Python Milter FAQ

Polish

  • Compiling Python Milter
  • Running Python Milter
  • Using SPF
  • Using SRS
  • Compiling Python Milter

    1. Q. I have tried to download the current milter code and my virus scan traps several viruses in the download.

      A. The milter source includes a number of deactivated viruses in the test directory. All but the first and last lines of the base64 encoded virus data has been removed. I suppose I should randomize the first and last lines as well, since pymilter just deletes executables, and doesn't look for signatures.

    2. Q. I have installed sendmail from source, but Python milter won't compile.

      A. Even though libmilter is officially supported in sendmail-8.12, you need to build and install it in separate steps. Take a look at the RPM spec file for sendmail-8.12. The %prep section shows you how to create a site.config.m4 that enables MILTER. The %build section shows you how to build libmilter in a separate invocation of make. The %install section shows you how to install libmilter with a separate invocation of make.

    3. Q. Why is mfapi.h not found when I try to compile Python milter on RedHat 7.2?

      A. RedHat forgot to include the header in the RPM. See the RedHat 7.2 requirements.

    4. Q. Python milter compiles ok, but I get an error like this when I try to import the milter module:
      ImportError: /usr/lib/python2.4/site-packages/milter.so: undefined symbol: smfi_setmlreply
      

      A. Your libmilter.a is from sendmail-8.12 or earlier. You need sendmail-8.13 or later to support setmlreply. You can disable setmlreply by changing setup.py. Change:

                  define_macros = [ ('MAX_ML_REPLY',32) ]
      
      in setup.py to
                  define_macros = [ ('MAX_ML_REPLY',1) ]
      

    Running Python Milter

    1. Q. The sample.py milter prints a message, then just sits there.
      To use this with sendmail, add the following to sendmail.cf:
      
      O InputMailFilters=pythonfilter
      Xpythonfilter,        S=local:inet:1030@localhost
      
      See the sendmail README for libmilter.
      sample  milter startup
      

      A. You need to tell sendmail to connect to your milter. The sample milter tells you what to add to your sendmail.cf to tell sendmail to use the milter. You can also add an INPUT_MAIL_FILTER macro to your sendmail.mc file and rebuild sendmail.cf - see the sendmail README for milters.

    2. Q. I've configured sendmail properly, but still nothing happens when I send myself mail!

      A. Sendmail only milters SMTP mail. Local mail is not miltered. You can pipe a raw message through sendmail to test your milter:

      $ cat rawtextmsg | sendmail myname@my.full.domain
      
      Now check your milter log.

    3. Q. Why do I get this ImportError exception?
      File "mime.py", line 370, in ?
          from sgmllib import declstringlit, declname
          ImportError: cannot import name declstringlit
      

      A. declstringlit is not provided by sgmllib in all versions of python. For instance, python-2.2 does not have it. Upgrade to milter-0.4.5 or later to remove this dependency.

    4. Q. Why do I get milter.error: cannot add recipient?
      
      

      A. You must tell libmilter how you might mutate the message with set_flags() before calling runmilter(). For instance, Milter.set_flags(Milter.ADDRCPT). You must add together all of ADDHDRS, CHGBODY, ADDRCPT, DELRCPT, CHGHDRS that apply.

      NOTE - recent versions default flags to enabling all features. You must now call set_flags() if you wish to disable features for efficiency.

    5. Q. Why does sendmail sometimes print something like: "...write(D) returned -1, expected 5: Broken pipe" in the sendmail log?

      A. Libmilter expects "rcpt to" shortly after getting "mail from". "Shortly" is defined by the timeout parameter you passed to Milter.runmilter() or milter.settimeout(). If the timeout is 10 seconds, and looking up the first recipient in DNS takes more than 10 seconds, libmilter will give up and break the connection. Milter.runmilter() defaulted to 10 seconds in 0.3.4. In 0.3.5 it will keep the libmilter default of 2 hours.

    6. Q. Why does milter block messages with big5 encoding? What if I want to receive them?

      A. sample.py is a sample. It is supposed to be easily modified for your specific needs. We will of course continue to move generic code out of the sample as the project evolves. Think of sample.py as an active config file.

      If you are running bms.py, then the block_chinese option in /etc/mail/pymilter.cfg controls this feature.

    7. Q. How do I use a network socket instead of a unix socket?

      A. Use inet: instead of unix: in the URL for your socket in sendmail.mc/sendmail.cf and in *milter.cfg. The default protocol is unix. So the default config would be:

      In sendmail.mc:

      InputMailFilters=pythonfilter
      Xpythonfilter,        S=local:/var/run/milter/pythonsock
      
      In pymilter.cfg:
      [milter]
      socket=/var/run/milter/pythonsock
      
      NOTE: for spfmilter, the config is "socketname" instead of "socket".

      To have your python milter listen on port 1234 of the network interface with IP 192.168.0.10:

      In sendmail.mc:

      InputMailFilters=pythonfilter
      Xpythonfilter,        S=inet:1234@192.168.0.10
      
      In pymilter.cfg:
      [milter]
      socket=inet:1234@192.168.0.10
      
    8. Q. Why does sendmail coredump with milters on OpenBSD?

      A. Sendmail has a problem with unix sockets on old versions of OpenBSD. OpenBSD users report that this problem has been fixed, so upgrading OpenBSD will fix this. Otherwise, you can use an internet domain socket instead. For example, in sendmail.cf use

      Xpythonfilter, S=inet:1234@localhost
      
      and change sample.py accordingly.

    9. Q. How can I change the bounce message for an invalid recipient? I can only change the recipient in the eom callback, but the eom callback is never called when the recipient is invalid!

      A. For sendmail-8.13 and later, use pymilter-0.9.3 and clear Milter.P_RCPT_REJ in the _protocol_mask class var:

      class myMilter(Milter.Base):
        def envrcpt(self,to,*params):
            return Milter.CONTINUE
      myMilter._protocol_mask = myMilter.protocol_mask() & ~Milter.P_RCPT_REJ
      
      For sendmail-8.12 and earlier, configure sendmail to use virtusertable, and send all unknown addresses to /dev/null. For example,

      /etc/mail/virtusertable

      @mycorp.com	dev-null
      dan@mycorp.com	dan
      sally@mycorp.com	sally
      

      /etc/aliases

      dev-null:	/dev/null
      
      Now your milter will get to the eom callback, and can change the envelope recipient at will. Thanks to Dredd at milter.org for this solution.

    10. Q. I am having trouble with the setreply method. It always outputs "milter.error: cannot set reply".

      A. Check the sendmail log for errors. If sendmail is getting milter timeouts, then your milter is taking too long and sendmail gave up waiting. You can adjust the timeouts in your sendmail config. Here is a milter declaration for sendmail.cf with all timeouts specified:

      Xpythonfilter, S=local:/var/log/milter/pythonsock, F=T, T=C:5m;S:20s;R:60s;E:5m
      
    11. Q. Once I feed my milter a valid address (which returns Milter.ACCEPT from the envrcpt() method) the envrcpt() method is no longer called. Is there something I can do to change this behavior?

      A. Return Milter.CONTINUE instead of Milter.ACCEPT from envrcpt().

    12. Q. There is a Python traceback in the log file! What happened to my email?

      A. By default, when the milter fails with an untrapped exception, a TEMPFAIL result (451) is returned to the sender. The sender will then retry every hour or so for several days. Hopefully, someone will notice the traceback, and workaround or fix the problem. Beginning with milter-0.8.2, you can call milter.set_exception_policy(milter.CONTINUE) to cause an untrapped exception to continue processing with the next callback or milter instead. For completeness, you can also set the exception policy to milter.REJECT.

    13. Q. I read some notes such as "Check valid domains allowed by internal senders to detect PCs infected with spam trojans." but could not understand the idea. Could you clarify the content ?

      A. The internal_domains configuration specifies which MAIL FROM domains are used by internal connections. If an internal PC tries to use some other domain, it is assumed to be a "Zombie".

      Here is a sample log line:

      2005Jun22 12:01:04 [12430] REJECT: zombie PC at  192.168.100.171  sending MAIL FROM  debby@fedex.com
      
      No, fedex.com does not use pymilter, and there is no one named debby at my client. But the idiot using the PC at 192.168.100.171 has downloaded and installed some stupid weatherbar/hotbar/aquariumscreensaver that is actually a spam bot.

      The internal_domains option is simplistic, it assumes all valid senders of the domains are internal. SPF provides a much more general check of IP and MAIL FROM for external email. Pymilter should soon have a local policy feature for more general checking of internal mail.

    14. Q. mail_archive isn't working. Or I don't understand how it's suppose to work. I have mail_archive = /var/mail/mail_archive in pymilter.cfg but nothing ever gets dumped into /var/mail/mail_archive.

      A. The 'mail' user needs to have write access. Permission failures should be logged as a traceback in milter.log if it doesn't.

    Using SPF

    1. Q. So how do I use the SPF support? The sample.py milter doesn't seem to use it.

      A. The milter package contains several more useful milters. The spfmilter.py milter checks SPF. The bms.py milter supports spf and too many other things. The RedHat RPMs will set almost everything up for you. For other systems:

      1. Arrange to run spfmilter.py or bms.py in the background (as a service perhaps) and redirect output and errors to a logfile. For instance, on AIX you'll want to use SRC (System Resource Controller).
      2. Copy spfmilter.cfg or pymilter.cfg to /etc/mail or the directory you run bms.py in, and edit it. The comments should explain the options.
      3. Start spfmilter.py or bms.py in the background as arranged.
      4. Add Xpythonfilter (or whatever you configured as miltername) to sendmail.cf or add an INPUT_MAIL_FILTER to sendmail.mc. Regen sendmail.cf if you use sendmail.mc and restart sendmail.
      5. Arrange to rotate log files and remove old defang files in tempdir. The RedHat RPM uses logrotate for logfiles and a simple cron script using find to clean tempdir.

      spfmilter.py runs as a service, and does just SPF. It uses the sendmail access file to configure SPF responses just like bms.py, but supports only REJECT and OK.

    2. Q. Can I somehow disable SPF checking for outgoing mail? The spf milter is always writing a useless (and wrong) Received-SPF header when I send mail.

      A. Geeky answer: Please define what you mean by "outgoing". An MTA receives incoming mail transactions via SMTP, and either delivers them via a local delivery agent or relays them to another MTA. You might call it "outgoing" when it relays to another MTA, but spf milter is never invoked for "outgoing" connections, and can never check SPF. (Sometimes you do want to check SPF on outgoing connections as a last minute check that your own SPF record is correct, and you have to use an SMTP proxy or another MTA instance to do that.) Note that a given incoming connection often results in both local deliveries and relays to other MTAs.

      Useful answer: spfmilter.py does not check SPF for incoming connections that are "internal". You define IPs that are considered "internal" in the configuration (e.g. 192.168.*), and Transactions using SMTP AUTH are also considered internal. You probably need to configure your internal email sources to avoid spurious SPF checks.

    3. Q. bms.py sends the SPF DSN at least once for domains that don't publish a SPF. How do I stop this behavior?

      A. The SPF response is controlled by /etc/mail/access (actually the file you specify with access_file in the [spf] section of pymilter.cfg). Responses are OK, CBV, DSN, and REJECT. DSN sends the DSN.

      You can change the defaults. For instance, I have:

      SPF-None:	REJECT
      SPF-Neutral:	CBV
      SPF-Softfail:	DSN
      SPF-Permerror:	DSN
      
      I have best_guess = 1, so SPF none is converted to PASS/NEUTRAL for policy lookup, and 3 strikes (no PTR, no HELO, no SPF) becomes "SPF NONE" for local policy purposes (the Received-SPF header always shows the official SPF result.)

      You can change the default for specific domains:

      # these guys aren't going to pay attention to CBVs anyway...
      SPF-None:cia.gov	REJECT
      SPF-None:fbi.gov	REJECT
      SPF-Neutral:aol.com	REJECT
      SPF-Softfail:ebay.com	REJECT
      

    Using SRS

    1. Q. The SRS part doesn't seem to work as whenever I try to start /etc/init.d/pysrs, I get this in /var/log/milter/pysrs.log:
      ConfigParser.NoOptionError: No option 'fwdomain' in section: 'srs'
      

      A. You need to specify the forward domain - i.e. the domain you want SRS to rewrite stuff to.

      For instance, I have:

      # sample SRS configuration
      [srs]
      secret = don't you wish
      maxage = 8
      hashlength = 5
      ;database=/var/log/milter/srs.db
      fwdomain = bmsi.com
      sign=bmsi.com,mail.bmsi.com,gathman.org
      srs=bmsaix.bmsi.com,bmsred.bmsi.com,stl.gathman.org,bampa.gathman.org
      
      The sign is for local domains which are signed. The srs list is for other domains which you are relaying, and which need to have SRS checked/undone for bounces.