spfmilter - SPF mail filter module
spfmilter [--localpolicy|-l spf-mechanisms] [--trustedforwarders|-t]
[--guess|-g spf-mechanisms] [--fallback|-f filename] [--whitelist|-w
filename] [--recipientmx|-r] [--explanation|-e spf-message]
[--markonly|-m] [--user|-u user] [--pidfile|-p filename]
[--nodaemon|-X] [--debug|-d] socket
Sendmail includes a facility for plugging in custom mail filters,
called milters. It’s documented here:
http://www.milter.org/milter_api/
Spfmilter implements the Sender Policy Framework (SPF) as a milter,
using either the libspf or libspf2
All milters take a standardized socket argument, which specifies how
they communicate with sendmail. This will look something like
"unix:/var/run/spfmilter.sock" for a unix-domain socket, or
"inet:2525@localhost" for an internet-domain socket. The same string
gets used in the INPUT_MAIL_FILTER macro in sendmail.mc.
In addition to the required socket argument, there are a number of
--localpolicy or -l
Additional SPF mechanisms to apply before a sender site’s own
--trustedforwarders or -t
Whether to check trusted-forwarder.org. This is basically
equivalent to "-l include:spf.trusted-forwarder.org".
--guess or -g
SPF mechanisms to use for any site which doesn’t specify SPF
rules of its own. Something like "+a/24 +mx/24 +ptr ~all" might
--fallback or -f
A file of SPF mechanisms to use for specific sites that don’t
specify any SPF rules of their own. The format for each line is
a shell-style wildcard pattern (? and *), whitespace, and then
the SPF mechanisms to use on rule-less domains matching the
pattern. Hash mark starts a comment, and blank lines are
ignored. The --guess option is equivalent to a --fallback file
entry of "*".
--whitelist or -w
A file of IP addresses to always accept mail from. This could
be used to add exceptions for sites that forward mail to your
site but don’t do sender-rewriting. The format for each line is
a single decimal dotted-quad, with an optional /nn network width
specifier appended. Hash mark starts a comment, and blank lines
are ignored. Note that this currently only works for IPv4
addresses, not for IPv6.
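The --fallback and --whitelist formats are simple enough that a file can be checked offline before it goes live. The following is an added example, not code from the spfmilter distribution: it parses both formats exactly as described above (shell-style wildcard, whitespace, mechanisms; dotted quad with optional /nn; hash comments; blank lines ignored) and reports which fallback entry a rule-less domain would get and whether a client address is whitelisted. The sample files and the networks in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of spfmilter: a checker for --fallback and
# --whitelist files. Globbing is disabled for the whole script because the
# fallback patterns (*, ?) are split into words with "set --" and must never
# be expanded against the file system.
set -f

# lookup_fallback FILE DOMAIN
# Prints the mechanisms of the first entry whose pattern matches DOMAIN
# (the shell's own case patterns provide ? and *); returns 1 if none does.
lookup_fallback() {
    fb_file=$1; fb_domain=$2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}             # hash mark starts a comment
        set -- $line                 # split pattern and mechanisms on whitespace
        [ $# -ge 2 ] || continue     # blank or incomplete lines are ignored
        pat=$1; shift
        case "$fb_domain" in
            $pat) printf '%s\n' "$*"; return 0 ;;
        esac
    done < "$fb_file"
    return 1
}

# ip2int DOTTED-QUAD: print the IPv4 address as a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_whitelisted FILE IP
# Returns 0 if IP lies inside any entry (dotted quad, optional /nn width).
# The format is IPv4-only, so an IPv6 client address can never match.
ip_whitelisted() {
    wl_file=$1; wl_ip=$2
    case "$wl_ip" in *:*) return 1 ;; esac
    ipn=$(ip2int "$wl_ip")
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -ge 1 ] || continue
        case "$1" in
            */*) net=${1%/*}; bits=${1#*/} ;;
            *)   net=$1; bits=32 ;;            # bare address means /32
        esac
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        if [ $(( $(ip2int "$net") & mask )) -eq $(( ipn & mask )) ]; then
            return 0
        fi
    done < "$wl_file"
    return 1
}

# Constructed sample files (documentation address ranges, not real sites).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/fallback" <<'EOF'
# rule-less domains matching the pattern get these mechanisms
*.example.org        +a +mx ~all
mail?.example.net    +ip4:192.0.2.0/24 -all
*                    +a/24 +mx/24 +ptr ~all   # same as --guess
EOF
cat > "$SAMPLE_DIR/whitelist" <<'EOF'
192.0.2.10          # a forwarder that does not rewrite senders
198.51.100.0/24     # a whole network
EOF

lookup_fallback "$SAMPLE_DIR/fallback" mail1.example.net
ip_whitelisted "$SAMPLE_DIR/whitelist" 198.51.100.77 && echo "198.51.100.77 is whitelisted"
```

Note that "*.example.org" does not match the bare domain "example.org"; only the catch-all "*" entry does, so a file without a "*" line leaves such domains with no fallback at all, which is the same behaviour as running without --guess.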
--recipientmx or -r
With this option, spfmilter first checks whether the sending
system is an MX secondary for the recipient. If it is, the
regular SPF check is skipped and the message gets an automatic
"pass". If there are multiple recipients, this MX check gets
done for each of them. The assumption here is that your MX
secondaries are themselves running SPF and have already done
the real check when they initially received the message; an MX
secondary that does not run SPF would let forged mail through
unchecked. Note: this build of spfmilter does not support this
option because of library limitations.
--explanation or -e
The explanation message that gets returned in mail bounce
messages. If a site’s SPF record has an "exp=" declaration,
then that gets used; if the site doesn’t specify one, then this
gets used. And if you don’t specify this option then there’s a
standard default message.
--markonly or -m
Normally spfmilter rejects mail that fails the SPF test and
accepts other mail, adding a Received-SPF header with an
explanation. This flag tells spfmilter to also accept mail that
fails the test, adding the Received-SPF header to it as well. A
later layer of the mail delivery process, such as procmail, can
look for this header and handle the mail appropriately; nothing
is rejected in this mode, so that later layer has to act on the
header or failing mail is simply delivered.
--user or -u
The user to switch to after starting up as root. This is just
for convenience: there is no need to start the program as root,
and switching users outside this program via su works just as
well.
--pidfile or -p
Write the process ID to the specified file.
--nodaemon or -X
With this flag, spfmilter will not fork itself into a background
process. Normally it does fork itself.
--debug or -d
Turns on debugging messages in the SPF library. You probably
want to use --nodaemon with this, or the messages might get
This is very abbreviated, intended mainly as a reminder for those who
have worked with milters before. If it’s your first milter, you should
look on the web for more thorough documentation. Also, these
instructions are pretty specific to FreeBSD, and will have to be
adapted for other OSs.
1) Make sure your sendmail is compiled with the MILTER option.
(Starting with version 8.13 this is enabled by default.) You
can use this command to check:
sendmail -d0.1 -bt < /dev/null | grep MILTER
If you don’t see MILTER in the compilation options, you will
have to re-build sendmail.
2) Fetch, build, and install either libspf (http://www.libspf.org/)
or libspf2 (http://www.libspf2.org/).
3) Build and install the spfmilter executable, by doing a
'./configure ; make ; make install'.
4) Edit your sendmail.mc and add a mail filter macro, for example:
Rebuild and install sendmail.cf.
5) Run spfmilter, with the same socket argument you used in
# spfmilter unix:/var/run/spfmilter.sock
6) Stop and re-start sendmail.
7) Look in /var/log/maillog for messages from spfmilter.
8) When you’ve verified that it’s working, add lines to your
/etc/rc.conf so it starts up at boot time:
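The installation steps above, gathered into one FreeBSD script. This is an added example and not part of the spfmilter distribution: the milter name "spfmilter", the T= timeouts, the name of the .mc file, and the rc.conf variable names (spfmilter_enable, spfmilter_flags) are assumptions for illustration; check your sendmail and rc.d documentation before relying on them.

```shell
#!/bin/sh
# Added example, not part of spfmilter: the install procedure as a script.
# The functions are pure so they can be sourced and checked without touching
# the system; the real steps run only with "sh this-script install".
SOCK="unix:/var/run/spfmilter.sock"
MC="/etc/mail/sendmail.mc"      # assumption: FreeBSD usually names it after the host

# Step 1: is sendmail built with MILTER support?
sendmail_has_milter() {
    sendmail -d0.1 -bt </dev/null 2>/dev/null | grep -q MILTER
}

# Accept only the socket spellings milters understand (unix/local path,
# inet:port@host, inet6:port@host).
valid_socket() {
    case "$1" in
        unix:/*|local:/*)   return 0 ;;
        inet:[0-9]*@?*)     return 0 ;;
        inet6:[0-9]*@?*)    return 0 ;;
        *)                  return 1 ;;
    esac
}

# Step 4: the INPUT_MAIL_FILTER line for sendmail.mc. The same socket string
# is passed to spfmilter in step 5. T= sets the send/reply timeouts (an
# assumed value). Without an F= flag sendmail accepts mail unfiltered when
# the milter is down; F=T temp-fails instead, which is the safer choice if
# you rely on SPF rejections.
milter_macro() {
    valid_socket "$1" || return 1
    printf "INPUT_MAIL_FILTER(\`spfmilter', \`S=%s, T=S:4m;R:4m')\n" "$1"
}

# Step 8: rc.conf lines (variable names assumed to follow rc.d convention).
rc_conf_lines() {
    printf 'spfmilter_enable="YES"\nspfmilter_flags="%s"\n' "$1"
}

if [ "${1:-}" = "install" ]; then
    set -e
    sendmail_has_milter || { echo "sendmail lacks MILTER support; rebuild it" >&2; exit 1; }
    milter_macro "$SOCK" >> "$MC"                 # step 4
    (cd /etc/mail && make && make install)        # rebuild and install sendmail.cf
    spfmilter "$SOCK"                             # step 5: same socket string
    /etc/rc.d/sendmail restart                    # step 6
    tail -n 20 /var/log/maillog | grep spfmilter  # step 7
    rc_conf_lines "$SOCK" >> /etc/rc.conf         # step 8
fi
```

The ordering matters: the milter is started before sendmail is restarted, so sendmail finds the socket at startup, and the socket string is generated from one variable so the sendmail.mc macro and the spfmilter command line cannot drift apart.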
Copyright (c)2004 by Jef Poskanzer <firstname.lastname@example.org>. All rights
25 May 2004 spfmilter(8)