spfmilter - SPF mail filter module
[--guess|-g spf-mechanisms] [--whitelist|-w filename] [--explanation|-e spf-message] [--user|-u user]
Sendmail includes a facility for plugging in custom mail filters, called
milters. It's documented here: http://www.milter.org/milter_api/
Spfmilter implements the Sender Policy Framework (SPF) as a milter, using
either the libspf or libspf2 libraries.
All milters take a standardized socket argument, which specifies how they
communicate with sendmail. This will look something like
"unix:/var/run/spfmilter.sock" for a unix-domain socket, or
"inet:2525@localhost" for an internet-domain socket. The same string
gets used in the INPUT_MAIL_FILTER macro in sendmail.mc.
In addition to the required socket argument, there are a number of flags:
- --localpolicy or -l
- Additional SPF mechanisms to apply before a sender site's own rules.
- --trustedforwarders or -t
- Whether to check trusted-forwarder.org. This is basically equivalent to
- --guess or -g
- SPF mechanisms to use for any site which doesn't specify SPF rules of its
own. Something like "+a/24 +mx/24 +ptr ~all" might be good.
- --fallback or -f
- A file of SPF mechanisms to use for specific sites that don't specify any
SPF rules of their own. The format for each line is a shell-style wildcard
pattern (? and *), whitespace, and then the SPF mechanisms to use on
rule-less domains matching the pattern. Hash mark starts a comment, and
blank lines are ignored. The --guess option is equivalent to a --fallback
file entry of "*".
- --whitelist or -w
- A file of IP addresses to always accept mail from. This could be used to
add exceptions for sites that forward mail to your site but don't do
sender-rewriting. The format for each line is a single decimal
dotted-quad, with an optional /nn network width specifier appended. Hash
mark starts a comment, and blank lines are ignored. Note that this
currently only works for IPv4 addresses, not for IPv6.
- --recipientmx or -r
- With this option, before doing the regular SPF check, spfmilter first
checks whether the sending system is an MX-secondary for the recipient. If
it is, then the regular SPF check is not done and the message gets an
automatic "pass". If there are multiple recipients, then this MX check
gets done for each of them. The assumption here is that your
MX-secondaries are themselves running SPF and have already done the real
check when they initially received the message.
- --explanation or -e
- The explanation message that gets returned in mail bounce messages. If a
site's SPF record has an "exp=" declaration, then that gets
used; if the site doesn't specify one, then this gets used. And if you
don't specify this option then there's a standard default message.
- --markonly or -m
- Normally spfmilter rejects mail that fails the SPF test and accepts other
mail, adding a Received-SPF header with an explanation. This flag tells
spfmilter to also accept mail that fails the test, and add the
Received-SPF header to that too. A later layer of the mail delivery
process, such as procmail, can look for this header and handle the mail
- --user or -u
- The user to switch to after starting up as root. This is just for
convenience: there is no need to start the program as root, and if you want
to switch users externally via su before running it, that will work fine.
- --pidfile or -p
- Write the process ID to the specified file.
- --nodaemon or -X
- With this flag, spfmilter will not fork itself into a background process.
Normally it does fork itself.
- --debug or -d
- Turns on debugging messages in the SPF library. You probably want to use
--nodaemon with this, or the messages might get lost.
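The --fallback and --whitelist file formats described above, as an added Python example that is not part of spfmilter (the sample file contents are constructed; first-match-wins and case-insensitive pattern matching for fallback entries are assumptions, since the man page does not say):

```python
import fnmatch
import ipaddress
# Constructed sample files in the formats the man page describes for --fallback
# and --whitelist (made-up entries, not data shipped with spfmilter).
FALLBACK_FILE = """\
# rule-less domains matching the pattern get these mechanisms
*.example.net   +a/24 +mx/24 ~all
mail.*          +mx -all

*               +a/24 +mx/24 +ptr ~all
"""
WHITELIST_FILE = """\
192.0.2.10
198.51.100.0/24   # secondary MX range
"""
def _strip_comment(line):
    # A hash mark starts a comment; blank (or comment-only) lines become "".
    return line.split("#", 1)[0].strip()
def parse_fallback(text):
    """[(pattern, mechanisms), ...] in file order; a line is pattern, whitespace, mechanisms."""
    rules = []
    for line in map(_strip_comment, text.splitlines()):
        if line:
            pattern, mechanisms = line.split(None, 1)
            rules.append((pattern, mechanisms))
    return rules
def fallback_for(rules, domain):
    """Mechanisms for a rule-less domain, or None. Assumption (not stated in the
    man page): the first matching pattern wins and matching ignores case."""
    for pattern, mechanisms in rules:
        if fnmatch.fnmatchcase(domain.lower(), pattern.lower()):
            return mechanisms
    return None
def parse_whitelist(text):
    """IPv4 networks; a bare dotted quad means /32. IPv6 entries raise, as the
    man page says the whitelist currently handles IPv4 only."""
    nets = []
    for line in map(_strip_comment, text.splitlines()):
        if line:
            net = ipaddress.ip_network(line, strict=False)
            if net.version != 4:
                raise ValueError("whitelist is IPv4-only: " + line)
            nets.append(net)
    return nets
def is_whitelisted(nets, client_ip):
    """True if the connecting client's address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and any(addr in net for net in nets)
```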
This is very abbreviated, intended mainly as a reminder for those who have
worked with milters before. If it's your first milter, you should look on the
web for more thorough documentation. Also, these instructions are pretty
specific to FreeBSD, and will have to be adapted for other OSs.
- Make sure your sendmail is compiled with the MILTER option. (Starting with
version 8.13 this is enabled by default.) You can use this command to
sendmail -d0.1 -bt < /dev/null | grep MILTER
If you don't see MILTER in the compilation options, you will have to
- Fetch, build, and install either libspf (http://www.libspf.org/) or
- Build and install the spfmilter executable, by doing
'./configure ; make ; make install'.
- Edit your sendmail.mc and add a mail filter macro, for example:
Rebuild and install sendmail.cf.
- Run spfmilter, with the same socket argument you used in sendmail.mc:
# spfmilter unix:/var/run/spfmilter.sock
- Stop and re-start sendmail.
- Look in /var/log/maillog for messages from spfmilter.
- When you've verified that it's working, add lines to your /etc/rc.conf so
it starts up at boot time:
Copyright © 2004 by Jef Poskanzer <email@example.com>. All rights