spfmilter(8) SPF mail filter module


spfmilter [--localpolicy|-l spf-mechanisms] [--trustedforwarders|-t] [--guess|-g spf-mechanisms] [--fallback|-f filename] [--whitelist|-w filename] [--recipientmx|-r] [--explanation|-e spf-message] [--markonly|-m] [--user|-u user] [--pidfile|-p filename] [--nodaemon|-X] [--debug|-d] socket


Sendmail includes a facility for plugging in custom mail filters, called milters. It's documented here: http://www.milter.org/milter_api/

Spfmilter implements the Sender Policy Framework (SPF) as a milter, using either the libspf or libspf2 libraries.


All milters take a standardized socket argument, which specifies how they communicate with sendmail. This will look something like "unix:/var/run/spfmilter.sock" for a unix-domain socket, or "inet:2525@localhost" for an internet-domain socket. The same string gets used in the INPUT_MAIL_FILTER macro in sendmail.mc.

In addition to the required socket argument, there are a number of flags:

--localpolicy or -l
Additional SPF mechanisms to apply before a sender site's own rules.
--trustedforwarders or -t
Whether to check trusted-forwarder.org. This is basically equivalent to "-l include:spf.trusted-forwarder.org".
--guess or -g
SPF mechanisms to use for any site which doesn't specify SPF rules of its own. Something like "+a/24 +mx/24 +ptr ~all" might be good.
--fallback or -f
A file of SPF mechanisms to use for specific sites that don't specify any SPF rules of their own. The format for each line is a shell-style wildcard pattern (? and *), whitespace, and then the SPF mechanisms to use on rule-less domains matching the pattern. Hash mark starts a comment, and blank lines are ignored. The --guess option is equivalent to a --fallback file entry of "*".
--whitelist or -w
A file of IP addresses to always accept mail from. This could be used to add exceptions for sites that forward mail to your site but don't do sender-rewriting. The format for each line is a single decimal dotted-quad, with an optional /nn network width specifier appended. Hash mark starts a comment, and blank lines are ignored. Note that this currently only works for IPv4 addresses, not for IPv6.
--recipientmx or -r
Before doing the regular SPF check, this option says to first check if the sending system is an MX-secondary for the recipient. If it is, then the regular SPF check is not done and the message gets an automatic "pass". If there are multiple recipients, then this MX check gets done for each of them. The assumption here is that your MX-secondaries are themselves running SPF and have already done the real check when they initially received the message. Note: This build of spfmilter does not support this option because of library limitations.
--explanation or -e
The explanation message that gets returned in mail bounce messages. If a site's SPF record has an "exp=" declaration, then that gets used; if the site doesn't specify one, then this gets used. And if you don't specify this option then there's a standard default message.
--markonly or -m
Normally spfmilter rejects mail that fails the SPF test and accepts other mail, adding a Received-SPF header with an explanation. This flag tells spfmilter to also accept mail that fails the test, and add the Received-SPF header to that too. A later layer of the mail delivery process, such as procmail, can look for this header and handle the mail appropriately.
--user or -u
The user to switch to after starting up as root. This is just for convenience; there is no need to start the program as root, and if you want to switch users external to this program via su, that will work fine.
--pidfile or -p
Write the process i.d. to the specified file.
--nodaemon or -X
With this flag, spfmilter will not fork itself into a background process. Normally it does fork itself.
--debug or -d
Turns on debugging messages in the SPF library. You probably want to use --nodaemon with this, or the messages might get lost.
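
The --whitelist and --fallback file formats described above can be checked before deployment. The following is an added example, not part of spfmilter: it parses both formats and warns about whitelist entries that spfmilter would not understand or that exempt a very large network from SPF checking. The function names, the width threshold, the treatment of a hash mark anywhere on a line as a comment start, and the first-match rule for fallback patterns are assumptions of this example; the file contents are constructed.

```python
import fnmatch
import ipaddress

def entries(text):
    """Yield (line_number, content), dropping '#' comments and blank lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line

def parse_whitelist(text, widest=16):
    """Return (networks, warnings) for the text of a --whitelist file."""
    nets, warnings = [], []
    for n, line in entries(text):
        addr, slash, width = line.partition("/")
        try:
            ipaddress.IPv4Address(addr)           # dotted-quad only, so IPv6 fails here
            prefix = int(width) if slash else 32  # int() rejects "" and dotted netmasks
            net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
        except ValueError:
            warnings.append(f"line {n}: not a dotted-quad[/nn]: {line}")
            continue
        if net.prefixlen < widest:                # 'widest' is this example's threshold
            warnings.append(f"line {n}: {net} skips SPF for {net.num_addresses} addresses")
        nets.append(net)
    return nets, warnings

def parse_fallback(text):
    """Return [(pattern, mechanisms)] for the text of a --fallback file."""
    rows = [line.split(None, 1) for _, line in entries(text)]
    return [(r[0], r[1]) for r in rows if len(r) == 2]

def fallback_for(domain, rules):
    """Mechanisms for a rule-less domain; first matching pattern wins (assumed)."""
    for pattern, mechanisms in rules:
        if fnmatch.fnmatchcase(domain.lower(), pattern.lower()):
            return mechanisms
    return None

# Constructed sample files.
WHITELIST = """\
# forwarders that do not rewrite senders
192.0.2.10
198.51.100.0/24
10.0.0.0/8        # very wide
2001:db8::1       # IPv6 is not supported by --whitelist
"""
FALLBACK = """\
*.example.org   +a +mx ~all
*               +a/24 +mx/24 +ptr ~all    # same effect as --guess
"""
```

Note that Python's fnmatch also accepts [seq] character classes, which the fallback format above does not mention, so keep patterns to ? and *.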


This is very abbreviated, intended mainly as a reminder for those who have worked with milters before. If it's your first milter, you should look on the web for more thorough documentation. Also, these instructions are pretty specific to FreeBSD, and will have to be adapted for other OSs.

Make sure your sendmail is compiled with the MILTER option. (Starting with version 8.13 this is enabled by default.) You can use this command to check:
    sendmail -d0.1 -bt < /dev/null | grep MILTER
If you don't see MILTER in the compilation options, you will have to re-build sendmail.
Fetch, build, and install either libspf (http://www.libspf.org/) or libspf2 (http://www.libspf2.org/).
Build and install the spfmilter executable, by doing a './configure ; make ; make install'.
Edit your sendmail.mc and add a mail filter macro, for example:
    INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock, T=S:8m;R:8m')
Rebuild and install sendmail.cf.
Run spfmilter, with the same socket argument you used in sendmail.mc:
    # spfmilter unix:/var/run/spfmilter.sock
Stop and re-start sendmail.
Look in /var/log/maillog for messages from spfmilter.
When you've verified that it's working, add lines to your /etc/rc.conf so it starts up at boot time:


Copyright (c)2004 by Jef Poskanzer <[email protected]>. All rights reserved.