2021-06-26 17:13:27 -04:00
# CSC Milter
2021-08-31 22:20:45 -04:00
This is a milter ("mail filter") for CSC.
It will reject a message if and only if the following conditions are satisfied:
* a message arrives on port 25 or 465
* the client is not authenticated
* the From: header (**not** the envelope header) contains a CSC address
* there is no Received: header indicating that the message was previously received by a CSC mail server
The objective is to reject messages from spammers spoofing the From: header
to a CSC address.
The last point (the Received header check) is to allow forwarding and mailing lists (e.g. a CSC member sends an email to the DSA mailing list, to which the syscom list is subscribed). This isn't perfect because the Received header can also be spoofed, but it should probably be good enough for now.
2021-06-26 17:13:27 -04:00
## Installation
As root:
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
apt install python3-milter
pip3 install .
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
Installing python3-milter will also install libmilter as a dependency.
2021-06-12 16:17:13 -04:00
2021-06-26 17:13:27 -04:00
Now open /etc/postfix/main.cf and add 'unix:/run/csc-milter/csc-milter.sock'
to the end of smptd_milters. Example:
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
smtpd_milters = unix:/var/spool/postfix/spamass/spamass.sock unix:/run/csc-milter/csc-milter.sock
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
Also open /etc/postfix/master.cf and explicitly set smtpd_milters *without*
csc-milter for the ports where csc-milter should not be running. Example:
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
...
-o smtpd_milters=unix:/var/spool/postfix/spamass/spamass.sock
...
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
Notice how smtpd_milters above does not have the csc-milter socket path. Therefore
csc-milter will not be invoked on messages arriving on port 587 (submission).
2021-08-31 22:20:45 -04:00
You also need to modify milter\_connect\_macros in
/etc/postfix/main.cf to include `{daemon_port}` and `{auth_type}` . This allows
authenticated cilents to be skipped.
2021-06-26 17:13:27 -04:00
Example:
2021-06-12 18:02:01 -04:00
```
2021-08-31 22:20:45 -04:00
milter_connect_macros = j v _ {daemon_name} {daemon_port} {auth_type}
2021-06-12 18:02:01 -04:00
```
2021-08-31 22:20:45 -04:00
Optional: add the following to /etc/postfix/main.cf:
2021-06-12 18:02:01 -04:00
```
2021-06-26 17:13:27 -04:00
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
```
Then, in /etc/postfix/smtpd\_milter\_map, add something like the following:
```
127.0.0.0/8 DISABLE
192.168.0.0/16 DISABLE
::/64 DISABLE
2001:db8::/32 DISABLE
```
This ensures that csc-milter will not be run on messages from local clients.
Replace 'DISABLE' by any additional milters which should be run. Note that
even if you do not do this, csc-milter will still accept messages from local
clients.
2021-06-12 18:02:01 -04:00
2021-08-31 22:20:45 -04:00
### Running locally
For development purposes:
```
su -s /bin/bash postfix
python3 csc_milter/main.py
```
2021-06-26 17:37:15 -04:00
### systemd
2021-08-31 22:20:45 -04:00
The Debian package installs a systemd service named csc-milter. Usage:
2021-06-26 17:37:15 -04:00
```
systemctl enable csc-milter
systemctl start csc-milter
```
2021-06-26 17:13:27 -04:00
## Tests
Run the following from the root directory:
```
pip3 install -r test_requirements.txt
pytest
2021-06-12 18:02:01 -04:00
```
