum number of errors that can occur during
error_time to make us thinking that this upstream is dead
Default: 10
- reject_message - reject message for spam (quoted string)
Default: “Spam message rejected; If this is not spam
contact abuse team”
- spamd_soft_fail - if action is not reject use it for other
actions (flag)
Default: true
- spamd_never_reject - never reject a message even if spamd action
is 'reject', add header instead (flag)
Default: false
- spamd_temp_fail - return temporary failure if spam servers could
not be reached (ignore otherwise) (flag)
Default: false
- spamd_greylist - greylist message only if action is greylist
(flag)
Default: true
- spam_header - add specified header if action is add_header and
spamd_soft_fail os turned on
Default: “X-Spam”
- spam_header_value - add specified value for spam_header
Default: “yes”
- rspamd_metric - rspamd metric that would define whether we reject
message as spam or not (quoted string)
Default: “default”
- whitelist - list of ips or nets that should be not checked with
spamd
Default: empty
- extended_spam_headers - add extended spamd headers to messages,
is useful for debugging or private mail servers (flag)
Default: false
- retry_timeout - timeout in miliseconds to retry check if the cur‐
rent check has failed
Default: 1s
- retry_count - number of retries before giving up
Default: 5
- tempfail_on_error - send temporary SMTP error if we have failed
to scan a message for spam
Default: false
· Memcached/redis section:
- servers_grey - memcached/redis servers for greylisting in format:
host [:port] [, host [:port]]
Default: empty
- servers_white - memcached/redis servers for whitelisting in for‐
mat similar to that is used in servers_grey
Default: empty
- servers_limits - memcached/redis servers used for limits storing,
can not be mirrored
Default: empty
- connect_timeout - timeout in miliseconds for connecting to mem‐
cached/redis
Default: 1s
- error_time - time in seconds during which we are counting errors
Default: 10
- dead_time - time in seconds during which we are thinking that
server is down
Default: 300
- maxerrors - maximum number of errors that can occur during
error_time to make us thinking that this upstream is dead
Default: 10
· Beanstalk section:
- servers - beanstalk servers for pushing headers in format:
host [:port] [, host [:port]]
Default: empty
- copy_server - address of server to which rmilter should send all
messages copies
Default: empty
- spam_server - address of server to which rmilter should send spam
messages copies
Default: empty
- connect_timeout - timeout in miliseconds for connecting to
beanstalk
Default: 1s
- error_time - time in seconds during which we are counting errors
Default: 10
- dead_time - time in seconds during which we are thinking that
server is down
Default: 300
- maxerrors - maximum number of errors that can occur during
error_time to make us thinking that this upstream is dead
Default: 10
- id_regexp - regexp that defines for which messages we should put
the whole message to beanstalk, not only headers, now this regexp
checks only In-Reply-To headers
Default: empty
- send_beanstalk_headers - defines whether we should send headers
to beanstalk servers (from servers option)
Default: no
- send_beanstalk_copy - defines whether we should send copy of mes‐
sages to beanstalk server (from copy_server option)
Default: no
- send_beanstalk_spam - defines whether we should send copy of spam
messages to beanstalk server (from spam_server option)
Default: no
· Greylisting section:
- timeout (required) - time during which we mark message greylisted
Default: 300s
- expire (required) - time during which we save a greylisting
record
Default: empty (greylisting disabled)
- whitelist - list of ip addresses or networks that should be
whitelisted from greylisting
Default: empty
- awl_enable - enable internal auto-whitelist mechanics
Default: no
- awl_pool - size for in-memory auto whitelist
Default: 10M
- awl_hits - number of messages (from this ip) that passes
greylisting to put this ip into whitelist
Default: 10
- awl_ttl - time to live for ip address in auto whitelist
Default: 3600s
· Limits section.
Rate limits are implemented as leaked bucket, so first value is
bucket burst - is peak value for messages in bucket (after reaching
it bucket is counted as overflowed and new messages are rejected),
second value is rate (how much messages can be removed from bucket
each second). It can be schematically displayed:
|------------------| <----- current value
| |
|------------------| <----- burst
| |
| |
| |
| |
\ /
----------------- ..... <----- rate (speed of emptying)
- limit_whitelist_ip - don't check limits for specified ips
Default: empty
- limit_whitelist_rcpt - don't check limits for specified recipi‐
ents
Default: no
- limit_bounce_addrs - list of address that require more strict
limits
Default: postmaster, mailer-daemon,
symantec_antivirus_for_smtp_gateways, ⟨, null,
fetchmail-daemon⟩
- limit_bounce_to - limits bucket for bounce messages (only rcpt
to)
Default: 5:0.000277778
- limit_bounce_to_ip - limits bucket for bounce messages (only rcpt
to per one source ip)
Default: 5:0.000277778
- limit_to - limits bucket for non-bounce messages (only rcpt to)
Default: 20:0.016666667
- limit_to_ip - limits bucket for non-bounce messages (only rcpt to
per one source ip)
Default: 30:0.025
- limit_to_ip_from - limits bucket for non-bounce messages (msg
from, rcpt to per one source ip)
Default: 100:0.033333333
· DKIM section.
Dkim can be used to sign messages by rmilter. Dkim support must be
provided with opendkim library and rmilter must be configured with
--enable-dkim option.
- header_canon - canonization of headers (simple or relaxed)
Default: simple
- body_canon - canonization of body (simple or relaxed)
Default: simple
- sign_alg - signature algorithm (sha1 for rsa-sha1 and sha256 for
rsa-sha256)
Default: sha1
- auth_only - sign mail for authorized users only
Default: yes
- fold_header - fold the resulting header (can break some bad MTA)
Default: no
- domain - domain entry must be enclosed in braces {}
· key - path to private key
· domain - domain to be used for signing (this matches with
SMTP FROM data)
· selector - dkim DNS selector (e.g. for selector dkim and
domain example.com DNS TXT record should be for
dkim._domainkey.example.com).
· sign_networks - also sign mail from these IP networks
EXAMPLE CONFIG
# pidfile - path to pid file
# Default: pidfile = /var/run/rmilter.pid
pidfile = /var/run/rmilter/rmilter.pid;
clamav {
# servers - clamav socket definitions in format:
# /path/to/file
# host[:port]
# sockets are separated by ','
# Default: empty
servers = clamav.test.ru, clamav.test.ru, clamav.test.ru;
# connect_timeout - timeout in miliseconds for connecting to clamav
# Default: 1s
connect_timeout = 1s;
# port_timeout - timeout in miliseconds for waiting for clamav port response
# Default: 4s
port_timeout = 4s;
# results_timeout - timeout in miliseconds for waiting for clamav response
# Default: 20s
results_timeout = 20s;
# error_time - time in seconds during which we are counting errors
# Default: 10
error_time = 10;
# dead_time - time in seconds during which we are thinking that server is down
# Default: 300
dead_time = 300;
# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
# this upstream is dead
# Default: 10
maxerrors = 10;
};
spamd {
# servers - spamd socket definitions in format:
# /path/to/file
# host[:port]
# sockets are separated by ','
# Default: empty
servers = clamav.test.ru, clamav.test.ru, clamav.test.ru;
# connect_timeout - timeout in miliseconds for connecting to spamd
# Default: 1s
connect_timeout = 1s;
# results_timeout - timeout in miliseconds for waiting for spamd response
# Default: 20s
results_timeout = 20s;
# error_time - time in seconds during which we are counting errors
# Default: 10
error_time = 10;
# dead_time - time in seconds during which we are thinking that server is down
# Default: 300
dead_time = 300;
# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
# this upstream is dead
# Default: 10
maxerrors = 10;
# reject_message - reject message for spam
# Default: "Spam message rejected; If this is not spam contact abuse team"
reject_message = "Spam message rejected; If this is not spam contact abuse at example.com";
# whitelist - list of ips or nets that should be not checked with spamd
# Default: empty
whitelist = 127.0.0.1/32, 192.168.0.0/16;
};
redis {
# servers_grey - memcached servers for greylisting in format:
# host[:port][, host[:port]]
# It is possible to make memcached mirroring, its syntax is {server1, server2}
servers_grey = {localhost, memcached.test.ru}, memcached.test.ru:11211;
# servers_white - memcached servers for whitelisting in format similar to that is used
# in servers_grey
# servers_white = {localhost, memcached.test.ru}, memcached.test.ru:11211;
# servers_limits - memcached servers used for limits storing, can not be mirrored
servers_limits = memcached.test.ru, memcached.test.ru:11211;
# connect_timeout - timeout in miliseconds for waiting for memcached
# Default: 1s
connect_timeout = 1s;
# error_time - time in seconds during which we are counting errors
# Default: 10
error_time = 10;
# dead_time - time in seconds during which we are thinking that server is down
# Default: 300
dead_time = 300;
# maxerrors - maximum number of errors that can occur during error_time to make us thinking that
# this upstream is dead
# Default: 10
maxerrors = 10;
};
# bind_socket - socket credits for local bind:
# unix:/path/to/file - bind to local socket
# inet:port@host - bind to inet socket
# Default: bind_socket = unix:/var/tmp/rmilter.sock;
bind_socket = unix:/var/run/rmilter/rmilter.sock;
# tempdir - path to directory that contains temporary files
# Default: $TMPDIR
tempdir = /spool/tmp;
# tempfiles_mode - mode for files created in the tempdir
# Default: 0600
# tempfiles_mode = 0600;
# max_size - maximum size of scanned mail with clamav and dcc
# Default: 0 (no limit)
max_size = 10M;
# spf_domains - path to file that contains hash of spf domains
# Default: empty
spf_domains = rambler.ru, mail.ru;
# use_dcc - whether use or not dcc system
# Default: no
use_dcc = yes;
# whitelisted recipients
# domain are whitelisted as @example.com
whitelist = postmaster, abuse;
# rule definition:
# rule {
# accept|discard|reject|tempfail|quarantine "[message]"; <- action definition
# [not] connect <regexp> <regexp>; <- conditions
# helo <regexp>;
# envfrom <regexp>;
# envrcpt <regexp>;
# header <regexp> <regexp>;
# body <regexp>;
# };
# limits section
limits {
# Whitelisted ip
limit_whitelist_ip = 194.67.45.4;
# Whitelisted recipients
limit_whitelist_rcpt = postmaster, mailer-daemon;
# Addrs for bounce checks
limit_bounce_addrs = postmaster, mailer-daemon, symantec_antivirus_for_smtp_gateways, <>, null, fetchmail-daemon;
# Limit for bounce mail
limit_bounce_to = 5:0.000277778;
# Limit for bounce mail per one source ip
limit_bounce_to_ip = 5:0.000277778;
# Limit for all mail per recipient
limit_to = 20:0.016666667;
# Limit for all mail per one source ip
limit_to_ip = 30:0.025;
# Limit for all mail per one source ip and from address
limit_to_ip_from = 100:0.033333333;
};
beanstalk {
# List of beanstalk servers, random selected
servers = queue.example.com:3132;
# Time to live for task in seconds
lifetime = 172800;
# Regexp that define for which messages we should put the whole message to beanstalk
# now only In-Reply-To headers are checked
id_regexp = "/^SomeID.*$/";
};
dkim {
domain {
key = /usr/local/etc/dkim_example.key;
domain = "example.com";
selector = "dkim";
};
domain {
key = /usr/local/etc/dkim_test.key;
domain = "test.com";
selector = "dkim";
};
header_canon = relaxed;
body_canon = relaxed;
sign_alg = sha256;
};
NOTES
There are several things that might be useful to notice.
The order of checks:
1. DKIM test from and create signing context (MAIL FROM)
2. Ratelimit (RCPT TO)
3. Greylisting (DATA)
4. Ratelimit (EOM, set bucket value)
5. Rules (EOM)
6. SPF (EOM)
7. Message size (EOM) if failed, skip clamav, dcc and spamd checks
8. DCC (EOM)
9. Spamd (EOM)
10. Clamav (EOM)
11. Beanstalk (EOM)
12. DKIM add signature (EOM)
Keys used in memcached/redis:
· rcpt - bucket for rcpt filter
· rcpt:ip - bucket for rcpt_ip filter
· rcpt:ip:from - bucket for rcpt_ip_from filter
· rcpt:<> - bucket for bounce_rcpt filter
· rcpt:ip:<> - bucket for bounce_rcpt_ip filter
· md5(from. ip. to) - key for greylisting triplet (hexed string of md5
value)
Postfix settings
There are several useful settings for postfix to work with this milter:
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
milter_mail_macros = i {mail_addr} {client_addr} {client_name}
milter_protocol = 4
BSD Dec 24, 2012 BSD
