signing-milter enables you to s/mime sign an ordinary mail while passing a MTA. It is written in C and tested with the postfix MTA. It should work with any MTA implementing the milter protocol.
This repository replaces the daemontools
service manager used in the original release by the Debian standard systemd
service.
- buster
- bullseye
- bookworm
- focal
- jammy
- noble
wget -O- https://smeinecke.github.io/signing-milter/add-repository.sh | bash
apt-get install signing-milter
apt-get install wget lsb-release ca-certificates
wget -O /usr/share/keyrings/smeinecke.github.io-signing-milter.key https://smeinecke.github.io/signing-milter/public.key
echo "deb [signed-by=/usr/share/keyrings/smeinecke.github.io-signing-milter.key] https://smeinecke.github.io/signing-milter/repo $(lsb_release -sc) main" > /etc/apt/sources.list.d/signing-milter.list
apt-get update && apt-get install signing-milter
In default configuration the postfix daemon is chrooted to the spool folder located in /var/spool/postfix/
. To use the socket feature of signing-milter the socket + permissions has to be configured in the /etc/default/signing-milter
file:
#DISABLE_HOURLY_STATISTIK_LOGGING='yes'
#DISABLE_DAILY_STATISTIK_LOGGING='yes'
OPTIONS="-s unix:/var/spool/postfix/signing-milter/signing-milter.sock -c postfix"
Also create the folder within the postfix spool folder with the correct permissions:
mkdir -m o-rwx /var/spool/postfix/signing-milter
chown signing-milter:postfix /var/spool/postfix/signing-milter
The socket has to be configured in postfix in main.cf as new milter:
smtpd_milters = unix:signing-milter/signing-milter.sock
And reload/restart the services:
systemctl restart signing-milter
systemctl reload postfix
All certificates are configured in the /etc/signing-milter/sigingtable
file.
Just add the email address + path of the pem file and use
make
to update the cdb
database and trigger reloading signing-milter.
The certificates have to be readable by the signing-milter
user.
Since version 20120731 signing-milter also supports intermediate certificates.
Just name your certificate with the suffix -cert+key.pem
and put the intermediate + root certificate in a file suffixed by -chain.pem
in the same folder.
The project is based on signing-milter.org by Andreas Schulze.