MILTERD-NG MTA filter: fast IP checks on the mail stream

MILTERD-NG lets administrators add a mail filter that consults the IP address spam databases of the IPSET-NG access control system, so that spam and viruses are filtered within the mail processing chain. It is compatible with any mail program that supports the Milter API, for example: Sendmail, Postfix, Sentrion, Switch, Mailstream Manager.

MILTERD-NG reads its settings from the configuration file (default path /etc/milterd-ng.conf), from the command line, or from environment variables.
When the same setting comes from several sources, the priority is: command line -> environment variables -> configuration file.
The program supports two MTA filter event modes, the CONNECT event and the HELO/EHLO event; either mode can be enabled or disabled by editing the configuration file.

Event processing logic:

  • On the SMTP HELO/EHLO event, the sender's IP address is checked against the remote IPSETD-NG server.
  • On the SMTP CONNECT event, the DNS entries and IP addresses of the connecting host are checked, verifying that they all belong to the same domain.

Return values passed to the MTA in each situation:

The [return] section of the configuration file sets the individual behaviour of the MILTERD-NG filter in each external error situation.
The settings responsible for this behaviour are: serv_error, dns_error, no_host_error, bad_ip_error.
Each of them accepts one of the following return values: continue, fail, reject.

Meaning of each situation setting:

  • serv_error - the IPSETD-NG server timed out or did not respond.
  • dns_error - name or service not known.
  • no_host_error - the server could not determine the hostname of the peer.
  • bad_ip_error - the sender presented no valid IP address.

Meaning of the return values passed to the MTA:

  • continue - continue processing the current connection, message or recipient.
  • fail - temporary failure; the corresponding SMTP command returns an appropriate 4xx status code.
  • reject - reject this connection.

The MILTERD-NG filter and the MTA communicate over a socket, which can be either a network socket or a UNIX-domain (file) socket.
The socket is set in the [server] -> socket parameter of the configuration file.

  • unix:/path/name, local:/path/name - create a local UNIX-domain socket bound to the given pathname.
  • inet:port@host - bind to the given TCP port on the given local hostname (see the examples below).

Socket parameter example:

  • socket = unix:/var/run/milter-ng.sock
  • socket = local:/var/run/milter-ng.sock
  • socket = inet:1999@localhost

The [server] -> cachemem parameter enables a local cache of the results of previous queries to the IPSETD-NG server, which reduces the load on the network and the server and improves performance. FAQ: 1 MB of cache holds about 50,000 IP addresses.
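As an added example (not code from the IPSET-NG project), the following shell script writes a milterd-ng.conf fragment covering the [server] socket and cachemem parameters and the [return] section described above, and reads values back out of it. It contrasts a fail-closed policy (serv_error = fail, so an outage of the IPSETD-NG server tempfails the SMTP command and legitimate senders retry) with a fail-open one (serv_error = continue, so mail passes unchecked for the duration of the outage). The section and key names are the ones documented on this page and the "key = value" line syntax follows the socket examples; the rest of the file format, and the script itself, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IPSET-NG / MILTERD-NG distribution: generate a
# minimal milterd-ng.conf with a [server] and a [return] section, then read
# values back out of it. Section and key names come from the documentation;
# everything else about the file format (beyond "key = value" lines and
# '#' comment lines) is an assumption.

# write_milterd_conf PATH POLICY
#   POLICY "fail-closed": an unreachable IPSETD-NG server answers "fail", so the
#                         SMTP command gets a 4xx and legitimate senders retry.
#   POLICY "fail-open":   the same outage answers "continue" and the connection
#                         is processed without any IP check.
write_milterd_conf() {
    path=$1
    policy=$2
    case "$policy" in
        fail-closed) serv=fail ;;
        fail-open)   serv=continue ;;
        *) echo "unknown policy: $policy (use fail-closed or fail-open)" >&2; return 1 ;;
    esac
    cat > "$path" <<EOF
[server]
# local UNIX-domain socket shared with the MTA
socket = unix:/var/run/milter-ng.sock
# result cache in Kb; 1024 Kb holds roughly 50,000 addresses per the FAQ figure
cachemem = 1024

[return]
# IPSETD-NG server timeout or no response
serv_error = $serv
# name or service not known: tempfail so a transient DNS outage is retried
dns_error = fail
# no hostname found for the peer: let the CONNECT-time IP check decide
no_host_error = continue
# sender presented no valid IP address
bad_ip_error = reject
EOF
}

# conf_get PATH SECTION KEY -> value of KEY inside [SECTION], comments ignored
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^\[/               { insec = ($0 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Stand-alone demonstration: the two policies differ only in serv_error.
demo_dir=$(mktemp -d)
for policy in fail-closed fail-open; do
    write_milterd_conf "$demo_dir/$policy.conf" "$policy"
    echo "$policy: serv_error = $(conf_get "$demo_dir/$policy.conf" return serv_error)"
done
rm -rf "$demo_dir"
```

The fail-closed variant is the one to start from: a "continue" on serv_error means that whenever the IPSETD-NG server is unreachable, every connection is accepted without a check, which is exactly the moment an operator would least want that.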

An example configuration file, together with a detailed description of every configuration parameter, is in <ipset-ng-src-dir>/misc/config/milterd-ng.conf.

To shorten the command line, the options can also be supplied as environment variables: in the ksh shell they are set with the export command, in the csh shell with the setenv command.
When the same setting comes from several sources, the priority is: command line -> environment variables -> configuration file.

To build this MTA filter from the IPSET-NG package on another computer, download the archive produced after the server build,
unpack it and run: make clean ; make milterd
The build process, keys and options are described in the section: tuning and compile options

Command line options:
-d, --daemon run in daemon mode
-m, --monitor run in monitor mode
-r, --remote=<arg> remote ipsetd-ng server IP address
-p, --port=<arg> remote ipsetd-ng UDP/TCP-SSL port
-f, --family=<arg> default IP protocol family: ipv4 or ipv6
-a, --password=<arg> crypt cipher - password for AES-encrypted access to the server
-g, --ctbl=<arg> ipset black list table (CONNECT method)
-q, --htbl=<arg> ipset black list table (HELO/EHLO method)
-j, --socket=<arg> socket - unix:, local:, inet:
-c, --cachemem=<arg> IP address cache size, in Kb
-t, --timeout=<arg> MTA connection timeout
-o, --mode=<arg> MTA mode: 1, 2 or 3 - connect, helo method
-b, --dnsbl enable IP check against a DNSBL resource
-l, --loglevel=<arg> log level: disabled, critical, medium, full, debug, debugssl
-i, --sslsni=<arg> SSL SNI server hostname
-u, --sslciph=<arg> SSL cipher string
-z, --sslcert=<arg> SSL certificate + CA + key (one PEM file)
-s, --ssl enable SSL connection
-x, --memleak print memory leak diagnostics on exit
-e, --env display environment variable help
-h, --help display this help
Management daemon command line options:
-y, --clearcache clear the running parent's memory cache on exit
-k, --kill stop the running program copy (terminate)
Command line examples (<ipsetd-ng-host> stands for the address of your IPSETD-NG server):

        # Example console monitor mode, file socket & unencrypted connection:
        /usr/bin/milterd-ng -m -r <ipsetd-ng-host> -p 1919 -f ipv4 -o 3 -g banlist -q blklist -t 60 -j unix:/var/run/mail.socket

        # Example daemon mode, network socket & encrypted (AES) connection:
        /usr/bin/milterd-ng -d -r <ipsetd-ng-host> -p 1919 -f ipv6 -o 2 -g banlist -t 60 -j inet:1999@localhost -a "my access word!"

        # Example daemon mode, network socket, DNSBL check enabled & SSL connection:
        /usr/bin/milterd-ng -d -r <ipsetd-ng-host> -p 5000 -f ipv6 -o 2 -g banlist -b -t 60 -j inet:1999@localhost \
            -s -z /etc/ipset-ng/ssl/full.client.pem -u "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"

        # Example of combining the SSL certificate, CA certificate and key into one file:
        cd /etc/ipset-ng/ssl
        cat ./cert.client.pem ./<ca-certificate.pem> ./key.client.pem > ./full.client.pem
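The bundle built by the last command above ends up holding a private key, so it is worth checking its contents and permissions before pointing -z / --sslcert at it. The following script is an added example, not part of MILTERD-NG: it assembles full.client.pem in the documented order (client certificate, CA certificate, private key) with owner-only permissions and then verifies the block order, the block counts and the file mode. The CA file name ca.client.pem is an assumption (the original command elides it), and the PEM contents the script creates are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of MILTERD-NG: build the single PEM file that
# --sslcert / NG_MILTER_sslcert expects (client certificate, then CA
# certificate, then private key) and sanity-check it before handing it to
# the filter. File names follow the documentation; the CA file name
# ca.client.pem is an assumption, since the original command elides it.

# write_constructed_pems DIR: placeholder PEM files used only to exercise the
# functions below. The base64 bodies are made up and are not real key material.
write_constructed_pems() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedClientCert' '-----END CERTIFICATE-----' > "$1/cert.client.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedCaCert' '-----END CERTIFICATE-----' > "$1/ca.client.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEconstructedKey' '-----END PRIVATE KEY-----' > "$1/key.client.pem"
}

# build_bundle DIR -> DIR/full.client.pem, created owner-readable only because
# it carries the private key
build_bundle() {
    for f in cert.client.pem ca.client.pem key.client.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; return 1; }
    done
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; cat "$1/cert.client.pem" "$1/ca.client.pem" "$1/key.client.pem" > "$1/full.client.pem" )
}

# count_pem_blocks FILE LABEL-REGEX -> number of matching "-----BEGIN ...-----" lines
count_pem_blocks() {
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# check_bundle FILE -> 0 when the bundle is well formed, 1 (with a reason) otherwise
check_bundle() {
    f=$1
    certs=$(count_pem_blocks "$f" 'CERTIFICATE')
    keys=$(count_pem_blocks "$f" '.*PRIVATE KEY')
    first=$(grep '^-----BEGIN' "$f" | head -n 1)
    last=$(grep '^-----BEGIN' "$f" | tail -n 1)
    [ "$certs" -ge 2 ] || { echo "$f: expected client certificate plus CA, found $certs certificate(s)" >&2; return 1; }
    [ "$keys" -eq 1 ] || { echo "$f: expected exactly one private key, found $keys" >&2; return 1; }
    case "$first" in *CERTIFICATE*) ;; *) echo "$f: client certificate must come first" >&2; return 1 ;; esac
    case "$last" in *"PRIVATE KEY"*) ;; *) echo "$f: private key must come last" >&2; return 1 ;; esac
    # group- or world-readable bundle exposes the private key
    if find "$f" \( -perm -040 -o -perm -004 \) -print | grep -q .; then
        echo "$f: readable by group or others; use chmod 600" >&2; return 1
    fi
    return 0
}

# Stand-alone demonstration on constructed placeholder files.
demo_dir=$(mktemp -d)
write_constructed_pems "$demo_dir"
build_bundle "$demo_dir" && check_bundle "$demo_dir/full.client.pem" && echo "bundle ok: $demo_dir/full.client.pem"
rm -rf "$demo_dir"
```

The same check_bundle function can be run against a real /etc/ipset-ng/ssl/full.client.pem; the three cases it rejects (key first, CA missing, file readable by others) are the mistakes most likely to slip through when the concatenation is typed by hand.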

Example ksh:
        export NG_MILTER_port="1919"
        export NG_MILTER_remote=""
Example csh:
        setenv NG_MILTER_port "1919"
        setenv NG_MILTER_remote ""
Environment variables:
NG_MILTER_remote remote server host
NG_MILTER_port remote UDP/TCP-SSL port
NG_MILTER_family default IP protocol family: ipv4 or ipv6
NG_MILTER_ctbl ipset black list table (CONNECT method)
NG_MILTER_htbl ipset black list table (HELO/EHLO method)
NG_MILTER_socket socket address: unix:, local:, inet:
NG_MILTER_cachemem IP address cache size, in Kb
NG_MILTER_password crypt cipher - password for AES-encrypted access to the server
NG_MILTER_timeout MTA connection timeout
NG_MILTER_dnsbl enable IP check against a DNSBL resource
NG_MILTER_ssl enable SSL connection
NG_MILTER_sslsni SSL SNI server hostname
NG_MILTER_sslcert SSL certificate + CA + key (one PEM file)
NG_MILTER_sslciph SSL cipher string
NG_MILTER_ssltm SSL connection timeout
Monitor command key functions:
[0,1,2,3,4,5] - set log level:
  • 0 disabled - logging off
  • 1 critical - warnings only
  • 2 medium - info level log
  • 3 full - full log
  • 4 debug - full log, including memory access
  • 5 debugssl - full log, including memory access and SSL
[6,7,8] - run a script event manually:
  • 6 - run the onstart script event
  • 7 - run the onreload script event
  • 8 - run the onstop script event
[e] - enable/disable console output
[s] - show configuration
[w] - show WhoIs information for the processed IP address; three levels of detail, selected by the number of key presses
[g] - show GeoIP information for the processed IP address
[c] - clear the IP response cache
[l] - show session statistics
  • only in SSL data transfer mode
[p] - show user certificates
  • only in SSL data transfer mode
[i] - show connection information
  • only in SSL data transfer mode
[a] - send an encrypted/unencrypted (crypt/no-crypt) AES packet
  • crypt mode requires a password, the same password as configured on the ipsetd-ng server
[v] - check whether a newer version is available
[q,ESC] - stop milterd-ng and exit
[?,h] - help screen

MTA Sendmail configuration:

    # cat ./
    INPUT_MAIL_FILTER(`filter1', `S=inet:1999@localhost, T=C:2m')
    define(`confINPUT_MAIL_FILTERS', `filter1')

    m4 ../m4/cf.m4 >

The above macros will result in the following lines being added to file:

    Xfilter1, S=inet:1999@localhost, T=C:2m
    O InputMailFilters=filter1

Values of the F= flag in the Sendmail macro:
  • R - Reject connection if the filter is unavailable
  • T - Temporary-fail connection if the filter is unavailable
Values of the T= flag in the Sendmail macro:
  • C - Timeout for connecting to the filter. If set to 0, the system's connect(2) timeout is used. Default: 5m
  • S - Timeout for sending information from the MTA to the filter. Default: 10s
  • R - Timeout for reading a reply from the filter. Default: 10s
  • E - Overall timeout between sending end-of-message to the filter and waiting for the final acknowledgment. Default: 5m
Note also that a filter can be defined without adding it to the input filter list by using MAIL_FILTER() instead of INPUT_MAIL_FILTER().

MTA Postfix configuration:

Milters for SMTP mail:

    # edit /etc/postfix/
    smtpd_milters = inet:1999@localhost

    # or use extended parameters
    smtpd_milters = { inet:1999@localhost, connect_timeout=10s, default_action=accept }

Milters for non-SMTP mail:

    # edit /etc/postfix/
    non_smtpd_milters = inet:1999@localhost

    # or use extended parameters
    non_smtpd_milters = { inet:1999@localhost, connect_timeout=10s, command_timeout=20s, default_action=reject }

  • The default connect_timeout is 30 seconds (CONNECT event)
  • The default command_timeout is 30 seconds (HELO/EHLO event)
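Because default_action=accept lets mail through unchecked whenever the milter is down, an administrator will want to see at a glance which Postfix milter settings are fail-open. The following script is an added example, not Postfix or MILTERD-NG code: it reads smtpd_milters and non_smtpd_milters out of a main.cf-style text (constructed inline), parses both the short form and the extended { socket, key=value, ... } form shown above, and flags default_action=accept. It assumes one milter per setting on a single line, as in the examples above; when default_action is absent, Postfix falls back to the global milter_default_action parameter, whose default is tempfail.

```shell
#!/bin/sh
# Added example, not from the Postfix or MILTERD-NG projects: audit the
# smtpd_milters / non_smtpd_milters settings of a main.cf-style text and
# report each milter's socket, connect_timeout and default_action, flagging
# default_action=accept (fail-open: mail passes unchecked while the milter is
# down). Assumes one milter per setting, written on a single line.

# Constructed sample, not taken from a real system.
SAMPLE_MAIN_CF='# constructed main.cf fragment for this example
smtpd_milters = { inet:1999@localhost, connect_timeout=10s, default_action=accept }
non_smtpd_milters = { inet:1999@localhost, connect_timeout=10s, command_timeout=20s, default_action=reject }'

# main_cf_get TEXT PARAM -> value of "param = value" (last occurrence wins,
# as postconf does); empty when the parameter is not set
main_cf_get() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", name)
            if (name == p) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            }
        }
        END { print val }'
}

# milter_socket SETTING -> the socket, from either "inet:port@host" or
# "{ inet:port@host, key=value, ... }"
milter_socket() {
    printf '%s\n' "$1" | tr -d '{}' | cut -d, -f1 | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# milter_field SETTING KEY -> value of KEY inside the braces, or "-" if absent
milter_field() {
    printf '%s\n' "$1" | tr -d '{}' | tr ',' '\n' | awk -v key="$2" -F= '
        { gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2) }
        $1 == key { print $2; found = 1; exit }
        END { if (!found) print "-" }'
}

# audit_milters TEXT -> one report line per configured milter parameter;
# returns 1 when any milter is fail-open (default_action=accept)
audit_milters() {
    rc=0
    for param in smtpd_milters non_smtpd_milters; do
        setting=$(main_cf_get "$1" "$param")
        [ -n "$setting" ] || continue
        sock=$(milter_socket "$setting")
        ct=$(milter_field "$setting" connect_timeout)
        act=$(milter_field "$setting" default_action)
        case "$act" in
            accept) verdict="FAIL-OPEN"; rc=1 ;;
            -)      verdict="unset (milter_default_action, tempfail by default)" ;;
            *)      verdict="fail-closed" ;;
        esac
        printf '%s %s connect_timeout=%s default_action=%s %s\n' "$param" "$sock" "$ct" "$act" "$verdict"
    done
    return $rc
}

# Stand-alone demonstration on the constructed sample.
audit_milters "$SAMPLE_MAIN_CF" || echo "at least one milter is configured fail-open"
```

On a live system the same functions can be fed the output of "postconf -n" instead of the constructed text, since that output uses the same "param = value" lines.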
Monitor mode trick: if the screen shows too much information, press [0] and then [g] and/or [w]; from then on only information about the processed IP addresses is shown.
