Skip to content

A milter that performs DKIM and ARC signatures.

License

Notifications You must be signed in to change notification settings

masa23/arcmilter

Repository files navigation

arcmilter Go Report Card GoDoc MIT licensed

A milter that performs DKIM and ARC signatures.
I intended to comply with RFC6376 and RFC8617, but since it is designed for personal use, thorough testing is needed for actual operation.
I welcome feedback and pull requests.

Signing Conditions

  • DKIM
    • Sign if there is a private key for the domain in the From field.
    • Do not sign emails that are already DKIM signed.
  • ARC
    • Sign during receipt if there is a private key for the domain in the Rcpt-To field.
    • Do not sign during sending.

Installation

Binary Installation

  • Please download the binary from the release page.

  • For CentOS/RHEL, you can install it using the following command:

    # rpm -ivh arcmilter_*_amd64.rpm
  • For Debian/Ubuntu, you can install it using the following command:

    # dpkg -i arcmilter_*_amd64.deb

Manual Build & Installation

  • You need to have an environment with golang installed.
    # git clone github.com/masa23/arcmilter
    # (cd arcmilter/cmd/arcmilter && go build)
    
    # install -m 700 arcmilter/cmd/arcmilter/arcmilter /usr/local/bin/
    # install -m 600 arcmilter/cmd/arcmilter/arcmilter.yaml /usr/local/etc/arcmilter.yaml
    # sed -e 's#/usr/bin/arcmilter#/usr/local/bin/arcmilter#' -e '#/etc/arcmilter.yaml#/usr/local/etc/arcmilter/arcmilter.yaml#' \
            arcmilter/misc/files/arcmilterctl.service > /etc/systemd/system/arcmilterctl.service
    # systemctl daemon-reload

Configuration

  • Configuration File

    # vi /etc/arcmilter/arcmilter.yaml
    
    MilterListen:
      Network: tcp
      Address: 127.0.0.1:10029
    #MilterListen:
    #  Network: unix
    #  Address: /var/run/arcmilter.sock
    #  Mode: 0600
    #  Owner: postfix // Default: Execution user
    #  Group: postfix // Default: Execution group
    ControlSocketFile:
      Path: /var/run/arcmilterctl.sock
      Mode: 0600
    PIDFile:
      Path: /var/run/arcmilter.pid
    LogFile:
      Path: /var/log/arcmilter.log
      Mode: 0600
    MyNetworks:
    - 127.0.0.0/8
    - ::1/128
    Domains:
      "example.jp": // Domain for DKIM signing in From field, and ARC signing in Rcpt-To field
        HeaderCanonicalization: "relaxed" // Header normalization method
        BodyCanonicalization: "relaxed"   // Body normalization method
        Selector: "default"               // Selector
        PrivateKeyFile: "/etc/arcmilter/keys/example.jp.key" // Path to private key
        DKIM: true  // Enable DKIM signing
        ARC: true   // Enable ARC signing
      "example.com": // You can configure multiple domains
        HeaderBodyCanonicalization: "relaxed"
        BodyCanonicalization: "relaxed"
        Selector: "default"
        ARCSelector: "default"
        PrivateKeyFile: "/etc/arcmilter/keys/example.com.key"
        DKIM: true
        ARC: true
    User: mail  // User to run the milter
    Group: mail // Group to run the milter
    ARCSignHeaders: // Headers to sign with ARC
      - "DKIM-Signature"
      - "Date"
      - "From"
      - "To"
      - "Message-Id"
    DKIMSignHeaders: // Headers to sign with DKIM
      - "Date"
      - "From"
      - "To"
      - "Reply-To"
      - "Message-ID"
      - "Subject"
    Debug: false
  • Generating Private Key

    # openssl genpkey -algorithm rsa -out /etc/arcmilter/keys/example.jp.key -pkeyopt rsa_keygen_bits:2048
  • Generating Public Key

    # openssl pkey -in /etc/arcmilter/keys/example.jp.key -pubout -out /etc/arcmilter/keys/example.jp.pub
  • Configuring DNS Records

    # openssl pkey -in /etc/arcmilter/keys/example.jp.pub -pubin -outform DER | openssl base64 -A | tr -d '\n' | fold -w 120 | sed -e 's/^/"/g' -e 's/$/"/g'
  • Example of DNS Record

    <selector>._domainkey IN TXT  ("v=DKIM1; h=sha256; k=rsa; p="
                                   "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxBYDpP2LvLICZKSyzA9noR39zm8FGi2F2f83zldwvxyqaKgnmJ0sNsx86zfcbF1JosTLVXdyPE/u"
                                   "eaILXQ4CLK065m39NTv+UzIyg1Jsp9KeOnfia1/Bn3dYjLV/Ix84SwMtP15k7zY+2l4or38/uyhTGFpLF/bET2LlP8eBxXHtg6t1A798qR4/ZGVauKCDkbye"
                                   "YHjGJ6DktYmjk9Cv2DC7x3SYekHjGQMamswHZl7kYlKgiZKDVevXWcd5IFWONOObzZdgO2boDf/wrqS1eA0BFstbTRdENj1tH573pku3vrOPfJF123E8h6ii"
                                   "86jISHmtWg500WPJ8LB8Gzc7CQIDAQAB")
    

Start

# systemctl start arcmilter.service

Example Configuration for Postfix

# vi /etc/postfix/main.cf

For TCP
smtpd_milters = inet:127.0.0.1:10029

For UNIX socket
smtpd_milters = unix:/var/run/arcmilter.sock

Thanks!

The following external libraries are used.

The following library was used as a reference during production.

About

A milter that performs DKIM and ARC signatures.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages