Closed buzzzo closed 2 years ago
Hi
Is it possible to deploy the milter without docker? It seems quite heavyweight to run a container for just one milter service. Thx
Yes, it is possible to run the milter without docker or any other container environment or dependencies. Just make sure you have all the python dependencies (requirements.txt) installed on your target system. Further, the milter gets configured by environment variables. A shell script could do it for you, there's no magic.
If you do not already use any kind of container technology in your environment, then yes, it might seem to be heavyweight, but in fact it's not ;-)
What's your use case and what does your environment look like?
You're right.
With docker compose it was a breeze to install.
Could you post a complete postfix configuration and opendkim too? Thx
No guarantees that the config will work out of the box. Due to lack of time the following config snippets are just unverified brain dumps ;)
Hope that helps! In case you have any further questions, please don't hesitate to ask :)
opendkim.conf of a locally installed OpenDKIM milter:

```
BaseDirectory /tmp
Mode v
LogWhy yes
Syslog yes
SyslogSuccess yes
Socket inet:1234@127.0.0.1
UserID opendkim
Nameservers ip-addr.of.your.dns-resolver (e.g. 127.0.0.1,8.8.8.8,1.1.1.1)
AuthservID DKIMAuthservID
```
docker-compose.yml of ExOTA-Milter:

```yaml
version: '2.4'
services:
  exota-milter:
    image: chillout2k/exota-milter-amd64
    environment:
      LOG_LEVEL: 'debug'
      MILTER_SOCKET: 'inet:4321@0.0.0.0'
      MILTER_POLICY_FILE: '/data/policy.json'
      MILTER_DKIM_ENABLED: 'True'
      MILTER_DKIM_ALIGNMENT_REQUIRED: 'True'
      MILTER_TRUSTED_AUTHSERVID: 'DKIMAuthservID'
      MILTER_X509_ENABLED: 'True'
      MILTER_X509_TRUSTED_CN: 'mail.protection.outlook.com'
      # YAML mapping syntax (key: value), not shell-style assignment
      MILTER_X509_IP_WHITELIST: '127.0.0.1,::1'
      MILTER_ADD_HEADER: 'True'
      MILTER_AUTHSERVID: 'ThisAuthservID'
    volumes:
      - "./data/:/data/:ro"
    ports:
      - "127.0.0.1:4321:4321"
```
Relevant main.cf parts of a locally installed postfix MS365 exchange online submission-relay:

```
[...]
mynetworks =
    127.0.0.0/8
    40.92.0.0/15
    40.107.0.0/16
    52.100.0.0/14
    104.47.0.0/17
    2a01:111:f400::/48
    2a01:111:f403::/48
smtpd_recipient_restrictions =
    permit_mynetworks
    reject
# TLS is a MUST as the ExOTA-Milter expects a client certificate (CN: `mail.protection.outlook.com`)
smtpd_tls_security_level = encrypt
smtpd_tls_req_ccert = yes
# Milter chain
# 1. OpenDKIM-Milter
# 2. ExOTA-Milter
# 3. Content-scanner (rspamd/amavis+spamassassin/clamav/...)
smtpd_milters = inet:127.0.0.1:1234, inet:127.0.0.1:4321
[...]
```
Thx, could "MILTER_DKIM_ALIGNMENT_REQUIRED: 'True'" be changed to "false" to have something more relaxed?
Thx again
Yes, you can disable DKIM-alignment globally as well as per policy. The latter needs to have it globally enabled, but the override takes place per policy like this:

```json
{
  "example.com": {
    "tenant_id": "abcd1234-18c5-45e8-88de-987654321cba",
    "dkim_enabled": true,
    "dkim_alignment_required": false
  }
}
```

In that case it's enough to have a valid DKIM signature (result=pass) which was created by an SDID other than the 5322.From domain. You should only disable this temporarily or in case of troubleshooting, as this is the authentication factor with the most security potential. Non-aligned DKIM signatures are nearly worthless in terms of sender domain identification. DMARC is another scenario where DKIM alignment is crucial.
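To make the alignment rule above concrete, here is an added example (not ExOTA-Milter's own code) that evaluates DKIM alignment of the 5322.From domain against the `header.d` SDID, honouring the global setting and the per-domain `dkim_alignment_required` override in the policy format shown above. The policy entries, tenant_ids and Authentication-Results lines are constructed sample data; the trusted authserv-id check mirrors `MILTER_TRUSTED_AUTHSERVID` / OpenDKIM's `AuthservID`.

```python
import re
from email.utils import parseaddr

# Constructed sample policy in the thread's policy.json format; tenant_ids are placeholders.
POLICY = {
    "example.com": {"tenant_id": "00000000-0000-0000-0000-000000000000",
                    "dkim_enabled": True, "dkim_alignment_required": False},
    "strict.example": {"tenant_id": "00000000-0000-0000-0000-000000000001",
                       "dkim_enabled": True, "dkim_alignment_required": True},
}
TRUSTED_AUTHSERVID = "DKIMAuthservID"  # must equal OpenDKIM's AuthservID

# dkim=<result> ... header.d=<SDID> inside one Authentication-Results clause
AR_RE = re.compile(r"dkim=(?P<result>\w+)(?:[^;]*?header\.d=(?P<sdid>[\w.-]+))?")


def passing_sdids(auth_results, trusted_authservid):
    """SDIDs with dkim=pass, taken only from Authentication-Results headers
    stamped by the trusted authserv-id; anything else could be forged upstream."""
    sdids = set()
    for ar in auth_results:
        stamp, _, clauses = ar.partition(";")
        tokens = stamp.split()          # "authservid [version]"
        if not tokens or tokens[0] != trusted_authservid:
            continue
        for m in AR_RE.finditer(clauses):
            if m.group("result") == "pass" and m.group("sdid"):
                sdids.add(m.group("sdid").lower())
    return sdids


def dkim_check(from_header, auth_results, policy, trusted_authservid,
               global_alignment_required=True):
    """Return (action, reason). Alignment is enforced only when it is enabled
    globally AND the per-domain policy does not override it to false."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    entry = policy.get(from_domain)
    if entry is None:
        return "reject", "no policy for " + from_domain
    if not entry.get("dkim_enabled", False):
        return "accept", "dkim check disabled for " + from_domain
    sdids = passing_sdids(auth_results, trusted_authservid)
    if not sdids:
        return "reject", "no trusted dkim=pass"
    required = global_alignment_required and entry.get("dkim_alignment_required", True)
    if required and from_domain not in sdids:
        return "reject", "dkim=pass but SDID not aligned: " + ",".join(sorted(sdids))
    return "accept", "dkim=pass, aligned=%s" % (from_domain in sdids)
```

With the relaxed `example.com` entry a signature from a different SDID is accepted, while `strict.example` rejects the same message; a dkim=pass stamped by any other authserv-id is ignored entirely.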
@buzzzo: I have documented the installation procedures for docker/kubernetes/systemd here.
Would be nice if you could throw an eyeball on it :)
Thanks in advance 🍻